Stand up the foundation's own CI on its Forgejo runner. The committed scope here is the self-contained half (toolchain + typecheck); the stack-state-dependent pipelines (pulumi preview, backup-verify) need CI secrets + a state fetch and land next.

- containers/ci-image/Dockerfile + VERSIONS IMAGE_CI: one baked image carrying exactly what preflight validates (pulumi/bun/node/docker/git/age/zstd/jq/vault/psql/mc). Built on the VM (like caddy-cloudflare) and used LOCALLY by the runner.
- runner.ts: give act_runner a config.yaml — container.network=foundation-net (so job containers reach foundation-forgejo:3000 for checkout + the data plane) and force_pull=false (use the local foundation-ci image, no registry). Self-heals on up.
- .forgejo/workflows/ci.yml: preflight (tools + versions vs VERSIONS pins) + typecheck (bun install + tsc --noEmit on bootstrap). Gates every push.
- run.sh / backup.sh / restore.sh / dr: take PULUMI_CONFIG_PASSPHRASE from env when set (CI secret), falling back to `pass` (operator) — so the scripts run pass-free in CI.

Reusable-workflows architecture (per the chosen direction) — the ecosystem CI (semantic-release, docker/npm/bun builds, eslint/yamllint over the 999_testing.md candidates) builds on this image + runner next phase.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
61 lines
3.2 KiB
Docker
```dockerfile
# foundation-ci — the baked CI toolchain image (T14).
#
# A single, pinnable image carrying every tool the foundation's own pipelines need
# so jobs don't install a toolchain on each run. Referenced by .forgejo/workflows/*
# via `container: foundation-ci:<tag>`. Built on the VM (like caddy-cloudflare) and
# used locally by the runner (force_pull:false) — see runner.ts / VERSIONS IMAGE_CI.
#
# Carries exactly what preflight/checks/tools.sh validates: pulumi, bun, node,
# docker (cli), git, age, zstd, jq, vault, psql, pg_dump, ssh, mc — plus pass-free
# operation (PULUMI_CONFIG_PASSPHRASE + SSH key arrive as CI secrets/env).
FROM node:20-bookworm

ARG PULUMI_VERSION=3.145.0
ARG VAULT_VERSION=1.18.5
ARG MC_RELEASE=RELEASE.2025-04-03T17-07-56Z
ARG TARGETARCH=amd64

ENV DEBIAN_FRONTEND=noninteractive
# Install pulumi + bun into /usr/local/bin so they're on PATH for ANY shell/user
# (a login shell resets PATH, and jobs may not run as root).
ENV BUN_INSTALL=/usr/local

# --- base apt tools: git, ssh, age, zstd, jq, postgresql-client, docker CLI ----------
RUN set -eux; \
    install -m 0755 -d /etc/apt/keyrings; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        ca-certificates curl gnupg lsb-release unzip \
        git openssh-client age zstd jq; \
    # docker CE CLI (jobs build/push images via the mounted host socket)
    curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc; \
    chmod a+r /etc/apt/keyrings/docker.asc; \
    echo "deb [arch=$TARGETARCH signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bookworm stable" > /etc/apt/sources.list.d/docker.list; \
    # postgresql-client 16 (psql + pg_dump) from pgdg — matches the package pinned below
    curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor -o /etc/apt/keyrings/pgdg.gpg; \
    echo "deb [signed-by=/etc/apt/keyrings/pgdg.gpg] https://apt.postgresql.org/pub/repos/apt bookworm-pgdg main" > /etc/apt/sources.list.d/pgdg.list; \
    apt-get update; \
    apt-get install -y --no-install-recommends docker-ce-cli postgresql-client-16; \
    rm -rf /var/lib/apt/lists/*

# --- pulumi (pinned) → copy binaries to /usr/local/bin -------------------------------
RUN set -eux; curl -fsSL https://get.pulumi.com | sh -s -- --version "$PULUMI_VERSION"; \
    cp /root/.pulumi/bin/* /usr/local/bin/; rm -rf /root/.pulumi; \
    pulumi version

# --- bun (pinned via official installer; BUN_INSTALL=/usr/local) ---------------------
RUN set -eux; curl -fsSL https://bun.sh/install | bash; bun --version

# --- vault CLI (pinned) --------------------------------------------------------------
RUN set -eux; \
    curl -fsSL "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_${TARGETARCH}.zip" -o /tmp/vault.zip; \
    unzip -d /usr/local/bin /tmp/vault.zip; rm -f /tmp/vault.zip; vault --version

# --- minio client mc (pinned release) ------------------------------------------------
RUN set -eux; \
    curl -fsSL "https://dl.min.io/client/mc/release/linux-${TARGETARCH}/archive/mc.${MC_RELEASE}" -o /usr/local/bin/mc; \
    chmod +x /usr/local/bin/mc; mc --version

# Forgejo Actions overrides the entrypoint with its job script; keep a sane default.
WORKDIR /workspace
CMD ["bash"]
```
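The Dockerfile header says the image carries exactly what preflight/checks/tools.sh validates, but that script is not on this page. As an added example (not the foundation's own tools.sh), here is a minimal preflight that compares the tools baked into the image against the VERSIONS pins the ARGs above mirror, so a rebuilt or substituted image fails the job before any later step trusts it. It assumes VERSIONS is KEY=value lines and that the tools print versions in the shapes sketched in the comments.

```shell
# Added example, not the foundation's preflight/checks/tools.sh.
# Assumed: VERSIONS is KEY=value lines; pulumi prints "v3.145.0",
# vault prints "Vault v1.18.5 (...)", mc prints "mc version RELEASE...".
set -eu

# Constructed VERSIONS fragment mirroring the ARG pins in the Dockerfile above.
VERSIONS_SAMPLE='PULUMI_VERSION=3.145.0
VAULT_VERSION=1.18.5
MC_RELEASE=RELEASE.2025-04-03T17-07-56Z'

# pin_of KEY [versions_text]: print the pinned value; exit 1 if the key is absent.
pin_of() {
  printf '%s\n' "${2:-$VERSIONS_SAMPLE}" | sed -n "s/^$1=//p" | grep .
}

# semver_of "<--version output>": first x.y.z in the text (tolerates a leading "v").
semver_of() {
  printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# release_of "<mc --version output>": mc reports its RELEASE tag, not a semver.
release_of() {
  printf '%s\n' "$1" | grep -oE 'RELEASE\.[0-9TZ-]+' | head -n 1
}

# check_pin NAME PINNED ACTUAL: 0 on an exact match, 1 (with a message) on drift.
check_pin() {
  if [ "$2" = "$3" ]; then
    printf 'ok   %-7s %s\n' "$1" "$3"
  else
    printf 'FAIL %-7s pinned %s, image has %s\n' "$1" "$2" "$3" >&2
    return 1
  fi
}

# preflight [versions_text]: run inside the container; non-zero on any missing
# tool or version drift, which is what gates the rest of the workflow.
preflight() {
  vt="${1:-$VERSIONS_SAMPLE}"; rc=0
  for t in pulumi vault mc; do
    command -v "$t" >/dev/null 2>&1 || { echo "FAIL $t: not on PATH" >&2; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1
  check_pin pulumi "$(pin_of PULUMI_VERSION "$vt")" "$(semver_of "$(pulumi version)")" || rc=1
  check_pin vault  "$(pin_of VAULT_VERSION "$vt")"  "$(semver_of "$(vault --version)")" || rc=1
  check_pin mc     "$(pin_of MC_RELEASE "$vt")"     "$(release_of "$(mc --version)")"   || rc=1
  return "$rc"
}
```

Call `preflight "$(cat VERSIONS)"` as the first step of the job; bun and node can be added the same way with `semver_of "$(bun --version)"` and `semver_of "$(node --version)"`.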