galaxy-game/.gitea/workflows/dev-deploy.yaml

name: dev-deploy

# Builds the Galaxy stack and (re)deploys it into the long-lived dev
# environment on the host running this Gitea Actions runner. Triggered
# on every merge into `development`. Branch protections on `development`
# guarantee the commit already passed `go-unit`, `ui-test`, and
# `integration` as part of the PR that produced this push, so this
# workflow does not re-run those tests — it focuses on packaging and
# rollout.

on:
  push:
    branches:
      - development
    paths:
      - 'backend/**'
      - 'gateway/**'
      - 'game/**'
      - 'pkg/**'
      - 'ui/**'
      - 'go.work'
      - 'go.work.sum'
      - 'tools/dev-deploy/**'
      - '.gitea/workflows/dev-deploy.yaml'
      - '!**/*.md'

env:
  # See go-unit.yaml for the rationale; this disables TLS verify for
  # actions/checkout against the LAN Gitea host signed by host-Caddy's
  # internal CA.
  GIT_SSL_NO_VERIFY: "true"

jobs:
  deploy:
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: recursive

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.work
          cache: true

      - name: Set up pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 11.0.7

      - name: Set up Node
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
          cache-dependency-path: ui/pnpm-lock.yaml

      - name: Install UI dependencies
        working-directory: ui
        run: pnpm install --frozen-lockfile

      - name: Build UI frontend
        working-directory: ui/frontend
        env:
          VITE_GATEWAY_BASE_URL: https://api.galaxy.lan
        run: |
          # The response-signing public key is committed in
          # `.env.development` alongside its private counterpart in
          # `tools/local-dev/keys/`. Pull it from there at build time so
          # the production-mode bundle ships the same key the dev
          # gateway uses to sign.
          export VITE_GATEWAY_RESPONSE_PUBLIC_KEY="$(grep -E '^VITE_GATEWAY_RESPONSE_PUBLIC_KEY=' .env.development | cut -d= -f2)"
          pnpm build

      - name: Build galaxy-engine image
        working-directory: ${{ gitea.workspace }}
        run: |
          docker build \
            -t galaxy-engine:dev \
            -f game/Dockerfile \
            .

      - name: Build backend + gateway images
        working-directory: tools/dev-deploy
        run: |
          docker compose build galaxy-backend galaxy-api

      - name: Seed UI volume
        run: |
          docker volume create galaxy-dev-ui-dist >/dev/null
          docker run --rm \
            -v galaxy-dev-ui-dist:/dst \
            -v "${{ gitea.workspace }}/ui/frontend/build:/src:ro" \
            alpine sh -c 'rm -rf /dst/* /dst/.??* 2>/dev/null; cp -a /src/. /dst/'

      - name: Bring up the stack
        working-directory: tools/dev-deploy
        env:
          GALAXY_DEV_GAME_STATE_DIR: ${{ env.HOME }}/.galaxy-dev/game-state
        run: |
          mkdir -p "$GALAXY_DEV_GAME_STATE_DIR"
          docker compose up -d --wait --remove-orphans

      - name: Probe the stack
        run: |
          set -e
          # Use --resolve so the probe goes through the same routing as
          # a browser on the host: the host Caddy on :443 (which has
          # `tls internal`) terminates and forwards into the edge
          # network. We accept the host's internal CA via -k because
          # the runner image has no reason to trust it.
          curl -sk --max-time 10 https://api.galaxy.lan/healthz \
            | tee /tmp/healthz
          test -s /tmp/healthz
          curl -sk --max-time 10 -o /dev/null -w '%{http_code}\n' \
            https://www.galaxy.lan/ | tee /tmp/www_status
          grep -qE '^(200|304)$' /tmp/www_status