Adds the toolchain the reusable ecosystem workflows (999_testing) need, so
jobs don't install it per run: shellcheck + yamllint (apt), eslint (global),
and semantic-release with the conventionalcommits PRESET + @semantic-release/
git + changelog — the plugin set Olsitec's GitLab release template uses
(olsitec/gitlab ci_templates/release-automation/semantic-release.yaml). Pinned
in VERSIONS for traceability (NOT in preflight's up-gating tool set — these are
downstream-job tools, not foundation-deploy tools).
Rebuild the image on the VM after this change.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The baked foundation-ci image pinned pulumi 3.145, which rejects the
`packagemanager: bun` project option (bootstrap/Pulumi.yaml) with
"packagemanager option must be one of auto, npm, yarn or pnpm, got bun" —
so `pulumi preview` could not even load the program in CI. 3.149 is the
floor for bun support; pin 3.243 to match the operator's CLI line for
preview parity. Bump TOOL_PULUMI_MIN to the bun-support floor.
Rebuild the image on the VM after this change (force_pull:false uses the
local tag): scp the Dockerfile + `docker build -t foundation-ci:latest .`.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Stand up the foundation's own CI on its Forgejo runner. The committed scope here
is the self-contained half (toolchain + typecheck); the stack-state-dependent
pipelines (pulumi preview, backup-verify) need CI secrets + a state fetch and
land next.
- containers/ci-image/Dockerfile + VERSIONS IMAGE_CI: one baked image carrying
exactly what preflight validates (pulumi/bun/node/docker/git/age/zstd/jq/vault/
psql/mc). Built on the VM (like caddy-cloudflare) and used LOCALLY by the runner.
- runner.ts: give act_runner a config.yaml — container.network=foundation-net (so
job containers reach foundation-forgejo:3000 for checkout + the data plane) and
force_pull=false (use the local foundation-ci image, no registry). Self-heals on up.
- .forgejo/workflows/ci.yml: preflight (tools + versions vs VERSIONS pins) +
typecheck (bun install + tsc --noEmit on bootstrap). Gates every push.
- run.sh / backup.sh / restore.sh / dr: take PULUMI_CONFIG_PASSPHRASE from env when
set (CI secret), falling back to `pass` (operator) — so the scripts run pass-free
in CI.
Reusable-workflows architecture (per the chosen direction) — the ecosystem CI
(semantic-release, docker/npm/bun builds, eslint/yamllint over the 999_testing.md
candidates) builds on this image + runner next phase.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>