admin/the-pet-loft
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ci): replace dynamic matrix with explicit per-app jobs
All checks were successful
Deploy — Staging / Detect changed apps (push) Successful in 16s
Details
Deploy — Staging / Lint, Typecheck & Test (push) Successful in 1m29s
Details
Deploy — Staging / Build & push — storefront (push) Has been skipped
Details
Deploy — Staging / Build & push — admin (push) Has been skipped
Details
Deploy — Staging / Deploy to staging VPS (push) Has been skipped
Details

Browse Source 
Gitea Actions does not evaluate fromJson() in matrix strategy — matrix.app
was always empty, breaking turbo prune. Replaced with two explicit jobs
(build-storefront, build-admin) each with a plain if: condition.

The deploy job uses always() + !contains(needs.*.result, 'failure') so it
runs when either build succeeded and skips when a build was cancelled/failed.
Parallelism is preserved — both apps still build simultaneously when both change.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
ianshaloom
2026-03-08 16:35:10 +03:00
parent f6156c78d1
commit 777c3b34bc
1 changed files with 90 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

177
.gitea/workflows/deploy-staging.yml
View File

@@ -8,7 +8,6 @@ on:
# Gitea Actions has no environment-level secrets (unlike GitHub Actions). # Gitea Actions has no environment-level secrets (unlike GitHub Actions).
# Staging and production secrets live at repo level, distinguished by prefix. # Staging and production secrets live at repo level, distinguished by prefix.
# Production workflow uses the same names with PROD_ prefix. # Production workflow uses the same names with PROD_ prefix.
# (see: troubleshooting #8 — REGISTRY must include the owner segment)
# #
# Required secrets (repo → Settings → Secrets and Variables → Actions): # Required secrets (repo → Settings → Secrets and Variables → Actions):
# STAGING_REGISTRY — host:port/owner # STAGING_REGISTRY — host:port/owner
@@ -31,18 +30,13 @@ on:
jobs: jobs:
# ── 0. Detect changes ──────────────────────────────────────────────────────── # ── 0. Detect changes ────────────────────────────────────────────────────────
# Determines which apps have changed so downstream jobs skip unchanged ones. # Determines which apps need to be rebuilt on this push.
# Rules: # Shared paths (packages/, convex/, root config) mark both apps as changed.
# apps/storefront/** → storefront
# apps/admin/** → admin
# packages/**, convex/** → both (shared code)
# package.json, package-lock.json, turbo.json → both (root config)
changes: changes:
name: Detect changed apps name: Detect changed apps
runs-on: ubuntu-latest runs-on: ubuntu-latest
outputs: outputs:
matrix: ${{ steps.detect.outputs.matrix }}
storefront: ${{ steps.detect.outputs.storefront }} storefront: ${{ steps.detect.outputs.storefront }}
admin: ${{ steps.detect.outputs.admin }} admin: ${{ steps.detect.outputs.admin }}
steps: steps:
@@ -53,7 +47,6 @@ jobs:
- name: Determine affected apps - name: Determine affected apps
id: detect id: detect
run: | run: |
# Fall back to diffing against an empty tree on the very first commit
BASE=$(git rev-parse HEAD~1 2>/dev/null || git hash-object -t tree /dev/null) BASE=$(git rev-parse HEAD~1 2>/dev/null || git hash-object -t tree /dev/null)
CHANGED=$(git diff --name-only "$BASE" HEAD) CHANGED=$(git diff --name-only "$BASE" HEAD)
@@ -66,22 +59,9 @@ jobs:
ADMIN=true ADMIN=true
fi fi
