Stand up the foundation's own CI on its Forgejo runner. The committed scope here is the self-contained half (toolchain + typecheck); the stack-state-dependent pipelines (pulumi preview, backup-verify) need CI secrets + a state fetch and land next. - containers/ci-image/Dockerfile + VERSIONS IMAGE_CI: one baked image carrying exactly what preflight validates (pulumi/bun/node/docker/git/age/zstd/jq/vault/ psql/mc). Built on the VM (like caddy-cloudflare) and used LOCALLY by the runner. - runner.ts: give act_runner a config.yaml — container.network=foundation-net (so job containers reach foundation-forgejo:3000 for checkout + the data plane) and force_pull=false (use the local foundation-ci image, no registry). Self-heals on up. - .forgejo/workflows/ci.yml: preflight (tools + versions vs VERSIONS pins) + typecheck (bun install + tsc --noEmit on bootstrap). Gates every push. - run.sh / backup.sh / restore.sh / dr: take PULUMI_CONFIG_PASSPHRASE from env when set (CI secret), falling back to `pass` (operator) — so the scripts run pass-free in CI. Reusable-workflows architecture (per the chosen direction) — the ecosystem CI (semantic-release, docker/npm/bun builds, eslint/yamllint over the 999_testing.md candidates) builds on this image + runner next phase. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
31 lines
1.7 KiB
Bash
Executable file
31 lines
1.7 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# Reproducible foundation deploy. Master passphrase = the single external secret.
|
|
set -euo pipefail
|
|
DIR="$(cd "$(dirname "$0")" && pwd)"
|
|
# Pin the backend PER-PROCESS via env — NEVER `pulumi login` (that mutates the
|
|
# GLOBAL backend pointer in ~/.pulumi and would misdirect other projects' run.sh).
|
|
export PULUMI_BACKEND_URL="file://${DIR}/state"
|
|
export PULUMI_CONFIG_PASSPHRASE="${PULUMI_CONFIG_PASSPHRASE:-$(pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE)}"
|
|
export SSH_PRIVATE_KEY_PATH="${SSH_PRIVATE_KEY_PATH:-${HOME}/.ssh/foundation-test_ed25519}"
|
|
cd "$DIR"
|
|
pulumi stack select foundation 2>/dev/null || pulumi stack init foundation
|
|
pulumi "$@"
|
|
|
|
# After a successful `up`, capture Vault's unseal keys + root token (emitted by the
|
|
# foundation-vault-init command as secret stack outputs) back into the
|
|
# passphrase-encrypted config (vaultCredentials:*). This is the proven
|
|
# olsitec-core/run.sh pattern and the ONE bootstrap secret that cannot live in
|
|
# Vault (CONTRACT_002 §2.4). Idempotent: only writes when the value actually
|
|
# changes, so Pulumi.foundation.yaml is not churned on every deploy.
|
|
if [ "${1:-}" = "up" ]; then
|
|
uk=$(pulumi stack output vaultUnsealKeys --show-secrets 2>/dev/null || true)
|
|
rt=$(pulumi stack output vaultRootToken --show-secrets 2>/dev/null || true)
|
|
if [ -n "$uk" ] && [ -n "$rt" ]; then
|
|
cur=$(pulumi config get vaultCredentials:unsealKeys 2>/dev/null || true)
|
|
if [ "$cur" != "$uk" ]; then
|
|
pulumi config set vaultCredentials:unsealKeys --secret "$uk"
|
|
pulumi config set vaultCredentials:rootToken --secret "$rt"
|
|
echo "run.sh: captured Vault unseal keys + root token into encrypted config"
|
|
fi
|
|
fi
|
|
fi
|