diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index c0c21a4..c57277f 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -3,7 +3,7 @@ name: CI
on:
push:
branches:
- - "**"
+ - feat #"**" # TODO: change to "**" after testing
jobs:
ci:
diff --git a/.gitea/workflows/deploy-staging.yml b/.gitea/workflows/deploy-staging.yml
index b55cf31..c00035d 100644
--- a/.gitea/workflows/deploy-staging.yml
+++ b/.gitea/workflows/deploy-staging.yml
@@ -11,14 +11,17 @@ on:
# (see: troubleshooting #8 — REGISTRY must include the owner segment)
#
# Required secrets (repo → Settings → Secrets and Variables → Actions):
-# STAGING_REGISTRY — host:port/owner (e.g. git.yourdomain.com:3000/myorg)
-# STAGING_REGISTRY_USER — Gitea username
-# STAGING_REGISTRY_TOKEN — Gitea personal access token (package:write scope)
-# STAGING_SSH_HOST — use host.containers.internal, not the external IP
-# (see: troubleshooting #13 — VPS firewall blocks ext IP)
-# STAGING_SSH_USER — SSH user on the VPS
-# STAGING_SSH_KEY — SSH private key (full PEM)
-# STAGING_SSH_PORT — (optional) defaults to 22
+# STAGING_REGISTRY — host:port/owner (e.g. git.yourdomain.com:3000/myorg)
+# STAGING_REGISTRY_USER — Gitea username
+# STAGING_REGISTRY_TOKEN — Gitea personal access token (package:write scope)
+# STAGING_SSH_HOST — use host.containers.internal, not the external IP
+# (see: troubleshooting #13 — VPS firewall blocks ext IP)
+# STAGING_SSH_USER — SSH user on the VPS
+# STAGING_SSH_KEY — SSH private key (full PEM)
+# STAGING_SSH_PORT — (optional) defaults to 22
+# STAGING_NEXT_PUBLIC_CONVEX_URL — Convex deployment URL (shared by both apps)
+# STAGING_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY — storefront Clerk publishable key
+# STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY — admin Clerk publishable key
#
# The Dockerfiles are expected at:
# apps/storefront/Dockerfile
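Review bot: The new `branches` entry leaves CI running on `feat` only, so pushes to every other branch, including the repository's default branch, no longer get a CI run while the TODO stands. If the narrowing is needed for testing, listing the default branch alongside `feat` keeps merges checked, e.g. `- feat` followed by `- main # keep while testing` (substitute the actual default branch). The TODO would also be easier to enforce with the original glob restored on a separate line rather than inside an inline comment.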
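Review bot: The three new entries are listed under "Required secrets", but `STAGING_NEXT_PUBLIC_CONVEX_URL` and the two Clerk publishable keys are NEXT_PUBLIC_* values that the Dockerfiles in this commit bake into the client bundle, so they are not confidential. Keeping them as secrets has a practical cost: the runner masks secret values in logs, which hides the exact value you need to see when diagnosing the "Missing publishableKey" failure this commit is working around. The comment should say so, e.g. `# (the NEXT_PUBLIC_* entries are public by design — kept as secrets for convenience, not confidentiality)`; if this Gitea version offers repository Variables (the settings page named here has a "Variables" section), they may be a better home. The comment block continues past the hunk.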
@@ -85,14 +88,6 @@ jobs:
# Copy it manually so the Dockerfile has the generated types it needs.
cp -r convex out/full/convex
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
- with:
- # docker-container driver spawns a privileged builder container which
- # fails on rootless Podman. "docker" driver reuses the daemon directly.
- # (see: troubleshooting #5)
- driver: docker
-
- name: Authenticate with registry
# docker login sends HTTPS even for HTTP-only (insecure) registries, so it
# fails before the daemon can handle it. Pre-populating config.json bypasses
@@ -105,22 +100,36 @@ jobs:
echo "{\"auths\":{\"${REGISTRY_HOST}\":{\"auth\":\"${AUTH}\"}}}" > ~/.docker/config.json
- name: Build & push ${{ matrix.app }}
- # Plain docker build — no docker/setup-buildx-action needed.
- # The docker-container buildx driver spawns a privileged builder container
- # which fails on rootless Podman without --privileged. (see: troubleshooting #5)
+ # Uses --push to push directly during build, which avoids the "No output
+ # specified with docker-container driver" warning that appears when using
+ # a separate docker push step without --load. (see: troubleshooting #5)
+ #
+ # Each app has its own Clerk instance so the publishable key differs.
+ # NEXT_PUBLIC_* vars must be baked in at build time — Next.js prerender
+ # fails with "Missing publishableKey" if they are absent.
+ env:
+ STOREFRONT_CLERK_KEY: ${{ secrets.STAGING_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
+ ADMIN_CLERK_KEY: ${{ secrets.STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
+ NEXT_PUBLIC_CONVEX_URL: ${{ secrets.STAGING_NEXT_PUBLIC_CONVEX_URL }}
run: |
SHORT_SHA="${GITHUB_SHA::7}"
IMAGE="${{ secrets.STAGING_REGISTRY }}/${{ matrix.app }}"
+ if [ "${{ matrix.app }}" = "admin" ]; then
+ CLERK_KEY="$ADMIN_CLERK_KEY"
+ else
+ CLERK_KEY="$STOREFRONT_CLERK_KEY"
+ fi
+
docker build \
-f apps/${{ matrix.app }}/Dockerfile \
+ --build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$CLERK_KEY" \
+ --build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
-t "${IMAGE}:staging" \
-t "${IMAGE}:sha-${SHORT_SHA}" \
+ --push \
./out
- docker push "${IMAGE}:staging"
- docker push "${IMAGE}:sha-${SHORT_SHA}"
-
# ── 3. Deploy ───────────────────────────────────────────────────────────────
deploy:
diff --git a/apps/admin/Dockerfile b/apps/admin/Dockerfile
index 8c2545c..094d477 100644
--- a/apps/admin/Dockerfile
+++ b/apps/admin/Dockerfile
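Review bot: An unset or misnamed secret reaches `docker build` as `--build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=""`, and the failure then surfaces much later inside the Next.js prerender with the "Missing publishableKey" message the new comment describes, with no hint of which secret was empty. A fail-fast check right after the `if`/`fi` selection makes the cause explicit: `: "${CLERK_KEY:?Clerk publishable key for ${{ matrix.app }} is empty}"` and `: "${NEXT_PUBLIC_CONVEX_URL:?STAGING_NEXT_PUBLIC_CONVEX_URL is empty}"`. Separately, the new comment explains `--push` in terms of the docker-container driver, but the step that configured the Buildx driver is removed in the preceding hunk (@@ -85,14), so the flag now depends on whichever builder `docker build` resolves to on the runner; stating that assumption in the comment (or pinning it with `docker buildx build`) would keep the two hunks consistent. The `env` block and shell body appear complete within the hunk, but the enclosing job starts before it.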
@@ -27,7 +27,14 @@ WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY full/ .
-ENV NEXT_TELEMETRY_DISABLED=1
+# NEXT_PUBLIC_* vars are baked into the client bundle at build time by Next.js.
+# They must be present here (not just at runtime) or SSG/prerender fails with
+# "Missing publishableKey". Pass via --build-arg in CI.
+ARG NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
+ARG NEXT_PUBLIC_CONVEX_URL
+ENV NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY \
+ NEXT_PUBLIC_CONVEX_URL=$NEXT_PUBLIC_CONVEX_URL \
+ NEXT_TELEMETRY_DISABLED=1
RUN npx turbo build --filter=admin
diff --git a/apps/storefront/Dockerfile b/apps/storefront/Dockerfile
index 3478c00..57a0c76 100644
--- a/apps/storefront/Dockerfile
+++ b/apps/storefront/Dockerfile
@@ -33,7 +33,14 @@ WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY full/ .
-ENV NEXT_TELEMETRY_DISABLED=1
+# NEXT_PUBLIC_* vars are baked into the client bundle at build time by Next.js.
+# They must be present here (not just at runtime) or SSG/prerender fails with
+# "Missing publishableKey". Pass via --build-arg in CI.
+ARG NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
+ARG NEXT_PUBLIC_CONVEX_URL
+ENV NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY \
+ NEXT_PUBLIC_CONVEX_URL=$NEXT_PUBLIC_CONVEX_URL \
+ NEXT_TELEMETRY_DISABLED=1
RUN npx turbo build --filter=storefront
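Review bot: The `ARG` → `ENV` pattern added here (and identically in the apps/storefront/Dockerfile hunk below) persists the values in the image configuration and build history of every image built from this stage, which is acceptable only because NEXT_PUBLIC_* values are client-exposed by design; the comment should say that so the pattern is not later copied for a server-side Clerk or Convex secret, which would need a BuildKit secret mount instead of a build arg. Suggested addition to the comment block: `# Build args and ENV persist in the image — only ever use this for NEXT_PUBLIC_* (public) values.` The `ENV` line also silently expands an unpassed arg to an empty string, so the Next.js build fails later with the generic "Missing publishableKey" message; a `RUN test -n "$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY" -a -n "$NEXT_PUBLIC_CONVEX_URL"` before `RUN npx turbo build` would name the missing input directly. Whether this is the final stage or an intermediate builder stage is not visible in the hunk.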