workflows/README.md
enricobuehler 12ddd85414 ci(renovate): automerge non-major + lockfile, document registry mapping
Automerge third-party minor/patch updates and lockfile maintenance via
Gitea auto-merge; @played/* and majors stay manual. Document the bunfig.toml
scope mapping and the no-PR-CI automerge caveat.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 02:19:28 +02:00

played/workflows

Reusable Gitea Actions workflows for the played ecosystem.

build-deploy-game.yml

Drives the standard four-stage build-api-core → deploy-api-core → build-web → deploy-web pipeline for a played game.

Usage

Each game's .gitea/workflows/deploy.yml:

```yaml
name: Build & Deploy <Game>
run-name: ${{ gitea.actor }} is deploying <game-id>

on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  build-deploy:
    uses: played/workflows/.gitea/workflows/build-deploy-game.yml@main
    with:
      game-id: <game-id>
    secrets: inherit
```

Required caller secrets

secrets: inherit makes all the calling repo's secrets available. The workflow reads:

| Secret | Purpose |
| --- | --- |
| BUILD_ENV | Full prod .env contents. Used as a Docker build secret (secret-files: env=...) AND written to ~/<game-id>-secrets/.env on the deploy VM. |
| NPMRC | ~/.npmrc content with @played:registry=... + auth tokens. |
| REGISTRY_USER / REGISTRY_TOKEN | Gitea container registry creds. |
| PLAYED_HOST / PLAYED_USER / PLAYED_PORT / PLAYED_SSH_KEY | Deploy target SSH. |
| STEP_CA_PROVISIONER_PASSWORD | For the cert-init container in compose.production.yml. |

Assumptions

  • The repo lives at git.unom.io/played/<game-id> (matches ${{ gitea.repository }}).
  • The VM working dir is ~/<game-id> (the deploy step runs cd into it before anything else).
  • Secrets dir is ~/<game-id>-secrets/.
  • compose.production.yml defines api-core and web services, both with --env-file ~/<game-id>-secrets/.env.

renovate.yml + renovate-config.json

Self-hosted Renovate that keeps dependencies aligned across the game repos. renovate.yml is a scheduled bot (Mondays 06:00 UTC, plus manual workflow_dispatch); renovate-config.json is the shared preset every repo extends, so a bump lands the same way everywhere. Updates are grouped (@played/* together; third-party non-major batched) to keep PR noise down.

One-time setup

  1. Create a Gitea PAT — a dedicated renovate bot user is cleanest — with scopes read:user, write:repository, write:issue. Add it as the RENOVATE_TOKEN Actions secret (org-level, or on this repo).
  2. Make sure the existing NPMRC secret (registry + @played auth) is visible to this repo's Actions run (org-level recommended) — Renovate uses it to look up @played/* versions.
    • Add RENOVATE_GITHUB_COM_TOKEN — a read-only github.com PAT (no scopes). Required in practice: updating bun.lock installs bun, whose versions come from github.com releases, so without it lockfile artifacts fail with "No tool releases found". It also stops api.github.com rate-limit warnings and enables changelogs + actions/checkout/appleboy/ssh-action updates.
  3. Push, then run the workflow once (Run workflow). Renovate opens a "Configure Renovate" onboarding PR in each target repo that does extends: ["local>played/workflows:renovate-config"]; merge them to go live.

Target repos

Listed in renovate.yml under RENOVATE_REPOSITORIES (the six games + plaza). Add the shared packages (app-ui, games-registry, api-core, …) to that list to manage them too, or switch to RENOVATE_AUTODISCOVER=true with RENOVATE_AUTODISCOVER_FILTER=played/*.

Automerge

Third-party non-major (minor/patch) updates and weekly lockfile maintenance automerge (platformAutomerge → Gitea's "auto-merge"); @played/* bumps and majors stay manual (a @played minor can be breaking pre-1.0, and merging redeploys the game).

⚠️ There's currently no PR-level build check, so an automerged PR isn't validated before it lands on main (and triggers the deploy). If a bump breaks the build you'll find out at deploy time, not at merge. To make automerge safe, add a lightweight "build on PR" workflow and a required status check — then Renovate only merges green PRs.
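A minimal "build on PR" workflow of the kind the note above calls for, as an added example (not code from the played/workflows repo); it assumes bun as the package manager, a `bun run build` script in each game repo, that the Gitea runner can fetch oven-sh/setup-bun, and that the NPMRC secret is visible to pull_request runs.

```yaml
# .gitea/workflows/pr-build.yml  (added example; file name is an assumption)
name: Build on PR

on:
  pull_request:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assumption: the Gitea runner can resolve this GitHub-hosted action.
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest

      # Registry auth comes from the same NPMRC secret the deploy workflow uses;
      # the committed bunfig.toml supplies the token-free scope -> registry mapping.
      - name: Write ~/.npmrc from secret
        run: |
          umask 077
          printf '%s\n' "$NPMRC" > ~/.npmrc
        env:
          NPMRC: ${{ secrets.NPMRC }}

      # --frozen-lockfile fails when bun.lock disagrees with package.json, so a
      # Renovate bump whose lockfile did not regenerate cleanly is rejected here
      # instead of at deploy time.
      - name: Install
        run: bun install --frozen-lockfile

      - name: Build
        run: bun run build

      # Do not leave registry credentials on the runner after the job.
      - name: Remove registry credentials
        if: always()
        run: rm -f ~/.npmrc
```

Mark the `build` job as a required status check in the repo's branch protection; Gitea's auto-merge then waits for it, so Renovate's platformAutomerge only lands green PRs.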

Registry resolution

@played/@unom/etc. scopes are mapped to the Gitea registry via a committed bunfig.toml in each repo (token-free). Without it, Renovate's lockfile bun install falls back to registry.npmjs.org and 404s. Auth comes from RENOVATE_NPMRC (the NPMRC secret), the gitignored local .npmrc, and the mounted build secret.

Keeping versions current together is not the same as hard parity. For "every repo on the exact same version, CI red on drift", pair this with a syncpack check.