CodeForAfrica
diff --git a/‎.dockerignore‎
Lines changed: 57 additions & 3 deletions b/‎.dockerignore‎
Lines changed: 57 additions & 3 deletions
diff --git a/‎.github/workflows/bake-and-push.yml‎
Lines changed: 104 additions & 0 deletions b/‎.github/workflows/bake-and-push.yml‎
Lines changed: 104 additions & 0 deletions
diff --git a/‎.github/workflows/build-base-images.yml‎
Lines changed: 58 additions & 0 deletions b/‎.github/workflows/build-base-images.yml‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎.github/workflows/techlabblog.yml‎
Lines changed: 112 additions & 0 deletions b/‎.github/workflows/techlabblog.yml‎
Lines changed: 112 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 1 addition & 1 deletion b/‎Makefile‎
Lines changed: 1 addition & 1 deletion
@@ -1,13 +1,67 @@
-# Include application-specific Dockerfiles e.g. charterafrica.Dockerfile
+
+# -----------------------------------------------------------------------------
+# Docker build context filtering for monorepo builds
+# Goal: keep context small while preserving files needed by turbo prune/build.
+# -----------------------------------------------------------------------------
+
+# Exclude Dockerfiles by default, then explicitly keep the ones bake uses.
 *Dockerfile
+!Dockerfile
+!docker/base.Dockerfile
+!docker/apps/*.Dockerfile
+
+# Docker metadata
 .dockerignore
+
+# VCS / CI / editor metadata (not needed in image builds)
+.git
+.github
+.DS_Store
+**/.vscode
+**/.idea
+
+# Dependency directories
 **/node_modules
+**/.pnpm-store
+
+# Package manager / tooling logs
 npm-debug.log
 .pnpm-debug.log
+**/*.log
+
+# Local docs / notes not used for builds
 README.md
-**/.env.local
+docker/README.md
+
+# Local env overrides (sensitive / machine-specific)
+# Keep checked-in .env files included; only ignore .env.local
+**/.env*.local
+
+# Framework/build caches and outputs
 **/.next
 **/.turbo
-**/.vscode
+**/.cache
+**/.swc
+**/.eslintcache
+**/.nyc_output
 **/build
+**/coverage
+**/dist
+**/storybook-static
+**/*.tsbuildinfo
+
+# App/static media export folders (if generated)
 **/media
+
+# Databases / sqlite artifacts
+**/*.db
+**/*.sqlite
+**/*.sqlite3
+
+# Temp folders
+**/tmp
+**/temp
+
+# Local-only repo artifacts
+mongo-keyfile
+
@@ -0,0 +1,104 @@
+name: Bake and Push
+
+# Reusable workflow for building and pushing a bake target.
+# Replaces build-docker-image.yml for apps migrated to docker-bake.hcl.
+#
+# Callers pass app-specific build args via the `set` input using GitHub Variables
+# (vars.*) for NEXT_PUBLIC_* values — these are public by design and belong in
+# vars, not secrets. Sentry secrets are declared explicitly below.
+
+on:
+  workflow_call:
+    inputs:
+      target:
+        required: true
+        type: string
+        description: "Bake target name (e.g. techlabblog)"
+      tag:
+        required: true
+        type: string
+        description: "Image tag to push (e.g. git SHA or semver)"
+      base_tag:
+        required: false
+        type: string
+        default: ""
+        description: >
+          Pre-built base image tag (BASE_TAG). When set, pulls ui-builder-base
+          and ui-runner-base from the registry instead of building them inline.
+          Use this in CI to avoid rebuilding base images on every app push.
+          Omit (or leave empty) to build base images inline — useful when
+          testing base image changes locally via act or in build-base-images.yml.
+      platforms:
+        required: false
+        type: string
+        default: "linux/amd64,linux/arm64"
+        description: "Target platforms (comma-separated). Override to build for a single platform."
+      set:
+        required: false
+        type: string
+        default: ""
+        description: >
+          Extra bake --set overrides (newline-separated target.field=value pairs).
+          Use this to inject app-specific build args, e.g.:
+            techlabblog.args.NEXT_PUBLIC_APP_URL=${{ vars.TECHLABBLOG_APP_URL }}
+          Note: GitHub Variables (vars.*) are available here; secrets are not —
+          pass truly secret build args via the declared secrets inputs below.
