docs(session): focus HANDOVER on T14-remainder then 999_testing ecosystem CI
Sharpen the living handover for the next context: concrete starting points + pre-surfaced blockers/decisions for (1) the stack-state-dependent CI pipelines (state-fetch-from-RustFS + Forgejo Actions secrets) and (2) the 999_testing ecosystem CI (reusable workflows, build matrix over the 5 candidates, semantic-release bump tests, eslint/yamllint, R5 runner-fencing first).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent eb005d5ca6
commit 430c55cdf6
1 changed file with 41 additions and 13 deletions
@ -48,17 +48,45 @@ on its runner (`.forgejo/workflows/ci.yml`: preflight + typecheck, in the baked
|
|||
- Don't `pulumi up` the `provision` stack against the LIVE VM (it would recreate the server — cloud-init
|
||||
changes only affect fresh provisions).
|
||||
|
||||
## Next work — pick up from SESSION_2026-07-01_001 "Known gaps"
|
||||
1. **T14 remainder (state-dependent CI)** — `pulumi preview` + weekly `backup-verify` workflows. Resolve the
|
||||
blocker first: `bootstrap/state/` is gitignored, so CI has no stack state. Either fetch state from RustFS
|
||||
in-job (the bundle carries `pulumi-state.json`; or push a dedicated `pulumi stack export` to RustFS each
|
||||
`up`), then set Forgejo Actions secrets (`PULUMI_CONFIG_PASSPHRASE`, the SSH key, RustFS/offsite creds).
|
||||
2. **Ecosystem CI (999_testing.md)** — reusable Forgejo workflows (chosen architecture) for docker/npm/bun
|
||||
builds, semantic-release bump tests, eslint + yamllint, exercised against the 5 candidate repos. Extend
|
||||
the CI image (shellcheck/eslint/yamllint/semantic-release) or add a sibling image.
|
||||
3. **T15** — `index.ts` orchestration polish + Gate A/B comments + `docs/DAY-ZERO-TIMELINE.md`.
|
||||
4. **Hardening** — pin floating refs (`IMAGE_REGISTRY` PIN_DIGEST, `IMAGE_RUSTFS` `latest`, `IMAGE_CI` tag);
|
||||
fence the runner to a separate privileged VM (R5); register in Olsitec MCP (D6); Stage-2 publish
|
||||
`packages/pulumi-*`.
|
||||
## Next work — THIS session: (1) finish T14, then (2) the 999_testing ecosystem CI
|
||||
|
||||
Validate each task live on the VM via `./run.sh up` (and the runner for CI), and commit per task.
|
||||
T14-core already shipped: the baked `foundation-ci` image, the runner `config.yaml`
|
||||
(`container.network=foundation-net`, `force_pull=false`), and `.forgejo/workflows/ci.yml`
|
||||
(preflight + typecheck, **green**). Build on exactly that.
|
||||
|
||||
### 1. T14 remainder — the stack-state-dependent pipelines
|
||||
Author `pulumi-preview` (on push/PR) and `backup-verify` (weekly `schedule`) workflows.
|
||||
**Blocker to solve first:** `bootstrap/state/` is gitignored, so a CI checkout has NO Pulumi
|
||||
stack state — `pulumi`/`backup` scripts can't `pulumi config get` or `stack select`.
|
||||
- **Recommended fix:** in `bootstrap/run.sh`, after a successful `up`, also `pulumi stack export`
|
||||
and `mc cp` it to a dedicated RustFS object (secrets stay passphrase-encrypted within). The CI
|
||||
job pulls it → `pulumi stack import` → `pulumi preview`. (Alternative: import the latest backup
|
||||
bundle's `pulumi-state.json`, but that needs the age identity in CI — avoid.)
|
||||
- **Forgejo Actions secrets** (set via the admin API, repo or org scope): `PULUMI_CONFIG_PASSPHRASE`,
|
||||
the operator SSH key (write to a file + `SSH_PRIVATE_KEY_PATH`), and RustFS/offsite creds. The
|
||||
scripts already read the passphrase from env and the key from `SSH_PRIVATE_KEY_PATH`.
|
||||
- Jobs: `runs-on: docker` + `container: foundation-ci:latest`. preview should be read-only; gate any
|
||||
`up` behind `workflow_dispatch` (never auto-`up` live infra from CI).
|
||||
- Validate: push → both jobs green on the runner. `backup-verify` = `backup.sh` then `restore.sh <ts> off`.
|
||||
|
||||
### 2. Ecosystem CI — the `999_testing.md` acceptance plan (architecture: REUSABLE workflows)
|
||||
Reusable Forgejo workflows in THIS repo (`uses: olsitec/foundation/.forgejo/workflows/<x>.yml@master`,
|
||||
`on: workflow_call`) that each project references. Cover, per `999_testing.md`:
|
||||
- **Build matrix** (5 named candidate repos — paths in the doc): docker-no-npm
|
||||
(`seaspots/services/seaspots-homepage`), npm pkg (`olsitec-nci/lib/olsicrypto`), bun pkg
|
||||
(`olsitec-nci/lib/document-engine`), non-artifact versioned (`olsitrack2/api`), docker+npm
|
||||
(`olsitrack2/services/token-service`, depends on olsicrypto).
|
||||
- **semantic-release** bump tests: init→`1.0.0`, `feat`→minor, `fix`/`chore`→patch, `feat!`→major,
|
||||
`BREAKING CHANGE`→major. (Olsitec uses Conventional Commits + semantic-release-monorepo.)
|
||||
- **Linters**: an eslint error and a yamllint error must each fail the job (non-zero exit).
|
||||
- **Toolchain**: extend `containers/ci-image/Dockerfile` (or add a sibling `ci-node` image) with
|
||||
`shellcheck`, `eslint`, `yamllint`, `semantic-release`; re-pin in `VERSIONS`.
|
||||
- **DO THIS FIRST (R5):** the runner still holds the host Docker socket (root-equivalent). **Fence it
|
||||
to a separate privileged VM before running any untrusted/ecosystem candidate**, or scope what runs.
|
||||
|
||||
### Later (after the above)
|
||||
- **T15** — `index.ts` orchestration polish + Gate A/B comments + `docs/DAY-ZERO-TIMELINE.md`.
|
||||
- **Hardening** — pin floating refs (`IMAGE_REGISTRY` PIN_DIGEST, `IMAGE_RUSTFS` `latest`, `IMAGE_CI` tag);
|
||||
register in Olsitec MCP (D6); Stage-2 publish `packages/pulumi-*`.
|
||||
|
||||
Validate each task live (VM `./run.sh up` + the runner for CI) and commit per task.
|
||||
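Review bot: the ordering in this hunk has section 1 loading `PULUMI_CONFIG_PASSPHRASE`, the operator SSH key and the RustFS/offsite creds into Forgejo Actions secrets before the R5 item in section 2, yet section 2 itself states the runner still holds the host Docker socket (root-equivalent) and is not yet fenced. Every job scheduled on that runner, including the 5 ecosystem candidate repos the build matrix will check out and execute, runs with access to those secrets, so "DO THIS FIRST (R5)" should sit ahead of the secrets step in section 1 (or section 1 should say the secrets are not created until R5 is done), not at the end of the section-2 list. Two smaller points in the same hunk: the line "secrets stay passphrase-encrypted within" overstates what `pulumi stack export` protects, since only config values and outputs marked secret are encrypted and all other resource inputs/outputs land in the export in plaintext, so the RustFS object should be scoped to a read-only, CI-specific credential rather than the operator's; and `uses: olsitec/foundation/.forgejo/workflows/<x>.yml@master` is exactly the kind of floating ref the Hardening item wants pinned, so suggest `@<tag-or-sha>` there from the start.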