1.2.7

Fix YAML indentation (on:/jobs: were nested under name:), correct
image name from shcizo/myapp to shcizo/pdga-rating, switch registry
auth from GITEA_TOKEN to PACKAGES_TOKEN (auto-injected token lacks
effective registry access), and add packages:write permission.

Remove docker-build.yml since deploy.yml now covers build + push +
deploy in one workflow — previously both triggered on tag push and
raced for the same image tags.

.gitea/workflows/deploy.yml

@@ -0,0 +1,42 @@
+name: Build and deploy
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to Gitea registry
+        uses: docker/login-action@v3
+        with:
+          registry: gitea.shcizo.se
+          username: ${{ gitea.actor }}
+          password: ${{ secrets.PACKAGES_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            gitea.shcizo.se/shcizo/pdga-rating:${{ gitea.ref_name }}
+            gitea.shcizo.se/shcizo/pdga-rating:latest
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: [build-and-push]
+    steps:
+      - uses: https://gitea.shcizo.se/shcizo/package-updater-action@v1
+        with:
+          endpoint: https://updater.shcizo.se/update
+          image: gitea.shcizo.se/shcizo/pdga-rating
+          tag: ${{ gitea.ref_name }}
+          token: ${{ secrets.UPDATER_API_KEY }}

.gitea/workflows/docker-build.yml

@@ -1,37 +0,0 @@
-name: Docker Build
-
-on:
-  push:
-    tags:
-      - 'v*'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: docker/login-action@v3
-        with:
-          registry: gitea.shcizo.se
-          username: ${{ gitea.actor }}
-          password: ${{ secrets.PACKAGES_TOKEN }}
-
-      - uses: docker/metadata-action@v5
-        id: meta
-        with:
-          images: gitea.shcizo.se/shcizo/pdga-rating
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=raw,value=latest
-
-      - uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}

CLAUDE.md

@@ -11,7 +11,7 @@ PDGA rating scraper and display app. Scrapes player ratings and course data from
 - **Frontend:** HTMX + vanilla JS (in `public/js/`)
 - **Scraping:** Puppeteer (with stealth plugin) + direct HTTP
 - **Logging:** Pino (JSON in production, pino-pretty in dev)
-- **CI/CD:** Gitea Actions (tag-triggered docker build/push to `gitea.shcizo.se/shcizo/pdga-rating`)
+- **CI/CD:** Gitea Actions (tag-triggered build + push + deploy via `.gitea/workflows/deploy.yml`)
 
 ## Project Structure
 
@@ -46,7 +46,7 @@ public/
 - **Logging:** Use `require('./logger')` (or relative path). Never use `console.log/error` in backend code. Use appropriate Pino levels: `debug` for verbose/diagnostic data, `info` for operational status, `warn` for retries/degraded state, `error` for failures, `fatal` for startup crashes.
 - **Frontend JS:** `console.error` is fine in `public/js/` — runs in browser, no Pino.
 - **Commits:** Conventional commits (`feat:`, `fix:`, `refactor:`, `chore:`, `ci:`).
-- **Releases:** Manual version bump — edit `version` in `package.json` + `package-lock.json`, commit as `<version>`, tag `v<version>`, push commit + tag (`git push origin main v<version>`). Triggers `.gitea/workflows/docker-build.yml` which builds and pushes the image. Auth uses repo secret `PACKAGES_TOKEN` (PAT with `write:package`) — the auto-injected `GITEA_TOKEN` does not have effective registry access.
+- **Releases:** Manual version bump — edit `version` in `package.json` + `package-lock.json`, commit as `<version>`, tag `v<version>`, push commit + tag (`git push origin main v<version>`). Triggers `.gitea/workflows/deploy.yml` which (1) builds and pushes the image to `gitea.shcizo.se/shcizo/pdga-rating:<tag>` + `:latest`, then (2) calls `package-updater-action` against `updater.shcizo.se/update` to roll out the new image. Required secrets: `PACKAGES_TOKEN` (PAT with `write:package`, for registry auth — the auto-injected `GITEA_TOKEN` does not have effective registry access) and `UPDATER_API_KEY` (for the updater endpoint). The action repo `shcizo/package-updater-action` is referenced via full Gitea URL (`https://gitea.shcizo.se/...`) since `uses:` defaults to GitHub.
 - **Scraping:** Two strategies per entity: direct HTTP (fast, preferred) with Puppeteer fallback (stealth plugin for anti-bot). Rate limiting must be respected.
 - **Database:** Migrations run automatically on startup in `db.js`. Schema changes go there.
 - **Templates:** EJS with shared layout in `views/partials/`. Pages use HTMX for dynamic content loading.

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "pdga-ratings",
-  "version": "1.2.3",
+  "version": "1.2.7",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "pdga-ratings",
-      "version": "1.2.3",
+      "version": "1.2.7",
       "dependencies": {
         "ejs": "^4.0.1",
         "express": "^4.18.2",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "pdga-ratings",
-  "version": "1.2.3",
+  "version": "1.2.7",
   "description": "PDGA rating scraper and display",
   "main": "server.js",
   "scripts": {