till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-15 01:41:08 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
managarten/cicd/IMPLEMENTATION_CHECKLIST.md
Wuesteon 0241f5554c fix(cicd): docker paths, formatting config, 
and documentation

  - Fix Docker build paths in maerchenzauber and manadeck
  backends
  - Add comprehensive CI/CD documentation (private repo
  solution, type analysis)
  - Configure Prettier with proper plugins for Astro/Svelte
  - Update .gitignore to exclude .hive-mind and .claude-flow
  - Fix Turbo config for Presi app

  Related to cicd/integration branch - Priority 1 & 2 fixes
2025-11-27 18:33:08 +01:00

4.5 KiB
Raw Blame History

Private Repo Access - Implementation Checklist

Issue: Docker builds fail due to private repo mana-core-nestjs-package access Solution: Pass GitHub token to Docker builds via secrets Time Required: 10-15 minutes

Checklist

Step 1: Create Personal Access Token (PAT)

  • Go to GitHub Settings → Developer Settings → Personal Access Tokens → Fine-grained tokens
  • Click "Generate new token"
  • Set token name: CI-Private-Repo-Access
  • Set expiration: 1 year
  • Repository access: "Only select repositories" → Memo-2023/mana-core-nestjs-package
  • Permissions:
    • Repository permissions → Contents → Read
    • Repository permissions → Metadata → Read (auto-selected)
  • Click "Generate token"
  • Copy token (starts with github_pat_...)

Calendar Reminder: Set reminder 1 week before token expires to rotate

Step 2: Add Secret to GitHub Repository

  • Navigate to https://github.com/Memo-2023/manacore-monorepo/settings/secrets/actions
  • Click "New repository secret"
  • Name: PRIVATE_REPO_TOKEN
  • Value: Paste the PAT from Step 1
  • Click "Add secret"

Verification: Secret should appear in the list (value is hidden)

Step 3: Update CI Workflow

  • Open .github/workflows/ci-main.yml
  • Find the "Build and push" step (around line 126)
  • Add these 2 lines after build-args: section:
secrets: |
  github_token=${{ secrets.PRIVATE_REPO_TOKEN }}

Complete example:

- name: Build and push
  if: steps.check-dockerfile.outputs.exists == 'true'
  uses: docker/build-push-action@v5
  with:
    context: .
    file: ${{ matrix.service.path }}/Dockerfile
    push: true
    tags: ${{ steps.meta.outputs.tags }}
    labels: ${{ steps.meta.outputs.labels }}
    cache-from: type=gha
    cache-to: type=gha,mode=max
    build-args: |
      NODE_ENV=production
      PORT=${{ matrix.service.port }}
    secrets: |
      github_token=${{ secrets.PRIVATE_REPO_TOKEN }}
  • Save file
  • Commit: git commit -m "ci: add GitHub token secret for private repo access"

Step 4: Verify Implementation

Local Testing (Optional):

# Export token
export GITHUB_TOKEN="github_pat_YOUR_TOKEN"

# Test maerchenzauber
docker build \
  --secret id=github_token,env=GITHUB_TOKEN \
  -t test-maerchenzauber \
  -f apps/maerchenzauber/apps/backend/Dockerfile \
  .

# Test manadeck
docker build \
  --secret id=github_token,env=GITHUB_TOKEN \
  -t test-manadeck \
  -f apps/manadeck/apps/backend/Dockerfile \
  .
  • Local builds succeed (if testing locally)

CI Testing:

  • Push changes to test branch
  • Check GitHub Actions workflow run
  • Verify build logs show: "Using GitHub token for private repo access"
  • Verify no "exit code 128" errors
  • Verify Docker images pushed to ghcr.io

Success Criteria

  • GitHub secret PRIVATE_REPO_TOKEN exists
  • CI workflow file updated with secrets section
  • Build logs show "Using GitHub token for private repo access"
  • Git clone succeeds without authentication errors
  • Tarball creation succeeds: "Mana-core packaged as tarball"
  • Docker images build and push successfully
  • Both maerchenzauber-backend and manadeck-backend images available in ghcr.io

Troubleshooting

Problem: "No GitHub token provided" in logs

  • Fix: Check secret exists and workflow syntax is correct

Problem: "git clone failed: exit code 128"

  • Fix: Token expired or has wrong permissions - regenerate PAT

Problem: "Permission denied (publickey)"

  • Fix: Check Dockerfile uses HTTPS URLs, not SSH

What This Fixes

Affected Services:

  • apps/maerchenzauber/apps/backend
  • apps/manadeck/apps/backend

Impact:

  • Docker builds will succeed in CI
  • Images will auto-push to ghcr.io
  • Unblocks deployment to staging/production
  • No changes needed to local development workflow

Maintenance

Token Rotation (Annual):

  1. Generate new PAT (same permissions)
  2. Update GitHub secret value
  3. Old token automatically revoked
  4. No code changes needed

Monitoring:

  • GitHub sends email 1 week before PAT expires
  • Set calendar reminder as backup

Related Documentation

Estimated Implementation Time: 10-15 minutes Risk Level: LOW (proven pattern) Rollback: Remove secrets section from workflow