docs(session): focus HANDOVER on T14-remainder then 999_testing ecosystem CI
All checks were successful
CI / preflight (push) Successful in 5s
CI / typecheck (push) Successful in 13s

Sharpen the living handover for the next context: concrete starting points +
pre-surfaced blockers/decisions for (1) the stack-state-dependent CI pipelines
(state-fetch-from-RustFS + Forgejo Actions secrets) and (2) the 999_testing
ecosystem CI (reusable workflows, build matrix over the 5 candidates,
semantic-release bump tests, eslint/yamllint, R5 runner-fencing first).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Andreas Niemann 2026-07-01 00:28:57 +02:00
parent eb005d5ca6
commit 430c55cdf6

View file

@ -48,17 +48,45 @@ on its runner (`.forgejo/workflows/ci.yml`: preflight + typecheck, in the baked
- Don't `pulumi up` the `provision` stack against the LIVE VM (it would recreate the server — cloud-init
changes only affect fresh provisions).
## Next work — pick up from SESSION_2026-07-01_001 "Known gaps"
1. **T14 remainder (state-dependent CI)**`pulumi preview` + weekly `backup-verify` workflows. Resolve the
blocker first: `bootstrap/state/` is gitignored, so CI has no stack state. Either fetch state from RustFS
in-job (the bundle carries `pulumi-state.json`; or push a dedicated `pulumi stack export` to RustFS each
`up`), then set Forgejo Actions secrets (`PULUMI_CONFIG_PASSPHRASE`, the SSH key, RustFS/offsite creds).
2. **Ecosystem CI (999_testing.md)** — reusable Forgejo workflows (chosen architecture) for docker/npm/bun
builds, semantic-release bump tests, eslint + yamllint, exercised against the 5 candidate repos. Extend
the CI image (shellcheck/eslint/yamllint/semantic-release) or add a sibling image.
3. **T15**`index.ts` orchestration polish + Gate A/B comments + `docs/DAY-ZERO-TIMELINE.md`.
4. **Hardening** — pin floating refs (`IMAGE_REGISTRY` PIN_DIGEST, `IMAGE_RUSTFS` `latest`, `IMAGE_CI` tag);
fence the runner to a separate privileged VM (R5); register in Olsitec MCP (D6); Stage-2 publish
`packages/pulumi-*`.
## Next work — THIS session: (1) finish T14, then (2) the 999_testing ecosystem CI
Validate each task live on the VM via `./run.sh up` (and the runner for CI), and commit per task.
T14-core already shipped: the baked `foundation-ci` image, the runner `config.yaml`
(`container.network=foundation-net`, `force_pull=false`), and `.forgejo/workflows/ci.yml`
(preflight + typecheck, **green**). Build on exactly that.
### 1. T14 remainder — the stack-state-dependent pipelines
Author `pulumi-preview` (on push/PR) and `backup-verify` (weekly `schedule`) workflows.
**Blocker to solve first:** `bootstrap/state/` is gitignored, so a CI checkout has NO Pulumi
stack state — `pulumi`/`backup` scripts can't `pulumi config get` or `stack select`.
- **Recommended fix:** in `bootstrap/run.sh`, after a successful `up`, also `pulumi stack export`
and `mc cp` it to a dedicated RustFS object (secrets stay passphrase-encrypted within). The CI
job pulls it → `pulumi stack import``pulumi preview`. (Alternative: import the latest backup
bundle's `pulumi-state.json`, but that needs the age identity in CI — avoid.)
- **Forgejo Actions secrets** (set via the admin API, repo or org scope): `PULUMI_CONFIG_PASSPHRASE`,
the operator SSH key (write to a file + `SSH_PRIVATE_KEY_PATH`), and RustFS/offsite creds. The
scripts already read the passphrase from env and the key from `SSH_PRIVATE_KEY_PATH`.
- Jobs: `runs-on: docker` + `container: foundation-ci:latest`. preview should be read-only; gate any
`up` behind `workflow_dispatch` (never auto-`up` live infra from CI).
- Validate: push → both jobs green on the runner. `backup-verify` = `backup.sh` then `restore.sh <ts> off`.
### 2. Ecosystem CI — the `999_testing.md` acceptance plan (architecture: REUSABLE workflows)
Reusable Forgejo workflows in THIS repo (`uses: olsitec/foundation/.forgejo/workflows/<x>.yml@master`,
`on: workflow_call`) that each project references. Cover, per `999_testing.md`:
- **Build matrix** (5 named candidate repos — paths in the doc): docker-no-npm
(`seaspots/services/seaspots-homepage`), npm pkg (`olsitec-nci/lib/olsicrypto`), bun pkg
(`olsitec-nci/lib/document-engine`), non-artifact versioned (`olsitrack2/api`), docker+npm
(`olsitrack2/services/token-service`, depends on olsicrypto).
- **semantic-release** bump tests: init→`1.0.0`, `feat`→minor, `fix`/`chore`→patch, `feat!`→major,
`BREAKING CHANGE`→major. (Olsitec uses Conventional Commits + semantic-release-monorepo.)
- **Linters**: an eslint error and a yamllint error must each fail the job (non-zero exit).
- **Toolchain**: extend `containers/ci-image/Dockerfile` (or add a sibling `ci-node` image) with
`shellcheck`, `eslint`, `yamllint`, `semantic-release`; re-pin in `VERSIONS`.
- **DO THIS FIRST (R5):** the runner still holds the host Docker socket (root-equivalent). **Fence it
to a separate privileged VM before running any untrusted/ecosystem candidate**, or scope what runs.
### Later (after the above)
- **T15**`index.ts` orchestration polish + Gate A/B comments + `docs/DAY-ZERO-TIMELINE.md`.
- **Hardening** — pin floating refs (`IMAGE_REGISTRY` PIN_DIGEST, `IMAGE_RUSTFS` `latest`, `IMAGE_CI` tag);
register in Olsitec MCP (D6); Stage-2 publish `packages/pulumi-*`.
Validate each task live (VM `./run.sh up` + the runner for CI) and commit per task.