From bc7306fea4cf855de667aabfd902404a6066ed40 Mon Sep 17 00:00:00 2001
From: ianshaloom <naimoolsha@gmail.com>
Date: Sun, 8 Mar 2026 03:31:58 +0300
Subject: [PATCH] fix(ci): pass NEXT_PUBLIC build args and fix docker push

Two issues in the admin (and upcoming storefront) build:

1. Missing Clerk publishableKey during prerender
   NEXT_PUBLIC_* vars are baked into the client bundle at build time. If absent,
   Next.js SSG fails with "@clerk/clerk-react: Missing publishableKey".
   Added ARG + ENV in both Dockerfiles builder stage and pass them via
   --build-arg in the workflow. Admin and storefront use different Clerk
   instances so the key is selected per matrix.app with a shell conditional.

2. "No output specified with docker-container driver" warning
   setup-buildx-action with driver:docker was not switching the driver in the
   Podman environment. Removed the step and switched to docker build --push
   which pushes directly during the build, eliminating the separate push steps
   and the missing-output warning.

New secrets required:
  STAGING_NEXT_PUBLIC_CONVEX_URL
  STAGING_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY        (storefront)
  STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY  (admin)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .gitea/workflows/ci.yml             |  2 +-
 .gitea/workflows/deploy-staging.yml | 53 +++++++++++++++++------------
 apps/admin/Dockerfile               |  9 ++++-
 apps/storefront/Dockerfile          |  9 ++++-
 4 files changed, 48 insertions(+), 25 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index c0c21a4..c57277f 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -3,7 +3,7 @@ name: CI
 on:
   push:
     branches:
-      - "**"
+      - feat #"**" # TODO: change to "**" after testing
 
 jobs:
   ci:
diff --git a/.gitea/workflows/deploy-staging.yml b/.gitea/workflows/deploy-staging.yml
index b55cf31..c00035d 100644
--- a/.gitea/workflows/deploy-staging.yml
+++ b/.gitea/workflows/deploy-staging.yml
@@ -11,14 +11,17 @@ on:
 # (see: troubleshooting #8 — REGISTRY must include the owner segment)
 #
 # Required secrets (repo → Settings → Secrets and Variables → Actions):
-#   STAGING_REGISTRY       — host:port/owner  (e.g. git.yourdomain.com:3000/myorg)
-#   STAGING_REGISTRY_USER  — Gitea username
-#   STAGING_REGISTRY_TOKEN — Gitea personal access token (package:write scope)
-#   STAGING_SSH_HOST       — use host.containers.internal, not the external IP
-#                            (see: troubleshooting #13 — VPS firewall blocks ext IP)
-#   STAGING_SSH_USER       — SSH user on the VPS
-#   STAGING_SSH_KEY        — SSH private key (full PEM)
-#   STAGING_SSH_PORT       — (optional) defaults to 22
+#   STAGING_REGISTRY                        — host:port/owner  (e.g. git.yourdomain.com:3000/myorg)
+#   STAGING_REGISTRY_USER                   — Gitea username
+#   STAGING_REGISTRY_TOKEN                  — Gitea personal access token (package:write scope)
+#   STAGING_SSH_HOST                        — use host.containers.internal, not the external IP
+#                                             (see: troubleshooting #13 — VPS firewall blocks ext IP)
+#   STAGING_SSH_USER                        — SSH user on the VPS
+#   STAGING_SSH_KEY                         — SSH private key (full PEM)
+#   STAGING_SSH_PORT                        — (optional) defaults to 22
+#   STAGING_NEXT_PUBLIC_CONVEX_URL          — Convex deployment URL (shared by both apps)
+#   STAGING_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY       — storefront Clerk publishable key
+#   STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY — admin Clerk publishable key
 #
 # The Dockerfiles are expected at:
 #   apps/storefront/Dockerfile
@@ -85,14 +88,6 @@ jobs:
           # Copy it manually so the Dockerfile has the generated types it needs.
           cp -r convex out/full/convex
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          # docker-container driver spawns a privileged builder container which
-          # fails on rootless Podman. "docker" driver reuses the daemon directly.
-          # (see: troubleshooting #5)
-          driver: docker
-
       - name: Authenticate with registry
         # docker login sends HTTPS even for HTTP-only (insecure) registries, so it
         # fails before the daemon can handle it. Pre-populating config.json bypasses
@@ -105,22 +100,36 @@ jobs:
           echo "{\"auths\":{\"${REGISTRY_HOST}\":{\"auth\":\"${AUTH}\"}}}" > ~/.docker/config.json
 