echo "$CHANGED" | grep -q '^apps/storefront/' && STOREFRONT=true echo "$CHANGED" | grep -q '^apps/storefront/' && STOREFRONT=true || true
echo "$CHANGED" | grep -q '^apps/admin/' && ADMIN=true echo "$CHANGED" | grep -q '^apps/admin/' && ADMIN=true || true
# Build JSON matrix for the build job
APPS=()
[ "$STOREFRONT" = "true" ] && APPS+=("storefront")
[ "$ADMIN" = "true" ] && APPS+=("admin")
if [ ${#APPS[@]} -eq 0 ]; then
MATRIX="[]"
else
MATRIX=$(printf '"%s",' "${APPS[@]}" | sed 's/,$//')
MATRIX="[${MATRIX}]"
fi
echo "matrix=${MATRIX}" >> "$GITHUB_OUTPUT"
echo "storefront=${STOREFRONT}" >> "$GITHUB_OUTPUT" echo "storefront=${STOREFRONT}" >> "$GITHUB_OUTPUT"
echo "admin=${ADMIN}" >> "$GITHUB_OUTPUT" echo "admin=${ADMIN}" >> "$GITHUB_OUTPUT"
@@ -93,116 +73,131 @@ jobs:
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Setup Node.js - uses: actions/setup-node@v4
uses: actions/setup-node@v4
with: with:
node-version: 20 node-version: 20
cache: npm cache: npm
- name: Install dependencies - run: npm ci
run: npm ci - run: npm run lint
- run: npm run type-check
- run: npm run test:once
- name: Lint # ── 2a. Build storefront ─────────────────────────────────────────────────────
run: npm run lint
- name: Typecheck build-storefront:
run: npm run type-check name: Build & push — storefront
- name: Test
run: npm run test:once
# ── 2. Build & push ─────────────────────────────────────────────────────────
# Matrix is restricted to apps that actually changed — unchanged apps are
# skipped entirely so their build minutes are not wasted.
build:
name: Build & push — ${{ matrix.app }}
needs: [ci, changes] needs: [ci, changes]
if: needs.changes.outputs.matrix != '[]' if: needs.changes.outputs.storefront == 'true'
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy:
matrix:
app: ${{ fromJson(needs.changes.outputs.matrix) }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Setup Node.js - uses: actions/setup-node@v4
uses: actions/setup-node@v4
with: with:
node-version: 20 node-version: 20
cache: npm cache: npm
- name: Install dependencies - run: npm ci
run: npm ci
- name: Prune workspace for ${{ matrix.app }} - name: Prune workspace
run: | run: |
npx turbo prune ${{ matrix.app }} --docker npx turbo prune storefront --docker
# convex/ is not an npm workspace so turbo prune excludes it — copy manually
cp -r convex out/full/convex cp -r convex out/full/convex
# turbo prune can't fully parse the npm 11 lockfile; replace with full lockfile
# so non-hoisted packages (e.g. apps/storefront/node_modules/@heroui/react)
# are present when npm ci runs inside the Docker build.
cp package-lock.json out/package-lock.json cp package-lock.json out/package-lock.json
- name: Authenticate with registry - name: Authenticate with registry
# docker login fails for HTTP-only registries — pre-populate config.json instead
# (see: troubleshooting #7)
run: | run: |
mkdir -p ~/.docker mkdir -p ~/.docker
AUTH=$(echo -n "${{ secrets.STAGING_REGISTRY_USER }}:${{ secrets.STAGING_REGISTRY_TOKEN }}" | base64 -w 0) AUTH=$(echo -n "${{ secrets.STAGING_REGISTRY_USER }}:${{ secrets.STAGING_REGISTRY_TOKEN }}" | base64 -w 0)
REGISTRY_HOST=$(echo "${{ secrets.STAGING_REGISTRY }}" | cut -d'/' -f1) REGISTRY_HOST=$(echo "${{ secrets.STAGING_REGISTRY }}" | cut -d'/' -f1)
echo "{\"auths\":{\"${REGISTRY_HOST}\":{\"auth\":\"${AUTH}\"}}}" > ~/.docker/config.json echo "{\"auths\":{\"${REGISTRY_HOST}\":{\"auth\":\"${AUTH}\"}}}" > ~/.docker/config.json
