played/workflows
4
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
ee51f4f032779ee2b42f42e316cef1e83f3fcb25
workflows/README.md
T
enricobuehler ee51f4f032 ci: add self-hosted Renovate for cross-repo dependency sync 
Scheduled Renovate bot (renovate.yml) + shared preset (renovate-config.json)
that every game/plaza repo extends, so dependency bumps land the same way
across repos. @played/* grouped together, third-party non-major batched.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 01:26:36 +02:00

3.1 KiB
Raw Blame History

played/workflows

Reusable Gitea Actions workflows for the played ecosystem.

build-deploy-game.yml

Drives the standard four-stage build-api-core → deploy-api-core → build-web → deploy-web pipeline for a played game.

Usage

Each game's .gitea/workflows/deploy.yml:

name: Build & Deploy <Game>
run-name: ${{ gitea.actor }} is deploying <game-id>

on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  build-deploy:
    uses: played/workflows/.gitea/workflows/build-deploy-game.yml@main
    with:
      game-id: <game-id>
    secrets: inherit

Required caller secrets

secrets: inherit makes all the calling repo's secrets available. The workflow reads:

Secret Purpose
BUILD_ENV Full prod .env contents. Used as a Docker build secret (secret-files: env=...) AND written to ~/<game-id>-secrets/.env on the deploy VM.
NPMRC ~/.npmrc content with @played:registry=... + auth tokens.
REGISTRY_USER / REGISTRY_TOKEN Gitea container registry creds.
PLAYED_HOST / PLAYED_USER / PLAYED_PORT / PLAYED_SSH_KEY Deploy target SSH.
STEP_CA_PROVISIONER_PASSWORD For the cert-init container in compose.production.yml.

Assumptions

  • The repo lives at git.unom.io/played/<game-id> (matches ${{ gitea.repository }}).
  • The VM working dir is ~/<game-id> (the deploy step cds there).
  • Secrets dir is ~/<game-id>-secrets/.
  • compose.production.yml defines api-core and web services, both with --env-file ~/<game-id>-secrets/.env.

renovate.yml + renovate-config.json

Self-hosted Renovate that keeps dependencies aligned across the game repos. renovate.yml is a scheduled bot (Mondays 06:00 UTC, plus manual workflow_dispatch); renovate-config.json is the shared preset every repo extends, so a bump lands the same way everywhere. Updates are grouped (@played/* together; third-party non-major batched) to keep PR noise down.

One-time setup

  1. Create a Gitea PAT — a dedicated renovate bot user is cleanest — with scopes read:user, write:repository, write:issue. Add it as the RENOVATE_TOKEN Actions secret (org-level, or on this repo).
  2. Make sure the existing NPMRC secret (registry + @played auth) is visible to this repo's Actions run (org-level recommended) — Renovate uses it to look up @played/* versions.
  3. Push, then run the workflow once (Run workflow). Renovate opens a "Configure Renovate" onboarding PR in each target repo that does extends: ["local>played/workflows:renovate-config"]; merge them to go live.

Target repos

Listed in renovate.yml under RENOVATE_REPOSITORIES (the six games + plaza). Add the shared packages (app-ui, games-registry, api-core, …) to that list to manage them too, or switch to RENOVATE_AUTODISCOVER=true with RENOVATE_AUTODISCOVER_FILTER=played/*.

The bot only keeps versions current together (it opens PRs). For hard parity — failing CI when any repo drifts — pair it with a syncpack check.

Reference in New Issue View Git Blame Copy Permalink