feat: WE V2 build (#242)

Closes: DEVP-221

This is a workaround to be able to build WEv2 projects from World CLI
using the `world build` command. It uses a new ARGUS_WEV2_GITHUB_TOKEN
environment variable to be able to pull from the go-ecs private repo for
dependencies, which is not a long term solution.

<!---
Add a prefix to indicate what kind of release this pull request
corresponds to:
  feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert
--->

## Overview

> Description of the overall background and high-level changes that this
PR introduces

<!---
Example: This pull request improves documentation of area A by adding
...
--->

## Brief Changelog

<!---
Example:
- The metadata is stored in the blob store on job creation time as a
persistent artifact
- Deployments RPC transmits only the blob storage reference
- Daemons retrieve the RPC data from the blob cache
--->

## Testing and Verifying

<!---
Pick one of the following options:

- This change is a trivial rework/code cleanup without any test
coverage.

- This change is already covered by existing tests, such as <describe
test>.

- This change added tests and can be verified as follows:
    - Added unit test that validates ...
    - Added integration tests for end-to-end deployment with ...
    - Extended integration test for ...
    - Manually verified the change by ...
--->

<!-- greptile_comment -->

## Greptile Summary

Implements a temporary workaround for building WE V2 projects via World
CLI by adding GitHub token authentication and modifying build processes.

- Modified `common/docker/client_image.go` to support private repo
access by adding SSH keys and GitHub token handling
- Updated `common/docker/service/cardinal.Dockerfile` to use GitHub
token auth and removed debug build stage
- Changed `cmd/world/cardinal/build.go` to create default config when
none exists, with infinite build timeout
- Disabled parallel test execution in `cmd_setup_test.go` to prevent
race conditions
- Security concern: SSH keys are being copied into Docker build context,
which requires careful handling



<!-- /greptile_comment -->

---------

Co-authored-by: Test User <test@example.com>
Co-authored-by: Ed Zavada <edmund@argus.gg>

Author: 3 people

cmd/world/cardinal/build.go

@@ -3,6 +3,7 @@ package cardinal
 import (
 	"context"
 	"fmt"
+	"os"
 
 	"github.com/docker/docker/api/types/registry"
 	"github.com/rotisserie/eris"
@@ -18,7 +19,25 @@ import (
 func (h *Handler) Build(ctx context.Context, f models.BuildCardinalFlags) error {
 	cfg, err := config.GetConfig(&f.Config)
 	if err != nil {
-		return err
+		// No config file found, create a default config
+		printer.Infoln("No config file found, creating a default config")
+
+		// Get current working directory for Cardinal v2 projects
+		cwd, err := os.Getwd()
+		if err != nil {
+			return eris.Wrap(err, "Failed to get current working directory")
+		}
+
+		// Create a default config
+		cfg = &config.Config{
+			RootDir:   cwd,
+			GameDir:   cwd,
+			Detach:    false,
+			Build:     true,
+			DockerEnv: make(map[string]string),
+		}
+
+		cfg.DockerEnv[DockerCardinalEnvLogLevel] = zerolog.DebugLevel.String()
 	}
 	cfg.Timeout = -1
 
@@ -50,6 +69,12 @@ func (h *Handler) Build(ctx context.Context, f models.BuildCardinalFlags) error
 	printer.Infoln("Building Cardinal game shard image...")
 	printer.Infoln("This may take a few minutes.")
 
+	// Set the namespace
+	if cfg.DockerEnv["CARDINAL_NAMESPACE"] == "" {
+		cfg.DockerEnv["CARDINAL_NAMESPACE"] = "defaultnamespace"
+	}
+	printer.Infof("Namespace: %s\n", cfg.DockerEnv["CARDINAL_NAMESPACE"])
+
 	group, groupCtx := errgroup.WithContext(ctx)
 
 	// Create docker client

cmd/world/internal/controllers/cmd_setup/cmd_setup_test.go

@@ -59,7 +59,7 @@ func TestSetupCommandSuite(t *testing.T) {
 
 // TestLoginScenarios tests various login scenarios.
 func (s *SetupCommandSuite) TestLoginScenarios() {
-	s.T().Parallel()
+	// s.T().Parallel()
 
 	testCases := []struct {
 		name           string
@@ -161,7 +161,7 @@ func (s *SetupCommandSuite) TestLoginScenarios() {
 
 // TestHandleOrganizationInvitationsAcceptInvitation tests accepting organization invitations.
 func (s *SetupCommandSuite) TestHandleOrganizationInvitationsAcceptInvitation() {
-	s.T().Parallel()
+	// s.T().Parallel()
 	controller, mockAPI, mockConfig, mockInput, mockRepo, mockOrgHandler, mockProjectHandler := s.createTestController()
 	ctx := context.Background()
 
