enricobuehler
6c46ca98a7
mode=max was re-uploading the bun install cache mount (~40–60s per build, ~90s combined for api-core + web) to the Gitea OCI registry on every push, even when source hadn't changed. That single export accounts for most of the delta between 1-minute and 3-minute deploys. mode=min only exports the final stage's layers. The trade-off is a few-second tax on cold buildkitd starts (the installer stage no longer warms from registry cache), but the per-push savings dwarf it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
played/workflows
Reusable Gitea Actions workflows for the played ecosystem.
build-deploy-game.yml
Drives the standard four-stage build-api-core → deploy-api-core → build-web → deploy-web pipeline for a played game.
Usage
Each game's .gitea/workflows/deploy.yml:
name: Build & Deploy <Game>
run-name: ${{ gitea.actor }} is deploying <game-id>
on:
push:
branches: [main]
workflow_dispatch:
jobs:
build-deploy:
uses: played/workflows/.gitea/workflows/build-deploy-game.yml@main
with:
game-id: <game-id>
secrets: inherit
Required caller secrets
secrets: inherit makes all the calling repo's secrets available. The workflow reads:
| Secret | Purpose |
|---|---|
BUILD_ENV |
Full prod .env contents. Used as a Docker build secret (secret-files: env=...) AND written to ~/<game-id>-secrets/.env on the deploy VM. |
NPMRC |
~/.npmrc content with @played:registry=... + auth tokens. |
REGISTRY_USER / REGISTRY_TOKEN |
Gitea container registry creds. |
PLAYED_HOST / PLAYED_USER / PLAYED_PORT / PLAYED_SSH_KEY |
Deploy target SSH. |
STEP_CA_PROVISIONER_PASSWORD |
For the cert-init container in compose.production.yml. |
Assumptions
- The repo lives at
git.unom.io/played/<game-id>(matches${{ gitea.repository }}). - The VM working dir is
~/<game-id>(the deploy stepcds there). - Secrets dir is
~/<game-id>-secrets/. compose.production.ymldefinesapi-coreandwebservices, both with--env-file ~/<game-id>-secrets/.env.