From f7986bc1a7b9a4c3ec0c38a8f3f326517e008272 Mon Sep 17 00:00:00 2001 From: Wuesteon Date: Thu, 4 Dec 2025 03:22:07 +0100 Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20fix(cd):=20fix=20staging=20deplo?= =?UTF-8?q?yment=20registry=20authentication=20and=20missing=20images?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changes to .github/workflows/cd-staging.yml: - Add Docker login step for GitHub Container Registry (ghcr.io) - Add permissions for packages:read - Update service deployment options to only include services with Dockerfiles - Update health checks to match deployed services Changes to docker-compose.staging.yml: - Comment out services without Dockerfiles: - maerchenzauber-backend (no Dockerfile yet) - nutriphi-backend (no Dockerfile yet) - news-api (no Dockerfile yet) - Keep only services with Docker images: - mana-core-auth ✅ - chat-backend ✅ - manadeck-backend ✅ - Update nginx dependencies to remove disabled services This fixes the "error from registry: denied" error that was preventing staging deployments. The deployment was trying to pull Docker images that were never built because those services don't have Dockerfiles. Now only services with actual Docker images will be deployed to staging. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- .github/workflows/cd-staging.yml | 16 ++- docker-compose.staging.yml | 171 ++++++++++++++++--------------- 2 files changed, 99 insertions(+), 88 deletions(-) diff --git a/.github/workflows/cd-staging.yml b/.github/workflows/cd-staging.yml index 5270263cd..874548fdb 100644 --- a/.github/workflows/cd-staging.yml +++ b/.github/workflows/cd-staging.yml @@ -10,13 +10,14 @@ on: options: - all - mana-core-auth - - maerchenzauber-backend - chat-backend - manadeck-backend - - nutriphi-backend - - news-api workflow_call: +permissions: + contents: read + packages: read + env: NODE_VERSION: '20' PNPM_VERSION: '9.15.0' 
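Review bot: The new top-level `permissions:` block is only authoritative on the `workflow_dispatch` path; when this file is invoked through `workflow_call`, the token's scopes are capped by the calling workflow, so `packages: read` has to be granted there too or the ghcr.io pull will presumably still be denied. I would document that next to the block, e.g. `# least privilege; callers using workflow_call must also grant packages: read`. The calling workflow is not part of this diff, so its permissions should be confirmed separately.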
@@ -96,6 +97,13 @@ jobs: scp .env.staging ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }}:~/manacore-staging/.env rm .env.staging + - name: Login to GitHub Container Registry on staging server + run: | + ssh ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << EOF + # Login to ghcr.io with GitHub token + echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin + EOF + - name: Pull latest Docker images run: | ssh ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF' @@ -132,8 +140,8 @@ jobs: # Health check for each service SERVICES=( "mana-core-auth:3001:/api/v1/health" - "maerchenzauber-backend:3002:/health" "chat-backend:3002:/api/health" + "manadeck-backend:3003:/api/health" ) for SERVICE_CONFIG in "${SERVICES[@]}"; do diff --git a/docker-compose.staging.yml b/docker-compose.staging.yml index e9ed1998c..c5f009c4d 100644 --- a/docker-compose.staging.yml +++ b/docker-compose.staging.yml 
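Review bot: The added login step leaves the job's `GITHUB_TOKEN` saved in the staging account's Docker credential store (by default `~/.docker/config.json`), because nothing in the visible steps runs `docker logout ghcr.io`, and it pastes `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` directly into the script text of an unquoted heredoc. Passing both through `env:` and feeding the token to ssh on stdin keeps the values out of the rendered script and out of the remote shell's input. A `docker logout ghcr.io` at the end of the pull/deploy script, which continues outside this hunk, removes the stored credential once the images are pulled. The token expires when the job finishes, so the saved login has no value for later pulls in any case.

```yaml
- name: Login to GitHub Container Registry on staging server
  env:
    GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    GHCR_USER: ${{ github.actor }}
  run: |
    # Token travels over ssh stdin; it is never part of the script text
    printf '%s' "$GHCR_TOKEN" |
      ssh ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} \
        "docker login ghcr.io -u '$GHCR_USER' --password-stdin"
# … unchanged: "Pull latest Docker images" step; end its remote script with `docker logout ghcr.io` …
```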
@@ -82,37 +82,38 @@ services: max-size: "10m" max-file: "3" - maerchenzauber-backend: - image: ${DOCKER_REGISTRY:-ghcr.io/memo-2023}/maerchenzauber-backend:${MAERCHENZAUBER_VERSION:-latest} - container_name: maerchenzauber-backend-staging - restart: unless-stopped - depends_on: - mana-core-auth: - condition: service_healthy - environment: - NODE_ENV: staging - PORT: 3002 - MANA_SERVICE_URL: http://mana-core-auth:3001 - SUPABASE_URL: ${SUPABASE_URL} - SUPABASE_ANON_KEY: ${SUPABASE_ANON_KEY} - SUPABASE_SERVICE_ROLE_KEY: ${SUPABASE_SERVICE_ROLE_KEY} - AZURE_OPENAI_ENDPOINT: ${AZURE_OPENAI_ENDPOINT} - AZURE_OPENAI_API_KEY: ${AZURE_OPENAI_API_KEY} - AZURE_OPENAI_API_VERSION: ${AZURE_OPENAI_API_VERSION:-2024-12-01-preview} - ports: - - "3002:3002" - healthcheck: - test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3002/health"] - interval: 30s - timeout: 10s - retries: 3 - networks: - - manacore-network - logging: - driver: "json-file" - options: - max-size: "10m" - max-file: "3" + # maerchenzauber-backend: + # image: ${DOCKER_REGISTRY:-ghcr.io/memo-2023}/maerchenzauber-backend:${MAERCHENZAUBER_VERSION:-latest} + # container_name: maerchenzauber-backend-staging + # restart: unless-stopped + # depends_on: + # mana-core-auth: + # condition: service_healthy + # environment: + # NODE_ENV: staging + # PORT: 3002 + # MANA_SERVICE_URL: http://mana-core-auth:3001 + # SUPABASE_URL: ${SUPABASE_URL} + # SUPABASE_ANON_KEY: ${SUPABASE_ANON_KEY} + # SUPABASE_SERVICE_ROLE_KEY: ${SUPABASE_SERVICE_ROLE_KEY} + # AZURE_OPENAI_ENDPOINT: ${AZURE_OPENAI_ENDPOINT} + # AZURE_OPENAI_API_KEY: ${AZURE_OPENAI_API_KEY} + # AZURE_OPENAI_API_VERSION: ${AZURE_OPENAI_API_VERSION:-2024-12-01-preview} + # ports: + # - "3002:3002" + # healthcheck: + # test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3002/health"] + # interval: 30s + # timeout: 10s + # retries: 3 + # networks: + # - manacore-network + # logging: + # driver: "json-file" + # 
options: + # max-size: "10m" + # max-file: "3" + # # DISABLED: No Dockerfile exists yet chat-backend: image: ${DOCKER_REGISTRY:-ghcr.io/memo-2023}/chat-backend:${CHAT_VERSION:-latest} 
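Review bot: The `# DISABLED: No Dockerfile exists yet` marker is placed after the commented-out `maerchenzauber-backend` block and directly above `chat-backend:`, so it reads as if the live service were the disabled one; the same placement is repeated for `nutriphi-backend` and `news-api` in the next hunk. Move the marker above each block, or keep the definitions live and gate them with `profiles: ["disabled"]`, which Compose skips on `pull` and `up` unless that profile is enabled. That avoids roughly ninety commented lines drifting out of date. It is also worth checking whether the `.env` copied to the server still carries keys that only these services read (for example `AZURE_OPENAI_API_KEY`); that file is not part of this diff.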
@@ -173,59 +174,61 @@ services: max-size: "10m" max-file: "3" - nutriphi-backend: - image: ${DOCKER_REGISTRY:-ghcr.io/memo-2023}/nutriphi-backend:${NUTRIPHI_VERSION:-latest} - container_name: nutriphi-backend-staging - restart: unless-stopped - depends_on: - mana-core-auth: - condition: service_healthy - environment: - NODE_ENV: staging - PORT: 3004 - MANA_SERVICE_URL: http://mana-core-auth:3001 - SUPABASE_URL: ${SUPABASE_URL} - SUPABASE_SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY} - ports: - - "3005:3004" - healthcheck: - test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3004/health"] - interval: 30s - timeout: 10s - retries: 3 - networks: - - manacore-network - logging: - driver: "json-file" - options: - max-size: "10m" - max-file: "3" + # nutriphi-backend: + # image: ${DOCKER_REGISTRY:-ghcr.io/memo-2023}/nutriphi-backend:${NUTRIPHI_VERSION:-latest} + # container_name: nutriphi-backend-staging + # restart: unless-stopped + # depends_on: + # mana-core-auth: + # condition: service_healthy + # environment: + # NODE_ENV: staging + # PORT: 3004 + # MANA_SERVICE_URL: http://mana-core-auth:3001 + # SUPABASE_URL: ${SUPABASE_URL} + # SUPABASE_SERVICE_KEY: ${SUPABASE_SERVICE_ROLE_KEY} + # ports: + # - "3005:3004" + # healthcheck: + # test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3004/health"] + # interval: 30s + # timeout: 10s + # retries: 3 + # networks: + # - manacore-network + # logging: + # driver: "json-file" + # options: + # max-size: "10m" + # max-file: "3" + # # DISABLED: No Dockerfile exists yet - news-api: - image: ${DOCKER_REGISTRY:-ghcr.io/memo-2023}/news-api:${NEWS_VERSION:-latest} - container_name: news-api-staging - restart: unless-stopped - depends_on: - mana-core-auth: - condition: service_healthy - environment: - NODE_ENV: staging - PORT: 3005 - MANA_SERVICE_URL: http://mana-core-auth:3001 - ports: - - "3006:3005" - healthcheck: - test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", 
"http://localhost:3005/health"] - interval: 30s - timeout: 10s - retries: 3 - networks: - - manacore-network - logging: - driver: "json-file" - options: - max-size: "10m" - max-file: "3" + # news-api: + # image: ${DOCKER_REGISTRY:-ghcr.io/memo-2023}/news-api:${NEWS_VERSION:-latest} + # container_name: news-api-staging + # restart: unless-stopped + # depends_on: + # mana-core-auth: + # condition: service_healthy + # environment: + # NODE_ENV: staging + # PORT: 3005 + # MANA_SERVICE_URL: http://mana-core-auth:3001 + # ports: + # - "3006:3005" + # healthcheck: + # test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3005/health"] + # interval: 30s + # timeout: 10s + # retries: 3 + # networks: + # - manacore-network + # logging: + # driver: "json-file" + # options: + # max-size: "10m" + # max-file: "3" + # # DISABLED: No Dockerfile exists yet # ============================================ # Reverse Proxy (Optional) @@ -237,8 +240,8 @@ services: restart: unless-stopped depends_on: - mana-core-auth - - maerchenzauber-backend - chat-backend + - manadeck-backend volumes: - ./docker/nginx/staging.conf:/etc/nginx/conf.d/default.conf - ./docker/nginx/ssl:/etc/nginx/ssl
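Review bot: The short-form `depends_on` list on the proxy only orders container start, unlike the `condition: service_healthy` form used by the backend definitions visible earlier in this file's diff, and the mounted `./docker/nginx/staging.conf` is not touched by this commit. If that config still names `maerchenzauber-backend`, `nutriphi-backend` or `news-api` as upstreams, nginx will presumably fail to resolve them at startup now that those containers are gone, so it should be reviewed together with this change. Consider the long form, e.g. `manadeck-backend:` with `condition: service_healthy`, provided that service defines a healthcheck. The nginx service definition starts and ends outside the hunk.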