@@ -311,7 +311,7 @@ func (s *SetupCommandSuite) TestRepoLookupSuccess() {
 
 // TestRepoLookupNotLoggedIn tests repository lookup when user is not logged in.
 func (s *SetupCommandSuite) TestRepoLookupNotLoggedIn() {
-	s.T().Parallel()
+	// s.T().Parallel()
 	controller, mockAPI, mockConfig, mockInput, mockRepo, mockOrgHandler, mockProjectHandler := s.createTestController()
 	ctx := context.Background()
 
@@ -343,7 +343,7 @@ func (s *SetupCommandSuite) TestRepoLookupNotLoggedIn() {
 
 // TestNeedOrgDataNoOrgsCreateNew tests creating a new organization when none exist.
 func (s *SetupCommandSuite) TestNeedOrgDataNoOrgsCreateNew() {
-	s.T().Parallel()
+	// s.T().Parallel()
 	controller, mockAPI, mockConfig, mockInput, mockRepo, mockOrgHandler, mockProjectHandler := s.createTestController()
 	ctx := context.Background()
 
@@ -777,7 +777,7 @@ func (s *SetupCommandSuite) TestRepoLookupNewProjectDiscovered() {
 
 // TestOrganizationInvitationScenarios tests organization invitation handling.
 func (s *SetupCommandSuite) TestOrganizationInvitationScenarios() {
-	s.T().Parallel()
+	// s.T().Parallel()
 
 	testCases := []struct {
 		name         string
@@ -852,7 +852,7 @@ func (s *SetupCommandSuite) TestOrganizationInvitationScenarios() {
 
 // TestOrganizationDataScenarios tests organization data handling scenarios.
 func (s *SetupCommandSuite) TestOrganizationDataScenarios() {
-	s.T().Parallel()
+	// s.T().Parallel()
 
 	testCases := []struct {
 		name          string
@@ -1004,7 +1004,7 @@ func (s *SetupCommandSuite) TestOrganizationDataScenarios() {
 
 // TestProjectDataScenarios tests project data handling scenarios.
 func (s *SetupCommandSuite) TestProjectDataScenarios() {
-	s.T().Parallel()
+	// s.T().Parallel()
 
 	testCases := []struct {
 		name              string
@@ -1199,7 +1199,7 @@ func (s *SetupCommandSuite) TestProjectDataScenarios() {
 
 // TestExistingDataScenarios tests existing data handling scenarios.
 func (s *SetupCommandSuite) TestExistingDataScenarios() {
-	s.T().Parallel()
+	// s.T().Parallel()
 
 	testCases := []struct {
 		name              string

common/docker/client_image.go

@@ -147,10 +147,19 @@ func (c *Client) buildImage(ctx context.Context, dockerService service.Service)
 	// Read the tar archive
 	tarReader := bytes.NewReader(buf.Bytes())
 
+	sourcePath := "."
+	githubToken := os.Getenv("ARGUS_WEV2_GITHUB_TOKEN")
+	if githubToken == "" {
+		return nil, eris.New("ARGUS_WEV2_GITHUB_TOKEN is not set")
+	}
 	buildOptions := build.ImageBuildOptions{
 		Dockerfile: "Dockerfile",
 		Tags:       []string{dockerService.Image},
 		Target:     dockerService.BuildTarget,
+		BuildArgs: map[string]*string{
+			"SOURCE_PATH":  &sourcePath,
+			"GITHUB_TOKEN": &githubToken,
+		},
 	}
 
 	if service.BuildkitSupport {
@@ -178,9 +187,10 @@ func (c *Client) addFileToTarWriter(baseDir string, tw *tar.Writer) error {
 		if err != nil {
 			return eris.Wrapf(err, "Failed to get relative path %s", path)
 		}
-		// Skip files that are not world.toml or inside the cardinal directory
-		if info.Name() != "world.toml" && !strings.HasPrefix(filepath.ToSlash(relPath), "cardinal/") {
-			return nil
+
+		// Skip .git directory and all files inside it
+		if info.Name() == ".git" {
+			return filepath.SkipDir
 		}
 
 		// Create a tar header for the file or directory

common/docker/client_internal_test.go

@@ -211,6 +211,11 @@ func TestStartUndetach(t *testing.T) {
 func TestBuild(t *testing.T) {
 	t.Parallel()
 
+	// Skip test if GitHub token is not available
+	if os.Getenv("ARGUS_WEV2_GITHUB_TOKEN") == "" {
+		t.Skip("Skipping build test - ARGUS_WEV2_GITHUB_TOKEN not set")
+	}
+
 	namespace := getUniqueNamespace(t)
 
 	// Create a temporary directory

common/docker/client_util.go

@@ -32,7 +32,7 @@ func checkBuildkitSupport(cli *client.Client) bool {
 		return false
 	}
 
-	// Check if DOCKER_BUILDKIT environment variable is set to 1
+	// Always return true to enable BuildKit (or check environment variable)
 	buildKitEnv := os.Getenv("DOCKER_BUILDKIT")
-	return buildKitEnv == "1"
+	return buildKitEnv == "1" || buildKitEnv == ""
 }

common/docker/service/cardinal.Dockerfile

@@ -1,61 +1,39 @@
 ################################
 # Build Image - Normal
 ################################
-FROM golang:1.24-bookworm AS build
+FROM golang:1.24 AS build
+
+ARG SOURCE_PATH
+ARG GITHUB_TOKEN
 
