foundation/bootstrap/run.sh
Andreas Niemann dda83bdc87
All checks were successful
CI / preflight (push) Successful in 19s
CI / typecheck (push) Successful in 27s
feat(ci): baked CI image + runner config + self-check workflow (T14)
Stand up the foundation's own CI on its Forgejo runner. The committed scope here
is the self-contained half (toolchain + typecheck); the stack-state-dependent
pipelines (pulumi preview, backup-verify) need CI secrets + a state fetch and
land next.

- containers/ci-image/Dockerfile + VERSIONS IMAGE_CI: one baked image carrying
  exactly what preflight validates (pulumi/bun/node/docker/git/age/zstd/jq/vault/
  psql/mc). Built on the VM (like caddy-cloudflare) and used LOCALLY by the runner.
- runner.ts: give act_runner a config.yaml — container.network=foundation-net (so
  job containers reach foundation-forgejo:3000 for checkout + the data plane) and
  force_pull=false (use the local foundation-ci image, no registry). Self-heals on up.
- .forgejo/workflows/ci.yml: preflight (tools + versions vs VERSIONS pins) +
  typecheck (bun install + tsc --noEmit on bootstrap). Gates every push.
- run.sh / backup.sh / restore.sh / dr: take PULUMI_CONFIG_PASSPHRASE from env when
  set (CI secret), falling back to `pass` (operator) — so the scripts run pass-free
  in CI.

Reusable-workflows architecture (per the chosen direction) — the ecosystem CI
(semantic-release, docker/npm/bun builds, eslint/yamllint over the 999_testing.md
candidates) builds on this image + runner next phase.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-01 00:15:01 +02:00

31 lines
1.7 KiB
Bash
Executable file

#!/usr/bin/env bash
# Reproducible foundation deploy. Master passphrase = the single external secret.
set -euo pipefail
DIR="$(cd "$(dirname "$0")" && pwd)"
# Pin the backend PER-PROCESS via env — NEVER `pulumi login` (that mutates the
# GLOBAL backend pointer in ~/.pulumi and would misdirect other projects' run.sh).
export PULUMI_BACKEND_URL="file://${DIR}/state"
export PULUMI_CONFIG_PASSPHRASE="${PULUMI_CONFIG_PASSPHRASE:-$(pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE)}"
export SSH_PRIVATE_KEY_PATH="${SSH_PRIVATE_KEY_PATH:-${HOME}/.ssh/foundation-test_ed25519}"
cd "$DIR"
pulumi stack select foundation 2>/dev/null || pulumi stack init foundation
pulumi "$@"
# After a successful `up`, capture Vault's unseal keys + root token (emitted by the
# foundation-vault-init command as secret stack outputs) back into the
# passphrase-encrypted config (vaultCredentials:*). This is the proven
# olsitec-core/run.sh pattern and the ONE bootstrap secret that cannot live in
# Vault (CONTRACT_002 §2.4). Idempotent: only writes when the value actually
# changes, so Pulumi.foundation.yaml is not churned on every deploy.
if [ "${1:-}" = "up" ]; then
uk=$(pulumi stack output vaultUnsealKeys --show-secrets 2>/dev/null || true)
rt=$(pulumi stack output vaultRootToken --show-secrets 2>/dev/null || true)
if [ -n "$uk" ] && [ -n "$rt" ]; then
cur=$(pulumi config get vaultCredentials:unsealKeys 2>/dev/null || true)
if [ "$cur" != "$uk" ]; then
pulumi config set vaultCredentials:unsealKeys --secret "$uk"
pulumi config set vaultCredentials:rootToken --secret "$rt"
echo "run.sh: captured Vault unseal keys + root token into encrypted config"
fi
fi
fi