- name: Build & push ${{ matrix.app }} - name: Build & push
# --push uses buildkit HTTPS internally, which fails for HTTP registries.
# --load + docker push goes through the Podman daemon (insecure=true). (#7, #12)
env: env:
STOREFRONT_CLERK_KEY: ${{ secrets.STAGING_STOREFRONT_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }} NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ secrets.STAGING_STOREFRONT_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
ADMIN_CLERK_KEY: ${{ secrets.STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
NEXT_PUBLIC_CONVEX_URL: ${{ secrets.STAGING_NEXT_PUBLIC_CONVEX_URL }} NEXT_PUBLIC_CONVEX_URL: ${{ secrets.STAGING_NEXT_PUBLIC_CONVEX_URL }}
NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME: ${{ secrets.STAGING_NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME }}
NEXT_PUBLIC_CLOUDINARY_API_KEY: ${{ secrets.STAGING_NEXT_PUBLIC_CLOUDINARY_API_KEY }}
NEXT_PUBLIC_IMAGE_PROCESSING_API_URL: ${{ secrets.STAGING_NEXT_PUBLIC_IMAGE_PROCESSING_API_URL }}
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: ${{ secrets.STAGING_NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY }} NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: ${{ secrets.STAGING_NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY }}
run: | run: |
SHORT_SHA="${GITHUB_SHA::7}" SHORT_SHA="${GITHUB_SHA::7}"
IMAGE="${{ secrets.STAGING_REGISTRY }}/${{ matrix.app }}" IMAGE="${{ secrets.STAGING_REGISTRY }}/storefront"
if [ "${{ matrix.app }}" = "admin" ]; then
docker build \
-f apps/admin/Dockerfile \
--build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$ADMIN_CLERK_KEY" \
--build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
--build-arg NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME="$NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME" \
--build-arg NEXT_PUBLIC_CLOUDINARY_API_KEY="$NEXT_PUBLIC_CLOUDINARY_API_KEY" \
--build-arg NEXT_PUBLIC_IMAGE_PROCESSING_API_URL="$NEXT_PUBLIC_IMAGE_PROCESSING_API_URL" \
--load \
-t "${IMAGE}:staging" \
./out
else
docker build \ docker build \
-f apps/storefront/Dockerfile \ -f apps/storefront/Dockerfile \
--build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$STOREFRONT_CLERK_KEY" \ --build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY" \
--build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \ --build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
--build-arg NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY="$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY" \ --build-arg NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY="$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY" \
--load \ --load -t "${IMAGE}:staging" ./out
-t "${IMAGE}:staging" \
./out
fi
docker tag "${IMAGE}:staging" "${IMAGE}:sha-${SHORT_SHA}" docker tag "${IMAGE}:staging" "${IMAGE}:sha-${SHORT_SHA}"
docker push "${IMAGE}:staging" docker push "${IMAGE}:staging"
docker push "${IMAGE}:sha-${SHORT_SHA}" docker push "${IMAGE}:sha-${SHORT_SHA}"
# ── 3. Deploy ─────────────────────────────────────────────────────────────── # ── 2b. Build admin ──────────────────────────────────────────────────────────
