The ecosystem-CI architecture: reusable Forgejo workflows (on: workflow_call) that downstream repos reference as `uses: olsitec/foundation/.forgejo/workflows/<x>.yml@master`.

- reusable-node-build.yml: install + build for npm/bun/none — covers the npm package (olsicrypto), bun package (document-engine), and no-artifact versioned (olsitrack/api) shapes.
- reusable-docker-build.yml: docker build via the host socket (R5: trusted repos only until the runner is fenced) — the seaspots-homepage / token-service shape.
- reusable-lint.yml: eslint + yamllint gate (either error → job non-zero).
- reusable-semantic-release.yml: conventionalcommits-preset version probe (dry-run), faithful to the GitLab template; outputs the computed next version. Real Forgejo publishing deferred (no @semantic-release/forgejo analogue yet).
- ecosystem-selftest.yml + ci/semantic-release-bumptest.sh: self-contained proof on the runner of the 999_testing acceptance criteria that need no external repo — the semantic-release bump sequence (1.0.0→1.1.0→1.1.1→2.0.0→3.0.0) and the eslint/yamllint non-zero-exit gates.

Validated in a foundation-ci container.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
67 lines
2.3 KiB
YAML
# reusable-docker-build — build a Docker image (999_testing candidates C1/C5).
#
# A REUSABLE workflow (on: workflow_call) downstream repos call:
#   jobs:
#     image:
#       uses: olsitec/foundation/.forgejo/workflows/reusable-docker-build.yml@master
#       with: { image: "olsitec/seaspots-homepage:ci", push: false }
#
# Builds against the HOST Docker daemon via the mounted socket (the foundation-ci
# image ships the docker CLI; the runner's valid_volumes allows the mount). NOTE
# (R5): the host socket is root-equivalent on the forge VM — this is acceptable
# ONLY for trusted first-party repos until the runner is fenced to its own VM.
#
# Candidates C1 (seaspots-homepage) and C5 (token-service) depend on @olsitec
# packages from a private registry that is not published yet (Stage-2). Their real
# builds need a registry / npmrc; this workflow proves the docker-build path and
# accepts a `build-args`/`npmrc` hook for when the registry exists.
name: reusable-docker-build
on:
  workflow_call:
    inputs:
      context:
        type: string
        default: "."
      dockerfile:
        type: string
        default: "Dockerfile"
      image:
        description: "image ref to tag, e.g. name:tag"
        type: string
        required: true
      build-args:
        description: "newline-separated KEY=VALUE docker --build-arg pairs"
        type: string
        default: ""
      push:
        description: "push to the foundation registry after build (registry must exist)"
        type: boolean
        default: false

jobs:
  image:
    runs-on: docker
    container:
      image: foundation-ci:latest
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock
    steps:
      - uses: actions/checkout@v4

      - name: Docker build
        run: |
          args=""
          if [ -n "${{ inputs.build-args }}" ]; then
            while IFS= read -r kv; do
              [ -z "$kv" ] && continue
              args="$args --build-arg $kv"
            done <<'EOF'
          ${{ inputs.build-args }}
          EOF
          fi
          echo "+ docker build -f ${{ inputs.dockerfile }} -t ${{ inputs.image }} $args ${{ inputs.context }}"
          docker build -f "${{ inputs.dockerfile }}" -t "${{ inputs.image }}" $args "${{ inputs.context }}"

      - name: Push
        if: ${{ inputs.push }}
        run: docker push "${{ inputs.image }}"
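
The `Docker build` step above expands `${{ inputs.* }}` into the script text before the shell parses it and relies on word splitting of `$args`, so a build-arg value containing a space is split into separate arguments, which matters more than usual on a runner whose Docker socket is root-equivalent (R5). The sketch below is an added example, not code from this repository: it shows the same step driven from a step-level `env:` block and a positional-parameter argv. The names `DOCKERFILE`, `IMAGE`, `BUILD_CONTEXT`, `BUILD_ARGS`, `DOCKER_BIN`, `docker_build_from_env` and `print_argv` are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's code. Assumed step wiring in the workflow:
#   env:
#     DOCKERFILE: ${{ inputs.dockerfile }}
#     IMAGE: ${{ inputs.image }}
#     BUILD_CONTEXT: ${{ inputs.context }}
#     BUILD_ARGS: ${{ inputs.build-args }}
# The inputs then reach the shell as environment data, not as script text.

# Build the docker argv from the environment and run it.
# DOCKER_BIN (assumed name) lets a caller swap in a stub for a dry run.
docker_build_from_env() {
    # Refuse empty values and values docker would parse as an option.
    for v in "$DOCKERFILE" "$IMAGE" "$BUILD_CONTEXT"; do
        case "$v" in
            ''|-*) echo "refusing empty or option-like value: '$v'" >&2; return 2 ;;
        esac
    done
    set -- build -f "$DOCKERFILE" -t "$IMAGE"
    while IFS= read -r kv; do
        [ -z "$kv" ] && continue
        case "$kv" in
            [A-Za-z_]*=*) ;;  # starts like an identifier and contains '='
            *) echo "malformed build-arg: '$kv'" >&2; return 2 ;;
        esac
        # One argv element per pair, so spaces and quotes in VALUE stay intact.
        set -- "$@" --build-arg "$kv"
    done <<EOF
$BUILD_ARGS
EOF
    "${DOCKER_BIN:-docker}" "$@" "$BUILD_CONTEXT"
}

# Stub that prints one argv element per line instead of calling docker.
print_argv() { for a in "$@"; do printf '%s\n' "$a"; done; }

# Constructed sample input; DOCKER_BIN=print_argv keeps this run offline.
DOCKERFILE=Dockerfile
IMAGE=olsitec/seaspots-homepage:ci
BUILD_CONTEXT=.
BUILD_ARGS='NODE_ENV=production
LABEL=two words and $HOME'
DOCKER_BIN=print_argv
docker_build_from_env
```

The here-document delimiter is matched when the script is parsed, so the expanded `$BUILD_ARGS` is only ever read as lines of data by `read -r`.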