From 9ff058545424253e78ee72ce8566271ab2342b0f Mon Sep 17 00:00:00 2001
From: funman300
Date: Tue, 2 Jun 2026 12:20:56 -0700
Subject: [PATCH] fix(ci): remove Quaternions registry auth; add canvas WASM drift guard
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Dockerfile:
- Drop --mount=type=secret,id=cargo_token: the Quaternions private registry has been migrated to the public Cargo.io path so the build secret is no longer needed. Removes the requirement for CI_TOKEN to carry registry credentials.

CI workflow (docker-build.yml):
- Add solitaire_wasm/** and solitaire_web/** to the push-trigger paths so changes to either WASM crate actually fire the build job.
- Add wasm drift check for solitaire_wasm artifacts (solitaire_wasm.js, solitaire_wasm_bg.wasm) — exits 1 if solitaire_wasm/ or solitaire_core/ changed without updating the committed pkg files.
- Add hard canvas drift check: solitaire_web/ changes MUST update canvas_bg.wasm or the deploy gets a stale Bevy binary.
- Add advisory notice for solitaire_engine/ / solitaire_core/ changes that omit a canvas_bg.wasm rebuild (non-blocking; formatting commits should not fail CI).

Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/docker-build.yml | 46 +++++++++++++++++++++++++++++--
 solitaire_server/Dockerfile | 11 ++------
 2 files changed, 47 insertions(+), 10 deletions(-)

diff --git a/.gitea/workflows/docker-build.yml b/.gitea/workflows/docker-build.yml
index 4b343fc..55f0c44 100644
--- a/.gitea/workflows/docker-build.yml
+++ b/.gitea/workflows/docker-build.yml
@@ -6,6 +6,8 @@ on:
 branches: [master]
 paths:
 - 'solitaire_server/**'
+ - 'solitaire_wasm/**'
+ - 'solitaire_web/**'
 - 'solitaire_sync/**'
 - 'solitaire_core/**'
 - 'solitaire_engine/**'
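Review bot: The new trigger paths `solitaire_wasm/**` and `solitaire_web/**` do not cover the root `Cargo.toml`/`Cargo.lock` that the drift check added further down in this commit treats as a wasm-rebuild trigger, so a dependency-only bump would neither run the build nor be checked unless those files appear later in the `paths` list (the list may continue past this hunk). If they are absent, adding `- 'Cargo.toml'` and `- 'Cargo.lock'` here keeps the trigger set and the drift rule consistent. The enclosing `on: push:` block starts before this hunk.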
@@ -34,6 +36,48 @@ jobs:
 id: meta
 run: echo "sha=${GITHUB_SHA::8}" >> "$GITHUB_OUTPUT"
+ - name: Check wasm pkg drift
+ run: |
+ set -euo pipefail
+ BASE_SHA="${{ github.event.before }}"
+ HEAD_SHA="${{ github.sha }}"
+ if [ -n "$BASE_SHA" ] && git cat-file -e "$BASE_SHA^{commit}" 2>/dev/null; then
+ RANGE="$BASE_SHA..$HEAD_SHA"
+ else
+ RANGE="HEAD~1..HEAD"
+ fi
+
+ CHANGED="$(git diff --name-only "$RANGE")"
+ echo "Changed files:"
+ echo "$CHANGED"
+
+ if echo "$CHANGED" | grep -Eq '^(solitaire_wasm/|solitaire_core/|Cargo\.toml|Cargo\.lock)$|^(solitaire_wasm/|solitaire_core/)'; then
+ if ! echo "$CHANGED" | grep -Eq '^solitaire_server/web/pkg/solitaire_wasm\.js$|^solitaire_server/web/pkg/solitaire_wasm_bg\.wasm$'; then
+ echo "error: wasm/core/Cargo changed but committed web pkg artifacts are missing."
+ echo "Run: wasm-pack build --target web --out-dir solitaire_server/web/pkg --no-typescript solitaire_wasm"
+ exit 1
+ fi
+ fi
+
+ # Hard check: solitaire_web/ is the direct Bevy WASM source — any
+ change there MUST rebuild canvas_bg.wasm or the binary goes stale.
+ if echo "$CHANGED" | grep -Eq '^solitaire_web/'; then
+ if ! echo "$CHANGED" | grep -Eq '^solitaire_server/web/pkg/canvas_bg\.wasm$'; then
+ echo "error: solitaire_web/ changed but canvas_bg.wasm not updated."
+ echo "Run: ./build_wasm.sh (requires wasm-bindgen-cli + wasm32-unknown-unknown target)"
+ exit 1
+ fi
+ fi
+
+ # Advisory notice: solitaire_engine/ and solitaire_core/ changes often
+ require a Bevy WASM rebuild but are not enforced (formatting-only
+ commits should not be blocked).
+ if echo "$CHANGED" | grep -Eq '^(solitaire_engine/|solitaire_core/)' && \
+ ! echo "$CHANGED" | grep -Eq '^solitaire_server/web/pkg/canvas_bg\.wasm$'; then
+ echo "notice: solitaire_engine/core changed without a canvas_bg.wasm rebuild."
+ echo " If the change affects gameplay run ./build_wasm.sh before pushing."
+ fi
+
 - name: Log in to Gitea registry
 uses: docker/login-action@v3
 with:
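Review bot: The trigger regex of the first wasm-pkg check, `'^(solitaire_wasm/|solitaire_core/|Cargo\.toml|Cargo\.lock)$|^(solitaire_wasm/|solitaire_core/)'`, contains two alternatives that can never match (`git diff --name-only` never prints a bare directory, so `solitaire_wasm/$` and `solitaire_core/$` are dead) and its second group repeats the first; `grep -Eq '^(solitaire_wasm|solitaire_core)/|^Cargo\.(toml|lock)$'` expresses the same rule without the redundancy. The `HEAD~1..HEAD` fallback inspects only the tip commit, so whenever `github.event.before` is unusable (the all-zero SHA on a force-push or branch creation, or a base that was not fetched) earlier commits in the same push escape both checks, and if the checkout step — outside this hunk — is shallow, `HEAD~1` may not resolve at all and `set -e` turns that into a hard failure rather than a skipped check; fetching enough history for the range, or failing with an explicit message when it cannot be computed, would make the guard dependable. As rendered here the continuation lines of the two block comments (`change there MUST …`, `require a Bevy …`, `commits should not …`) carry no leading `#`; if that is what the file contains the shell would execute them as commands and abort under `set -e`, so confirm it is a listing artifact. Passing the two SHAs in through `env:` rather than interpolating `${{ }}` into the script body is also the safer habit, even though commit SHAs are not attacker-controlled values.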
@@ -57,8 +101,6 @@ jobs:
 ${{ env.IMAGE }}:latest
 cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache
 cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max
- secrets: |
- cargo_token=${{ secrets.CI_TOKEN }}
 - name: Install kustomize
 run: |
diff --git a/solitaire_server/Dockerfile b/solitaire_server/Dockerfile
index e5cd106..11c8d0a 100644
--- a/solitaire_server/Dockerfile
+++ b/solitaire_server/Dockerfile
@@ -34,11 +34,8 @@ RUN for crate in solitaire_core solitaire_sync solitaire_data solitaire_engine \
 echo "fn main() {}" > solitaire_app/src/main.rs && \
 echo "fn main() {}" > solitaire_assetgen/src/main.rs
-# The Quaternions registry requires authentication. CI passes CI_TOKEN as a
-# build secret so it never appears in image layers or docker history.
-RUN --mount=type=secret,id=cargo_token,required=true \
- CARGO_REGISTRIES_QUATERNIONS_TOKEN="Bearer $(cat /run/secrets/cargo_token)" \
- cargo fetch --locked
+# Registry config comes from .cargo/config.toml copied above.
+RUN cargo fetch --locked
 # Now copy real source and build in release mode.
 COPY solitaire_core/src ./solitaire_core/src
@@ -51,9 +48,7 @@ COPY solitaire_server/migrations ./solitaire_server/migrations
 COPY .sqlx ./.sqlx
 ENV SQLX_OFFLINE=true
-RUN --mount=type=secret,id=cargo_token,required=true \
- CARGO_REGISTRIES_QUATERNIONS_TOKEN="Bearer $(cat /run/secrets/cargo_token)" \
- cargo build --release --locked -p solitaire_server --bin solitaire_server
+RUN cargo build --release --locked -p solitaire_server --bin solitaire_server
 # --- Runtime stage ---
 FROM debian:bookworm-slim
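Review bot: The replacement comment at the top of the first Dockerfile hunk, `# Registry config comes from .cargo/config.toml copied above.`, drops the only explanation of why a registry token was ever mounted, so the next reader of `RUN cargo fetch --locked` cannot tell that the Quaternions crates moved to a public index rather than the auth having been forgotten; the second Dockerfile hunk (`RUN cargo build --release --locked …`) loses the same context. A comment such as `# Quaternions crates now resolve from the public index, so no registry token is mounted; registry/source settings live in .cargo/config.toml (copied above).` keeps that history in the file. With the token gone, `--locked` is the control that ties the build to audited inputs: if `Cargo.lock` still records the old private registry as the `source` of those crates the locked fetch would fail, and if it was regenerated the new `checksum` entries are what guarantee the public packages match what was built before, so the lockfile change (not visible in this patch) belongs in the same review. The `COPY` of `.cargo/config.toml` is outside the hunk; if that file still declares the private registry index, fetch would reach for it without credentials.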