# Only pulls and restarts the containers whose images were just rebuilt.
build-admin:
name: Build & push — admin
needs: [ci, changes]
if: needs.changes.outputs.admin == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
cache: npm
- run: npm ci
- name: Prune workspace
run: |
npx turbo prune admin --docker
cp -r convex out/full/convex
cp package-lock.json out/package-lock.json
- name: Authenticate with registry
run: |
mkdir -p ~/.docker
AUTH=$(echo -n "${{ secrets.STAGING_REGISTRY_USER }}:${{ secrets.STAGING_REGISTRY_TOKEN }}" | base64 -w 0)
REGISTRY_HOST=$(echo "${{ secrets.STAGING_REGISTRY }}" | cut -d'/' -f1)
echo "{\"auths\":{\"${REGISTRY_HOST}\":{\"auth\":\"${AUTH}\"}}}" > ~/.docker/config.json
- name: Build & push
env:
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ secrets.STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
NEXT_PUBLIC_CONVEX_URL: ${{ secrets.STAGING_NEXT_PUBLIC_CONVEX_URL }}
NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME: ${{ secrets.STAGING_NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME }}
NEXT_PUBLIC_CLOUDINARY_API_KEY: ${{ secrets.STAGING_NEXT_PUBLIC_CLOUDINARY_API_KEY }}
NEXT_PUBLIC_IMAGE_PROCESSING_API_URL: ${{ secrets.STAGING_NEXT_PUBLIC_IMAGE_PROCESSING_API_URL }}
run: |
SHORT_SHA="${GITHUB_SHA::7}"
IMAGE="${{ secrets.STAGING_REGISTRY }}/admin"
docker build \
-f apps/admin/Dockerfile \
--build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY" \
--build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
--build-arg NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME="$NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME" \
--build-arg NEXT_PUBLIC_CLOUDINARY_API_KEY="$NEXT_PUBLIC_CLOUDINARY_API_KEY" \
--build-arg NEXT_PUBLIC_IMAGE_PROCESSING_API_URL="$NEXT_PUBLIC_IMAGE_PROCESSING_API_URL" \
--load -t "${IMAGE}:staging" ./out
docker tag "${IMAGE}:staging" "${IMAGE}:sha-${SHORT_SHA}"
docker push "${IMAGE}:staging"
docker push "${IMAGE}:sha-${SHORT_SHA}"
# ── 3. Deploy ────────────────────────────────────────────────────────────────
# Runs when at least one app changed and no build failed.
# `always()` is required so the job isn't auto-skipped when one build job
# was skipped (Gitea/GitHub skip downstream jobs of skipped jobs by default).
deploy: deploy:
name: Deploy to staging VPS name: Deploy to staging VPS
needs: [build, changes] needs: [build-storefront, build-admin, changes]
if: needs.changes.outputs.matrix != '[]' if: |
always() &&
(needs.changes.outputs.storefront == 'true' || needs.changes.outputs.admin == 'true') &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
@@ -241,7 +236,6 @@ jobs:
| podman login "${REGISTRY_HOST}" \ | podman login "${REGISTRY_HOST}" \
-u "${REGISTRY_USER}" --password-stdin --tls-verify=false -u "${REGISTRY_USER}" --password-stdin --tls-verify=false
# Pull only the images that were just rebuilt
[ "${STOREFRONT_CHANGED}" = "true" ] && podman pull --tls-verify=false "${REGISTRY}/storefront:staging" [ "${STOREFRONT_CHANGED}" = "true" ] && podman pull --tls-verify=false "${REGISTRY}/storefront:staging"
[ "${ADMIN_CHANGED}" = "true" ] && podman pull --tls-verify=false "${REGISTRY}/admin:staging" [ "${ADMIN_CHANGED}" = "true" ] && podman pull --tls-verify=false "${REGISTRY}/admin:staging"
@@ -253,7 +247,6 @@ jobs:
> /opt/staging/.env > /opt/staging/.env
chmod 600 /opt/staging/.env chmod 600 /opt/staging/.env
# Restart only the containers whose images changed
SERVICES="" SERVICES=""
[ "${STOREFRONT_CHANGED}" = "true" ] && SERVICES="\${SERVICES} storefront" [ "${STOREFRONT_CHANGED}" = "true" ] && SERVICES="\${SERVICES} storefront"
[ "${ADMIN_CHANGED}" = "true" ] && SERVICES="\${SERVICES} admin" [ "${ADMIN_CHANGED}" = "true" ] && SERVICES="\${SERVICES} admin"