 WORKDIR /go/src/app
 
-# Copy the go module files and download the dependencies
-# We do this before copying the rest of the source code to avoid
-# having to re-download the dependencies every time we build the image
-COPY /cardinal/go.mod /cardinal/go.sum ./
-RUN go mod download
+# Set Go environment variables for private repositories
+ENV GOPRIVATE=github.com/argus-labs/*,pkg.world.dev/*
+
+# Configure git to use HTTPS with GitHub token
+RUN --mount=type=secret,id=github_token \
+    git config --global url."https://$(cat /run/secrets/github_token):x-oauth-basic@github.com/".insteadOf "https://github.com/"
+
+# Copy the entire source code
+COPY /${SOURCE_PATH} ./
+
+# Download dependencies
+RUN go mod tidy
 
 # Set the GOCACHE environment variable to /root/.cache/go-build to speed up build
 ENV GOCACHE=/root/.cache/go-build
 
-# Copy the rest of the source code and build the binary
-COPY /cardinal ./
+# Build the binary
 RUN --mount=type=cache,target="/root/.cache/go-build" go build -v -o /go/bin/app
 
 ################################
 # Runtime Image - Normal
 ################################
 FROM gcr.io/distroless/base-debian12 AS runtime
 
-# Copy world.toml to the image
-COPY world.toml world.toml
-
 # Copy the binary from the build image
 COPY --from=build /go/bin/app /usr/bin
 
 # Run the binary
-CMD ["app"]
-
-################################
-# Runtime Image - Debug
-################################
-FROM golang:1.24-bookworm AS runtime-debug
-
-WORKDIR /go/src/app
-
-# Install delve
-RUN go install github.com/go-delve/delve/cmd/dlv@latest
-
-# Copy the go module files and download the dependencies
-# We do this before copying the rest of the source code to avoid
-# having to re-download the dependencies every time we build the image
-COPY /cardinal/go.mod /cardinal/go.sum ./
-RUN go mod download
-
-# Set the GOCACHE environment variable to /root/.cache/go-build to speed up build
-ENV GOCACHE=/root/.cache/go-build
-
-# Copy the rest of the source code and build the binary with debugging symbols
-COPY /cardinal ./
-RUN --mount=type=cache,target="/root/.cache/go-build" go build -gcflags="all=-N -l" -v -o /usr/bin/app
-
-# Copy world.toml to the image
-COPY world.toml world.toml
-
-CMD ["dlv", "--listen=:40000", "--headless=true", "--api-version=2", "--accept-multiclient", "exec", "/usr/bin/app"]
+CMD ["app"]

common/docker/service/cardinal.go

@@ -3,16 +3,27 @@ package service
 import (
 	_ "embed"
 	"fmt"
-	"strings"
 
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/go-connections/nat"
 	"pkg.world.dev/world-cli/common/config"
 )
 
 const (
-	// mountCache is the Docker mount command to cache the go build cache.
-	mountCacheScript = `--mount=type=cache,target="/root/.cache/go-build"`
+// mountCache is the Docker mount command to cache the go build cache.
+// mountCacheScript = `--mount=type=cache,target="/root/.cache/go-build"`
+// mountSecret is the Docker mount command for GitHub token secret.
+// mountSecretScript = `--mount=type=secret,id=github_token`
+// gitConfigWithSecret is the git config command that uses the secret mount.
+//
+//	gitConfigWithSecret = `RUN --mount=type=secret,id=github_token \
+//	  git config --global \
+//	  url."https://$(cat /run/secrets/github_token):x-oauth-basic@github.com/".insteadOf "https://github.com/"`
+//
+// gitConfigWithEnv is the git config command that uses environment variable.
+//
+//	gitConfigWithEnv = `RUN git config --global \
+//	  url."https://${GITHUB_TOKEN}:x-oauth-basic@github.com/".insteadOf "https://github.com/"`
 )
 
 //nolint:gochecknoglobals // dockerfileContent is embedded at compile time and is read-only
@@ -36,7 +47,11 @@ func Cardinal(cfg *config.Config) Service {
 
 	dockerfile := dockerfileContent
 	if !BuildkitSupport {
-		dockerfile = strings.ReplaceAll(dockerfile, mountCacheScript, "")
+		// dockerfile = strings.ReplaceAll(dockerfile, mountCacheScript, "")
+		// dockerfile = strings.ReplaceAll(dockerfile, gitConfigWithSecret, gitConfigWithEnv)
+		// (not recommended) uncomment the lines above and comment out the panic if you want to support insecure builds
+		// without BuildKit. Insecure because this embeds the GitHub token value in the image layers
+		panic("BuildKit is required to build the Cardinal image. Please enable BuildKit in your Docker configuration.")
 	}
 
 	// Set env variables