refactor: no builds in Dockerfiles, CI builds all artifacts

Dockerfiles now only COPY pre-built artifacts:
- Dockerfile (SaaS): just COPY target/*.jar, no multi-stage build
- ui/sign-in/Dockerfile (Logto): just FROM logto + COPY dist/
- Removed docker/logto.Dockerfile (had node build stage)

CI pipeline builds everything:
- docker job: builds frontend, JAR, sign-in UI, then packages
  into images using the simple Dockerfiles
- Uses cameleer-build:1 (has node + maven + docker)
- build job: also builds sign-in UI for testing

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -27,7 +27,7 @@ jobs:
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-maven-
 
-      - name: Build Frontend
+      - name: Build SaaS frontend
         run: |
           cd ui
           echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc
@@ -42,21 +42,33 @@ jobs:
           mvn clean verify -B
           -Dsurefire.excludes="**/AuthControllerTest.java,**/TenantControllerTest.java,**/LicenseControllerTest.java,**/AuditRepositoryTest.java,**/CameleerSaasApplicationTest.java,**/EnvironmentControllerTest.java,**/AppControllerTest.java,**/DeploymentControllerTest.java,**/AgentStatusControllerTest.java"
 
+      - name: Build sign-in UI
+        run: |
+          cd ui/sign-in
+          echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc
+          npm ci
+          npm run build
+        env:
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+
   docker:
     needs: build
     runs-on: ubuntu-latest
     if: github.event_name == 'push'
     container:
-      image: gitea.siegeln.net/cameleer/cameleer-docker-builder:1
+      image: gitea.siegeln.net/cameleer/cameleer-build:1
       credentials:
         username: cameleer
         password: ${{ secrets.REGISTRY_TOKEN }}
     steps:
-      - name: Checkout
+      - uses: actions/checkout@v4
-        run: |
+
-          git clone --depth=1 --branch=${GITHUB_REF_NAME} https://cameleer:${REGISTRY_TOKEN}@gitea.siegeln.net/${GITHUB_REPOSITORY}.git .
+      - name: Cache Maven dependencies
-        env:
+        uses: actions/cache@v4
-          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-maven-
 
       - name: Login to registry
         run: echo "$REGISTRY_TOKEN" | docker login gitea.siegeln.net -u cameleer --password-stdin
@@ -80,25 +92,42 @@ jobs:
             echo "IMAGE_TAGS=branch-$SLUG" >> "$GITHUB_ENV"
           fi
 
-      - name: Set up QEMU for cross-platform builds
+      - name: Build SaaS frontend
-        run: docker run --rm --privileged gitea.siegeln.net/cameleer/binfmt:1 --install all
+        run: |
+          cd ui
+          echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc
+          npm ci
+          npm run build
+          cp -r dist/ ../src/main/resources/static/
+        env:
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build SaaS JAR
+        run: mvn package -DskipTests -B
+
+      - name: Build sign-in UI
+        run: |
+          cd ui/sign-in
+          echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc
+          npm ci
+          npm run build
+        env:
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Set up Docker buildx
+        run: |
+          docker buildx create --use --name cibuilder 2>/dev/null || true
 
       - name: Build and push SaaS image
         run: |
-          docker buildx create --use --name cibuilder
           TAGS="-t gitea.siegeln.net/cameleer/cameleer-saas:${{ github.sha }}"
           for TAG in $IMAGE_TAGS; do
             TAGS="$TAGS -t gitea.siegeln.net/cameleer/cameleer-saas:$TAG"
           done
           docker buildx build --platform linux/amd64 \
-            --build-arg REGISTRY_TOKEN="$REGISTRY_TOKEN" \
             $TAGS \
-            --cache-from type=registry,ref=gitea.siegeln.net/cameleer/cameleer-saas:buildcache \
-            --cache-to type=registry,ref=gitea.siegeln.net/cameleer/cameleer-saas:buildcache,mode=max \
             --provenance=false \
             --push .
-        env:
-          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Build and push Logto image
         run: |
@@ -107,12 +136,7 @@ jobs:
             TAGS="$TAGS -t gitea.siegeln.net/cameleer/cameleer-logto:$TAG"
           done
           docker buildx build --platform linux/amd64 \
-            --build-arg REGISTRY_TOKEN="$REGISTRY_TOKEN" \
+            -f ui/sign-in/Dockerfile \
-            -f docker/logto.Dockerfile \
             $TAGS \
-            --cache-from type=registry,ref=gitea.siegeln.net/cameleer/cameleer-logto:buildcache \
-            --cache-to type=registry,ref=gitea.siegeln.net/cameleer/cameleer-logto:buildcache,mode=max \
             --provenance=false \
-            --push .
+            --push ui/sign-in/
-        env:
-          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}

Dockerfile

@@ -1,30 +1,7 @@
-# syntax=docker/dockerfile:1
-
-# Frontend: runs natively on build host
-FROM --platform=$BUILDPLATFORM node:22-alpine AS frontend
-ARG REGISTRY_TOKEN
-WORKDIR /ui
-COPY ui/package.json ui/package-lock.json ui/.npmrc ./
-RUN echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc && npm ci
-COPY ui/ .
-RUN npm run build
-
-# Maven build: runs natively on build host (no QEMU emulation)
-FROM --platform=$BUILDPLATFORM eclipse-temurin:21-jdk-alpine AS build
-WORKDIR /build
-COPY .mvn/ .mvn/
-COPY mvnw pom.xml ./
-# Cache deps — only re-downloaded when POM changes
-RUN ./mvnw dependency:go-offline -B || true
-COPY src/ src/
-COPY --from=frontend /ui/dist/ src/main/resources/static/
-RUN ./mvnw package -DskipTests -B
-
-# Runtime: target platform (amd64)
 FROM eclipse-temurin:21-jre-alpine
 WORKDIR /app
 RUN addgroup -S cameleer && adduser -S cameleer -G cameleer
-COPY --from=build /build/target/*.jar app.jar
+COPY target/*.jar app.jar
 USER cameleer
 EXPOSE 8080
 ENTRYPOINT ["java", "-jar", "app.jar"]

docker/logto.Dockerfile

@@ -1,14 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# Build custom sign-in UI
-FROM --platform=$BUILDPLATFORM node:22-alpine AS sign-in
-ARG REGISTRY_TOKEN
-WORKDIR /ui
-COPY ui/sign-in/package.json ui/sign-in/package-lock.json ui/sign-in/.npmrc ./
-RUN echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc && npm ci
-COPY ui/sign-in/ .
-RUN npm run build
-
-# Custom Logto with baked-in sign-in UI
-FROM ghcr.io/logto-io/logto:latest
-COPY --from=sign-in /ui/dist/ /etc/logto/packages/experience/dist/

ui/sign-in/Dockerfile

@@ -0,0 +1,2 @@
+FROM ghcr.io/logto-io/logto:latest
+COPY dist/ /etc/logto/packages/experience/dist/