+    secrets:
+      DOCKER_HUB_USERNAME:
+        required: true
+      DOCKER_HUB_ACCESS_TOKEN:
+        required: true
+      # Sentry secrets: sourced from env by BuildKit secret mounts in Dockerfiles
+      # (--mount=type=secret,id=sentry_auth_token,env=SENTRY_AUTH_TOKEN).
+      # Mark required: false so apps without Sentry can use this workflow too.
+      SENTRY_AUTH_TOKEN:
+        required: false
+      SENTRY_ORG:
+        required: false
+      SENTRY_PROJECT:
+        required: false
+
+jobs:
+  bake:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Build metadata
+        id: meta
+        run: echo "date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
+
+      - uses: docker/setup-qemu-action@v3
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Build and push
+        uses: docker/bake-action@v6
+        env:
+          TAG: ${{ inputs.tag }}
+          BASE_TAG: ${{ inputs.base_tag }}
+          GIT_REVISION: ${{ github.sha }}
+          BUILD_DATE: ${{ steps.meta.outputs.date }}
+          # Sentry secrets: exposed to BuildKit as secret mounts (not build args).
+          # See --mount=type=secret,id=sentry_auth_token,env=SENTRY_AUTH_TOKEN
+          # in app Dockerfiles.
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
+        with:
+          files: docker-bake.hcl
+          targets: ${{ inputs.target }}
+          push: true
+          set: |
+            *.cache-from=type=gha,scope=${{ inputs.target }}
+            *.cache-to=type=gha,mode=max,scope=${{ inputs.target }}
+            *.platforms=${{ inputs.platforms }}
+            ${{ inputs.set }}
@@ -0,0 +1,58 @@
+name: Build Base Images
+
+# Builds and pushes ui-builder-base and ui-runner-base to DockerHub.
+#
+# Base images have an independent version lifecycle from apps — they only change
+# when Node.js, pnpm, Alpine, or turbo tooling changes. They are NOT rebuilt on
+# every app push. See docker/README.md for the full rationale.
+#
+# Workflow:
+#   1. Update NODE_VERSION / PNPM_VERSION / TURBO_VERSION in docker-bake.hcl.
+#   2. Run this workflow with the next version tag (e.g. v4).
+#   3. Update BASE_TAG in app CI workflows (e.g. techlabblog.yml) to the new tag.
+#
+# The tag (e.g. v3) is separate from app image tags and from the Node version
+# string. It tracks the iteration of the base image configuration.
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Base image tag to publish (e.g. v3)"
+        required: true
+        type: string
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build metadata
+        id: meta
+        run: echo "date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
+
+      - uses: docker/setup-qemu-action@v3
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Build and push base images
+        uses: docker/bake-action@v6
+        env:
+          TAG: ${{ inputs.tag }}
+          GIT_REVISION: ${{ github.sha }}
+          BUILD_DATE: ${{ steps.meta.outputs.date }}
+        with:
+          files: docker-bake.hcl
+          targets: base
+          push: true
+          set: |
+            *.cache-from=type=gha,scope=ui-base
+            *.cache-to=type=gha,mode=max,scope=ui-base
+            *.platforms=linux/amd64,linux/arm64
@@ -0,0 +1,112 @@
+name: TechLab Blog
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "apps/techlabblog/**"
+      - "docker/apps/techlabblog.Dockerfile"
+      - "docker/base.Dockerfile"
+      - "docker-bake.hcl"
+      - ".github/workflows/techlabblog.yml"
+      - ".github/workflows/bake-and-push.yml"
+
+# Cancel in-progress runs for the same branch so a fast-follow push doesn't
+# queue behind a slow build.
+concurrency:
+  group: "${{ github.workflow }} @ ${{ github.ref }}"
+  cancel-in-progress: true
+
+jobs:
+  # Checks whether apps/techlabblog/package.json has a version bump.
+  # The prod deploy is gated on this: every push triggers a build, but only
+  # a version bump triggers a prod deploy.
