fix(ci): update Dockerfiles and workflow to include new Cloudinary environment variable

- Added NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME to both admin and storefront Dockerfiles to ensure it is available during the build process.
- Updated deploy-staging.yml to pass the new Cloudinary variable as a build argument.
- Clarified comments regarding the handling of NEXT_PUBLIC_* variables and Gitea secret prefixes.

This change enhances the build configuration for both applications, ensuring all necessary environment variables are correctly passed during the Docker build process.

.gitea/workflows/deploy-staging.yml

@@ -19,9 +19,10 @@ on:
 #   STAGING_SSH_USER                        — SSH user on the VPS
 #   STAGING_SSH_KEY                         — SSH private key (full PEM)
 #   STAGING_SSH_PORT                        — (optional) defaults to 22
-#   STAGING_NEXT_PUBLIC_CONVEX_URL          — Convex deployment URL (shared by both apps)
-#   STAGING_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY       — storefront Clerk publishable key
-#   STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY — admin Clerk publishable key
+#   STAGING_NEXT_PUBLIC_CONVEX_URL                  — Convex deployment URL (shared)
+#   STAGING_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY        — storefront Clerk publishable key
+#   STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY  — admin Clerk publishable key
+#   STAGING_NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME        — admin Cloudinary cloud name
 #
 # The Dockerfiles are expected at:
 #   apps/storefront/Dockerfile
@@ -107,29 +108,40 @@ jobs:
         # Each app has its own Clerk instance so the publishable key differs.
         # NEXT_PUBLIC_* vars must be baked in at build time — Next.js prerender
         # fails with "Missing publishableKey" if they are absent.
+        # Secrets use STAGING_/PROD_ prefix in Gitea; the prefix is stripped here
+        # so Dockerfiles receive the plain NEXT_PUBLIC_* names they expect.
         env:
-          STOREFRONT_CLERK_KEY: ${{ secrets.STAGING_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
+          STOREFRONT_CLERK_KEY: ${{ secrets.STAGING_STOREFRONT_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
           ADMIN_CLERK_KEY: ${{ secrets.STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
           NEXT_PUBLIC_CONVEX_URL: ${{ secrets.STAGING_NEXT_PUBLIC_CONVEX_URL }}
+          NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME: ${{ secrets.STAGING_NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME }}
         run: |
           SHORT_SHA="${GITHUB_SHA::7}"
           IMAGE="${{ secrets.STAGING_REGISTRY }}/${{ matrix.app }}"
 
           if [ "${{ matrix.app }}" = "admin" ]; then
             CLERK_KEY="$ADMIN_CLERK_KEY"
+            docker build \
+              -f apps/admin/Dockerfile \
+              --build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$CLERK_KEY" \
+              --build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
+              --build-arg NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME="$NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME" \
+              -t "${IMAGE}:staging" \
+              -t "${IMAGE}:sha-${SHORT_SHA}" \
+              --push \
+              ./out
           else
             CLERK_KEY="$STOREFRONT_CLERK_KEY"
+            docker build \
+              -f apps/storefront/Dockerfile \
+              --build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$CLERK_KEY" \
+              --build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
+              -t "${IMAGE}:staging" \
+              -t "${IMAGE}:sha-${SHORT_SHA}" \
+              --push \
+              ./out
           fi
 
-          docker build \
-            -f apps/${{ matrix.app }}/Dockerfile \
-            --build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$CLERK_KEY" \
-            --build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
-            -t "${IMAGE}:staging" \
-            -t "${IMAGE}:sha-${SHORT_SHA}" \
-            --push \
-            ./out
-
   # ── 3. Deploy ───────────────────────────────────────────────────────────────
 
   deploy: