fix(ci): pass Quaternions registry token as Docker build secret
Build and Deploy / build-and-push (push) Successful in 4m39s
cargo fetch --locked was failing with "failed to parse manifest" because .cargo/config.toml (which registers the Quaternions sparse index) was never copied into the build image, and the registry's auth token was never supplied.

Changes:
- COPY .cargo/config.toml into the builder stage so Cargo knows the Quaternions registry URL.
- Replace bare `cargo fetch` and `cargo build` with `--mount=type=secret,id=cargo_token` variants that set CARGO_REGISTRIES_QUATERNIONS_TOKEN from the mounted secret — token never appears in image layers or docker history.
- Workflow: pass CI_TOKEN as the `cargo_token` build secret.
- Add solitaire_engine/** and solitaire_server/Dockerfile to trigger paths so engine changes and Dockerfile edits kick off rebuilds.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
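The commit message's claim that the token "never appears in image layers or docker history" is checkable after the fact. The scanner below is an added example, not code from this commit or the solitaire project: it walks a `docker save` export and reports the token wherever it could have been baked in, namely the image config's ENV entries, the `history[].created_by` strings that `docker history` prints, and every regular file inside every layer. So that it runs offline, it constructs two stand-in image tarballs inline, one built the leaky way (token via ARG/ENV plus a written credentials file) and one built the way this commit does it with a secret mount; the token value, file names and layer layout are constructed for the demo. Against a real image you would run `docker save IMAGE -o image.tar` and call `scan_image_tar(open("image.tar", "rb").read(), os.environ["CI_TOKEN"])`.

```python
from __future__ import annotations

import io
import json
import tarfile

# Constructed token value for the demo; a real check reads the secret from the
# CI environment (e.g. os.environ["CI_TOKEN"]).  Not the project's token.
TOKEN = "example-token-0123456789abcdef"


def _scan_config(cfg: dict, secret: str) -> list[str]:
    """Image config JSON: `config.Env` and `history[].created_by` are where a
    token passed via ENV or ARG ends up (the latter is what `docker history` shows)."""
    hits = []
    for env in (cfg.get("config") or {}).get("Env") or []:
        if secret in env:
            hits.append("config.Env: " + env.split("=", 1)[0])
    for entry in cfg.get("history") or []:
        created_by = entry.get("created_by") or ""
        if secret in created_by:
            # Report the command prefix only, never echo the secret itself.
            hits.append("history.created_by: " + created_by.split(secret)[0].strip())
    return hits


def _scan_layer(blob: bytes, name: str, needle: bytes) -> list[str]:
    """A layer is itself a tar (plain or gzipped); look for the token in every regular file."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as layer:
        for f in layer.getmembers():
            if not f.isfile():
                continue
            fh = layer.extractfile(f)
            if fh is not None and needle in fh.read():
                path = f.name[2:] if f.name.startswith("./") else f.name
                hits.append(f"layer {name}: /{path}")
    return hits


def scan_image_tar(image: bytes, secret: str) -> list[str]:
    """Return every place `secret` shows up in a `docker save` export.
    An empty list means the token did not leak into config, history or layers."""
    findings: list[str] = []
    needle = secret.encode()
    with tarfile.open(fileobj=io.BytesIO(image), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            data = fh.read()
            # Docker-format exports name these manifest.json / <id>.json; OCI-layout
            # exports put them under blobs/ with no extension, so sniff the content.
            if data.lstrip()[:1] in (b"{", b"["):
                try:
                    doc = json.loads(data)
                except ValueError:
                    doc = None
                if isinstance(doc, dict):
                    findings.extend(_scan_config(doc, secret))
                continue
            try:
                findings.extend(_scan_layer(data, member.name, needle))
            except tarfile.ReadError:
                pass  # not a layer blob; nothing to scan
    return findings


def _tar_bytes(files: dict[str, bytes]) -> bytes:
    """Build an uncompressed tar in memory from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            t.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_fake_image(env: list[str], history: list[str], layer_files: dict[str, bytes]) -> bytes:
    """Constructed stand-in for `docker save` output: manifest, config JSON, one layer."""
    config = {"config": {"Env": env}, "history": [{"created_by": c} for c in history]}
    return _tar_bytes({
        "manifest.json": json.dumps([{"Config": "cfg.json", "Layers": ["l1/layer.tar"]}]).encode(),
        "cfg.json": json.dumps(config).encode(),
        "l1/layer.tar": _tar_bytes(layer_files),
    })


# Leaky variant (constructed): token passed as ARG/ENV and written to a credentials file.
LEAKY_IMAGE = build_fake_image(
    env=["CARGO_REGISTRIES_QUATERNIONS_TOKEN=Bearer " + TOKEN],
    history=["/bin/sh -c #(nop) ARG CARGO_TOKEN=" + TOKEN],
    layer_files={"root/.cargo/credentials.toml": f'[registries.quaternions]\ntoken = "Bearer {TOKEN}"\n'.encode()},
)

# Secret-mount variant (constructed): history records the mount flags, not the secret's contents.
CLEAN_IMAGE = build_fake_image(
    env=["PATH=/usr/local/cargo/bin:/usr/local/sbin:/usr/bin"],
    history=["RUN --mount=type=secret,id=cargo_token,required=true cargo fetch --locked"],
    layer_files={"app/Cargo.lock": b'[[package]]\nname = "solitaire_server"\n'},
)

if __name__ == "__main__":
    for label, image in (("leaky", LEAKY_IMAGE), ("clean", CLEAN_IMAGE)):
        hits = scan_image_tar(image, TOKEN)
        print(f"{label}: {'LEAK ' + str(hits) if hits else 'no token found'}")
```

Scanning the config JSON separately from the layers matters because an `ARG`- or `ENV`-passed token never touches a layer filesystem yet still ships with the image; the secret-mount approach in this commit passes that check precisely because the mounted file exists only for the duration of the RUN step.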
@@ -8,8 +8,10 @@ on:
- 'solitaire_server/**'
- 'solitaire_sync/**'
- 'solitaire_core/**'
- 'solitaire_engine/**'
- 'Cargo.toml'
- 'Cargo.lock'
- 'solitaire_server/Dockerfile'
- '.gitea/workflows/docker-build.yml'
env:
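Review bot: `.cargo/config.toml` is missing from this trigger list even though the Dockerfile now COPYs it into the builder stage, so a change to the Quaternions index URL in that file would not rebuild the image; add `- '.cargo/config.toml'` next to `- 'solitaire_server/Dockerfile'`.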
@@ -55,6 +57,8 @@ jobs:
${{ env.IMAGE }}:latest
cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache
cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max
secrets: |
cargo_token=${{ secrets.CI_TOKEN }}
- name: Install kustomize
run: |
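Review bot: `cargo_token=${{ secrets.CI_TOKEN }}` hands the general CI token to the builder for what is only a registry read; if that same token is what this job uses to push `${{ env.IMAGE }}` and the `buildcache` ref, a separate read-only token scoped to the Quaternions crate registry would limit the damage should the builder stage ever expose it. The `cache-to: ... mode=max` export is fine as written, since BuildKit secret mounts are never part of a layer and so cannot end up in the pushed cache image, but a one-line comment next to `secrets:` saying that is why a secret mount rather than a build-arg is used would save the next reader from checking.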
@@ -12,6 +12,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
# Copy only the files needed to build the server crate.
# Layer order: workspace manifests first so dependency fetches are cached.
COPY .cargo/config.toml ./.cargo/config.toml
COPY Cargo.toml Cargo.lock ./
COPY solitaire_core/Cargo.toml ./solitaire_core/Cargo.toml
COPY solitaire_sync/Cargo.toml ./solitaire_sync/Cargo.toml
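Review bot: `COPY .cargo/config.toml ./.cargo/config.toml` bakes that file into a builder layer (and, via the registry build cache, into a pushed cache image), so it must carry only the `[registries.quaternions]` index URL and never a `token = ...` entry; the comment above it should say so, since the whole point of the secret mount in the RUN steps further down is that the token exists only under `/run/secrets` for the duration of that step.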
@@ -33,7 +34,11 @@ RUN for crate in solitaire_core solitaire_sync solitaire_data solitaire_engine \
echo "fn main() {}" > solitaire_app/src/main.rs && \
echo "fn main() {}" > solitaire_assetgen/src/main.rs
RUN cargo fetch --locked
# The Quaternions registry requires authentication. CI passes CI_TOKEN as a
# build secret so it never appears in image layers or docker history.
RUN --mount=type=secret,id=cargo_token,required=true \
CARGO_REGISTRIES_QUATERNIONS_TOKEN="Bearer $(cat /run/secrets/cargo_token)" \
cargo fetch --locked
# Now copy real source and build in release mode.
COPY solitaire_core/src ./solitaire_core/src
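Review bot: `required=true` makes any plain `docker build` fail with a missing-secret error, which is the right default but is undocumented; extend the comment above the RUN with the local invocation, e.g. `DOCKER_BUILDKIT=1 docker build --secret id=cargo_token,src=/path/to/token ...`. Two smaller points on `CARGO_REGISTRIES_QUATERNIONS_TOKEN="Bearer $(cat /run/secrets/cargo_token)"`: keep it an inline assignment on the RUN line as done here and never promote it to `ENV`/`ARG`, since either would land in the image config and `docker history`, which is exactly what this change is trying to avoid; and note in the comment that Cargo sends the token value verbatim as the Authorization header, so the `Bearer ` prefix is deliberate and the same string must be kept in sync with the build step further down (`$(...)` dropping the secret file's trailing newline is what you want if CI_TOKEN is written with one).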
@@ -46,7 +51,9 @@ COPY solitaire_server/migrations ./solitaire_server/migrations
COPY .sqlx ./.sqlx
ENV SQLX_OFFLINE=true
RUN cargo build --release --locked -p solitaire_server --bin solitaire_server
RUN --mount=type=secret,id=cargo_token,required=true \
CARGO_REGISTRIES_QUATERNIONS_TOKEN="Bearer $(cat /run/secrets/cargo_token)" \
cargo build --release --locked -p solitaire_server --bin solitaire_server
# --- Runtime stage ---
FROM debian:bookworm-slim
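Review bot: mounting the secret a second time for `cargo build --release --locked -p solitaire_server` is unnecessary: the `cargo fetch --locked` step above already downloads every dependency in Cargo.lock into the builder's registry cache, so this step can run as `cargo build --release --frozen -p solitaire_server --bin solitaire_server` (`--frozen` is `--locked` plus `--offline`) with no `--mount=type=secret` at all. That confines the token to a single RUN step and turns an incomplete fetch into a hard build error instead of a silent network fallback; if some build script genuinely needs the network it will surface immediately on the first try.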