From feec130685f6ab742bdc4a12ba1af1cf3f26eb39 Mon Sep 17 00:00:00 2001
From: Hongming Wang <hongmingwang.rabbit@users.noreply.github.com>
Date: Thu, 16 Apr 2026 09:31:51 -0700
Subject: [PATCH] fix(ci): use Dockerfile.tenant for Fly registry image (Go +
 Canvas)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The publish workflow was pushing platform/Dockerfile (Go-only) to the
Fly registry, but tenant machines run the combined image (Go + Canvas
reverse proxy). This caused "canvas unavailable" after machine update.

Changes:
- Fly registry build: platform/Dockerfile → platform/Dockerfile.tenant
- GHCR: keeps Go-only image (for self-hosted/dev use)
- Path triggers: add canvas/** and manifest.json (tenant image includes both)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/publish-platform-image.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/publish-platform-image.yml b/.github/workflows/publish-platform-image.yml
index 11ee1aa7..10363226 100644
--- a/.github/workflows/publish-platform-image.yml
+++ b/.github/workflows/publish-platform-image.yml
@@ -12,6 +12,8 @@ on:
       # Only rebuild when something platform-relevant changes — saves GHA
       # minutes on docs-only / canvas-only / MCP-only PRs.
       - 'platform/**'
+      - 'canvas/**'
+      - 'manifest.json'
       - '.github/workflows/publish-platform-image.yml'
       # Templates now live in standalone repos — template changes no longer
       # trigger a platform rebuild. Use workflow_dispatch to manually rebuild
@@ -133,15 +135,15 @@ jobs:
             org.opencontainers.image.revision=${{ github.sha }}
             org.opencontainers.image.description=Molecule AI tenant platform (one instance per org)
 
-      - name: Build & push to Fly registry
-        # Continues even if GHCR push failed — `if: always()` ensures the
-        # private control plane's tenant-image mirror lands regardless of
-        # any GHCR-side flakiness.
+      - name: Build & push tenant image to Fly registry
+        # Tenant image = Go platform + Canvas (Next.js) in one container.
+        # Uses Dockerfile.tenant which includes the canvas build + reverse proxy.
+        # Continues even if GHCR push failed.
         if: always()
         uses: docker/build-push-action@v5
         with:
           context: .
-          file: ./platform/Dockerfile
+          file: ./platform/Dockerfile.tenant
           platforms: linux/amd64
           push: true
           tags: |
@@ -151,7 +153,7 @@ jobs:
           labels: |
             org.opencontainers.image.source=https://github.com/${{ github.repository }}
             org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.description=Molecule AI tenant platform (one instance per org)
+            org.opencontainers.image.description=Molecule AI tenant platform + canvas (one instance per org)
 
       - name: Install flyctl
         uses: superfly/flyctl-actions/setup-flyctl@master