From f6eeaed97df9dd68b032d0d4f1d29f2ceb186716 Mon Sep 17 00:00:00 2001 From: adlee-was-taken Date: Tue, 7 Apr 2026 19:49:35 -0400 Subject: [PATCH] Fix CI/CD: use SSH-based build instead of Docker-in-Docker act_runner doesn't reliably support docker/build-push-action. Build the image on the staging server and push to registry from there instead. Co-Authored-By: Claude Opus 4.6 (1M context) --- .gitea/workflows/deploy-prod.yml | 25 +++++++------- .gitea/workflows/deploy-staging.yml | 52 ++++++++++------------------- 2 files changed, 29 insertions(+), 48 deletions(-) diff --git a/.gitea/workflows/deploy-prod.yml b/.gitea/workflows/deploy-prod.yml index dc7250b..5211d4c 100644 --- a/.gitea/workflows/deploy-prod.yml +++ b/.gitea/workflows/deploy-prod.yml @@ -7,9 +7,6 @@ on: description: 'Release tag to deploy (e.g. v3.3.0)' required: true -env: - IMAGE: git.adlee.work/alee/golfgame - jobs: deploy: runs-on: ubuntu-latest @@ -20,19 +17,21 @@ jobs: host: ${{ secrets.PROD_HOST }} username: root key: ${{ secrets.DEPLOY_SSH_KEY }} - envs: IMAGE script: | + set -e + TAG="${{ github.event.inputs.tag }}" + IMAGE="git.adlee.work/alee/golfgame" + cd /opt/golfgame - # Pull the same image that passed staging - docker login git.adlee.work -u ${{ secrets.REGISTRY_USER }} -p ${{ secrets.REGISTRY_TOKEN }} - docker pull $IMAGE:${{ github.event.inputs.tag }} + # Pull the image that passed staging + echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.adlee.work -u "${{ secrets.REGISTRY_USER }}" --password-stdin + docker pull "$IMAGE:$TAG" + docker tag "$IMAGE:$TAG" golfgame-app:latest - # Tag it so compose uses it - docker tag $IMAGE:${{ github.event.inputs.tag }} golfgame-app:latest - - # Update code (for compose file / env changes) - git fetch origin && git checkout ${{ github.event.inputs.tag }} + # Update code for compose/env changes + git fetch origin + git checkout "$TAG" # Restart app docker compose -f docker-compose.prod.yml up -d app 
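Review bot: In the `script:` block, `TAG="${{ github.event.inputs.tag }}"` is substituted by the workflow engine before the text reaches the remote shell, so the dispatch input is parsed as script on the production host under `username: root`; the double quotes around it do not contain it. The staging hunk in deploy-staging.yml has the same pattern with `TAG="${{ github.ref_name }}"`, and both files also render `secrets.REGISTRY_TOKEN` into the script text. Hand the value over as data instead: set it in a step-level `env:`, list it in the action's `envs:` option, and reject anything outside the expected tag alphabet before the SSH step runs. The SSH step starts above this hunk, so the placement of `env:` below needs checking against the full file, and it is worth confirming how the pinned action version quotes `envs` values.

```yaml
      - name: Validate release tag
        env:
          TAG: ${{ github.event.inputs.tag }}
        run: |
          case "$TAG" in
            ''|-*|*[!A-Za-z0-9._-]*) echo "refusing unexpected tag value" >&2; exit 1 ;;
          esac

      # … unchanged: name / uses of the SSH deploy step …
        env:
          TAG: ${{ github.event.inputs.tag }}
        with:
          # … unchanged: host, username, key …
          envs: TAG
          script: |
            set -e
            IMAGE="git.adlee.work/alee/golfgame"
            # … unchanged: cd, registry login, pull, tag, checkout, restart, health check …
```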
@@ -41,7 +40,7 @@ jobs: echo "Waiting for health check..." for i in $(seq 1 30); do if docker compose -f docker-compose.prod.yml ps app | grep -q "healthy"; then - echo "Production deploy successful — ${{ github.event.inputs.tag }}" + echo "Production deploy successful — $TAG" exit 0 fi sleep 2 diff --git a/.gitea/workflows/deploy-staging.yml b/.gitea/workflows/deploy-staging.yml index d28cb0a..670ab4e 100644 --- a/.gitea/workflows/deploy-staging.yml +++ b/.gitea/workflows/deploy-staging.yml 
@@ -4,63 +4,45 @@ on: release: types: [published] -env: - IMAGE: git.adlee.work/alee/golfgame - jobs: - build: + build-and-deploy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: Log in to Gitea Container Registry - uses: docker/login-action@v3 - with: - registry: git.adlee.work - username: ${{ secrets.REGISTRY_USER }} - password: ${{ secrets.REGISTRY_TOKEN }} - - - name: Build and push image - uses: docker/build-push-action@v6 - with: - context: . - push: true - tags: | - ${{ env.IMAGE }}:${{ github.ref_name }} - ${{ env.IMAGE }}:latest - - deploy: - needs: build - runs-on: ubuntu-latest - steps: - - name: Deploy to staging + - name: Build, push, and deploy to staging uses: appleboy/ssh-action@v1 with: host: ${{ secrets.STAGING_HOST }} username: root key: ${{ secrets.DEPLOY_SSH_KEY }} - envs: IMAGE script: | + set -e + TAG="${{ github.ref_name }}" + IMAGE="git.adlee.work/alee/golfgame" + cd /opt/golfgame - # Pull the pre-built image - docker login git.adlee.work -u ${{ secrets.REGISTRY_USER }} -p ${{ secrets.REGISTRY_TOKEN }} - docker pull $IMAGE:${{ github.ref_name }} + # Pull latest code and checkout the release tag + git fetch origin + git checkout "$TAG" - # Tag it so compose uses it - docker tag $IMAGE:${{ github.ref_name }} golfgame-app:latest + # Build the image + docker build -t "$IMAGE:$TAG" -t "$IMAGE:latest" -t golfgame-app:latest . - # Update code (for compose file / env changes) - git fetch origin && git checkout ${{ github.ref_name }} + # Push to Gitea container registry + echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.adlee.work -u "${{ secrets.REGISTRY_USER }}" --password-stdin + docker push "$IMAGE:$TAG" + docker push "$IMAGE:latest" - # Restart app (no --build, image is pre-built) + # Restart app (no --build, image already tagged) docker compose -f docker-compose.staging.yml up -d app # Wait for healthy echo "Waiting for health check..." 
for i in $(seq 1 30); do if docker compose -f docker-compose.staging.yml ps app | grep -q "healthy"; then - echo "Staging deploy successful — ${{ github.ref_name }}" + echo "Staging deploy successful — $TAG" exit 0 fi sleep 2
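Review bot: `docker build ... .` now runs in `/opt/golfgame` on the staging host, so the build context is that server's working tree rather than a clean checkout of the tag, and the result is pushed as `$IMAGE:$TAG` and `$IMAGE:latest` for production to pull. Any untracked or locally modified file in that directory can end up in the image layers unless a `.dockerignore` excludes it; neither that file nor the directory contents are visible here. Building from the tagged tree keeps the image tied to the release, for example `git archive --format=tar "$TAG" | docker build -t "$IMAGE:$TAG" -t "$IMAGE:latest" -t golfgame-app:latest -`. By default `docker login` also leaves the registry credential in root's Docker config on the host, in this hunk and in the production script, so a closing `docker logout git.adlee.work` after the pushes would limit that. The `actions/checkout@v4` step looks unused now that nothing is built on the runner.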