diff --git a/.gitea/workflows/docker-build.yml b/.gitea/workflows/docker-build.yml
index 4b343fc..55f0c44 100644
--- a/.gitea/workflows/docker-build.yml
+++ b/.gitea/workflows/docker-build.yml
@@ -6,6 +6,8 @@ on:
 branches: [master]
 paths:
 - 'solitaire_server/**'
+ - 'solitaire_wasm/**'
+ - 'solitaire_web/**'
 - 'solitaire_sync/**'
 - 'solitaire_core/**'
 - 'solitaire_engine/**'
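Review bot: The drift check added later in this workflow greps the changed-file list for `Cargo.toml` and `Cargo.lock`, but neither file appears in the `paths` filter shown here, so a push that only touches the manifest or lockfile does not start the workflow and that branch of the check never runs. The `paths` list continues outside this hunk, so this may already be covered; if not, `- 'Cargo.toml'` and `- 'Cargo.lock'` belong alongside the two new entries.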
@@ -34,6 +36,48 @@ jobs:
 id: meta
 run: echo "sha=${GITHUB_SHA::8}" >> "$GITHUB_OUTPUT"
 
+ - name: Check wasm pkg drift
+ run: |
+ set -euo pipefail
+ BASE_SHA="${{ github.event.before }}"
+ HEAD_SHA="${{ github.sha }}"
+ if [ -n "$BASE_SHA" ] && git cat-file -e "$BASE_SHA^{commit}" 2>/dev/null; then
+ RANGE="$BASE_SHA..$HEAD_SHA"
+ else
+ RANGE="HEAD~1..HEAD"
+ fi
+
+ CHANGED="$(git diff --name-only "$RANGE")"
+ echo "Changed files:"
+ echo "$CHANGED"
+
+ if echo "$CHANGED" | grep -Eq '^(solitaire_wasm/|solitaire_core/|Cargo\.toml|Cargo\.lock)$|^(solitaire_wasm/|solitaire_core/)'; then
+ if ! echo "$CHANGED" | grep -Eq '^solitaire_server/web/pkg/solitaire_wasm\.js$|^solitaire_server/web/pkg/solitaire_wasm_bg\.wasm$'; then
+ echo "error: wasm/core/Cargo changed but committed web pkg artifacts are missing."
+ echo "Run: wasm-pack build --target web --out-dir solitaire_server/web/pkg --no-typescript solitaire_wasm"
+ exit 1
+ fi
+ fi
+
+ # Hard check: solitaire_web/ is the direct Bevy WASM source — any
+ # change there MUST rebuild canvas_bg.wasm or the binary goes stale.
+ if echo "$CHANGED" | grep -Eq '^solitaire_web/'; then
+ if ! echo "$CHANGED" | grep -Eq '^solitaire_server/web/pkg/canvas_bg\.wasm$'; then
+ echo "error: solitaire_web/ changed but canvas_bg.wasm not updated."
+ echo "Run: ./build_wasm.sh (requires wasm-bindgen-cli + wasm32-unknown-unknown target)"
+ exit 1
+ fi
+ fi
+
+ # Advisory notice: solitaire_engine/ and solitaire_core/ changes often
+ # require a Bevy WASM rebuild but are not enforced (formatting-only
+ # commits should not be blocked).
+ if echo "$CHANGED" | grep -Eq '^(solitaire_engine/|solitaire_core/)' && \
+ ! echo "$CHANGED" | grep -Eq '^solitaire_server/web/pkg/canvas_bg\.wasm$'; then
+ echo "notice: solitaire_engine/core changed without a canvas_bg.wasm rebuild."
+ echo " If the change affects gameplay run ./build_wasm.sh before pushing."
+ fi
+
 - name: Log in to Gitea registry
 uses: docker/login-action@v3
 with:
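Review bot: The fallback range `HEAD~1..HEAD` near the top of the new step does not exist on a shallow checkout (no parent commit is fetched), and with `set -e` the `CHANGED="$(git diff …)"` assignment then aborts the step with a raw git error instead of the intended message; the checkout step is outside this hunk, so whether its `fetch-depth` is deep enough cannot be confirmed here. The same fallback also inspects only the last commit of a multi-commit push whenever `github.event.before` is unusable (new branch or force push), so an earlier commit in that push touching `solitaire_web/` without its artifact passes unnoticed. Consider failing loudly instead of guessing, `if ! git rev-parse -q --verify "HEAD~1" >/dev/null; then echo "error: shallow checkout; set fetch-depth: 0"; exit 1; fi`, or fetching the base commit explicitly before computing the range. Separately, the `^(solitaire_wasm/|solitaire_core/|…)$` branch of the first grep can only ever match `Cargo.toml`/`Cargo.lock`, since `git diff --name-only` never lists a bare directory, so `'^(solitaire_wasm/|solitaire_core/)|^Cargo\.(toml|lock)$'` expresses the same rule more plainly. Note too that the check confirms only that the committed binaries were touched, not that they were built from the source at `HEAD`; rebuilding in CI and comparing against the committed `solitaire_server/web/pkg` files would be the stronger drift guard.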
@@ -57,8 +101,6 @@ jobs:
 ${{ env.IMAGE }}:latest
 cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache
 cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max
- secrets: |
- cargo_token=${{ secrets.CI_TOKEN }}
 
 - name: Install kustomize
 run: |
diff --git a/solitaire_server/Dockerfile b/solitaire_server/Dockerfile
index e5cd106..11c8d0a 100644
--- a/solitaire_server/Dockerfile
+++ b/solitaire_server/Dockerfile
@@ -34,11 +34,8 @@ RUN for crate in solitaire_core solitaire_sync solitaire_data solitaire_engine \
 echo "fn main() {}" > solitaire_app/src/main.rs && \
 echo "fn main() {}" > solitaire_assetgen/src/main.rs
 
-# The Quaternions registry requires authentication. CI passes CI_TOKEN as a
-# build secret so it never appears in image layers or docker history.
-RUN --mount=type=secret,id=cargo_token,required=true \
- CARGO_REGISTRIES_QUATERNIONS_TOKEN="Bearer $(cat /run/secrets/cargo_token)" \
- cargo fetch --locked
+# Registry config comes from .cargo/config.toml copied above.
+RUN cargo fetch --locked
 
 # Now copy real source and build in release mode.
 COPY solitaire_core/src ./solitaire_core/src
@@ -51,9 +48,7 @@ COPY solitaire_server/migrations ./solitaire_server/migrations
 COPY .sqlx ./.sqlx
 ENV SQLX_OFFLINE=true
 
-RUN --mount=type=secret,id=cargo_token,required=true \
- CARGO_REGISTRIES_QUATERNIONS_TOKEN="Bearer $(cat /run/secrets/cargo_token)" \
- cargo build --release --locked -p solitaire_server --bin solitaire_server
+RUN cargo build --release --locked -p solitaire_server --bin solitaire_server
 
 # --- Runtime stage ---
 FROM debian:bookworm-slim
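Review bot: Dropping `--mount=type=secret,id=cargo_token` from both the `cargo fetch` and the `cargo build` steps in solitaire_server/Dockerfile (this hunk and the next one) moves registry authentication into the `.cargo/config.toml` the new comment says is copied in earlier, but that file and the `COPY` that brings it in are outside the hunk, so it is unclear whether it now carries the Quaternions token. If it does, the credential the removed comment was keeping out of image layers is now baked into the builder stage, recoverable via `docker history` or layer extraction and present in the repository; if it does not, the registry must accept unauthenticated fetches or `cargo fetch --locked` fails at build time. The new comment should state which case applies, e.g. `# Registry config (URL only, no credentials) comes from .cargo/config.toml copied above.`, and if a token is still required the secret mount together with the workflow `secrets:` input deleted in the first hunk above should be restored rather than removed. Cargo also reads `CARGO_REGISTRIES_<NAME>_TOKEN` from the environment, so keeping the mount costs nothing beyond the three lines taken out here.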