foundation/.forgejo/workflows/reusable-docker-build.yml
Andreas Niemann f9aecf1b18
feat(ci): reusable ecosystem workflows + selftest (999_testing)
The ecosystem-CI architecture: reusable Forgejo workflows (on: workflow_call)
that downstream repos reference as
`uses: olsitec/foundation/.forgejo/workflows/<x>.yml@master`.

- reusable-node-build.yml: install + build for npm/bun/none — covers the npm
  package (olsicrypto), bun package (document-engine), and no-artifact versioned
  (olsitrack/api) shapes.
- reusable-docker-build.yml: docker build via the host socket (R5: trusted repos
  only until the runner is fenced) — the seaspots-homepage / token-service shape.
- reusable-lint.yml: eslint + yamllint gate (either error → job non-zero).
- reusable-semantic-release.yml: conventionalcommits-preset version probe (dry-run),
  faithful to the GitLab template; outputs the computed next version. Real Forgejo
  publishing deferred (no @semantic-release/forgejo analogue yet).

- ecosystem-selftest.yml + ci/semantic-release-bumptest.sh: self-contained proof
  on the runner of the 999_testing acceptance criteria that need no external repo —
  the semantic-release bump sequence (1.0.0→1.1.0→1.1.1→2.0.0→3.0.0) and the
  eslint/yamllint non-zero-exit gates. Validated in a foundation-ci container.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-01 01:03:56 +02:00


# reusable-docker-build — build a Docker image (999_testing candidates C1/C5).
#
# A REUSABLE workflow (on: workflow_call) downstream repos call:
# jobs:
#   image:
#     uses: olsitec/foundation/.forgejo/workflows/reusable-docker-build.yml@master
#     with: { image: "olsitec/seaspots-homepage:ci", push: false }
#
# Builds against the HOST Docker daemon via the mounted socket (the foundation-ci
# image ships the docker CLI; the runner's valid_volumes allows the mount). NOTE
# (R5): the host socket is root-equivalent on the forge VM — this is acceptable
# ONLY for trusted first-party repos until the runner is fenced to its own VM.
#
# Candidates C1 (seaspots-homepage) and C5 (token-service) depend on @olsitec
# packages from a private registry that is not published yet (Stage-2). Their real
# builds need a registry / npmrc; this workflow proves the docker-build path and
# accepts a `build-args`/`npmrc` hook for when the registry exists.
name: reusable-docker-build
on:
  workflow_call:
    inputs:
      context:
        type: string
        default: "."
      dockerfile:
        type: string
        default: "Dockerfile"
      image:
        description: "image ref to tag, e.g. name:tag"
        type: string
        required: true
      build-args:
        description: "newline-separated KEY=VALUE docker --build-arg pairs"
        type: string
        default: ""
      push:
        description: "push to the foundation registry after build (registry must exist)"
        type: boolean
        default: false
jobs:
  image:
    runs-on: docker
    container:
      image: foundation-ci:latest
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock
    steps:
      - uses: actions/checkout@v4
      - name: Docker build
        run: |
          args=""
          if [ -n "${{ inputs.build-args }}" ]; then
            while IFS= read -r kv; do
              [ -z "$kv" ] && continue
              args="$args --build-arg $kv"
            done <<'EOF'
          ${{ inputs.build-args }}
          EOF
          fi
          echo "+ docker build -f ${{ inputs.dockerfile }} -t ${{ inputs.image }} $args ${{ inputs.context }}"
          docker build -f "${{ inputs.dockerfile }}" -t "${{ inputs.image }}" $args "${{ inputs.context }}"
      - name: Push
        if: ${{ inputs.push }}
        run: docker push "${{ inputs.image }}"
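The `build-args` loop in the workflow folds every pair into one unquoted `$args` string, so a value containing whitespace is split into extra words when `docker build` runs. The following is an added example, not code from the foundation repo, of the same parsing done with `set --` so each pair stays a single argument, plus a key check that rejects malformed lines; `valid_build_arg`, `docker_build_argv` and the sample input are hypothetical.

```sh
# Added example (hypothetical helper, not from the foundation repo): validate
# the newline-separated KEY=VALUE build-args and hand each one to docker as a
# single argv word instead of an unquoted $args string.

# Accept KEY=VALUE only when KEY is an identifier (letters, digits, underscore,
# not starting with a digit). A missing '=', an empty key or a key containing
# spaces is rejected, so a malformed line never becomes stray docker argv words.
valid_build_arg() {
  case "$1" in
    *=*) ;;
    *) return 1 ;;
  esac
  key=${1%%=*}
  case "$key" in
    ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  return 0
}

# Read KEY=VALUE lines from stdin and assemble the docker argv with `set --`,
# so a value such as "APP_TITLE=Seaspots Homepage" stays one word. Prints the
# argv one element per line (values cannot contain a newline, they were read
# line by line) and returns 2 on the first rejected line. Replace the final
# printf with "$@" to actually run the build.
docker_build_argv() {
  dockerfile=$1; image=$2; context=$3
  set -- docker build -f "$dockerfile" -t "$image"
  while IFS= read -r kv; do
    [ -z "$kv" ] && continue
    if ! valid_build_arg "$kv"; then
      printf 'rejected build-arg line: %s\n' "$kv" >&2
      return 2
    fi
    set -- "$@" --build-arg "$kv"
  done
  set -- "$@" "$context"
  printf '%s\n' "$@"
}

# Constructed sample input, shaped like the workflow's build-args hook.
sample_args='NPM_REGISTRY=https://registry.example.internal
NODE_ENV=production
APP_TITLE=Seaspots Homepage'

# Number of argv words produced for the sample: six for the docker command,
# two per build-arg, one for the context, i.e. 13.
argv_count() {
  printf '%s\n' "$sample_args" | docker_build_argv Dockerfile olsitec/seaspots-homepage:ci . | wc -l | tr -d ' '
}
```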