foundation/bootstrap/state-publish.sh
Andreas Niemann 8603177096
All checks were successful
CI / preflight (push) Successful in 4s
CI / typecheck (push) Successful in 15s
pulumi-preview / preview (push) Successful in 19s
feat(ci): state-dependent pulumi-preview + backup-verify pipelines (T14)
Completes T14: the two CI pipelines that need Pulumi stack state, which
bootstrap/state/ is gitignored from. Solves the blocker by publishing a
fresh `pulumi stack export` to RustFS after every `up`, then having CI
pull + import it.

- state-publish.sh: ships the stack export to rfs/foundation-ci-state/
  foundation-stack.json via a throwaway mc container on foundation-net
  (ADR-007), exactly like backup.sh. Secrets inside the export stay
  passphrase-encrypted; config travels in the committed (encrypted)
  Pulumi.foundation.yaml. run.sh invokes it best-effort after `up`.
- rustfs.ts + Pulumi.foundation.yaml: declare the foundation-ci-state
  bucket (created belt-and-suspenders by state-publish on first run).
- pulumi-preview.yml (push/PR): read-only drift/PR check. Pulls + imports
  state, materializes the operator key from the SSH_PRIVATE_KEY secret
  (the provider + index.ts read it), `pulumi preview` — never `up`. A diff
  is informational so the job fails only on a program/preview error.
- backup-verify.yml (weekly + dispatch): reuses backup.sh/restore.sh
  unchanged to produce a bundle and restore-verify it from offsite
  (CONTRACT_004 §4.6). Imports real state so the bundle's pulumi-state.json
  is real, not an empty deployment.

Repo-scoped Actions secrets set via the admin API: PULUMI_CONFIG_PASSPHRASE,
SSH_PRIVATE_KEY, RUSTFS_ACCESS_KEY, RUSTFS_SECRET_KEY. Both pipelines
validated end-to-end in a foundation-ci container on the VM (preview exit 0;
backup-verify RESTORE VERIFY PASS from offsite).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-01 00:50:16 +02:00

51 lines
2.8 KiB
Bash
Executable file

#!/usr/bin/env bash
# state-publish.sh — publish the latest Pulumi stack export to RustFS so CI has
# stack state (T14). `bootstrap/state/` is gitignored, so a CI checkout has NO
# Pulumi deployment to `preview` against; this pushes a fresh `pulumi stack export`
# to a dedicated RustFS object after every `up` (invoked by run.sh; also runnable
# standalone to re-publish without a deploy).
#
# WHAT TRAVELS: only the resource DEPLOYMENT (stack export). Config + secrets stay
# in the committed Pulumi.foundation.yaml (passphrase-encrypted) that CI gets from
# the git checkout; secrets inside the export itself are likewise passphrase-
# encrypted (`secure:` ciphertext), so the object carries NO plaintext secret.
#
# WHERE: rfs/foundation-ci-state/foundation-stack.json (internal RustFS; the bucket
# is declared in components/rustfs.ts BUCKET_SETUP and created here belt-and-suspenders).
# The push runs ON the VM via a throwaway `mc` container on foundation-net (ADR-007),
# exactly like backup.sh — RustFS 9000 is NOT published off-host. RustFS root creds
# are read on the VM from the running container and never transit the wire.
set -euo pipefail
ROOT="$(cd "$(dirname "$0")/.." && pwd)"
DIR="$ROOT/bootstrap"
export PULUMI_BACKEND_URL="file://${DIR}/state"
export PULUMI_CONFIG_PASSPHRASE="${PULUMI_CONFIG_PASSPHRASE:-$(pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE)}"
KEY="${SSH_PRIVATE_KEY_PATH:-${HOME}/.ssh/foundation-test_ed25519}"
MC_IMAGE="$(grep '^IMAGE_MC=' "$ROOT/VERSIONS" | cut -d= -f2-)"
BUCKET=foundation-ci-state
OBJECT=foundation-stack.json
cd "$DIR"
pulumi stack select foundation >/dev/null
HOST=$(pulumi config get foundation:vm.host)
PORT=$(pulumi config get foundation:vm.sshPort)
SUSER=$(pulumi config get foundation:vm.user)
SSHX="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=15 -i $KEY -p $PORT $SUSER@$HOST"
echo "state-publish: exporting stack -> rfs/$BUCKET/$OBJECT"
pulumi stack export | $SSHX "cat > /tmp/ci-stack.json"
# Push from the VM through a throwaway mc container (RAK/RSK read on the VM, not sent).
$SSHX "MC_IMAGE='$MC_IMAGE' BUCKET='$BUCKET' OBJECT='$OBJECT' sh -s" <<'REMOTE'
set -eu
RAK=$(docker inspect foundation-rustfs --format '{{range .Config.Env}}{{println .}}{{end}}' | sed -n 's/^RUSTFS_ACCESS_KEY=//p')
RSK=$(docker inspect foundation-rustfs --format '{{range .Config.Env}}{{println .}}{{end}}' | sed -n 's/^RUSTFS_SECRET_KEY=//p')
docker run --rm --network foundation-net --entrypoint sh -v /tmp:/w \
-e RAK="$RAK" -e RSK="$RSK" -e BUCKET="$BUCKET" -e OBJECT="$OBJECT" "$MC_IMAGE" -c '
set -e
mc alias set rfs http://foundation-rustfs:9000 "$RAK" "$RSK" >/dev/null
mc mb --ignore-existing "rfs/$BUCKET" >/dev/null
mc cp /w/ci-stack.json "rfs/$BUCKET/$OBJECT" >/dev/null
'
rm -f /tmp/ci-stack.json
REMOTE
echo "state-publish: published rfs/$BUCKET/$OBJECT"