feat(ci): baked CI image + runner config + self-check workflow (T14)
Stand up the foundation's own CI on its Forgejo runner. The committed scope here is the self-contained half (toolchain + typecheck); the stack-state-dependent pipelines (pulumi preview, backup-verify) need CI secrets + a state fetch and land next. - containers/ci-image/Dockerfile + VERSIONS IMAGE_CI: one baked image carrying exactly what preflight validates (pulumi/bun/node/docker/git/age/zstd/jq/vault/ psql/mc). Built on the VM (like caddy-cloudflare) and used LOCALLY by the runner. - runner.ts: give act_runner a config.yaml — container.network=foundation-net (so job containers reach foundation-forgejo:3000 for checkout + the data plane) and force_pull=false (use the local foundation-ci image, no registry). Self-heals on up. - .forgejo/workflows/ci.yml: preflight (tools + versions vs VERSIONS pins) + typecheck (bun install + tsc --noEmit on bootstrap). Gates every push. - run.sh / backup.sh / restore.sh / dr: take PULUMI_CONFIG_PASSPHRASE from env when set (CI secret), falling back to `pass` (operator) — so the scripts run pass-free in CI. Reusable-workflows architecture (per the chosen direction) — the ecosystem CI (semantic-release, docker/npm/bun builds, eslint/yamllint over the 999_testing.md candidates) builds on this image + runner next phase. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
d807a45c79
commit
dda83bdc87
9 changed files with 125 additions and 6 deletions
32
.forgejo/workflows/ci.yml
Normal file
32
.forgejo/workflows/ci.yml
Normal file
|
|
@ -0,0 +1,32 @@
|
|||
# CI — foundation self-checks (T14). Runs on the foundation's own runner, in the
|
||||
# baked foundation-ci image (VERSIONS IMAGE_CI; force_pull:false → local image).
|
||||
# These two jobs are self-contained (checkout + toolchain only) — no stack state or
|
||||
# secrets needed, so they gate every push. The stack-state-dependent pipelines
|
||||
# (pulumi preview, backup-verify) live in their own files and need CI secrets +
|
||||
# a state fetch (see those workflows' headers).
|
||||
name: CI
|
||||
on:
|
||||
push:
|
||||
pull_request:
|
||||
|
||||
jobs:
|
||||
preflight:
|
||||
runs-on: docker
|
||||
container:
|
||||
image: foundation-ci:latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Toolchain preflight (tools present + >= VERSIONS pins)
|
||||
run: ./preflight/preflight.sh tools versions
|
||||
|
||||
typecheck:
|
||||
runs-on: docker
|
||||
container:
|
||||
image: foundation-ci:latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Install workspace deps
|
||||
run: bun install --frozen-lockfile || bun install
|
||||
- name: Typecheck bootstrap (tsc --noEmit)
|
||||
working-directory: bootstrap
|
||||
run: bunx tsc --noEmit
|
||||
Loading…
Add table
Add a link
Reference in a new issue