+  version-check:
+    runs-on: ubuntu-latest
+    outputs:
+      changed: ${{ steps.check.outputs.changed }}
+      version: ${{ steps.check.outputs.version }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # EndBug/version-check requires Node.js — it ships as a JS action.
+      # https://github.com/EndBug/version-check#github-workflow
+      - uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+
+      - name: Check if version is bumped
+        id: check
+        uses: EndBug/version-check@v2
+        with:
+          # Search every commit's diff, not just the commit message. This catches
+          # version bumps that aren't mentioned in the commit message.
+          diff-search: true
+          file-name: apps/techlabblog/package.json
+
+  # Builds the techlabblog image and pushes it to DockerHub. Always tagged with
+  # the git SHA. When the version is bumped, also tagged with the semver and
+  # `latest` — all three pushed in a single bake invocation.
+  #
+  # Tag strategy:
+  #   codeforafrica/techlabblog:<sha>      — every push (immutable, for tracing)
+  #   codeforafrica/techlabblog:<version>  — version bump only (immutable, for releases)
+  #   codeforafrica/techlabblog:latest     — version bump only (mutable, for convenience)
+  #
+  # NEXT_PUBLIC_* vars are baked into the JS bundle at build time and cannot
+  # be changed by restarting the container. Configure them as GitHub Variables
+  # (Settings > Variables > Actions) rather than secrets since they are public
+  # by definition (they ship to the browser).
+  #
+  # Required GitHub Variables:
+  #   TECHLABBLOG_SENTRY_DSN    — public Sentry DSN (safe to use vars, not secrets)
+  #
+  # Required GitHub Secrets (for Sentry source map upload during build):
+  #   SENTRY_AUTH_TOKEN, SENTRY_ORG, TECHLABBLOG_SENTRY_PROJECT
+  #
+  # TODO: Set BASE_TAG below to a published base image version (e.g. v3) once
+  # base images are built and pushed via build-base-images.yml. Until then,
+  # base images are built inline (slower but correct).
+  build:
+    needs: version-check
+    uses: ./.github/workflows/bake-and-push.yml
+    with:
+      target: techlabblog
+      tag: ${{ github.sha }}
+      # base_tag: v3
+      set: |
+        techlabblog.args.NEXT_PUBLIC_SENTRY_DSN=${{ vars.TECHLABBLOG_SENTRY_DSN }}
+        ${{ needs.version-check.outputs.changed == 'true' && format('techlabblog.tags[]=codeforafrica/techlabblog:{0}', needs.version-check.outputs.version) || '' }}
+        ${{ needs.version-check.outputs.changed == 'true' && 'techlabblog.tags[]=codeforafrica/techlabblog:latest' || '' }}
+    secrets:
+      DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
+      DOCKER_HUB_ACCESS_TOKEN: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+      SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+      SENTRY_PROJECT: ${{ secrets.TECHLABBLOG_SENTRY_PROJECT }}
+
+  # TODO: No DEV Dokku app exists for techlabblog yet.
+  # Enable this job (remove `if: false`) when the app is created on ui-1.dev
+  # and update the git_remote_url below.
+  deploy-dev:
+    if: false
+    needs: build
+    uses: ./.github/workflows/push-to-dokku.yml
+    with:
+      git_remote_url: "ssh://azureuser@ui-1.dev.codeforafrica.org/techlabblog-ui"
+      deploy_docker_image: "codeforafrica/techlabblog:${{ github.sha }}"
+    secrets: inherit
+
+  # Deploys to production when the package.json version is bumped.
+  # Both version-check and build must pass before this job runs.
+  deploy-prod:
+    needs: [version-check, build]
+    if: needs.version-check.outputs.changed == 'true'
+    uses: ./.github/workflows/push-to-dokku.yml
+    with:
+      git_remote_url: "ssh://dokku@ui-2.prod.codeforafrica.org/techlabblog-ui"
+      deploy_docker_image: "codeforafrica/techlabblog:${{ needs.version-check.outputs.version }}"
+    secrets: inherit
@@ -37,7 +37,7 @@ roboshield:
 	./scripts/dc.sh roboshield
 
 techlabblog:
-	./scripts/dc.sh techlabblog
+	./scripts/bake-up.sh techlabblog
 
 trustlab:
 	./scripts/dc.sh trustlab