0.29.x drops DEFAULT_MIGRATION_LOCK_TABLE exports that @better-auth/kysely-adapter bundles. Renovate kept auto-merging the 0.28→0.29 'minor' bump and re-breaking every game's build; allowedVersions blocks it. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
# played/workflows
Reusable Gitea Actions workflows for the played ecosystem.
## build-deploy-game.yml

Drives the standard four-stage `build-api-core` → `deploy-api-core` → `build-web` → `deploy-web` pipeline for a played game.
### Usage

Each game's `.gitea/workflows/deploy.yml`:

```yaml
name: Build & Deploy <Game>
run-name: ${{ gitea.actor }} is deploying <game-id>

on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  build-deploy:
    uses: played/workflows/.gitea/workflows/build-deploy-game.yml@main
    with:
      game-id: <game-id>
    secrets: inherit
```
### Required caller secrets

`secrets: inherit` makes all the calling repo's secrets available to the reusable workflow. It reads:

| Secret | Purpose |
|---|---|
| `BUILD_ENV` | Full production `.env` contents. Used as a Docker build secret (`secret-files: env=...`) AND written to `~/<game-id>-secrets/.env` on the deploy VM. |
| `NPMRC` | `~/.npmrc` content with `@played:registry=...` plus auth tokens. |
| `REGISTRY_USER` / `REGISTRY_TOKEN` | Gitea container registry credentials. |
| `PLAYED_HOST` / `PLAYED_USER` / `PLAYED_PORT` / `PLAYED_SSH_KEY` | SSH details for the deploy target. |
| `STEP_CA_PROVISIONER_PASSWORD` | For the `cert-init` container in `compose.production.yml`. |

Note that `BUILD_ENV` is the complete production secret set. As a BuildKit build secret it is only mounted during the build and does not land in image layers, but the copy on the VM is a plain file readable by the deploy user, so access to that account is access to every production secret.
### Assumptions

- The repo lives at `git.unom.io/played/<game-id>` (matches `${{ gitea.repository }}`).
- The VM working dir is `~/<game-id>` (the deploy step `cd`s there).
- Secrets dir is `~/<game-id>-secrets/`.
- `compose.production.yml` defines `api-core` and `web` services, both with `--env-file ~/<game-id>-secrets/.env`.
## renovate.yml + renovate-config.json

Self-hosted Renovate that keeps dependencies aligned across the game repos. `renovate.yml` is a scheduled bot (Mondays 06:00 UTC, plus manual `workflow_dispatch`); `renovate-config.json` is the shared preset every repo extends, so a bump lands the same way everywhere. Updates are grouped (`@played/*` together; third-party non-major batched) to keep PR noise down.
### One-time setup

- Create a Gitea PAT (a dedicated `renovatebot` user is cleanest) with scopes `read:user`, `write:repository`, `write:issue`. Add it as the `RENOVATE_TOKEN` Actions secret (org-level, or on this repo). The token can push to every repo that user can write to, so give the bot user access to the target repos only.
- Make sure the existing `NPMRC` secret (registry + `@played` auth) is visible to this repo's Actions run (org-level recommended); Renovate uses it to look up `@played/*` versions.
- Add `RENOVATE_GITHUB_COM_TOKEN`, a read-only github.com PAT (no scopes). Required in practice: updating `bun.lock` installs `bun`, whose versions come from github.com releases, so without it lockfile artifacts fail with "No tool releases found". It also stops `api.github.com` rate-limit warnings and enables changelogs plus `actions/checkout` / `appleboy/ssh-action` updates.
- Push, then run the workflow once (Run workflow). Renovate opens a "Configure Renovate" onboarding PR in each target repo that does `extends: ["local>played/workflows:renovate-config"]`; merge them to go live.
### Target repos

Listed in `renovate.yml` under `RENOVATE_REPOSITORIES` (the six games + plaza). Add the shared packages (app-ui, games-registry, api-core, …) to that list to manage them too, or switch to `RENOVATE_AUTODISCOVER=true` with `RENOVATE_AUTODISCOVER_FILTER=played/*`.
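The following `renovate.yml` is an added example of how the secrets and settings from the setup steps above wire into the bot workflow; it is not the repo's own file. It assumes the `renovate/renovate` container image, Gitea at `https://git.unom.io`, the shared preset committed as `renovate-config.json` in this repo, and a placeholder repository list.

```yaml
# Added example of the self-hosted Renovate runner, not played/workflows' actual renovate.yml.
# Assumptions: Gitea Actions runner with Docker, the renovate/renovate image, Gitea API at
# https://git.unom.io/api/v1, and renovate-config.json committed at the root of this repo.
name: Renovate
run-name: Renovate run triggered by ${{ gitea.actor }}

on:
  schedule:
    - cron: '0 6 * * 1'   # Mondays 06:00 UTC
  workflow_dispatch:

jobs:
  renovate:
    runs-on: ubuntu-latest
    container:
      image: renovate/renovate:39   # assumed major tag; pin to a digest in real use
    steps:
      - uses: actions/checkout@v4   # makes renovate-config.json resolvable for the local> preset
      - name: Run Renovate
        env:
          RENOVATE_PLATFORM: gitea
          RENOVATE_ENDPOINT: https://git.unom.io/api/v1
          # PAT of the dedicated renovatebot user (read:user, write:repository, write:issue)
          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
          # Read-only github.com PAT: bun tool releases, changelogs, actions/* lookups
          RENOVATE_GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}
          # Same ~/.npmrc content the build uses, so @played/* versions resolve
          RENOVATE_NPMRC: ${{ secrets.NPMRC }}
          # What the onboarding PR proposes in each target repo
          RENOVATE_ONBOARDING_CONFIG: '{"$schema":"https://docs.renovatebot.com/renovate-schema.json","extends":["local>played/workflows:renovate-config"]}'
          # Placeholder list: the six games + plaza live here in the real file
          RENOVATE_REPOSITORIES: played/plaza,played/<game-id>
          # Alternative to a static list, as described above:
          # RENOVATE_AUTODISCOVER: 'true'
          # RENOVATE_AUTODISCOVER_FILTER: played/*
          LOG_LEVEL: info
        run: renovate
```

Every secret reaches the container only through the step's `env`, so nothing is written to disk on the runner; if the step is ever changed to a `docker run` invocation, keep the secrets as environment variables rather than command-line arguments, which are visible in the process list.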
### Automerge

Third-party non-major (minor/patch) updates and weekly lockfile maintenance automerge (`platformAutomerge`, i.e. Gitea's own auto-merge); `@played/*` bumps and majors stay manual, because a `@played` minor can be breaking pre-1.0 and merging redeploys the game.

⚠️ There's currently no PR-level build check, so an automerged PR isn't validated before it lands on `main` (and triggers the deploy). If a bump breaks the build you find out at deploy time, not at merge. The `kysely` 0.28→0.29 bump in the commit above is exactly this case: for a 0.x package a minor bump is allowed to break, so "non-major" is a weak safety net there, and the bump was auto-merged and broke every game's build until `allowedVersions` blocked it. To make automerge safe, add a lightweight "build on PR" workflow and make it a required status check; Renovate then only merges green PRs.
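One shape for that "build on PR" workflow, as an added example rather than anything in this repo: it assumes a bun-based game repo (Renovate maintains `bun.lock`) whose build is `bun run build`, and reuses the `NPMRC` caller secret documented above.

```yaml
# Added example of a PR-level build check, not part of played/workflows.
# Assumptions: the game repo builds with `bun run build`, bun.lock is committed,
# and NPMRC is the same secret the deploy workflow uses for the @played registry.
name: Build check

on:
  pull_request:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2
      - name: Write ~/.npmrc for the @played registry
        # umask 077 keeps the token file private; the value is never echoed to the log.
        run: |
          umask 077
          printf '%s\n' "$NPMRC" > ~/.npmrc
        env:
          NPMRC: ${{ secrets.NPMRC }}
      - name: Install exactly what the PR's lockfile says
        # --frozen-lockfile fails the job if Renovate's manifest bump and bun.lock disagree.
        run: bun install --frozen-lockfile
      - name: Build
        run: bun run build
```

To make it gating, enable "Enable Status Check" in the `main` branch protection rule and add this job's status context to the required checks; Gitea's auto-merge (which is what `platformAutomerge` drives) then waits for a green run before merging. A `kysely`-style breakage would fail here and leave the PR open instead of reaching the deploy.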
### Registry resolution

`@played`/`@unom`/etc. scopes are mapped to the Gitea registry via a committed `bunfig.toml` in each repo (token-free). Without it, Renovate's lockfile `bun install` falls back to registry.npmjs.org and 404s. Keep that file committed: a fallback to the public registry is also a dependency-confusion risk, since anything published there under those scope names would be installed instead of the private package. Auth comes from `RENOVATE_NPMRC` (the `NPMRC` secret), the gitignored local `.npmrc`, and the mounted build secret.
Keeping versions current together is not the same as enforcing hard parity. For "every repo on the exact same version, CI red on drift", pair this with a `syncpack` check.