galaxy-game/.gitea/workflows/prod-build.yaml

name: Build · Prod

# Builds the production-grade Docker images and the UI bundle on every
# merge into `main`, then saves the artifacts so a future
# `deploy-prod.yaml` run can ship them to the production host. This
# workflow does not deploy anything by itself — production rollout is
# strictly manual (workflow_dispatch on `deploy-prod.yaml`).

on:
  push:
    branches:
      - main
    paths:
      - 'backend/**'
      - 'gateway/**'
      - 'game/**'
      - 'pkg/**'
      - 'ui/**'
      - 'go.work'
      - 'go.work.sum'
      - '.gitea/workflows/prod-build.yaml'
      - '!**/*.md'

env:
  # See go-unit.yaml for the rationale; this disables TLS verify for
  # actions/checkout against the LAN Gitea host signed by host-Caddy's
  # internal CA.
  GIT_SSL_NO_VERIFY: "true"

jobs:
  build:
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: recursive

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.work
          cache: true

      - name: Set up pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 11.0.7

      - name: Set up Node
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
          cache-dependency-path: ui/pnpm-lock.yaml

      - name: Resolve image tag
        id: tag
        run: |
          short_sha=$(git rev-parse --short=12 HEAD)
          echo "tag=commit-${short_sha}" >>"$GITHUB_OUTPUT"

      - name: Build backend image
        run: |
          docker build \
            -t "galaxy/backend:${{ steps.tag.outputs.tag }}" \
            -f backend/Dockerfile \
            .

      - name: Build gateway image
        run: |
          docker build \
            -t "galaxy/gateway:${{ steps.tag.outputs.tag }}" \
            -f gateway/Dockerfile \
            .

      - name: Build engine image
        run: |
          docker build \
            -t "galaxy/game-engine:${{ steps.tag.outputs.tag }}" \
            -f game/Dockerfile \
            .

      - name: Install UI dependencies
        working-directory: ui
        run: pnpm install --frozen-lockfile

      - name: Build UI bundle
        working-directory: ui/frontend
        env:
          VITE_GATEWAY_BASE_URL: https://api.galaxy.com
        run: |
          # Production response-signing public key is not in the repo
          # yet (the dev key in `tools/local-dev/keys/` is for dev
          # only). When real prod keys exist, source them from a Gitea
          # Actions secret and set VITE_GATEWAY_RESPONSE_PUBLIC_KEY
          # here. Until then the prod bundle compiles with the dev
          # key as a placeholder so the artifact exists.
          export VITE_GATEWAY_RESPONSE_PUBLIC_KEY="$(grep -E '^VITE_GATEWAY_RESPONSE_PUBLIC_KEY=' .env.development | cut -d= -f2)"
          pnpm build

      - name: Save images as artifact bundles
        run: |
          mkdir -p artifacts
          docker save "galaxy/backend:${{ steps.tag.outputs.tag }}" \
            | gzip >"artifacts/backend-${{ steps.tag.outputs.tag }}.tar.gz"
          docker save "galaxy/gateway:${{ steps.tag.outputs.tag }}" \
            | gzip >"artifacts/gateway-${{ steps.tag.outputs.tag }}.tar.gz"
          docker save "galaxy/game-engine:${{ steps.tag.outputs.tag }}" \
            | gzip >"artifacts/game-engine-${{ steps.tag.outputs.tag }}.tar.gz"
          tar -C ui/frontend -czf \
            "artifacts/ui-dist-${{ steps.tag.outputs.tag }}.tar.gz" build

      - name: Upload images
        uses: actions/upload-artifact@v4
        with:
          name: galaxy-images-${{ steps.tag.outputs.tag }}
          path: artifacts/*.tar.gz
          retention-days: 30