       - name: Build & push ${{ matrix.app }}
-        # Plain docker build — no docker/setup-buildx-action needed.
-        # The docker-container buildx driver spawns a privileged builder container
-        # which fails on rootless Podman without --privileged. (see: troubleshooting #5)
+        # Uses --push to push directly during build, which avoids the "No output
+        # specified with docker-container driver" warning that appears when using
+        # a separate docker push step without --load. (see: troubleshooting #5)
+        #
+        # Each app has its own Clerk instance so the publishable key differs.
+        # NEXT_PUBLIC_* vars must be baked in at build time — Next.js prerender
+        # fails with "Missing publishableKey" if they are absent.
+        env:
+          STOREFRONT_CLERK_KEY: ${{ secrets.STAGING_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
+          ADMIN_CLERK_KEY: ${{ secrets.STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
+          NEXT_PUBLIC_CONVEX_URL: ${{ secrets.STAGING_NEXT_PUBLIC_CONVEX_URL }}
         run: |
           SHORT_SHA="${GITHUB_SHA::7}"
           IMAGE="${{ secrets.STAGING_REGISTRY }}/${{ matrix.app }}"
 
+          if [ "${{ matrix.app }}" = "admin" ]; then
+            CLERK_KEY="$ADMIN_CLERK_KEY"
+          else
+            CLERK_KEY="$STOREFRONT_CLERK_KEY"
+          fi
+
           docker build \
             -f apps/${{ matrix.app }}/Dockerfile \
+            --build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$CLERK_KEY" \
+            --build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
             -t "${IMAGE}:staging" \
             -t "${IMAGE}:sha-${SHORT_SHA}" \
+            --push \
             ./out
 
-          docker push "${IMAGE}:staging"
-          docker push "${IMAGE}:sha-${SHORT_SHA}"
-
   # ── 3. Deploy ───────────────────────────────────────────────────────────────
 
   deploy:
diff --git a/apps/admin/Dockerfile b/apps/admin/Dockerfile
index 8c2545c..094d477 100644
--- a/apps/admin/Dockerfile
+++ b/apps/admin/Dockerfile
@@ -27,7 +27,14 @@ WORKDIR /app
 COPY --from=deps /app/node_modules ./node_modules
 COPY full/ .
 
-ENV NEXT_TELEMETRY_DISABLED=1
+# NEXT_PUBLIC_* vars are baked into the client bundle at build time by Next.js.
+# They must be present here (not just at runtime) or SSG/prerender fails with
+# "Missing publishableKey". Pass via --build-arg in CI.
+ARG NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
+ARG NEXT_PUBLIC_CONVEX_URL
+ENV NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY \
+    NEXT_PUBLIC_CONVEX_URL=$NEXT_PUBLIC_CONVEX_URL \
+    NEXT_TELEMETRY_DISABLED=1
 
 RUN npx turbo build --filter=admin
 
diff --git a/apps/storefront/Dockerfile b/apps/storefront/Dockerfile
index 3478c00..57a0c76 100644
--- a/apps/storefront/Dockerfile
+++ b/apps/storefront/Dockerfile
@@ -33,7 +33,14 @@ WORKDIR /app
 COPY --from=deps /app/node_modules ./node_modules
 COPY full/ .
 
-ENV NEXT_TELEMETRY_DISABLED=1
+# NEXT_PUBLIC_* vars are baked into the client bundle at build time by Next.js.
+# They must be present here (not just at runtime) or SSG/prerender fails with
+# "Missing publishableKey". Pass via --build-arg in CI.
+ARG NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
+ARG NEXT_PUBLIC_CONVEX_URL
+ENV NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY \
+    NEXT_PUBLIC_CONVEX_URL=$NEXT_PUBLIC_CONVEX_URL \
+    NEXT_TELEMETRY_DISABLED=1
 
 RUN npx turbo build --filter=storefront