fix(ci): update Dockerfiles and workflow to include new Cloudinary environment variable

- Added NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME to both admin and storefront Dockerfiles to ensure it is available during the build process.
- Updated deploy-staging.yml to pass the new Cloudinary variable as a build argument.
- Clarified comments regarding the handling of NEXT_PUBLIC_* variables and Gitea secret prefixes.

This change enhances the build configuration for both applications, ensuring all necessary environment variables are correctly passed during the Docker build process.

.gitea/workflows/deploy-staging.yml

@@ -19,9 +19,10 @@ on:
 #   STAGING_SSH_USER                        — SSH user on the VPS
 #   STAGING_SSH_KEY                         — SSH private key (full PEM)
 #   STAGING_SSH_PORT                        — (optional) defaults to 22
-#   STAGING_NEXT_PUBLIC_CONVEX_URL          — Convex deployment URL (shared by both apps)
+#   STAGING_NEXT_PUBLIC_CONVEX_URL                  — Convex deployment URL (shared)
 #   STAGING_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY        — storefront Clerk publishable key
 #   STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY  — admin Clerk publishable key
+#   STAGING_NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME        — admin Cloudinary cloud name
 #
 # The Dockerfiles are expected at:
 #   apps/storefront/Dockerfile
@@ -107,28 +108,39 @@ jobs:
         # Each app has its own Clerk instance so the publishable key differs.
         # NEXT_PUBLIC_* vars must be baked in at build time — Next.js prerender
         # fails with "Missing publishableKey" if they are absent.
+        # Secrets use STAGING_/PROD_ prefix in Gitea; the prefix is stripped here
+        # so Dockerfiles receive the plain NEXT_PUBLIC_* names they expect.
         env:
-          STOREFRONT_CLERK_KEY: ${{ secrets.STAGING_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
+          STOREFRONT_CLERK_KEY: ${{ secrets.STAGING_STOREFRONT_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
           ADMIN_CLERK_KEY: ${{ secrets.STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
           NEXT_PUBLIC_CONVEX_URL: ${{ secrets.STAGING_NEXT_PUBLIC_CONVEX_URL }}
+          NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME: ${{ secrets.STAGING_NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME }}
         run: |
           SHORT_SHA="${GITHUB_SHA::7}"
           IMAGE="${{ secrets.STAGING_REGISTRY }}/${{ matrix.app }}"
 
           if [ "${{ matrix.app }}" = "admin" ]; then
             CLERK_KEY="$ADMIN_CLERK_KEY"
+            docker build \
+              -f apps/admin/Dockerfile \
+              --build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$CLERK_KEY" \
+              --build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
+              --build-arg NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME="$NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME" \
+              -t "${IMAGE}:staging" \
+              -t "${IMAGE}:sha-${SHORT_SHA}" \
+              --push \
+              ./out
           else
             CLERK_KEY="$STOREFRONT_CLERK_KEY"
-          fi
-
             docker build \
-            -f apps/${{ matrix.app }}/Dockerfile \
+              -f apps/storefront/Dockerfile \
               --build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$CLERK_KEY" \
               --build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
               -t "${IMAGE}:staging" \
               -t "${IMAGE}:sha-${SHORT_SHA}" \
               --push \
               ./out
+          fi
 
   # ── 3. Deploy ───────────────────────────────────────────────────────────────
 

apps/admin/Dockerfile

@@ -28,12 +28,15 @@ COPY --from=deps /app/node_modules ./node_modules
 COPY full/ .
 
 # NEXT_PUBLIC_* vars are baked into the client bundle at build time by Next.js.
-# They must be present here (not just at runtime) or SSG/prerender fails with
-# "Missing publishableKey". Pass via --build-arg in CI.
+# They must be present here (not just at runtime) or SSG/prerender fails.
+# Passed via --build-arg in CI. Note: Gitea secrets use a STAGING_/PROD_ prefix
+# which is stripped by the workflow before being forwarded here as build args.
 ARG NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
 ARG NEXT_PUBLIC_CONVEX_URL
+ARG NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME
 ENV NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY \
     NEXT_PUBLIC_CONVEX_URL=$NEXT_PUBLIC_CONVEX_URL \
+    NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME=$NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME \
     NEXT_TELEMETRY_DISABLED=1
 
 RUN npx turbo build --filter=admin

apps/storefront/Dockerfile

@@ -34,8 +34,9 @@ COPY --from=deps /app/node_modules ./node_modules
 COPY full/ .
 
 # NEXT_PUBLIC_* vars are baked into the client bundle at build time by Next.js.
-# They must be present here (not just at runtime) or SSG/prerender fails with
-# "Missing publishableKey". Pass via --build-arg in CI.
+# They must be present here (not just at runtime) or SSG/prerender fails.
+# Passed via --build-arg in CI. Note: Gitea secrets use a STAGING_/PROD_ prefix
+# which is stripped by the workflow before being forwarded here as build args.
 ARG NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
 ARG NEXT_PUBLIC_CONVEX_URL
 ENV NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY \