Refactor CI and runtime images to two-stage builds
This commit is contained in:
@@ -25,6 +25,7 @@ secrets/
|
||||
.ruff_cache/
|
||||
**/__pycache__/
|
||||
**/.pytest_cache/
|
||||
**/.venv/
|
||||
**/node_modules/
|
||||
**/dist/
|
||||
**/build/
|
||||
|
||||
@@ -1,478 +0,0 @@
|
||||
name: CICD Source Checks
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
head_sha:
|
||||
description: Commit SHA to process
|
||||
required: false
|
||||
source_workflow:
|
||||
description: Upstream workflow name
|
||||
required: false
|
||||
trace_id:
|
||||
description: Correlation id propagated across CICD dispatch chain
|
||||
required: false
|
||||
base_needed:
|
||||
description: Whether base rebuild is required downstream
|
||||
required: false
|
||||
base_hash:
|
||||
description: Immutable base hash to pass downstream
|
||||
required: false
|
||||
|
||||
env:
|
||||
GITEA_SSH_HOST: kankali.darkhelm.lan
|
||||
GITEA_SSH_PORT: "2222"
|
||||
GITEA_REPO_SSH_URL: ssh://git@kankali.darkhelm.lan:2222/DarkHelm.org/plex-playlist.git
|
||||
GITEA_REGISTRY: kankali.darkhelm.lan:3001
|
||||
GITEA_REGISTRY_IP: 10.18.75.2
|
||||
GITEA_REGISTRY_HOST: kankali.darkhelm.lan
|
||||
|
||||
concurrency:
|
||||
group: source-checks-${{ github.sha }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
setup:
|
||||
name: Setup Source Checks Context
|
||||
runs-on: ubuntu-act
|
||||
timeout-minutes: 10
|
||||
outputs:
|
||||
head_sha: ${{ steps.meta.outputs.head_sha }}
|
||||
trace_id: ${{ steps.meta.outputs.trace_id }}
|
||||
base_needed: ${{ steps.meta.outputs.base_needed }}
|
||||
base_hash: ${{ steps.meta.outputs.base_hash }}
|
||||
steps:
|
||||
- name: Identify runner
|
||||
run: |
|
||||
echo "=== Runner Identity ==="
|
||||
echo "runner_name=${RUNNER_NAME:-}"
|
||||
echo "runner_name_hint=${GITEA_RUNNER_NAME:-${ACT_RUNNER_NAME:-${RUNNER_NAME:-unknown}}}"
|
||||
echo "runner_hostname_env=${HOSTNAME:-unknown}"
|
||||
echo "runner_uname_n=$(uname -n 2>/dev/null || echo unknown)"
|
||||
echo "runner_etc_hostname=$(cat /etc/hostname 2>/dev/null || echo unknown)"
|
||||
echo "runner_os=${RUNNER_OS:-unknown}"
|
||||
echo "runner_arch=${RUNNER_ARCH:-unknown}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
|
||||
- name: Audit trigger context
|
||||
env:
|
||||
EVENT_NAME: ${{ github.event_name }}
|
||||
SOURCE_WORKFLOW: ${{ github.event.inputs.source_workflow }}
|
||||
HEAD_SHA_INPUT: ${{ github.event.inputs.head_sha }}
|
||||
HEAD_SHA_FALLBACK: ${{ github.sha }}
|
||||
BASE_NEEDED_INPUT: ${{ github.event.inputs.base_needed }}
|
||||
BASE_HASH_INPUT: ${{ github.event.inputs.base_hash }}
|
||||
REF: ${{ github.ref }}
|
||||
REF_NAME: ${{ github.ref_name }}
|
||||
HEAD_REF: ${{ github.head_ref }}
|
||||
TRACE_ID_INPUT: ${{ github.event.inputs.trace_id }}
|
||||
run: |
|
||||
RESOLVED_HEAD_SHA="${HEAD_SHA_INPUT:-${HEAD_SHA_FALLBACK}}"
|
||||
RESOLVED_BASE_NEEDED="${BASE_NEEDED_INPUT:-true}"
|
||||
TRACE_ID="${TRACE_ID_INPUT:-cicd-source-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}-${RESOLVED_HEAD_SHA:0:8}}"
|
||||
echo "=== Dispatch Audit: CICD Source Checks ==="
|
||||
echo "event_name=${EVENT_NAME}"
|
||||
echo "source_workflow=${SOURCE_WORKFLOW}"
|
||||
echo "head_sha_input=${HEAD_SHA_INPUT}"
|
||||
echo "head_sha=${RESOLVED_HEAD_SHA}"
|
||||
echo "base_needed=${RESOLVED_BASE_NEEDED}"
|
||||
echo "base_hash=${BASE_HASH_INPUT:-deferred}"
|
||||
echo "ref=${REF}"
|
||||
echo "ref_name=${REF_NAME}"
|
||||
echo "head_ref=${HEAD_REF}"
|
||||
echo "trace_id=${TRACE_ID}"
|
||||
|
||||
- name: Resolve source check metadata
|
||||
id: meta
|
||||
env:
|
||||
HEAD_SHA_INPUT: ${{ github.event.inputs.head_sha }}
|
||||
HEAD_SHA_FALLBACK: ${{ github.sha }}
|
||||
TRACE_ID_INPUT: ${{ github.event.inputs.trace_id }}
|
||||
BASE_NEEDED_INPUT: ${{ github.event.inputs.base_needed }}
|
||||
BASE_HASH_INPUT: ${{ github.event.inputs.base_hash }}
|
||||
run: |
|
||||
RESOLVED_HEAD_SHA="${HEAD_SHA_INPUT:-${HEAD_SHA_FALLBACK}}"
|
||||
RESOLVED_TRACE_ID="${TRACE_ID_INPUT:-cicd-source-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}-${RESOLVED_HEAD_SHA:0:8}}"
|
||||
RESOLVED_BASE_NEEDED="${BASE_NEEDED_INPUT:-true}"
|
||||
RESOLVED_BASE_HASH="${BASE_HASH_INPUT:-deferred}"
|
||||
|
||||
echo "head_sha=${RESOLVED_HEAD_SHA}" >> "$GITHUB_OUTPUT"
|
||||
echo "trace_id=${RESOLVED_TRACE_ID}" >> "$GITHUB_OUTPUT"
|
||||
echo "base_needed=${RESOLVED_BASE_NEEDED}" >> "$GITHUB_OUTPUT"
|
||||
echo "base_hash=${RESOLVED_BASE_HASH}" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- &failure_diagnostics_step
|
||||
name: Failure diagnostics
|
||||
if: failure()
|
||||
run: |
|
||||
echo "=== Failure Diagnostics ==="
|
||||
date -u '+timestamp_utc=%Y-%m-%dT%H:%M:%SZ'
|
||||
echo "runner_name=${RUNNER_NAME:-unknown}"
|
||||
echo "runner_hostname=${HOSTNAME:-unknown}"
|
||||
uname -a || true
|
||||
cat /etc/os-release 2>/dev/null || true
|
||||
df -h || true
|
||||
free -h || true
|
||||
ps aux --sort=-%mem | head -n 30 || true
|
||||
|
||||
if command -v docker >/dev/null 2>&1; then
|
||||
echo "=== Docker Diagnostics ==="
|
||||
docker version || true
|
||||
docker info || true
|
||||
docker ps -a || true
|
||||
docker images --digests | head -n 50 || true
|
||||
else
|
||||
echo "docker not available on this runner"
|
||||
fi
|
||||
|
||||
echo "=== Kernel Tail ==="
|
||||
dmesg | tail -n 120 || true
|
||||
|
||||
source-precommit-checks-backend:
|
||||
name: Source Pre-commit Checks (backend)
|
||||
runs-on: ubuntu-act
|
||||
timeout-minutes: 40
|
||||
needs: setup
|
||||
steps:
|
||||
- name: Identify runner
|
||||
run: |
|
||||
echo "=== Runner Identity ==="
|
||||
echo "runner_name=${RUNNER_NAME:-}"
|
||||
echo "runner_name_hint=${GITEA_RUNNER_NAME:-${ACT_RUNNER_NAME:-${RUNNER_NAME:-unknown}}}"
|
||||
echo "runner_hostname_env=${HOSTNAME:-unknown}"
|
||||
echo "runner_uname_n=$(uname -n 2>/dev/null || echo unknown)"
|
||||
echo "runner_etc_hostname=$(cat /etc/hostname 2>/dev/null || echo unknown)"
|
||||
echo "runner_os=${RUNNER_OS:-unknown}"
|
||||
echo "runner_arch=${RUNNER_ARCH:-unknown}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
|
||||
- name: Configure registry host resolution
|
||||
run: |
|
||||
if ! grep -q "${GITEA_REGISTRY_HOST}" /etc/hosts; then
|
||||
echo "${GITEA_REGISTRY_IP} ${GITEA_REGISTRY_HOST}" >> /etc/hosts
|
||||
fi
|
||||
|
||||
- name: Checkout source snapshot
|
||||
env:
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
HEAD_SHA: ${{ needs.setup.outputs.head_sha }}
|
||||
run: |
|
||||
set -e
|
||||
umask 022
|
||||
trap 'rm -f ~/.ssh/id_rsa' EXIT
|
||||
|
||||
mkdir -p ~/.ssh
|
||||
echo "${SSH_PRIVATE_KEY}" > ~/.ssh/id_rsa
|
||||
chmod 600 ~/.ssh/id_rsa
|
||||
ssh-keyscan -p "${GITEA_SSH_PORT}" "${GITEA_SSH_HOST}" >> ~/.ssh/known_hosts 2>/dev/null
|
||||
|
||||
GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa -o IdentitiesOnly=yes -o StrictHostKeyChecking=no" \
|
||||
git clone --depth 1 --no-checkout "${GITEA_REPO_SSH_URL}" .
|
||||
|
||||
if GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa -o IdentitiesOnly=yes -o StrictHostKeyChecking=no" \
|
||||
git fetch --depth 1 origin "${HEAD_SHA}" >/dev/null 2>&1; then
|
||||
git checkout FETCH_HEAD -- .
|
||||
echo "Using fetched HEAD_SHA checkout: ${HEAD_SHA}"
|
||||
else
|
||||
git checkout HEAD -- .
|
||||
echo "Falling back to default branch HEAD for source checks checkout"
|
||||
fi
|
||||
|
||||
test -f .pre-commit-config.yaml || {
|
||||
echo "❌ Missing .pre-commit-config.yaml after checkout"
|
||||
exit 1
|
||||
}
|
||||
|
||||
test -f backend/pyproject.toml || {
|
||||
echo "❌ Missing backend/pyproject.toml after checkout"
|
||||
exit 1
|
||||
}
|
||||
|
||||
test -f frontend/package.json || {
|
||||
echo "❌ Missing frontend/package.json after checkout"
|
||||
find . -maxdepth 3 -type f | sort | head -n 80
|
||||
exit 1
|
||||
}
|
||||
|
||||
- name: Bootstrap backend toolchain
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
if ! command -v curl >/dev/null 2>&1; then
|
||||
apt-get update -qq
|
||||
apt-get install -y -qq curl ca-certificates
|
||||
fi
|
||||
|
||||
if ! command -v uv >/dev/null 2>&1; then
|
||||
curl -LsSf https://astral.sh/uv/install.sh | sh
|
||||
fi
|
||||
export PATH="$HOME/.local/bin:$PATH"
|
||||
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
|
||||
|
||||
- name: Install backend dependencies
|
||||
run: |
|
||||
set -euo pipefail
|
||||
export PATH="$HOME/.local/bin:$PATH"
|
||||
export UV_LINK_MODE=copy
|
||||
|
||||
cd backend
|
||||
uv sync --dev
|
||||
|
||||
- name: Run backend pre-commit source checks
|
||||
env:
|
||||
CI: "true"
|
||||
SKIP: "eslint,prettier,typescript-check,tsdoc-lint"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
export PATH="$HOME/.local/bin:$PATH"
|
||||
cd backend
|
||||
uv run pre-commit run --all-files --show-diff-on-failure --config ../.pre-commit-config.yaml
|
||||
|
||||
- *failure_diagnostics_step
|
||||
|
||||
source-precommit-checks-frontend:
|
||||
name: Source Pre-commit Checks (frontend)
|
||||
runs-on: ubuntu-act
|
||||
timeout-minutes: 40
|
||||
needs: setup
|
||||
steps:
|
||||
- name: Identify runner
|
||||
run: |
|
||||
echo "=== Runner Identity ==="
|
||||
echo "runner_name=${RUNNER_NAME:-}"
|
||||
echo "runner_name_hint=${GITEA_RUNNER_NAME:-${ACT_RUNNER_NAME:-${RUNNER_NAME:-unknown}}}"
|
||||
echo "runner_hostname_env=${HOSTNAME:-unknown}"
|
||||
echo "runner_uname_n=$(uname -n 2>/dev/null || echo unknown)"
|
||||
echo "runner_etc_hostname=$(cat /etc/hostname 2>/dev/null || echo unknown)"
|
||||
echo "runner_os=${RUNNER_OS:-unknown}"
|
||||
echo "runner_arch=${RUNNER_ARCH:-unknown}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
|
||||
- name: Configure registry host resolution
|
||||
run: |
|
||||
if ! grep -q "${GITEA_REGISTRY_HOST}" /etc/hosts; then
|
||||
echo "${GITEA_REGISTRY_IP} ${GITEA_REGISTRY_HOST}" >> /etc/hosts
|
||||
fi
|
||||
|
||||
- name: Checkout source snapshot
|
||||
env:
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
HEAD_SHA: ${{ needs.setup.outputs.head_sha }}
|
||||
run: |
|
||||
set -e
|
||||
umask 022
|
||||
trap 'rm -f ~/.ssh/id_rsa' EXIT
|
||||
|
||||
mkdir -p ~/.ssh
|
||||
echo "${SSH_PRIVATE_KEY}" > ~/.ssh/id_rsa
|
||||
chmod 600 ~/.ssh/id_rsa
|
||||
ssh-keyscan -p "${GITEA_SSH_PORT}" "${GITEA_SSH_HOST}" >> ~/.ssh/known_hosts 2>/dev/null
|
||||
|
||||
GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa -o IdentitiesOnly=yes -o StrictHostKeyChecking=no" \
|
||||
git clone --depth 1 --no-checkout "${GITEA_REPO_SSH_URL}" .
|
||||
|
||||
if GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa -o IdentitiesOnly=yes -o StrictHostKeyChecking=no" \
|
||||
git fetch --depth 1 origin "${HEAD_SHA}" >/dev/null 2>&1; then
|
||||
git checkout FETCH_HEAD -- .
|
||||
echo "Using fetched HEAD_SHA checkout: ${HEAD_SHA}"
|
||||
else
|
||||
git checkout HEAD -- .
|
||||
echo "Falling back to default branch HEAD for source checks checkout"
|
||||
fi
|
||||
|
||||
test -f .pre-commit-config.yaml || {
|
||||
echo "❌ Missing .pre-commit-config.yaml after checkout"
|
||||
exit 1
|
||||
}
|
||||
|
||||
test -f frontend/package.json || {
|
||||
echo "❌ Missing frontend/package.json after checkout"
|
||||
find . -maxdepth 3 -type f | sort | head -n 80
|
||||
exit 1
|
||||
}
|
||||
|
||||
- name: Bootstrap frontend toolchain
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
if ! command -v curl >/dev/null 2>&1; then
|
||||
apt-get update -qq
|
||||
apt-get install -y -qq curl ca-certificates
|
||||
fi
|
||||
|
||||
if ! command -v uv >/dev/null 2>&1; then
|
||||
curl -LsSf https://astral.sh/uv/install.sh | sh
|
||||
fi
|
||||
export PATH="$HOME/.local/bin:$PATH"
|
||||
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
|
||||
|
||||
if ! command -v node >/dev/null 2>&1; then
|
||||
apt-get update -qq
|
||||
apt-get install -y -qq nodejs npm
|
||||
fi
|
||||
if ! command -v corepack >/dev/null 2>&1; then
|
||||
npm install -g corepack
|
||||
fi
|
||||
|
||||
corepack enable
|
||||
|
||||
- name: Install frontend dependencies
|
||||
run: |
|
||||
set -euo pipefail
|
||||
export NODE_OPTIONS="--max-old-space-size=512"
|
||||
export YARN_NETWORK_CONCURRENCY=1
|
||||
cd frontend
|
||||
if ! yarn install --immutable --mode=skip-build; then
|
||||
echo "Yarn install failed; retrying with npm fallback for constrained runner memory"
|
||||
rm -f package-lock.json
|
||||
npm install --ignore-scripts --no-audit --no-fund --prefer-offline
|
||||
fi
|
||||
|
||||
- name: Run frontend pre-commit source checks
|
||||
env:
|
||||
CI: "true"
|
||||
run: |
|
||||
set -euo pipefail
|
||||
cd frontend
|
||||
corepack yarn eslint . --max-warnings=0
|
||||
corepack yarn vue-tsc --noEmit
|
||||
corepack yarn prettier --check .
|
||||
|
||||
- *failure_diagnostics_step
|
||||
|
||||
dispatch-build:
|
||||
name: Dispatch Downstream Build
|
||||
runs-on: ubuntu-act
|
||||
timeout-minutes: 10
|
||||
needs: [setup, source-precommit-checks-backend, source-precommit-checks-frontend]
|
||||
steps:
|
||||
- name: Identify runner
|
||||
run: |
|
||||
echo "=== Runner Identity ==="
|
||||
echo "runner_name=${RUNNER_NAME:-}"
|
||||
echo "runner_name_hint=${GITEA_RUNNER_NAME:-${ACT_RUNNER_NAME:-${RUNNER_NAME:-unknown}}}"
|
||||
echo "runner_hostname_env=${HOSTNAME:-unknown}"
|
||||
echo "runner_uname_n=$(uname -n 2>/dev/null || echo unknown)"
|
||||
echo "runner_etc_hostname=$(cat /etc/hostname 2>/dev/null || echo unknown)"
|
||||
echo "runner_os=${RUNNER_OS:-unknown}"
|
||||
echo "runner_arch=${RUNNER_ARCH:-unknown}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
|
||||
- name: Configure registry host resolution
|
||||
run: |
|
||||
if ! grep -q "${GITEA_REGISTRY_HOST}" /etc/hosts; then
|
||||
echo "${GITEA_REGISTRY_IP} ${GITEA_REGISTRY_HOST}" >> /etc/hosts
|
||||
fi
|
||||
|
||||
- name: Dispatch downstream workflow
|
||||
env:
|
||||
ACTIONS_TRIGGER_TOKEN: ${{ secrets.ACTIONS_TRIGGER_TOKEN }}
|
||||
PACKAGE_ACCESS_TOKEN: ${{ secrets.PACKAGE_ACCESS_TOKEN }}
|
||||
BASE_NEEDED: ${{ needs.setup.outputs.base_needed }}
|
||||
BASE_HASH: ${{ needs.setup.outputs.base_hash }}
|
||||
HEAD_SHA: ${{ needs.setup.outputs.head_sha }}
|
||||
TRACE_ID: ${{ needs.setup.outputs.trace_id }}
|
||||
REPO_FULL: ${{ github.repository }}
|
||||
HEAD_REF: ${{ github.head_ref }}
|
||||
REF_NAME: ${{ github.ref_name }}
|
||||
run: |
|
||||
set -e
|
||||
|
||||
DISPATCH_TOKEN="${ACTIONS_TRIGGER_TOKEN:-${PACKAGE_ACCESS_TOKEN:-}}"
|
||||
|
||||
if [ -z "${DISPATCH_TOKEN}" ]; then
|
||||
echo "❌ Missing dispatch token. Set ACTIONS_TRIGGER_TOKEN (repo write scope) or ensure PACKAGE_ACCESS_TOKEN has Actions workflow-dispatch permissions."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
REPO_OWNER="${REPO_FULL%/*}"
|
||||
REPO_NAME="${REPO_FULL#*/}"
|
||||
TARGET_REF="${HEAD_REF:-${REF_NAME}}"
|
||||
|
||||
if [ "${BASE_NEEDED}" = "true" ]; then
|
||||
TARGET_WORKFLOW="docker-build-base.yaml"
|
||||
else
|
||||
TARGET_WORKFLOW="docker-build-main.yaml"
|
||||
fi
|
||||
|
||||
echo "route_decision workflow=${TARGET_WORKFLOW} head_sha=${HEAD_SHA} base_needed=${BASE_NEEDED} trace_id=${TRACE_ID}"
|
||||
|
||||
CANDIDATE_API_BASES=()
|
||||
if [ -n "${GITHUB_SERVER_URL:-}" ]; then
|
||||
CANDIDATE_API_BASES+=("${GITHUB_SERVER_URL%/}/api/v1")
|
||||
fi
|
||||
if [ -n "${GITEA_SSH_HOST:-}" ]; then
|
||||
CANDIDATE_API_BASES+=("http://${GITEA_SSH_HOST}:3001/api/v1")
|
||||
fi
|
||||
if [ -n "${GITEA_REGISTRY_HOST:-}" ]; then
|
||||
CANDIDATE_API_BASES+=("http://${GITEA_REGISTRY_HOST}:3001/api/v1")
|
||||
fi
|
||||
if [ -n "${GITEA_REGISTRY_IP:-}" ]; then
|
||||
CANDIDATE_API_BASES+=("http://${GITEA_REGISTRY_IP}:3001/api/v1")
|
||||
fi
|
||||
|
||||
ensure_curl() {
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
if command -v apt-get >/dev/null 2>&1; then
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get update -qq
|
||||
apt-get install -y -qq curl ca-certificates
|
||||
fi
|
||||
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "❌ curl is required for dispatch and could not be installed"
|
||||
return 1
|
||||
}
|
||||
|
||||
ensure_curl
|
||||
|
||||
HELPER_PATH="/tmp/dispatch-workflow.sh"
|
||||
|
||||
fetch_dispatch_helper() {
|
||||
local helper_ref="$1"
|
||||
local api_base
|
||||
for api_base in "${CANDIDATE_API_BASES[@]}"; do
|
||||
helper_url="${api_base}/repos/${REPO_OWNER}/${REPO_NAME}/raw/scripts/dispatch-workflow.sh?ref=${helper_ref}"
|
||||
if curl -fsS --connect-timeout 5 --max-time 20 \
|
||||
-H "Authorization: token ${DISPATCH_TOKEN}" \
|
||||
-H "User-Agent: plex-playlist-cicd-source-checks" \
|
||||
-o "${HELPER_PATH}" \
|
||||
"${helper_url}"; then
|
||||
chmod +x "${HELPER_PATH}"
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
return 1
|
||||
}
|
||||
|
||||
if ! fetch_dispatch_helper "${TARGET_REF}" && ! fetch_dispatch_helper "${HEAD_SHA}"; then
|
||||
echo "❌ Failed to fetch scripts/dispatch-workflow.sh from repository"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
DISPATCH_ARGS=(
|
||||
--token "${DISPATCH_TOKEN}"
|
||||
--repo "${REPO_FULL}"
|
||||
--workflow "${TARGET_WORKFLOW}"
|
||||
--ref "${TARGET_REF}"
|
||||
--head-sha "${HEAD_SHA}"
|
||||
--source-workflow "CICD Source Checks"
|
||||
--trace-id "${TRACE_ID}"
|
||||
--base-needed "${BASE_NEEDED}"
|
||||
--base-hash "${BASE_HASH}"
|
||||
)
|
||||
|
||||
for API_BASE in "${CANDIDATE_API_BASES[@]}"; do
|
||||
DISPATCH_ARGS+=(--api-base "${API_BASE}")
|
||||
done
|
||||
|
||||
echo "✅ Source checks passed; dispatching ${TARGET_WORKFLOW}"
|
||||
"${HELPER_PATH}" "${DISPATCH_ARGS[@]}"
|
||||
|
||||
- *failure_diagnostics_step
|
||||
@@ -1,228 +0,0 @@
|
||||
name: CICD Start
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ '**' ]
|
||||
pull_request:
|
||||
branches: [ main, develop ]
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
trace_id:
|
||||
description: Correlation id propagated across CICD dispatch chain
|
||||
required: false
|
||||
|
||||
env:
|
||||
GITEA_SSH_HOST: kankali.darkhelm.lan
|
||||
GITEA_SSH_PORT: "2222"
|
||||
GITEA_REPO_SSH_URL: ssh://git@kankali.darkhelm.lan:2222/DarkHelm.org/plex-playlist.git
|
||||
GITEA_REGISTRY: kankali.darkhelm.lan:3001
|
||||
GITEA_REGISTRY_IP: 10.18.75.2
|
||||
GITEA_REGISTRY_HOST: kankali.darkhelm.lan
|
||||
|
||||
concurrency:
|
||||
group: start-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
sanity-and-routing:
|
||||
name: Sanity and Base Decision
|
||||
# Keep startup lightweight to avoid runner image setup stalls.
|
||||
# Use the same stable self-hosted label as the downstream CICD jobs.
|
||||
runs-on: ubuntu-act
|
||||
timeout-minutes: 12
|
||||
outputs:
|
||||
base_needed: ${{ steps.base-decision.outputs.base_needed }}
|
||||
head_sha: ${{ steps.base-decision.outputs.head_sha }}
|
||||
base_hash: ${{ steps.base-decision.outputs.base_hash }}
|
||||
|
||||
steps:
|
||||
- name: Identify runner
|
||||
run: |
|
||||
echo "=== Runner Identity ==="
|
||||
echo "runner_name=${RUNNER_NAME:-}"
|
||||
echo "runner_name_hint=${GITEA_RUNNER_NAME:-${ACT_RUNNER_NAME:-${RUNNER_NAME:-unknown}}}"
|
||||
echo "runner_hostname_env=${HOSTNAME:-unknown}"
|
||||
echo "runner_uname_n=$(uname -n 2>/dev/null || echo unknown)"
|
||||
echo "runner_etc_hostname=$(cat /etc/hostname 2>/dev/null || echo unknown)"
|
||||
echo "runner_os=${RUNNER_OS:-unknown}"
|
||||
echo "runner_arch=${RUNNER_ARCH:-unknown}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
|
||||
- name: Audit trigger context
|
||||
env:
|
||||
EVENT_NAME: ${{ github.event_name }}
|
||||
REPOSITORY: ${{ github.repository }}
|
||||
ACTOR: ${{ github.actor }}
|
||||
REF: ${{ github.ref }}
|
||||
REF_NAME: ${{ github.ref_name }}
|
||||
HEAD_REF: ${{ github.head_ref }}
|
||||
SHA: ${{ github.sha }}
|
||||
TRACE_ID_INPUT: ${{ github.event.inputs.trace_id }}
|
||||
run: |
|
||||
TRACE_ID="${TRACE_ID_INPUT:-cicd-start-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}-${SHA:0:8}}"
|
||||
echo "=== Dispatch Audit: CICD Start ==="
|
||||
echo "event_name=${EVENT_NAME}"
|
||||
echo "repository=${REPOSITORY}"
|
||||
echo "actor=${ACTOR}"
|
||||
echo "ref=${REF}"
|
||||
echo "ref_name=${REF_NAME}"
|
||||
echo "head_ref=${HEAD_REF}"
|
||||
echo "sha=${SHA}"
|
||||
echo "trace_id=${TRACE_ID}"
|
||||
|
||||
- name: Configure registry host resolution
|
||||
run: |
|
||||
if ! grep -q "${GITEA_REGISTRY_HOST}" /etc/hosts; then
|
||||
echo "${GITEA_REGISTRY_IP} ${GITEA_REGISTRY_HOST}" >> /etc/hosts
|
||||
fi
|
||||
|
||||
- name: Compute routing signal
|
||||
id: base-decision
|
||||
run: |
|
||||
set -e
|
||||
|
||||
# Keep this workflow container-agnostic: do not rely on checkout/actions/node.
|
||||
# docker-build-base handles canonical base hash/existence checks.
|
||||
echo "head_sha=${GITHUB_SHA}" >> "${GITHUB_OUTPUT}"
|
||||
echo "base_hash=deferred" >> "${GITHUB_OUTPUT}"
|
||||
echo "base_needed=true" >> "${GITHUB_OUTPUT}"
|
||||
|
||||
echo "Routing via docker-build-base.yaml"
|
||||
echo "Base hash delegated to Docker Build Base workflow"
|
||||
|
||||
- name: Dispatch downstream workflow
|
||||
if: steps.base-decision.outcome == 'success' && steps.base-decision.outputs.head_sha != '' && steps.base-decision.outputs.base_needed != ''
|
||||
env:
|
||||
ACTIONS_TRIGGER_TOKEN: ${{ secrets.ACTIONS_TRIGGER_TOKEN }}
|
||||
PACKAGE_ACCESS_TOKEN: ${{ secrets.PACKAGE_ACCESS_TOKEN }}
|
||||
BASE_NEEDED: ${{ steps.base-decision.outputs.base_needed }}
|
||||
HEAD_SHA: ${{ steps.base-decision.outputs.head_sha }}
|
||||
BASE_HASH: ${{ steps.base-decision.outputs.base_hash }}
|
||||
REPO_FULL: ${{ github.repository }}
|
||||
HEAD_REF: ${{ github.head_ref }}
|
||||
REF_NAME: ${{ github.ref_name }}
|
||||
TRACE_ID_INPUT: ${{ github.event.inputs.trace_id }}
|
||||
run: |
|
||||
set -e
|
||||
|
||||
DISPATCH_TOKEN="${ACTIONS_TRIGGER_TOKEN:-${PACKAGE_ACCESS_TOKEN:-}}"
|
||||
|
||||
if [ -z "${DISPATCH_TOKEN}" ]; then
|
||||
echo "❌ Missing dispatch token. Set ACTIONS_TRIGGER_TOKEN (repo write scope) or ensure PACKAGE_ACCESS_TOKEN has Actions workflow-dispatch permissions."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
REPO_OWNER="${REPO_FULL%/*}"
|
||||
REPO_NAME="${REPO_FULL#*/}"
|
||||
TARGET_REF="${HEAD_REF:-${REF_NAME}}"
|
||||
TRACE_ID="${TRACE_ID_INPUT:-cicd-start-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}-${HEAD_SHA:0:8}}"
|
||||
|
||||
echo "trace_id=${TRACE_ID}"
|
||||
echo "target_ref=${TARGET_REF}"
|
||||
|
||||
TARGET_WORKFLOW="cicd-source-checks.yaml"
|
||||
|
||||
echo "route_decision workflow=${TARGET_WORKFLOW} head_sha=${HEAD_SHA} base_needed=${BASE_NEEDED} trace_id=${TRACE_ID}"
|
||||
|
||||
CANDIDATE_API_BASES=()
|
||||
if [ -n "${GITHUB_SERVER_URL:-}" ]; then
|
||||
CANDIDATE_API_BASES+=("${GITHUB_SERVER_URL%/}/api/v1")
|
||||
fi
|
||||
if [ -n "${GITEA_SSH_HOST:-}" ]; then
|
||||
CANDIDATE_API_BASES+=("http://${GITEA_SSH_HOST}:3001/api/v1")
|
||||
fi
|
||||
if [ -n "${GITEA_REGISTRY_HOST:-}" ]; then
|
||||
CANDIDATE_API_BASES+=("http://${GITEA_REGISTRY_HOST}:3001/api/v1")
|
||||
fi
|
||||
if [ -n "${GITEA_REGISTRY_IP:-}" ]; then
|
||||
CANDIDATE_API_BASES+=("http://${GITEA_REGISTRY_IP}:3001/api/v1")
|
||||
fi
|
||||
|
||||
ensure_curl() {
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
if command -v apt-get >/dev/null 2>&1; then
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get update -qq
|
||||
apt-get install -y -qq curl ca-certificates
|
||||
fi
|
||||
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "❌ curl is required for dispatch and could not be installed"
|
||||
return 1
|
||||
}
|
||||
|
||||
ensure_curl
|
||||
|
||||
HELPER_PATH="/tmp/dispatch-workflow.sh"
|
||||
|
||||
fetch_dispatch_helper() {
|
||||
local helper_ref="$1"
|
||||
local api_base
|
||||
for api_base in "${CANDIDATE_API_BASES[@]}"; do
|
||||
helper_url="${api_base}/repos/${REPO_OWNER}/${REPO_NAME}/raw/scripts/dispatch-workflow.sh?ref=${helper_ref}"
|
||||
if curl -fsS --connect-timeout 5 --max-time 20 \
|
||||
-H "Authorization: token ${DISPATCH_TOKEN}" \
|
||||
-H "User-Agent: plex-playlist-cicd-start" \
|
||||
-o "${HELPER_PATH}" \
|
||||
"${helper_url}"; then
|
||||
chmod +x "${HELPER_PATH}"
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
return 1
|
||||
}
|
||||
|
||||
if ! fetch_dispatch_helper "${TARGET_REF}" && ! fetch_dispatch_helper "${HEAD_SHA}"; then
|
||||
echo "❌ Failed to fetch scripts/dispatch-workflow.sh from repository"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
DISPATCH_ARGS=(
|
||||
--token "${DISPATCH_TOKEN}"
|
||||
--repo "${REPO_FULL}"
|
||||
--workflow "${TARGET_WORKFLOW}"
|
||||
--ref "${TARGET_REF}"
|
||||
--head-sha "${HEAD_SHA}"
|
||||
--source-workflow "CICD Start"
|
||||
--trace-id "${TRACE_ID}"
|
||||
--base-needed "${BASE_NEEDED}"
|
||||
--base-hash "${BASE_HASH}"
|
||||
)
|
||||
|
||||
for API_BASE in "${CANDIDATE_API_BASES[@]}"; do
|
||||
DISPATCH_ARGS+=(--api-base "${API_BASE}")
|
||||
done
|
||||
|
||||
"${HELPER_PATH}" "${DISPATCH_ARGS[@]}"
|
||||
|
||||
- name: Failure diagnostics
|
||||
if: failure()
|
||||
run: |
|
||||
echo "=== Failure Diagnostics ==="
|
||||
date -u '+timestamp_utc=%Y-%m-%dT%H:%M:%SZ'
|
||||
echo "runner_name=${RUNNER_NAME:-unknown}"
|
||||
echo "runner_hostname=${HOSTNAME:-unknown}"
|
||||
uname -a || true
|
||||
cat /etc/os-release 2>/dev/null || true
|
||||
df -h || true
|
||||
free -h || true
|
||||
ps aux --sort=-%mem | head -n 30 || true
|
||||
|
||||
if command -v docker >/dev/null 2>&1; then
|
||||
echo "=== Docker Diagnostics ==="
|
||||
docker version || true
|
||||
docker info || true
|
||||
docker ps -a || true
|
||||
docker images --digests | head -n 50 || true
|
||||
else
|
||||
echo "docker not available on this runner"
|
||||
fi
|
||||
|
||||
echo "=== Kernel Tail ==="
|
||||
dmesg | tail -n 120 || true
|
||||
@@ -1,575 +0,0 @@
|
||||
name: CICD Tests
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
head_sha:
|
||||
description: Commit SHA to process
|
||||
required: false
|
||||
deployable_backend_tag_ref:
|
||||
description: Deployable backend image tag reference
|
||||
required: false
|
||||
deployable_backend_digest_ref:
|
||||
description: Deployable backend image digest reference
|
||||
required: false
|
||||
source_workflow:
|
||||
description: Upstream workflow name
|
||||
required: false
|
||||
trace_id:
|
||||
description: Correlation id propagated across CICD dispatch chain
|
||||
required: false
|
||||
|
||||
env:
|
||||
GITEA_REGISTRY: kankali.darkhelm.lan:3001
|
||||
GITEA_REGISTRY_IP: 10.18.75.2
|
||||
GITEA_REGISTRY_HOST: kankali.darkhelm.lan
|
||||
|
||||
concurrency:
|
||||
group: tests-${{ github.sha }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
setup:
|
||||
name: Setup Tests Context
|
||||
# Use the same stable runner label as the test jobs.
|
||||
runs-on: ubuntu-act
|
||||
timeout-minutes: 8
|
||||
outputs:
|
||||
head_sha: ${{ steps.meta.outputs.head_sha }}
|
||||
deployable_backend_tag_ref: ${{ steps.meta.outputs.deployable_backend_tag_ref }}
|
||||
deployable_backend_digest_ref: ${{ steps.meta.outputs.deployable_backend_digest_ref }}
|
||||
steps:
|
||||
- name: Identify runner
|
||||
run: |
|
||||
echo "=== Runner Identity ==="
|
||||
echo "runner_name=${RUNNER_NAME:-}"
|
||||
echo "runner_name_hint=${GITEA_RUNNER_NAME:-${ACT_RUNNER_NAME:-${RUNNER_NAME:-unknown}}}"
|
||||
echo "runner_hostname_env=${HOSTNAME:-unknown}"
|
||||
echo "runner_uname_n=$(uname -n 2>/dev/null || echo unknown)"
|
||||
echo "runner_etc_hostname=$(cat /etc/hostname 2>/dev/null || echo unknown)"
|
||||
echo "runner_os=${RUNNER_OS:-unknown}"
|
||||
echo "runner_arch=${RUNNER_ARCH:-unknown}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
|
||||
- name: Audit trigger context
|
||||
env:
|
||||
EVENT_NAME: ${{ github.event_name }}
|
||||
SOURCE_WORKFLOW: ${{ github.event.inputs.source_workflow }}
|
||||
HEAD_SHA_INPUT: ${{ github.event.inputs.head_sha }}
|
||||
DEPLOYABLE_BACKEND_TAG_REF_INPUT: ${{ github.event.inputs.deployable_backend_tag_ref }}
|
||||
DEPLOYABLE_BACKEND_DIGEST_REF_INPUT: ${{ github.event.inputs.deployable_backend_digest_ref }}
|
||||
HEAD_SHA_FALLBACK: ${{ github.sha }}
|
||||
REF: ${{ github.ref }}
|
||||
REF_NAME: ${{ github.ref_name }}
|
||||
HEAD_REF: ${{ github.head_ref }}
|
||||
TRACE_ID_INPUT: ${{ github.event.inputs.trace_id }}
|
||||
run: |
|
||||
RESOLVED_HEAD_SHA="${HEAD_SHA_INPUT:-${HEAD_SHA_FALLBACK}}"
|
||||
TRACE_ID="${TRACE_ID_INPUT:-cicd-tests-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}-${RESOLVED_HEAD_SHA:0:8}}"
|
||||
echo "=== Dispatch Audit: CICD Tests ==="
|
||||
echo "event_name=${EVENT_NAME}"
|
||||
echo "source_workflow=${SOURCE_WORKFLOW}"
|
||||
echo "head_sha_input=${HEAD_SHA_INPUT}"
|
||||
echo "head_sha=${RESOLVED_HEAD_SHA}"
|
||||
echo "deployable_backend_tag_ref_input=${DEPLOYABLE_BACKEND_TAG_REF_INPUT}"
|
||||
echo "deployable_backend_digest_ref_input=${DEPLOYABLE_BACKEND_DIGEST_REF_INPUT}"
|
||||
echo "ref=${REF}"
|
||||
echo "ref_name=${REF_NAME}"
|
||||
echo "head_ref=${HEAD_REF}"
|
||||
echo "trace_id=${TRACE_ID}"
|
||||
|
||||
- name: Resolve head SHA
|
||||
id: meta
|
||||
env:
|
||||
HEAD_SHA_INPUT: ${{ github.event.inputs.head_sha }}
|
||||
DEPLOYABLE_BACKEND_TAG_REF_INPUT: ${{ github.event.inputs.deployable_backend_tag_ref }}
|
||||
DEPLOYABLE_BACKEND_DIGEST_REF_INPUT: ${{ github.event.inputs.deployable_backend_digest_ref }}
|
||||
HEAD_SHA_FALLBACK: ${{ github.sha }}
|
||||
run: |
|
||||
RESOLVED_HEAD_SHA="${HEAD_SHA_INPUT:-${HEAD_SHA_FALLBACK}}"
|
||||
echo "head_sha=${RESOLVED_HEAD_SHA}" >> "$GITHUB_OUTPUT"
|
||||
echo "deployable_backend_tag_ref=${DEPLOYABLE_BACKEND_TAG_REF_INPUT}" >> "$GITHUB_OUTPUT"
|
||||
echo "deployable_backend_digest_ref=${DEPLOYABLE_BACKEND_DIGEST_REF_INPUT}" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- &failure_diagnostics_step
|
||||
name: Failure diagnostics
|
||||
if: failure()
|
||||
run: |
|
||||
echo "=== Failure Diagnostics ==="
|
||||
date -u '+timestamp_utc=%Y-%m-%dT%H:%M:%SZ'
|
||||
echo "runner_name=${RUNNER_NAME:-unknown}"
|
||||
echo "runner_hostname=${HOSTNAME:-unknown}"
|
||||
uname -a || true
|
||||
cat /etc/os-release 2>/dev/null || true
|
||||
df -h || true
|
||||
free -h || true
|
||||
ps aux --sort=-%mem | head -n 30 || true
|
||||
|
||||
if command -v docker >/dev/null 2>&1; then
|
||||
echo "=== Docker Diagnostics ==="
|
||||
docker version || true
|
||||
docker info || true
|
||||
docker ps -a || true
|
||||
docker images --digests | head -n 50 || true
|
||||
else
|
||||
echo "docker not available on this runner"
|
||||
fi
|
||||
|
||||
echo "=== Kernel Tail ==="
|
||||
dmesg | tail -n 120 || true
|
||||
|
||||
backend-tests:
|
||||
name: Backend Tests
|
||||
# Use ubuntu-act runner pool for consistent availability.
|
||||
runs-on: ubuntu-act
|
||||
timeout-minutes: 25
|
||||
needs: setup
|
||||
steps:
|
||||
- name: Identify runner
|
||||
run: |
|
||||
echo "=== Runner Identity ==="
|
||||
echo "runner_name=${RUNNER_NAME:-}"
|
||||
echo "runner_name_hint=${GITEA_RUNNER_NAME:-${ACT_RUNNER_NAME:-${RUNNER_NAME:-unknown}}}"
|
||||
echo "runner_hostname_env=${HOSTNAME:-unknown}"
|
||||
echo "runner_uname_n=$(uname -n 2>/dev/null || echo unknown)"
|
||||
echo "runner_etc_hostname=$(cat /etc/hostname 2>/dev/null || echo unknown)"
|
||||
echo "runner_os=${RUNNER_OS:-unknown}"
|
||||
echo "runner_arch=${RUNNER_ARCH:-unknown}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
|
||||
- &configure_registry_host_step
|
||||
name: Configure registry host resolution
|
||||
run: |
|
||||
if ! grep -q "${GITEA_REGISTRY_HOST}" /etc/hosts; then
|
||||
echo "${GITEA_REGISTRY_IP} ${GITEA_REGISTRY_HOST}" >> /etc/hosts
|
||||
fi
|
||||
|
||||
- &ensure_cicd_image_step
|
||||
name: Ensure CICD image is available
|
||||
env:
|
||||
HEAD_SHA: ${{ needs.setup.outputs.head_sha }}
|
||||
run: |
|
||||
IMAGE="${GITEA_REGISTRY}/darkhelm.org/plex-playlist-cicd:${HEAD_SHA}"
|
||||
if docker image inspect "${IMAGE}" >/dev/null 2>&1; then
|
||||
echo "Using cached CICD image: ${IMAGE}"
|
||||
else
|
||||
echo "${{ secrets.PACKAGE_ACCESS_TOKEN }}" | docker login "http://${GITEA_REGISTRY}" -u "${{ github.actor }}" --password-stdin
|
||||
pulled=false
|
||||
for i in 1 2 3; do
|
||||
echo "Pull attempt ${i}/3 for ${IMAGE}"
|
||||
if docker pull "${IMAGE}"; then
|
||||
pulled=true
|
||||
break
|
||||
fi
|
||||
if [ "${i}" -lt 3 ]; then
|
||||
sleep_seconds=$((5 * i))
|
||||
echo "Pull failed; retrying in ${sleep_seconds}s"
|
||||
sleep "${sleep_seconds}"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "${pulled}" != "true" ]; then
|
||||
echo "❌ Failed to pull CICD image after 3 attempts: ${IMAGE}"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
- name: Run backend tests with coverage
|
||||
env:
|
||||
HEAD_SHA: ${{ needs.setup.outputs.head_sha }}
|
||||
run: |
|
||||
set -o pipefail
|
||||
LOG_FILE="$(mktemp)"
|
||||
|
||||
docker run --rm "${GITEA_REGISTRY}/darkhelm.org/plex-playlist-cicd:${HEAD_SHA}" bash -c "
|
||||
cd /workspace/backend &&
|
||||
source .venv/bin/activate &&
|
||||
uv run pytest -v --tb=short --cov=src --cov-report=term-missing --cov-fail-under=95
|
||||
" 2>&1 | tee "${LOG_FILE}"
|
||||
|
||||
TEST_STATUS=${PIPESTATUS[0]}
|
||||
if [ "${TEST_STATUS}" -ne 0 ]; then
|
||||
echo "❌ Backend tests failed (exit=${TEST_STATUS})"
|
||||
echo "--- Last 200 lines of backend test output ---"
|
||||
tail -n 200 "${LOG_FILE}" || true
|
||||
exit "${TEST_STATUS}"
|
||||
fi
|
||||
|
||||
- *failure_diagnostics_step
|
||||
|
||||
frontend-tests:
|
||||
name: Frontend Tests
|
||||
# Use ubuntu-act runner pool for consistent availability.
|
||||
runs-on: ubuntu-act
|
||||
timeout-minutes: 25
|
||||
needs: setup
|
||||
steps:
|
||||
- name: Identify runner
|
||||
run: |
|
||||
echo "=== Runner Identity ==="
|
||||
echo "runner_name=${RUNNER_NAME:-}"
|
||||
echo "runner_name_hint=${GITEA_RUNNER_NAME:-${ACT_RUNNER_NAME:-${RUNNER_NAME:-unknown}}}"
|
||||
echo "runner_hostname_env=${HOSTNAME:-unknown}"
|
||||
echo "runner_uname_n=$(uname -n 2>/dev/null || echo unknown)"
|
||||
echo "runner_etc_hostname=$(cat /etc/hostname 2>/dev/null || echo unknown)"
|
||||
echo "runner_os=${RUNNER_OS:-unknown}"
|
||||
echo "runner_arch=${RUNNER_ARCH:-unknown}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
|
||||
- *configure_registry_host_step
|
||||
- *ensure_cicd_image_step
|
||||
- name: Run frontend tests with coverage
|
||||
env:
|
||||
HEAD_SHA: ${{ needs.setup.outputs.head_sha }}
|
||||
run: |
|
||||
set -o pipefail
|
||||
LOG_FILE="$(mktemp)"
|
||||
|
||||
docker run --rm "${GITEA_REGISTRY}/darkhelm.org/plex-playlist-cicd:${HEAD_SHA}" bash -c "
|
||||
cd /workspace/frontend &&
|
||||
yarn test:coverage --run --reporter=verbose --coverage.reporter=text --coverage.reporter=text-summary --coverage.thresholds.lines=85 --coverage.thresholds.functions=85 --coverage.thresholds.branches=85 --coverage.thresholds.statements=85
|
||||
" 2>&1 | tee "${LOG_FILE}"
|
||||
|
||||
TEST_STATUS=${PIPESTATUS[0]}
|
||||
if [ "${TEST_STATUS}" -ne 0 ]; then
|
||||
echo "❌ Frontend tests failed (exit=${TEST_STATUS})"
|
||||
echo "--- Last 200 lines of frontend test output ---"
|
||||
tail -n 200 "${LOG_FILE}" || true
|
||||
exit "${TEST_STATUS}"
|
||||
fi
|
||||
|
||||
- *failure_diagnostics_step
|
||||
|
||||
xdoctest:
|
||||
name: Backend Doctests
|
||||
# Use ubuntu-act runner pool for consistent availability.
|
||||
runs-on: ubuntu-act
|
||||
timeout-minutes: 15
|
||||
needs: setup
|
||||
steps:
|
||||
- name: Identify runner
|
||||
run: |
|
||||
echo "=== Runner Identity ==="
|
||||
echo "runner_name=${RUNNER_NAME:-}"
|
||||
echo "runner_name_hint=${GITEA_RUNNER_NAME:-${ACT_RUNNER_NAME:-${RUNNER_NAME:-unknown}}}"
|
||||
echo "runner_hostname_env=${HOSTNAME:-unknown}"
|
||||
echo "runner_uname_n=$(uname -n 2>/dev/null || echo unknown)"
|
||||
echo "runner_etc_hostname=$(cat /etc/hostname 2>/dev/null || echo unknown)"
|
||||
echo "runner_os=${RUNNER_OS:-unknown}"
|
||||
echo "runner_arch=${RUNNER_ARCH:-unknown}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
|
||||
- *configure_registry_host_step
|
||||
- *ensure_cicd_image_step
|
||||
- name: Run backend doctests
|
||||
env:
|
||||
HEAD_SHA: ${{ needs.setup.outputs.head_sha }}
|
||||
run: |
|
||||
set -o pipefail
|
||||
LOG_FILE="$(mktemp)"
|
||||
|
||||
docker run --rm "${GITEA_REGISTRY}/darkhelm.org/plex-playlist-cicd:${HEAD_SHA}" bash -c "
|
||||
cd /workspace/backend &&
|
||||
source .venv/bin/activate &&
|
||||
uv run xdoctest src/ --quiet
|
||||
" 2>&1 | tee "${LOG_FILE}"
|
||||
|
||||
TEST_STATUS=${PIPESTATUS[0]}
|
||||
if [ "${TEST_STATUS}" -ne 0 ]; then
|
||||
echo "❌ Backend doctests failed (exit=${TEST_STATUS})"
|
||||
echo "--- Last 200 lines of doctest output ---"
|
||||
tail -n 200 "${LOG_FILE}" || true
|
||||
exit "${TEST_STATUS}"
|
||||
fi
|
||||
|
||||
- *failure_diagnostics_step
|
||||
|
||||
integration-tests:
|
||||
name: Runtime Black-Box Integration Tests
|
||||
# Pin integration tests to high-memory worker to reduce setup-stage runner churn.
|
||||
runs-on: ubuntu-act-8gb
|
||||
timeout-minutes: 20
|
||||
needs: [setup, backend-tests]
|
||||
steps:
|
||||
- name: Identify runner
|
||||
run: |
|
||||
echo "=== Runner Identity ==="
|
||||
echo "runner_name=${RUNNER_NAME:-}"
|
||||
echo "runner_name_hint=${GITEA_RUNNER_NAME:-${ACT_RUNNER_NAME:-${RUNNER_NAME:-unknown}}}"
|
||||
echo "runner_hostname_env=${HOSTNAME:-unknown}"
|
||||
echo "runner_uname_n=$(uname -n 2>/dev/null || echo unknown)"
|
||||
echo "runner_etc_hostname=$(cat /etc/hostname 2>/dev/null || echo unknown)"
|
||||
echo "runner_os=${RUNNER_OS:-unknown}"
|
||||
echo "runner_arch=${RUNNER_ARCH:-unknown}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
|
||||
- *configure_registry_host_step
|
||||
- name: Run runtime black-box integration checks
|
||||
env:
|
||||
DEPLOYABLE_BACKEND_TAG_REF: ${{ needs.setup.outputs.deployable_backend_tag_ref }}
|
||||
DEPLOYABLE_BACKEND_DIGEST_REF: ${{ needs.setup.outputs.deployable_backend_digest_ref }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
set -o pipefail
|
||||
|
||||
RUN_ID="${GITHUB_RUN_ID:-local}"
|
||||
RUN_ATTEMPT="${GITHUB_RUN_ATTEMPT:-1}"
|
||||
LOG_FILE="$(mktemp)"
|
||||
NETWORK_NAME="plex-blackbox-${RUN_ID}-${RUN_ATTEMPT}"
|
||||
DB_CONTAINER="plex-blackbox-db-${RUN_ID}-${RUN_ATTEMPT}"
|
||||
BACKEND_CONTAINER="plex-blackbox-backend-${RUN_ID}-${RUN_ATTEMPT}"
|
||||
DB_PASSWORD="plex_password"
|
||||
DB_URL="postgresql://plex_user:${DB_PASSWORD}@${DB_CONTAINER}:5432/plex_playlist"
|
||||
|
||||
fetch_backend_endpoint() {
|
||||
endpoint_path="$1"
|
||||
output_file="$2"
|
||||
probe_tmp="$(mktemp)"
|
||||
|
||||
if ! docker exec "${BACKEND_CONTAINER}" python -c "$(printf '%s\n' \
|
||||
'import sys' \
|
||||
'import urllib.error' \
|
||||
'import urllib.request' \
|
||||
'endpoint_path = sys.argv[1]' \
|
||||
'url = f"http://127.0.0.1:8000{endpoint_path}"' \
|
||||
'try:' \
|
||||
' with urllib.request.urlopen(url, timeout=2) as response:' \
|
||||
' body = response.read().decode("utf-8", errors="replace")' \
|
||||
' print(response.status)' \
|
||||
' print(body)' \
|
||||
'except urllib.error.HTTPError as err:' \
|
||||
' body = err.read().decode("utf-8", errors="replace")' \
|
||||
' print(err.code)' \
|
||||
' print(body)' \
|
||||
'except Exception:' \
|
||||
' print("000")' \
|
||||
' print("")'
|
||||
)" "${endpoint_path}" >"${probe_tmp}" 2>/dev/null
|
||||
then
|
||||
: >"${output_file}"
|
||||
rm -f "${probe_tmp}"
|
||||
echo "000"
|
||||
return 0
|
||||
fi
|
||||
|
||||
http_code="$(head -n 1 "${probe_tmp}")"
|
||||
tail -n +2 "${probe_tmp}" >"${output_file}"
|
||||
rm -f "${probe_tmp}"
|
||||
echo "${http_code}"
|
||||
}
|
||||
|
||||
dump_failure_context() {
|
||||
echo "=== Runtime Integration Failure Context ==="
|
||||
docker ps -a || true
|
||||
echo "--- Backend logs (tail 200) ---"
|
||||
docker logs "${BACKEND_CONTAINER}" 2>&1 | tail -n 200 || true
|
||||
echo "--- Database logs (tail 200) ---"
|
||||
docker logs "${DB_CONTAINER}" 2>&1 | tail -n 200 || true
|
||||
echo "--- Backend inspect (status/image) ---"
|
||||
docker inspect --format '{{json .State}} {{.Image}}' "${BACKEND_CONTAINER}" || true
|
||||
echo "--- Database inspect (status/image) ---"
|
||||
docker inspect --format '{{json .State}} {{.Image}}' "${DB_CONTAINER}" || true
|
||||
}
|
||||
|
||||
cleanup() {
|
||||
docker rm -f "${BACKEND_CONTAINER}" >/dev/null 2>&1 || true
|
||||
docker rm -f "${DB_CONTAINER}" >/dev/null 2>&1 || true
|
||||
docker network rm "${NETWORK_NAME}" >/dev/null 2>&1 || true
|
||||
}
|
||||
|
||||
trap cleanup EXIT
|
||||
|
||||
{
|
||||
if [ -z "${DEPLOYABLE_BACKEND_TAG_REF}" ] || [ -z "${DEPLOYABLE_BACKEND_DIGEST_REF}" ]; then
|
||||
echo "❌ Missing deployable backend image references from dispatch inputs"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "${{ secrets.PACKAGE_ACCESS_TOKEN }}" | docker login "http://${GITEA_REGISTRY}" -u "${{ github.actor }}" --password-stdin
|
||||
|
||||
docker pull "${DEPLOYABLE_BACKEND_TAG_REF}"
|
||||
docker pull "${DEPLOYABLE_BACKEND_DIGEST_REF}"
|
||||
|
||||
DEPLOYABLE_BACKEND_REPO="${DEPLOYABLE_BACKEND_DIGEST_REF%%@*}"
|
||||
EXPECTED_DIGEST_REF="${DEPLOYABLE_BACKEND_DIGEST_REF}"
|
||||
ACTUAL_TAG_DIGEST_REF="$({
|
||||
docker image inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' "${DEPLOYABLE_BACKEND_TAG_REF}" \
|
||||
| grep "^${DEPLOYABLE_BACKEND_REPO}@sha256:" \
|
||||
| head -n 1
|
||||
} || true)"
|
||||
|
||||
if [ -z "${ACTUAL_TAG_DIGEST_REF}" ]; then
|
||||
echo "❌ Could not resolve digest from tag reference: ${DEPLOYABLE_BACKEND_TAG_REF}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "${ACTUAL_TAG_DIGEST_REF}" != "${EXPECTED_DIGEST_REF}" ]; then
|
||||
echo "❌ Tag and digest mismatch"
|
||||
echo "expected=${EXPECTED_DIGEST_REF}"
|
||||
echo "actual=${ACTUAL_TAG_DIGEST_REF}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Resolved deployable backend tag: ${DEPLOYABLE_BACKEND_TAG_REF}"
|
||||
echo "Resolved deployable backend digest: ${EXPECTED_DIGEST_REF}"
|
||||
|
||||
docker network create "${NETWORK_NAME}"
|
||||
|
||||
docker run -d \
|
||||
--name "${DB_CONTAINER}" \
|
||||
--network "${NETWORK_NAME}" \
|
||||
-e POSTGRES_DB=plex_playlist \
|
||||
-e POSTGRES_USER=plex_user \
|
||||
-e POSTGRES_PASSWORD="${DB_PASSWORD}" \
|
||||
postgres:16-alpine
|
||||
|
||||
db_ready=false
|
||||
for i in $(seq 1 30); do
|
||||
if docker exec "${DB_CONTAINER}" pg_isready -U plex_user -d plex_playlist >/dev/null 2>&1; then
|
||||
db_ready=true
|
||||
break
|
||||
fi
|
||||
sleep 2
|
||||
done
|
||||
if [ "${db_ready}" != "true" ]; then
|
||||
echo "❌ Database did not become ready"
|
||||
dump_failure_context
|
||||
exit 1
|
||||
fi
|
||||
|
||||
docker run -d \
|
||||
--name "${BACKEND_CONTAINER}" \
|
||||
--network "${NETWORK_NAME}" \
|
||||
-p 18000:8000 \
|
||||
-e DATABASE_URL="${DB_URL}" \
|
||||
-e ENVIRONMENT=production \
|
||||
"${EXPECTED_DIGEST_REF}"
|
||||
|
||||
backend_ready=false
|
||||
for i in $(seq 1 40); do
|
||||
backend_running="$(docker inspect -f '{{.State.Running}}' "${BACKEND_CONTAINER}" 2>/dev/null || echo false)"
|
||||
if [ "${backend_running}" != "true" ]; then
|
||||
echo "❌ Backend container exited before becoming healthy"
|
||||
dump_failure_context
|
||||
exit 1
|
||||
fi
|
||||
|
||||
health_code="$(fetch_backend_endpoint "/health" /tmp/blackbox-health.json)"
|
||||
if [ "${health_code}" = "200" ]; then
|
||||
backend_ready=true
|
||||
break
|
||||
fi
|
||||
sleep 2
|
||||
done
|
||||
if [ "${backend_ready}" != "true" ]; then
|
||||
echo "❌ Backend did not become healthy"
|
||||
cat /tmp/blackbox-health.json 2>/dev/null || true
|
||||
dump_failure_context
|
||||
exit 1
|
||||
fi
|
||||
|
||||
root_code="$(fetch_backend_endpoint "/" /tmp/blackbox-root.json)"
|
||||
if [ "${root_code}" != "200" ] || ! grep -q 'Plex Playlist Backend API' /tmp/blackbox-root.json; then
|
||||
echo "❌ Root endpoint validation failed"
|
||||
cat /tmp/blackbox-root.json 2>/dev/null || true
|
||||
dump_failure_context
|
||||
exit 1
|
||||
fi
|
||||
|
||||
compatibility_code="$(fetch_backend_endpoint "/compatibility" /tmp/blackbox-compatibility.json)"
|
||||
if [ "${compatibility_code}" != "200" ] || ! grep -q '"ok":true' /tmp/blackbox-compatibility.json; then
|
||||
echo "❌ Compatibility endpoint validation failed"
|
||||
cat /tmp/blackbox-compatibility.json 2>/dev/null || true
|
||||
dump_failure_context
|
||||
exit 1
|
||||
fi
|
||||
|
||||
health_code="$(fetch_backend_endpoint "/health" /tmp/blackbox-health.json)"
|
||||
if [ "${health_code}" != "200" ] || ! grep -q '"status":"healthy"' /tmp/blackbox-health.json; then
|
||||
echo "❌ Health endpoint validation failed"
|
||||
cat /tmp/blackbox-health.json 2>/dev/null || true
|
||||
dump_failure_context
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "✅ Runtime black-box integration checks passed"
|
||||
} 2>&1 | tee "${LOG_FILE}"
|
||||
|
||||
TEST_STATUS=${PIPESTATUS[0]}
|
||||
if [ "${TEST_STATUS}" -ne 0 ]; then
|
||||
echo "❌ Runtime black-box integration checks failed (exit=${TEST_STATUS})"
|
||||
echo "--- Last 200 lines of runtime black-box integration output ---"
|
||||
tail -n 200 "${LOG_FILE}" || true
|
||||
exit "${TEST_STATUS}"
|
||||
fi
|
||||
|
||||
- *failure_diagnostics_step
|
||||
|
||||
e2e-tests:
|
||||
name: End-to-End Tests
|
||||
# Use ubuntu-act runner pool for consistent availability.
|
||||
runs-on: ubuntu-act
|
||||
timeout-minutes: 30
|
||||
needs: [setup, frontend-tests]
|
||||
steps:
|
||||
- name: Identify runner
|
||||
run: |
|
||||
echo "=== Runner Identity ==="
|
||||
echo "runner_name=${RUNNER_NAME:-}"
|
||||
echo "runner_name_hint=${GITEA_RUNNER_NAME:-${ACT_RUNNER_NAME:-${RUNNER_NAME:-unknown}}}"
|
||||
echo "runner_hostname_env=${HOSTNAME:-unknown}"
|
||||
echo "runner_uname_n=$(uname -n 2>/dev/null || echo unknown)"
|
||||
echo "runner_etc_hostname=$(cat /etc/hostname 2>/dev/null || echo unknown)"
|
||||
echo "runner_os=${RUNNER_OS:-unknown}"
|
||||
echo "runner_arch=${RUNNER_ARCH:-unknown}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
|
||||
- *configure_registry_host_step
|
||||
- *ensure_cicd_image_step
|
||||
- name: Run E2E tests
|
||||
env:
|
||||
HEAD_SHA: ${{ needs.setup.outputs.head_sha }}
|
||||
run: |
|
||||
set -o pipefail
|
||||
LOG_FILE="$(mktemp)"
|
||||
|
||||
docker run --rm -e CI=true "${GITEA_REGISTRY}/darkhelm.org/plex-playlist-cicd:${HEAD_SHA}" bash -c "
|
||||
cd /workspace/frontend &&
|
||||
if [ -d 'tests/e2e' ] || grep -q 'playwright' package.json; then
|
||||
yarn playwright --version &&
|
||||
PW_BROWSER_PATH="\${PLAYWRIGHT_BROWSERS_PATH:-/root/.cache/ms-playwright}" &&
|
||||
if find "\${PW_BROWSER_PATH}" -maxdepth 1 -type d -name 'chromium-*' | grep -q .; then
|
||||
echo 'Using preinstalled Playwright Chromium from '"\${PW_BROWSER_PATH}"
|
||||
else
|
||||
browser_ok=false &&
|
||||
for i in 1 2 3; do
|
||||
echo 'Playwright browser install attempt' "\$i"'/3' &&
|
||||
if timeout 1800 yarn playwright install chromium; then
|
||||
browser_ok=true
|
||||
break
|
||||
fi
|
||||
if [ "\$i" -lt 3 ]; then
|
||||
echo 'Playwright install attempt failed; retrying in 20s'
|
||||
sleep 20
|
||||
fi
|
||||
done &&
|
||||
if [ "\$browser_ok" != 'true' ]; then
|
||||
echo '❌ Playwright browser install failed after 3 attempts'
|
||||
exit 1
|
||||
fi
|
||||
fi &&
|
||||
yarn test:e2e --reporter=list --timeout=90000
|
||||
else
|
||||
echo 'No E2E tests found'
|
||||
fi
|
||||
" 2>&1 | tee "${LOG_FILE}"
|
||||
|
||||
TEST_STATUS=${PIPESTATUS[0]}
|
||||
if [ "${TEST_STATUS}" -ne 0 ]; then
|
||||
echo "❌ E2E tests failed (exit=${TEST_STATUS})"
|
||||
echo "--- Last 200 lines of E2E output ---"
|
||||
tail -n 200 "${LOG_FILE}" || true
|
||||
exit "${TEST_STATUS}"
|
||||
fi
|
||||
|
||||
- *failure_diagnostics_step
|
||||
1172
.gitea/workflows/cicd.yaml
Normal file
1172
.gitea/workflows/cicd.yaml
Normal file
File diff suppressed because it is too large
Load Diff
@@ -1,537 +0,0 @@
|
||||
name: Docker Build Base
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
force_rebuild:
|
||||
description: Force a rebuild even when the immutable base tag already exists
|
||||
required: false
|
||||
default: "false"
|
||||
head_sha:
|
||||
description: Commit SHA to process
|
||||
required: false
|
||||
source_workflow:
|
||||
description: Upstream workflow name
|
||||
required: false
|
||||
trace_id:
|
||||
description: Correlation id propagated across CICD dispatch chain
|
||||
required: false
|
||||
|
||||
concurrency:
|
||||
group: base-${{ github.sha }}
|
||||
cancel-in-progress: true
|
||||
|
||||
env:
|
||||
GITEA_SSH_HOST: kankali.darkhelm.lan
|
||||
GITEA_SSH_PORT: "2222"
|
||||
GITEA_REPO_SSH_URL: ssh://git@kankali.darkhelm.lan:2222/DarkHelm.org/plex-playlist.git
|
||||
GITEA_REGISTRY: kankali.darkhelm.lan:3001
|
||||
GITEA_REGISTRY_IP: 10.18.75.2
|
||||
GITEA_REGISTRY_HOST: kankali.darkhelm.lan
|
||||
|
||||
defaults:
|
||||
run:
|
||||
shell: bash
|
||||
|
||||
jobs:
|
||||
publish-base:
|
||||
name: Build and Publish CICD Base Image
|
||||
# Use ubuntu-act runner pool which is known to be available.
|
||||
runs-on: ubuntu-act
|
||||
timeout-minutes: 35
|
||||
outputs:
|
||||
base_hash: ${{ steps.base-state.outputs.base_hash }}
|
||||
head_sha: ${{ steps.meta.outputs.head_sha }}
|
||||
|
||||
steps:
|
||||
- name: Identify runner
|
||||
run: |
|
||||
echo "=== Runner Identity ==="
|
||||
echo "runner_name=${RUNNER_NAME:-}"
|
||||
echo "runner_name_hint=${GITEA_RUNNER_NAME:-${ACT_RUNNER_NAME:-${RUNNER_NAME:-unknown}}}"
|
||||
echo "runner_hostname_env=${HOSTNAME:-unknown}"
|
||||
echo "runner_uname_n=$(uname -n 2>/dev/null || echo unknown)"
|
||||
echo "runner_etc_hostname=$(cat /etc/hostname 2>/dev/null || echo unknown)"
|
||||
echo "runner_os=${RUNNER_OS:-unknown}"
|
||||
echo "runner_arch=${RUNNER_ARCH:-unknown}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
|
||||
- name: Emit startup diagnostics
|
||||
shell: sh
|
||||
env:
|
||||
EVENT_NAME: ${{ github.event_name }}
|
||||
SOURCE_WORKFLOW: ${{ github.event.inputs.source_workflow }}
|
||||
FORCE_REBUILD: ${{ github.event.inputs.force_rebuild }}
|
||||
TRACE_ID_INPUT: ${{ github.event.inputs.trace_id }}
|
||||
HEAD_SHA_INPUT: ${{ github.event.inputs.head_sha }}
|
||||
HEAD_SHA_FALLBACK: ${{ github.sha }}
|
||||
REF: ${{ github.ref }}
|
||||
REF_NAME: ${{ github.ref_name }}
|
||||
HEAD_REF: ${{ github.head_ref }}
|
||||
TARGET_LABEL: ubuntu-act
|
||||
run: |
|
||||
RESOLVED_HEAD_SHA="${HEAD_SHA_INPUT:-${HEAD_SHA_FALLBACK}}"
|
||||
TRACE_SUFFIX="$(printf '%s' "${RESOLVED_HEAD_SHA}" | cut -c1-8)"
|
||||
TRACE_ID="${TRACE_ID_INPUT:-cicd-base-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}-${TRACE_SUFFIX}}"
|
||||
echo "=== Base Workflow Startup Audit ==="
|
||||
echo "event_name=${EVENT_NAME}"
|
||||
echo "source_workflow=${SOURCE_WORKFLOW}"
|
||||
echo "force_rebuild=${FORCE_REBUILD}"
|
||||
echo "head_sha_input=${HEAD_SHA_INPUT}"
|
||||
echo "head_sha=${RESOLVED_HEAD_SHA}"
|
||||
echo "ref=${REF}"
|
||||
echo "ref_name=${REF_NAME}"
|
||||
echo "head_ref=${HEAD_REF}"
|
||||
echo "trace_id=${TRACE_ID}"
|
||||
echo "target_runner_label=${TARGET_LABEL}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
echo "startup_audit=ok"
|
||||
|
||||
- name: Preflight Docker and registry connectivity
|
||||
env:
|
||||
PACKAGE_ACCESS_TOKEN: ${{ secrets.PACKAGE_ACCESS_TOKEN }}
|
||||
REGISTRY_USER: ${{ github.actor }}
|
||||
run: |
|
||||
set -e
|
||||
if ! grep -q "${GITEA_REGISTRY_HOST}" /etc/hosts; then
|
||||
echo "${GITEA_REGISTRY_IP} ${GITEA_REGISTRY_HOST}" >> /etc/hosts
|
||||
fi
|
||||
|
||||
echo "=== Docker Preflight ==="
|
||||
command -v docker
|
||||
docker --version
|
||||
docker info >/tmp/docker-info.log 2>&1 || (echo "❌ docker info failed" && tail -n 40 /tmp/docker-info.log && exit 1)
|
||||
grep -qi "${GITEA_REGISTRY}" /tmp/docker-info.log || echo "⚠ Registry not listed in docker info insecure registries: ${GITEA_REGISTRY}"
|
||||
|
||||
echo "=== Registry Login Preflight ==="
|
||||
if [ -z "${PACKAGE_ACCESS_TOKEN}" ]; then
|
||||
echo "❌ PACKAGE_ACCESS_TOKEN is empty"
|
||||
exit 1
|
||||
fi
|
||||
echo "${PACKAGE_ACCESS_TOKEN}" | docker login "http://${GITEA_REGISTRY}" -u "${REGISTRY_USER}" --password-stdin >/tmp/docker-login.log 2>&1 || (echo "❌ Registry login preflight failed" && tail -n 40 /tmp/docker-login.log && exit 1)
|
||||
echo "registry_login_preflight=ok"
|
||||
|
||||
- name: Audit trigger context
|
||||
env:
|
||||
EVENT_NAME: ${{ github.event_name }}
|
||||
SOURCE_WORKFLOW: ${{ github.event.inputs.source_workflow }}
|
||||
FORCE_REBUILD: ${{ github.event.inputs.force_rebuild }}
|
||||
TRACE_ID_INPUT: ${{ github.event.inputs.trace_id }}
|
||||
HEAD_SHA_INPUT: ${{ github.event.inputs.head_sha }}
|
||||
HEAD_SHA_FALLBACK: ${{ github.sha }}
|
||||
REF: ${{ github.ref }}
|
||||
REF_NAME: ${{ github.ref_name }}
|
||||
HEAD_REF: ${{ github.head_ref }}
|
||||
run: |
|
||||
RESOLVED_HEAD_SHA="${HEAD_SHA_INPUT:-${HEAD_SHA_FALLBACK}}"
|
||||
TRACE_ID="${TRACE_ID_INPUT:-cicd-base-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}-${RESOLVED_HEAD_SHA:0:8}}"
|
||||
echo "=== Dispatch Audit: CICD Base Image ==="
|
||||
echo "event_name=${EVENT_NAME}"
|
||||
echo "source_workflow=${SOURCE_WORKFLOW}"
|
||||
echo "force_rebuild=${FORCE_REBUILD}"
|
||||
echo "head_sha_input=${HEAD_SHA_INPUT}"
|
||||
echo "head_sha=${RESOLVED_HEAD_SHA}"
|
||||
echo "ref=${REF}"
|
||||
echo "ref_name=${REF_NAME}"
|
||||
echo "head_ref=${HEAD_REF}"
|
||||
echo "trace_id=${TRACE_ID}"
|
||||
|
||||
- name: Resolve head SHA
|
||||
id: meta
|
||||
env:
|
||||
HEAD_SHA_INPUT: ${{ github.event.inputs.head_sha }}
|
||||
HEAD_SHA_FALLBACK: ${{ github.sha }}
|
||||
run: |
|
||||
RESOLVED_HEAD_SHA="${HEAD_SHA_INPUT:-${HEAD_SHA_FALLBACK}}"
|
||||
echo "head_sha=${RESOLVED_HEAD_SHA}" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Minimal checkout for base inputs
|
||||
env:
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
GITHUB_SHA: ${{ steps.meta.outputs.head_sha }}
|
||||
run: |
|
||||
umask 077
|
||||
trap 'rm -f ~/.ssh/id_rsa' EXIT
|
||||
echo "=== Minimal Repository Checkout for Base Inputs ==="
|
||||
|
||||
if ! grep -q "${GITEA_REGISTRY_HOST}" /etc/hosts; then
|
||||
echo "${GITEA_REGISTRY_IP} ${GITEA_REGISTRY_HOST}" >> /etc/hosts
|
||||
fi
|
||||
|
||||
if [ -n "${SSH_PRIVATE_KEY}" ]; then
|
||||
mkdir -p ~/.ssh
|
||||
echo "${SSH_PRIVATE_KEY}" > ~/.ssh/id_rsa
|
||||
chmod 600 ~/.ssh/id_rsa
|
||||
echo "Loaded SSH key fingerprint: $(ssh-keygen -lf ~/.ssh/id_rsa | awk '{print $2}')"
|
||||
ssh-keyscan -p "${GITEA_SSH_PORT}" "${GITEA_SSH_HOST}" >> ~/.ssh/known_hosts 2>/dev/null
|
||||
else
|
||||
echo "❌ SSH_PRIVATE_KEY is empty"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa -o IdentitiesOnly=yes -o StrictHostKeyChecking=no" \
|
||||
git clone --depth 1 --no-checkout \
|
||||
"${GITEA_REPO_SSH_URL}" .
|
||||
|
||||
if [ -n "${GITHUB_SHA}" ] && \
|
||||
GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa -o IdentitiesOnly=yes -o StrictHostKeyChecking=no" \
|
||||
git fetch --depth 1 origin "${GITHUB_SHA}" >/dev/null 2>&1; then
|
||||
git checkout FETCH_HEAD -- Dockerfile.cicd-base .dockerignore scripts/compute-cicd-base-hash.sh
|
||||
echo "✓ Checked out base inputs from commit ${GITHUB_SHA}"
|
||||
else
|
||||
git checkout HEAD -- Dockerfile.cicd-base .dockerignore scripts/compute-cicd-base-hash.sh
|
||||
echo "⚠ Falling back to default branch HEAD for base inputs checkout"
|
||||
fi
|
||||
|
||||
chmod +x scripts/compute-cicd-base-hash.sh
|
||||
rm -f ~/.ssh/id_rsa
|
||||
|
||||
- name: Compute base hash and inspect registry
|
||||
id: base-state
|
||||
env:
|
||||
PACKAGE_ACCESS_TOKEN: ${{ secrets.PACKAGE_ACCESS_TOKEN }}
|
||||
REGISTRY_USER: ${{ github.actor }}
|
||||
FORCE_REBUILD: ${{ github.event.inputs.force_rebuild }}
|
||||
run: |
|
||||
echo "=== Computing CICD Base Image Hash ==="
|
||||
|
||||
BASE_HASH=$(./scripts/compute-cicd-base-hash.sh)
|
||||
BASE_REF_HASH="${GITEA_REGISTRY}/darkhelm.org/plex-playlist-cicd-base:${BASE_HASH}"
|
||||
BASE_REF_LATEST="${GITEA_REGISTRY}/darkhelm.org/plex-playlist-cicd-base:latest"
|
||||
|
||||
echo "Base hash: ${BASE_HASH}"
|
||||
echo "base_hash=${BASE_HASH}" >> $GITHUB_OUTPUT
|
||||
echo "base_ref_hash=${BASE_REF_HASH}" >> $GITHUB_OUTPUT
|
||||
echo "base_ref_latest=${BASE_REF_LATEST}" >> $GITHUB_OUTPUT
|
||||
|
||||
if ! grep -q "${GITEA_REGISTRY_HOST}" /etc/hosts; then
|
||||
echo "${GITEA_REGISTRY_IP} ${GITEA_REGISTRY_HOST}" >> /etc/hosts
|
||||
fi
|
||||
|
||||
if ! echo "${PACKAGE_ACCESS_TOKEN}" | docker login "http://${GITEA_REGISTRY}" -u "${REGISTRY_USER}" --password-stdin >/dev/null 2>&1; then
|
||||
echo "❌ Registry login failed during base inspection"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "${FORCE_REBUILD}" = "true" ]; then
|
||||
echo "Manual force rebuild requested"
|
||||
echo "needs_build=true" >> $GITHUB_OUTPUT
|
||||
exit 0
|
||||
fi
|
||||
|
||||
for i in 1 2 3; do
|
||||
echo "Existing base check ${i}/3 for ${BASE_REF_HASH}..."
|
||||
# Manifest inspect is unreliable on some runners; use pull as truth.
|
||||
if timeout 900 docker pull "${BASE_REF_HASH}" >/tmp/base-state-pull.log 2>&1; then
|
||||
echo "✓ Immutable base image already exists and is pullable: ${BASE_REF_HASH}"
|
||||
echo "needs_build=false" >> $GITHUB_OUTPUT
|
||||
exit 0
|
||||
else
|
||||
pull_exit=$?
|
||||
echo "Existing base pull check failed with exit code ${pull_exit}"
|
||||
if [ "${pull_exit}" -eq 124 ]; then
|
||||
echo "Existing base pull timed out after 900s"
|
||||
fi
|
||||
if [ -s /tmp/base-state-pull.log ]; then
|
||||
tail -n 20 /tmp/base-state-pull.log || true
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "${i}" -lt 3 ]; then
|
||||
sleep 10
|
||||
fi
|
||||
done
|
||||
|
||||
echo "ℹ Immutable base image missing or not yet pullable: ${BASE_REF_HASH}"
|
||||
echo "needs_build=true" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Write registry push helpers
|
||||
run: |
|
||||
cat > /tmp/registry-push-helpers.sh <<'EOF'
|
||||
#!/bin/bash
|
||||
|
||||
ensure_skopeo() {
|
||||
if command -v skopeo >/dev/null 2>&1; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
if command -v apt-get >/dev/null 2>&1; then
|
||||
apt-get update && apt-get install -y skopeo
|
||||
elif command -v apk >/dev/null 2>&1; then
|
||||
apk add --no-cache skopeo
|
||||
fi
|
||||
|
||||
if ! command -v skopeo >/dev/null 2>&1; then
|
||||
echo "❌ skopeo not available for fallback push"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
push_ref_with_fallback() {
|
||||
ref="$1"
|
||||
local_image="$2"
|
||||
archive_path="$3"
|
||||
registry_user="$4"
|
||||
package_access_token="$5"
|
||||
|
||||
for i in 1 2 3; do
|
||||
echo "Docker push attempt ${i}/3 for ${ref}..."
|
||||
if docker push "${ref}"; then
|
||||
echo "✓ Docker push succeeded for ${ref}"
|
||||
return 0
|
||||
fi
|
||||
|
||||
if [ "${i}" -lt 3 ]; then
|
||||
sleep 10
|
||||
fi
|
||||
done
|
||||
|
||||
echo "⚠ Docker push failed for ${ref}; trying skopeo fallback"
|
||||
|
||||
if ! ensure_skopeo; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [ ! -f "${archive_path}" ]; then
|
||||
echo "Creating local image archive for fallback push..."
|
||||
if ! docker save "${local_image}" -o "${archive_path}"; then
|
||||
echo "❌ Failed to create docker archive for fallback push"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if skopeo copy \
|
||||
--dest-creds "${registry_user}:${package_access_token}" \
|
||||
--dest-tls-verify=false \
|
||||
"docker-archive:${archive_path}" \
|
||||
"docker://${ref}"; then
|
||||
echo "✓ Skopeo fallback push succeeded for ${ref}"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "❌ Skopeo fallback push failed for ${ref}"
|
||||
return 1
|
||||
}
|
||||
EOF
|
||||
|
||||
chmod 700 /tmp/registry-push-helpers.sh
|
||||
|
||||
- name: Build and push base image
|
||||
if: steps.base-state.outputs.needs_build == 'true'
|
||||
env:
|
||||
PACKAGE_ACCESS_TOKEN: ${{ secrets.PACKAGE_ACCESS_TOKEN }}
|
||||
REGISTRY_USER: ${{ github.actor }}
|
||||
BASE_HASH: ${{ steps.base-state.outputs.base_hash }}
|
||||
BASE_REF_HASH: ${{ steps.base-state.outputs.base_ref_hash }}
|
||||
BASE_REF_LATEST: ${{ steps.base-state.outputs.base_ref_latest }}
|
||||
run: |
|
||||
echo "=== Building CICD Base Image ==="
|
||||
|
||||
if ! grep -q "${GITEA_REGISTRY_HOST}" /etc/hosts; then
|
||||
echo "${GITEA_REGISTRY_IP} ${GITEA_REGISTRY_HOST}" >> /etc/hosts
|
||||
fi
|
||||
|
||||
if ! echo "${PACKAGE_ACCESS_TOKEN}" | docker login "http://${GITEA_REGISTRY}" -u "${REGISTRY_USER}" --password-stdin; then
|
||||
echo "❌ Registry login failed before build"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
PLAYWRIGHT_BROWSERS_MIRROR_TAG="${GITEA_REGISTRY}/darkhelm.org/playwright-browsers:v1.56.1-jammy"
|
||||
echo "playwright_browsers_mirror_tag=${PLAYWRIGHT_BROWSERS_MIRROR_TAG}"
|
||||
|
||||
if ! docker pull "${PLAYWRIGHT_BROWSERS_MIRROR_TAG}" >/tmp/playwright-mirror-pull.log 2>&1; then
|
||||
echo "❌ Required internal Playwright browsers mirror image is missing: ${PLAYWRIGHT_BROWSERS_MIRROR_TAG}"
|
||||
echo "Mirror this image into your internal registry before running base builds."
|
||||
tail -n 80 /tmp/playwright-mirror-pull.log || true
|
||||
exit 1
|
||||
fi
|
||||
|
||||
PLAYWRIGHT_BROWSERS_IMAGE=$(docker image inspect --format='{{index .RepoDigests 0}}' "${PLAYWRIGHT_BROWSERS_MIRROR_TAG}" 2>/dev/null || true)
|
||||
if [ -z "${PLAYWRIGHT_BROWSERS_IMAGE}" ]; then
|
||||
echo "❌ Failed to resolve immutable digest for ${PLAYWRIGHT_BROWSERS_MIRROR_TAG}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "playwright_browsers_image=${PLAYWRIGHT_BROWSERS_IMAGE}"
|
||||
|
||||
export DOCKER_BUILDKIT=1
|
||||
|
||||
BUILD_TIMEOUT_SECONDS=5400
|
||||
BUILD_START_EPOCH=$(date +%s)
|
||||
echo "docker_build_timeout_seconds=${BUILD_TIMEOUT_SECONDS}"
|
||||
echo "docker_build_started_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
|
||||
timeout "${BUILD_TIMEOUT_SECONDS}" docker build --progress=plain -f Dockerfile.cicd-base \
|
||||
--build-arg BASE_IMAGE_VERSION="v1.0.0-${BASE_HASH}" \
|
||||
--build-arg BASE_IMAGE_HASH="${BASE_HASH}" \
|
||||
--build-arg PLAYWRIGHT_BROWSERS_IMAGE="${PLAYWRIGHT_BROWSERS_IMAGE}" \
|
||||
-t cicd-base:latest .
|
||||
BUILD_EXIT_CODE=$?
|
||||
if [ "${BUILD_EXIT_CODE}" -ne 0 ]; then
|
||||
if [ "${BUILD_EXIT_CODE}" -eq 124 ]; then
|
||||
echo "❌ docker build timed out after ${BUILD_TIMEOUT_SECONDS}s"
|
||||
else
|
||||
echo "❌ docker build failed with exit code ${BUILD_EXIT_CODE}"
|
||||
fi
|
||||
exit "${BUILD_EXIT_CODE}"
|
||||
fi
|
||||
|
||||
BUILD_END_EPOCH=$(date +%s)
|
||||
BUILD_ELAPSED=$((BUILD_END_EPOCH - BUILD_START_EPOCH))
|
||||
echo "docker_build_elapsed_seconds=${BUILD_ELAPSED}"
|
||||
|
||||
ARCHIVE_PATH="/tmp/cicd-base.tar"
|
||||
source /tmp/registry-push-helpers.sh
|
||||
|
||||
docker tag cicd-base:latest "${BASE_REF_HASH}"
|
||||
docker tag cicd-base:latest "${BASE_REF_LATEST}"
|
||||
|
||||
push_ref_with_fallback "${BASE_REF_HASH}" "cicd-base:latest" "${ARCHIVE_PATH}" "${REGISTRY_USER}" "${PACKAGE_ACCESS_TOKEN}"
|
||||
push_ref_with_fallback "${BASE_REF_LATEST}" "cicd-base:latest" "${ARCHIVE_PATH}" "${REGISTRY_USER}" "${PACKAGE_ACCESS_TOKEN}"
|
||||
|
||||
- name: Verify published base image
|
||||
env:
|
||||
PACKAGE_ACCESS_TOKEN: ${{ secrets.PACKAGE_ACCESS_TOKEN }}
|
||||
REGISTRY_USER: ${{ github.actor }}
|
||||
BASE_REF_HASH: ${{ steps.base-state.outputs.base_ref_hash }}
|
||||
run: |
|
||||
echo "=== Verifying Published CICD Base Image ==="
|
||||
|
||||
if ! grep -q "${GITEA_REGISTRY_HOST}" /etc/hosts; then
|
||||
echo "${GITEA_REGISTRY_IP} ${GITEA_REGISTRY_HOST}" >> /etc/hosts
|
||||
fi
|
||||
|
||||
if ! echo "${PACKAGE_ACCESS_TOKEN}" | docker login "http://${GITEA_REGISTRY}" -u "${REGISTRY_USER}" --password-stdin; then
|
||||
echo "❌ Registry login failed during verification"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for i in 1 2 3 4 5 6; do
|
||||
echo "Verification attempt ${i}/6 for ${BASE_REF_HASH}..."
|
||||
|
||||
if docker pull "${BASE_REF_HASH}"; then
|
||||
echo "✓ Published base image is pullable: ${BASE_REF_HASH}"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "${i}" -lt 6 ]; then
|
||||
echo "⚠ Pull failed; waiting 20s before retry"
|
||||
sleep 20
|
||||
fi
|
||||
done
|
||||
|
||||
echo "❌ Published base image could not be pulled after 6 attempts: ${BASE_REF_HASH}"
|
||||
exit 1
|
||||
|
||||
- name: Dispatch main build workflow
|
||||
env:
|
||||
ACTIONS_TRIGGER_TOKEN: ${{ secrets.ACTIONS_TRIGGER_TOKEN }}
|
||||
PACKAGE_ACCESS_TOKEN: ${{ secrets.PACKAGE_ACCESS_TOKEN }}
|
||||
HEAD_SHA: ${{ steps.meta.outputs.head_sha }}
|
||||
BASE_HASH: ${{ steps.base-state.outputs.base_hash }}
|
||||
REPO_FULL: ${{ github.repository }}
|
||||
HEAD_REF: ${{ github.head_ref }}
|
||||
REF_NAME: ${{ github.ref_name }}
|
||||
TRACE_ID_INPUT: ${{ github.event.inputs.trace_id }}
|
||||
run: |
|
||||
set -e
|
||||
|
||||
DISPATCH_TOKEN="${ACTIONS_TRIGGER_TOKEN:-${PACKAGE_ACCESS_TOKEN:-}}"
|
||||
|
||||
if [ -z "${DISPATCH_TOKEN}" ]; then
|
||||
echo "❌ Missing dispatch token. Set ACTIONS_TRIGGER_TOKEN (repo write scope) or ensure PACKAGE_ACCESS_TOKEN has Actions workflow-dispatch permissions."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! grep -q "${GITEA_REGISTRY_HOST}" /etc/hosts; then
|
||||
echo "${GITEA_REGISTRY_IP} ${GITEA_REGISTRY_HOST}" >> /etc/hosts
|
||||
fi
|
||||
|
||||
REPO_OWNER="${REPO_FULL%/*}"
|
||||
REPO_NAME="${REPO_FULL#*/}"
|
||||
TARGET_REF="${HEAD_REF:-${REF_NAME}}"
|
||||
TRACE_ID="${TRACE_ID_INPUT:-cicd-base-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}-${HEAD_SHA:0:8}}"
|
||||
|
||||
echo "trace_id=${TRACE_ID}"
|
||||
echo "target_ref=${TARGET_REF}"
|
||||
|
||||
CANDIDATE_API_BASES=()
|
||||
if [ -n "${GITHUB_SERVER_URL:-}" ]; then
|
||||
CANDIDATE_API_BASES+=("${GITHUB_SERVER_URL%/}/api/v1")
|
||||
fi
|
||||
CANDIDATE_API_BASES+=("http://${GITEA_REGISTRY_IP}:3001/api/v1")
|
||||
CANDIDATE_API_BASES+=("http://${GITEA_REGISTRY_HOST}:3001/api/v1")
|
||||
|
||||
if ! command -v curl >/dev/null 2>&1; then
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get update -qq
|
||||
apt-get install -y -qq curl ca-certificates
|
||||
fi
|
||||
|
||||
HELPER_PATH="/tmp/dispatch-workflow.sh"
|
||||
|
||||
fetch_dispatch_helper() {
|
||||
local helper_ref="$1"
|
||||
local api_base
|
||||
for api_base in "${CANDIDATE_API_BASES[@]}"; do
|
||||
helper_url="${api_base}/repos/${REPO_OWNER}/${REPO_NAME}/raw/scripts/dispatch-workflow.sh?ref=${helper_ref}"
|
||||
if curl -fsS --connect-timeout 5 --max-time 20 \
|
||||
-H "Authorization: token ${DISPATCH_TOKEN}" \
|
||||
-H "User-Agent: plex-playlist-cicd-base" \
|
||||
-o "${HELPER_PATH}" \
|
||||
"${helper_url}"; then
|
||||
chmod +x "${HELPER_PATH}"
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
return 1
|
||||
}
|
||||
|
||||
if ! fetch_dispatch_helper "${TARGET_REF}" && ! fetch_dispatch_helper "${HEAD_SHA}"; then
|
||||
echo "❌ Failed to fetch scripts/dispatch-workflow.sh from repository"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
DISPATCH_ARGS=(
|
||||
--token "${DISPATCH_TOKEN}"
|
||||
--repo "${REPO_FULL}"
|
||||
--workflow "docker-build-main.yaml"
|
||||
--ref "${TARGET_REF}"
|
||||
--head-sha "${HEAD_SHA}"
|
||||
--source-workflow "CICD Base Image"
|
||||
--trace-id "${TRACE_ID}"
|
||||
--base-needed "true"
|
||||
--base-hash "${BASE_HASH}"
|
||||
)
|
||||
|
||||
for API_BASE in "${CANDIDATE_API_BASES[@]}"; do
|
||||
DISPATCH_ARGS+=(--api-base "${API_BASE}")
|
||||
done
|
||||
|
||||
"${HELPER_PATH}" "${DISPATCH_ARGS[@]}"
|
||||
|
||||
- name: Failure diagnostics
|
||||
if: failure()
|
||||
run: |
|
||||
echo "=== Failure Diagnostics ==="
|
||||
date -u '+timestamp_utc=%Y-%m-%dT%H:%M:%SZ'
|
||||
echo "runner_name=${RUNNER_NAME:-unknown}"
|
||||
echo "runner_hostname=${HOSTNAME:-unknown}"
|
||||
uname -a || true
|
||||
cat /etc/os-release 2>/dev/null || true
|
||||
df -h || true
|
||||
free -h || true
|
||||
ps aux --sort=-%mem | head -n 30 || true
|
||||
|
||||
if command -v docker >/dev/null 2>&1; then
|
||||
echo "=== Docker Diagnostics ==="
|
||||
docker version || true
|
||||
docker info || true
|
||||
docker ps -a || true
|
||||
docker images --digests | head -n 50 || true
|
||||
else
|
||||
echo "docker not available on this runner"
|
||||
fi
|
||||
|
||||
echo "=== Kernel Tail ==="
|
||||
dmesg | tail -n 120 || true
|
||||
@@ -1,481 +0,0 @@
|
||||
name: Docker Build Main
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
head_sha:
|
||||
description: Commit SHA to process
|
||||
required: false
|
||||
base_hash:
|
||||
description: Immutable base hash to use for CICD base image
|
||||
required: false
|
||||
source_workflow:
|
||||
description: Upstream workflow name
|
||||
required: false
|
||||
base_needed:
|
||||
description: Whether base rebuild was required
|
||||
required: false
|
||||
trace_id:
|
||||
description: Correlation id propagated across CICD dispatch chain
|
||||
required: false
|
||||
|
||||
env:
|
||||
GITEA_SSH_HOST: kankali.darkhelm.lan
|
||||
GITEA_SSH_PORT: "2222"
|
||||
GITEA_REPO_SSH_URL: ssh://git@kankali.darkhelm.lan:2222/DarkHelm.org/plex-playlist.git
|
||||
GITEA_REGISTRY: kankali.darkhelm.lan:3001
|
||||
GITEA_REGISTRY_IP: 10.18.75.2
|
||||
GITEA_REGISTRY_HOST: kankali.darkhelm.lan
|
||||
|
||||
defaults:
|
||||
run:
|
||||
shell: bash
|
||||
|
||||
concurrency:
|
||||
group: main-build-${{ github.sha }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
startup-audit:
|
||||
name: Main Workflow Startup Audit
|
||||
# Pin startup audit to high-memory worker to avoid setup-stage runner churn.
|
||||
runs-on: ubuntu-act-8gb
|
||||
timeout-minutes: 5
|
||||
steps:
|
||||
- name: Identify runner
|
||||
shell: sh
|
||||
run: |
|
||||
echo "=== Runner Identity ==="
|
||||
echo "runner_name=${RUNNER_NAME:-}"
|
||||
echo "runner_name_hint=${GITEA_RUNNER_NAME:-${ACT_RUNNER_NAME:-${RUNNER_NAME:-unknown}}}"
|
||||
echo "runner_hostname_env=${HOSTNAME:-unknown}"
|
||||
echo "runner_uname_n=$(uname -n 2>/dev/null || echo unknown)"
|
||||
echo "runner_etc_hostname=$(cat /etc/hostname 2>/dev/null || echo unknown)"
|
||||
echo "runner_os=${RUNNER_OS:-unknown}"
|
||||
echo "runner_arch=${RUNNER_ARCH:-unknown}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
|
||||
- name: Emit startup diagnostics
|
||||
shell: sh
|
||||
env:
|
||||
EVENT_NAME: ${{ github.event_name }}
|
||||
SOURCE_WORKFLOW: ${{ github.event.inputs.source_workflow }}
|
||||
BASE_NEEDED: ${{ github.event.inputs.base_needed }}
|
||||
HEAD_SHA_INPUT: ${{ github.event.inputs.head_sha }}
|
||||
HEAD_SHA_FALLBACK: ${{ github.sha }}
|
||||
BASE_HASH_INPUT: ${{ github.event.inputs.base_hash }}
|
||||
REF: ${{ github.ref }}
|
||||
REF_NAME: ${{ github.ref_name }}
|
||||
HEAD_REF: ${{ github.head_ref }}
|
||||
TRACE_ID_INPUT: ${{ github.event.inputs.trace_id }}
|
||||
TARGET_LABEL: ubuntu-act-8gb
|
||||
run: |
|
||||
RESOLVED_HEAD_SHA="${HEAD_SHA_INPUT:-${HEAD_SHA_FALLBACK}}"
|
||||
TRACE_SUFFIX="$(printf '%s' "${RESOLVED_HEAD_SHA}" | cut -c1-8)"
|
||||
TRACE_ID="${TRACE_ID_INPUT:-cicd-main-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}-${TRACE_SUFFIX}}"
|
||||
echo "=== Main Workflow Startup Audit ==="
|
||||
echo "event_name=${EVENT_NAME}"
|
||||
echo "source_workflow=${SOURCE_WORKFLOW}"
|
||||
echo "base_needed=${BASE_NEEDED}"
|
||||
echo "head_sha_input=${HEAD_SHA_INPUT}"
|
||||
echo "head_sha=${RESOLVED_HEAD_SHA}"
|
||||
echo "base_hash_input=${BASE_HASH_INPUT}"
|
||||
echo "ref=${REF}"
|
||||
echo "ref_name=${REF_NAME}"
|
||||
echo "head_ref=${HEAD_REF}"
|
||||
echo "trace_id=${TRACE_ID}"
|
||||
echo "target_runner_label=${TARGET_LABEL}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
echo "startup_audit=ok"
|
||||
|
||||
- name: Check control-plane reachability
|
||||
shell: sh
|
||||
run: |
|
||||
SERVER_URL="${GITHUB_SERVER_URL:-}"
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
if [ -n "${SERVER_URL}" ] && curl -fsS --connect-timeout 5 --max-time 10 "${SERVER_URL%/}/api/v1/version" >/tmp/gitea-version.json 2>/dev/null; then
|
||||
echo "gitea_api_reachable=true"
|
||||
cat /tmp/gitea-version.json || true
|
||||
else
|
||||
echo "gitea_api_reachable=false"
|
||||
fi
|
||||
else
|
||||
echo "curl unavailable; skipping reachability check"
|
||||
fi
|
||||
|
||||
- &failure_diagnostics_step
|
||||
name: Failure diagnostics
|
||||
if: failure()
|
||||
run: |
|
||||
echo "=== Failure Diagnostics ==="
|
||||
date -u '+timestamp_utc=%Y-%m-%dT%H:%M:%SZ'
|
||||
echo "runner_name=${RUNNER_NAME:-unknown}"
|
||||
echo "runner_hostname=${HOSTNAME:-unknown}"
|
||||
uname -a || true
|
||||
cat /etc/os-release 2>/dev/null || true
|
||||
df -h || true
|
||||
free -h || true
|
||||
ps aux --sort=-%mem | head -n 30 || true
|
||||
|
||||
if command -v docker >/dev/null 2>&1; then
|
||||
echo "=== Docker Diagnostics ==="
|
||||
docker version || true
|
||||
docker info || true
|
||||
docker ps -a || true
|
||||
docker images --digests | head -n 50 || true
|
||||
else
|
||||
echo "docker not available on this runner"
|
||||
fi
|
||||
|
||||
echo "=== Kernel Tail ==="
|
||||
dmesg | tail -n 120 || true
|
||||
|
||||
build:
|
||||
name: Build and Push CICD Complete Image
|
||||
# Pin main image build to high-memory worker to reduce setup-time failures.
|
||||
runs-on: ubuntu-act-8gb
|
||||
needs: startup-audit
|
||||
timeout-minutes: 60
|
||||
outputs:
|
||||
head_sha: ${{ steps.meta.outputs.head_sha }}
|
||||
deployable_backend_tag_ref: ${{ steps.deployable_backend_ref.outputs.deployable_backend_tag_ref }}
|
||||
deployable_backend_digest_ref: ${{ steps.deployable_backend_ref.outputs.deployable_backend_digest_ref }}
|
||||
|
||||
steps:
|
||||
- name: Identify runner
|
||||
run: |
|
||||
echo "=== Runner Identity ==="
|
||||
echo "runner_name=${RUNNER_NAME:-}"
|
||||
echo "runner_name_hint=${GITEA_RUNNER_NAME:-${ACT_RUNNER_NAME:-${RUNNER_NAME:-unknown}}}"
|
||||
echo "runner_hostname_env=${HOSTNAME:-unknown}"
|
||||
echo "runner_uname_n=$(uname -n 2>/dev/null || echo unknown)"
|
||||
echo "runner_etc_hostname=$(cat /etc/hostname 2>/dev/null || echo unknown)"
|
||||
echo "runner_os=${RUNNER_OS:-unknown}"
|
||||
echo "runner_arch=${RUNNER_ARCH:-unknown}"
|
||||
echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
||||
|
||||
- name: Audit trigger context
|
||||
env:
|
||||
EVENT_NAME: ${{ github.event_name }}
|
||||
SOURCE_WORKFLOW: ${{ github.event.inputs.source_workflow }}
|
||||
BASE_NEEDED: ${{ github.event.inputs.base_needed }}
|
||||
HEAD_SHA_INPUT: ${{ github.event.inputs.head_sha }}
|
||||
HEAD_SHA_FALLBACK: ${{ github.sha }}
|
||||
BASE_HASH_INPUT: ${{ github.event.inputs.base_hash }}
|
||||
REF: ${{ github.ref }}
|
||||
REF_NAME: ${{ github.ref_name }}
|
||||
HEAD_REF: ${{ github.head_ref }}
|
||||
TRACE_ID_INPUT: ${{ github.event.inputs.trace_id }}
|
||||
run: |
|
||||
RESOLVED_HEAD_SHA="${HEAD_SHA_INPUT:-${HEAD_SHA_FALLBACK}}"
|
||||
TRACE_ID="${TRACE_ID_INPUT:-cicd-main-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}-${RESOLVED_HEAD_SHA:0:8}}"
|
||||
echo "=== Dispatch Audit: CICD Main Build ==="
|
||||
echo "event_name=${EVENT_NAME}"
|
||||
echo "source_workflow=${SOURCE_WORKFLOW}"
|
||||
echo "base_needed=${BASE_NEEDED}"
|
||||
echo "head_sha_input=${HEAD_SHA_INPUT}"
|
||||
echo "head_sha=${RESOLVED_HEAD_SHA}"
|
||||
echo "base_hash_input=${BASE_HASH_INPUT}"
|
||||
echo "ref=${REF}"
|
||||
echo "ref_name=${REF_NAME}"
|
||||
echo "head_ref=${HEAD_REF}"
|
||||
echo "trace_id=${TRACE_ID}"
|
||||
|
||||
- name: Resolve head SHA
|
||||
id: meta
|
||||
env:
|
||||
HEAD_SHA_INPUT: ${{ github.event.inputs.head_sha }}
|
||||
HEAD_SHA_FALLBACK: ${{ github.sha }}
|
||||
run: |
|
||||
RESOLVED_HEAD_SHA="${HEAD_SHA_INPUT:-${HEAD_SHA_FALLBACK}}"
|
||||
echo "head_sha=${RESOLVED_HEAD_SHA}" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Minimal checkout for build and verification inputs
|
||||
env:
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
HEAD_SHA: ${{ steps.meta.outputs.head_sha }}
|
||||
run: |
|
||||
set -e
|
||||
umask 077
|
||||
trap 'rm -f ~/.ssh/id_rsa' EXIT
|
||||
|
||||
if ! grep -q "${GITEA_REGISTRY_HOST}" /etc/hosts; then
|
||||
echo "${GITEA_REGISTRY_IP} ${GITEA_REGISTRY_HOST}" >> /etc/hosts
|
||||
fi
|
||||
|
||||
mkdir -p ~/.ssh
|
||||
echo "${SSH_PRIVATE_KEY}" > ~/.ssh/id_rsa
|
||||
chmod 600 ~/.ssh/id_rsa
|
||||
ssh-keyscan -p "${GITEA_SSH_PORT}" "${GITEA_SSH_HOST}" >> ~/.ssh/known_hosts 2>/dev/null
|
||||
|
||||
GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa -o IdentitiesOnly=yes -o StrictHostKeyChecking=no" \
|
||||
git clone --depth 1 --no-checkout "${GITEA_REPO_SSH_URL}" .
|
||||
|
||||
GIT_SSH_COMMAND="ssh -i ~/.ssh/id_rsa -o IdentitiesOnly=yes -o StrictHostKeyChecking=no" \
|
||||
git fetch --depth 1 origin "${HEAD_SHA}" >/dev/null 2>&1 || true
|
||||
|
||||
git checkout FETCH_HEAD -- \
|
||||
.dockerignore \
|
||||
Dockerfile.backend \
|
||||
Dockerfile.frontend \
|
||||
Dockerfile.cicd \
|
||||
Dockerfile.cicd-base \
|
||||
backend \
|
||||
frontend \
|
||||
scripts/compute-cicd-base-hash.sh \
|
||||
scripts/check-dockerfile-boundaries.sh \
|
||||
scripts/verify-deployable-image-purity.sh
|
||||
chmod +x scripts/compute-cicd-base-hash.sh
|
||||
|
||||
- name: Verify deployable runtime boundaries
|
||||
run: |
|
||||
set -e
|
||||
bash ./scripts/check-dockerfile-boundaries.sh
|
||||
|
||||
- name: Build and verify deployable runtime image purity
|
||||
env:
|
||||
HEAD_SHA: ${{ steps.meta.outputs.head_sha }}
|
||||
run: |
|
||||
set -e
|
||||
|
||||
docker build -f Dockerfile.backend \
|
||||
-t deployable-backend:"${HEAD_SHA}" .
|
||||
|
||||
docker build -f Dockerfile.frontend \
|
||||
--target production \
|
||||
-t deployable-frontend:"${HEAD_SHA}" .
|
||||
|
||||
bash ./scripts/verify-deployable-image-purity.sh \
|
||||
--image deployable-backend:"${HEAD_SHA}" \
|
||||
--profile backend
|
||||
|
||||
bash ./scripts/verify-deployable-image-purity.sh \
|
||||
--image deployable-frontend:"${HEAD_SHA}" \
|
||||
--profile frontend
|
||||
|
||||
- name: Push deployable backend runtime image
|
||||
id: deployable_backend_ref
|
||||
env:
|
||||
PACKAGE_ACCESS_TOKEN: ${{ secrets.PACKAGE_ACCESS_TOKEN }}
|
||||
REGISTRY_USER: ${{ github.actor }}
|
||||
HEAD_SHA: ${{ steps.meta.outputs.head_sha }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
if ! grep -q "${GITEA_REGISTRY_HOST}" /etc/hosts; then
|
||||
echo "${GITEA_REGISTRY_IP} ${GITEA_REGISTRY_HOST}" >> /etc/hosts
|
||||
fi
|
||||
|
||||
echo "${PACKAGE_ACCESS_TOKEN}" | docker login "http://${GITEA_REGISTRY}" -u "${REGISTRY_USER}" --password-stdin
|
||||
|
||||
DEPLOYABLE_BACKEND_REPO="${GITEA_REGISTRY}/darkhelm.org/deployable-backend"
|
||||
DEPLOYABLE_BACKEND_TAG_REF="${DEPLOYABLE_BACKEND_REPO}:${HEAD_SHA}"
|
||||
|
||||
docker tag "deployable-backend:${HEAD_SHA}" "${DEPLOYABLE_BACKEND_TAG_REF}"
|
||||
docker push "${DEPLOYABLE_BACKEND_TAG_REF}"
|
||||
docker pull "${DEPLOYABLE_BACKEND_TAG_REF}" >/dev/null
|
||||
|
||||
DEPLOYABLE_BACKEND_DIGEST_REF="$({
|
||||
docker image inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' "${DEPLOYABLE_BACKEND_TAG_REF}" \
|
||||
| grep "^${DEPLOYABLE_BACKEND_REPO}@sha256:" \
|
||||
| head -n 1
|
||||
} || true)"
|
||||
|
||||
if [ -z "${DEPLOYABLE_BACKEND_DIGEST_REF}" ]; then
|
||||
echo "❌ Unable to resolve deployable backend digest reference"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "deployable_backend_tag_ref=${DEPLOYABLE_BACKEND_TAG_REF}" >> "$GITHUB_OUTPUT"
|
||||
echo "deployable_backend_digest_ref=${DEPLOYABLE_BACKEND_DIGEST_REF}" >> "$GITHUB_OUTPUT"
|
||||
echo "deployable_backend_tag_ref=${DEPLOYABLE_BACKEND_TAG_REF}"
|
||||
echo "deployable_backend_digest_ref=${DEPLOYABLE_BACKEND_DIGEST_REF}"
|
||||
|
||||
- name: Build and push complete CICD image
|
||||
env:
|
||||
PACKAGE_ACCESS_TOKEN: ${{ secrets.PACKAGE_ACCESS_TOKEN }}
|
||||
REGISTRY_USER: ${{ github.actor }}
|
||||
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
HEAD_SHA: ${{ steps.meta.outputs.head_sha }}
|
||||
BASE_HASH_INPUT: ${{ github.event.inputs.base_hash }}
|
||||
run: |
|
||||
set -e
|
||||
umask 077
|
||||
trap 'rm -f /tmp/ssh_key' EXIT
|
||||
|
||||
if ! grep -q "${GITEA_REGISTRY_HOST}" /etc/hosts; then
|
||||
echo "${GITEA_REGISTRY_IP} ${GITEA_REGISTRY_HOST}" >> /etc/hosts
|
||||
fi
|
||||
|
||||
echo "${PACKAGE_ACCESS_TOKEN}" | docker login "http://${GITEA_REGISTRY}" -u "${REGISTRY_USER}" --password-stdin
|
||||
|
||||
if [ -n "${BASE_HASH_INPUT}" ]; then
|
||||
BASE_HASH="${BASE_HASH_INPUT}"
|
||||
echo "Using provided immutable base hash from upstream workflow dispatch: ${BASE_HASH}"
|
||||
else
|
||||
BASE_HASH=$(./scripts/compute-cicd-base-hash.sh)
|
||||
echo "No base_hash input provided; computed base hash locally: ${BASE_HASH}"
|
||||
fi
|
||||
|
||||
BASE_IMAGE="${GITEA_REGISTRY}/darkhelm.org/plex-playlist-cicd-base:${BASE_HASH}"
|
||||
|
||||
verify_base_image() {
|
||||
# Fast path: base image already present locally.
|
||||
if docker image inspect "${BASE_IMAGE}" >/dev/null 2>&1; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
# Manifest inspect unreliable on these runners; use pull as truth.
|
||||
timeout 1800 docker pull "${BASE_IMAGE}" >/tmp/base-image-pull.log 2>&1
|
||||
}
|
||||
|
||||
max_attempts=2
|
||||
sleep_seconds=15
|
||||
for i in $(seq 1 "${max_attempts}"); do
|
||||
echo "Base availability check ${i}/${max_attempts}..."
|
||||
if verify_base_image; then
|
||||
echo "✓ Base image available and hash matched: ${BASE_IMAGE}"
|
||||
break
|
||||
else
|
||||
pull_exit=$?
|
||||
echo "Base pull attempt ${i} failed with exit code ${pull_exit}"
|
||||
if [ "${pull_exit}" -eq 124 ]; then
|
||||
echo "Pull timed out after 1800s while downloading base image"
|
||||
fi
|
||||
if [ -s /tmp/base-image-pull.log ]; then
|
||||
tail -n 40 /tmp/base-image-pull.log || true
|
||||
fi
|
||||
|
||||
if [ "${i}" -eq "${max_attempts}" ]; then
|
||||
echo "❌ Required immutable base image is not available or mismatched: ${BASE_IMAGE}"
|
||||
exit 1
|
||||
fi
|
||||
sleep "${sleep_seconds}"
|
||||
fi
|
||||
done
|
||||
|
||||
echo "✓ Base image ready: ${BASE_IMAGE}"
|
||||
|
||||
echo "${SSH_PRIVATE_KEY}" > /tmp/ssh_key
|
||||
chmod 600 /tmp/ssh_key
|
||||
export DOCKER_BUILDKIT=1
|
||||
|
||||
docker build -f Dockerfile.cicd \
|
||||
--secret id=ssh_private_key,src=/tmp/ssh_key \
|
||||
--add-host "${GITEA_SSH_HOST}:${GITEA_REGISTRY_IP}" \
|
||||
--build-arg GITHUB_SHA="${HEAD_SHA}" \
|
||||
--build-arg CICD_BASE_IMAGE="${BASE_IMAGE}" \
|
||||
-t cicd:latest .
|
||||
|
||||
docker tag cicd:latest "${GITEA_REGISTRY}/darkhelm.org/plex-playlist-cicd:latest"
|
||||
docker tag cicd:latest "${GITEA_REGISTRY}/darkhelm.org/plex-playlist-cicd:${HEAD_SHA}"
|
||||
|
||||
docker push "${GITEA_REGISTRY}/darkhelm.org/plex-playlist-cicd:latest"
|
||||
docker push "${GITEA_REGISTRY}/darkhelm.org/plex-playlist-cicd:${HEAD_SHA}"
|
||||
|
||||
- *failure_diagnostics_step
|
||||
|
||||
dispatch-tests:
|
||||
name: Dispatch CICD Tests
|
||||
runs-on: ubuntu-act
|
||||
timeout-minutes: 15
|
||||
needs: build
|
||||
if: needs.build.result == 'success'
|
||||
steps:
|
||||
- name: Dispatch tests workflow
|
||||
env:
|
||||
ACTIONS_TRIGGER_TOKEN: ${{ secrets.ACTIONS_TRIGGER_TOKEN }}
|
||||
PACKAGE_ACCESS_TOKEN: ${{ secrets.PACKAGE_ACCESS_TOKEN }}
|
||||
HEAD_SHA: ${{ needs.build.outputs.head_sha }}
|
||||
DEPLOYABLE_BACKEND_TAG_REF: ${{ needs.build.outputs.deployable_backend_tag_ref }}
|
||||
DEPLOYABLE_BACKEND_DIGEST_REF: ${{ needs.build.outputs.deployable_backend_digest_ref }}
|
||||
REPO_FULL: ${{ github.repository }}
|
||||
HEAD_REF: ${{ github.head_ref }}
|
||||
REF_NAME: ${{ github.ref_name }}
|
||||
TRACE_ID_INPUT: ${{ github.event.inputs.trace_id }}
|
||||
run: |
|
||||
set -e
|
||||
|
||||
DISPATCH_TOKEN="${ACTIONS_TRIGGER_TOKEN:-${PACKAGE_ACCESS_TOKEN:-}}"
|
||||
|
||||
if [ -z "${DISPATCH_TOKEN}" ]; then
|
||||
echo "❌ Missing dispatch token. Set ACTIONS_TRIGGER_TOKEN (repo write scope) or ensure PACKAGE_ACCESS_TOKEN has Actions workflow-dispatch permissions."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! grep -q "${GITEA_REGISTRY_HOST}" /etc/hosts; then
|
||||
echo "${GITEA_REGISTRY_IP} ${GITEA_REGISTRY_HOST}" >> /etc/hosts
|
||||
fi
|
||||
|
||||
REPO_OWNER="${REPO_FULL%/*}"
|
||||
REPO_NAME="${REPO_FULL#*/}"
|
||||
TARGET_REF="${HEAD_REF:-${REF_NAME}}"
|
||||
TRACE_ID="${TRACE_ID_INPUT:-cicd-main-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}-${HEAD_SHA:0:8}}"
|
||||
|
||||
echo "trace_id=${TRACE_ID}"
|
||||
echo "target_ref=${TARGET_REF}"
|
||||
|
||||
CANDIDATE_API_BASES=()
|
||||
if [ -n "${GITHUB_SERVER_URL:-}" ]; then
|
||||
CANDIDATE_API_BASES+=("${GITHUB_SERVER_URL%/}/api/v1")
|
||||
fi
|
||||
CANDIDATE_API_BASES+=("http://${GITEA_REGISTRY_IP}:3001/api/v1")
|
||||
CANDIDATE_API_BASES+=("http://${GITEA_REGISTRY_HOST}:3001/api/v1")
|
||||
|
||||
ensure_curl() {
|
||||
if command -v curl >/dev/null 2>&1; then
|
||||
return 0
|
||||
fi
|
||||
if command -v apt-get >/dev/null 2>&1; then
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get update -qq
|
||||
apt-get install -y -qq curl ca-certificates
|
||||
fi
|
||||
command -v curl >/dev/null 2>&1
|
||||
}
|
||||
|
||||
ensure_curl || { echo "❌ curl unavailable for dispatch"; exit 1; }
|
||||
|
||||
HELPER_PATH="/tmp/dispatch-workflow.sh"
|
||||
|
||||
fetch_dispatch_helper() {
|
||||
local helper_ref="$1"
|
||||
local api_base
|
||||
for api_base in "${CANDIDATE_API_BASES[@]}"; do
|
||||
helper_url="${api_base}/repos/${REPO_OWNER}/${REPO_NAME}/raw/scripts/dispatch-workflow.sh?ref=${helper_ref}"
|
||||
if curl -fsS --connect-timeout 5 --max-time 20 \
|
||||
-H "Authorization: token ${DISPATCH_TOKEN}" \
|
||||
-H "User-Agent: plex-playlist-cicd-main" \
|
||||
-o "${HELPER_PATH}" \
|
||||
"${helper_url}"; then
|
||||
chmod +x "${HELPER_PATH}"
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
return 1
|
||||
}
|
||||
|
||||
if ! fetch_dispatch_helper "${TARGET_REF}" && ! fetch_dispatch_helper "${HEAD_SHA}"; then
|
||||
echo "❌ Failed to fetch scripts/dispatch-workflow.sh from repository"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
DISPATCH_ARGS=(
|
||||
--token "${DISPATCH_TOKEN}"
|
||||
--repo "${REPO_FULL}"
|
||||
--workflow "cicd-tests.yaml"
|
||||
--ref "${TARGET_REF}"
|
||||
--head-sha "${HEAD_SHA}"
|
||||
--source-workflow "CICD Main Build"
|
||||
--trace-id "${TRACE_ID}"
|
||||
--input "deployable_backend_tag_ref=${DEPLOYABLE_BACKEND_TAG_REF}"
|
||||
--input "deployable_backend_digest_ref=${DEPLOYABLE_BACKEND_DIGEST_REF}"
|
||||
)
|
||||
|
||||
for API_BASE in "${CANDIDATE_API_BASES[@]}"; do
|
||||
DISPATCH_ARGS+=(--api-base "${API_BASE}")
|
||||
done
|
||||
|
||||
"${HELPER_PATH}" "${DISPATCH_ARGS[@]}"
|
||||
|
||||
- *failure_diagnostics_step
|
||||
@@ -1,37 +1,30 @@
|
||||
# Backend Dockerfile for FastAPI with Python 3.14
|
||||
FROM python:3.14-slim
|
||||
FROM python:3.14-slim AS dependencies
|
||||
|
||||
# Set working directory
|
||||
WORKDIR /app
|
||||
|
||||
# Install system dependencies
|
||||
RUN apt-get update && apt-get install -y \
|
||||
curl \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Install uv
|
||||
COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv
|
||||
|
||||
# Create and activate virtual environment
|
||||
ENV VIRTUAL_ENV=/app/.venv
|
||||
RUN uv venv $VIRTUAL_ENV
|
||||
ENV PATH="$VIRTUAL_ENV/bin:$PATH"
|
||||
|
||||
# Copy dependency files first for better caching
|
||||
COPY backend/pyproject.toml backend/uv.lock* ./
|
||||
# Hatchling resolves the readme path ../README.md relative to the backend
|
||||
# package root (/app). Create a stub so metadata validation succeeds without
|
||||
# requiring the file to pass through .dockerignore.
|
||||
RUN echo '# plex-playlist' > /README.md
|
||||
RUN uv venv "$VIRTUAL_ENV" && uv sync --frozen --no-dev
|
||||
|
||||
# Install runtime dependencies only
|
||||
RUN uv sync --frozen --no-dev
|
||||
FROM python:3.14-slim AS runtime
|
||||
|
||||
# Copy application code
|
||||
COPY backend/ .
|
||||
WORKDIR /app
|
||||
|
||||
ENV VIRTUAL_ENV=/app/.venv
|
||||
ENV PATH="$VIRTUAL_ENV/bin:$PATH"
|
||||
|
||||
COPY --from=dependencies /app/.venv /app/.venv
|
||||
COPY backend/src ./src
|
||||
|
||||
# Expose port
|
||||
EXPOSE 8000
|
||||
|
||||
# Default command - can be overridden in compose for development
|
||||
CMD ["uvicorn", "backend.main:app", "--app-dir", "/app/src", "--host", "0.0.0.0", "--port", "8000"]
|
||||
|
||||
@@ -1,40 +1,20 @@
|
||||
# Frontend Dockerfile for Vue/Vite TypeScript project
|
||||
FROM node:20-alpine AS base
|
||||
FROM node:24-alpine AS build
|
||||
|
||||
# Set working directory
|
||||
WORKDIR /app
|
||||
|
||||
# Copy package files first for better caching
|
||||
COPY frontend/package*.json ./
|
||||
COPY frontend/.yarnrc.yml ./
|
||||
COPY frontend/yarn.lock* frontend/pnpm-lock.yaml* ./
|
||||
COPY frontend/package.json frontend/yarn.lock frontend/.yarnrc.yml ./
|
||||
COPY frontend/.yarn/ ./.yarn/
|
||||
RUN corepack enable && yarn install --immutable
|
||||
|
||||
# Install dependencies
|
||||
RUN if [ -f yarn.lock ]; then corepack enable && corepack yarn install; \
|
||||
elif [ -f pnpm-lock.yaml ]; then npm install -g pnpm && pnpm install; \
|
||||
else npm install; fi
|
||||
|
||||
# Copy application code
|
||||
COPY frontend/ .
|
||||
RUN yarn build
|
||||
|
||||
# Development stage
|
||||
FROM base AS development
|
||||
EXPOSE 5173
|
||||
CMD ["npm", "run", "dev", "--", "--host", "0.0.0.0"]
|
||||
|
||||
# Production build stage
|
||||
FROM base AS build
|
||||
RUN if [ -f yarn.lock ]; then corepack yarn build; \
|
||||
elif [ -f pnpm-lock.yaml ]; then pnpm build; \
|
||||
else npm run build; fi
|
||||
|
||||
# Production stage
|
||||
FROM nginx:alpine AS production
|
||||
# Copy built assets from build stage
|
||||
|
||||
COPY --from=build /app/dist /usr/share/nginx/html
|
||||
# Copy nginx configuration
|
||||
COPY frontend/nginx.conf /etc/nginx/nginx.conf
|
||||
# Expose port
|
||||
|
||||
EXPOSE 80
|
||||
# Start nginx
|
||||
|
||||
CMD ["nginx", "-g", "daemon off;"]
|
||||
|
||||
55
backend/tests/integration/test_runtime_blackbox.py
Normal file
55
backend/tests/integration/test_runtime_blackbox.py
Normal file
@@ -0,0 +1,55 @@
|
||||
"""Runtime black-box integration tests executed over the container network."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import json
|
||||
import os
|
||||
import urllib.error
|
||||
import urllib.request
|
||||
|
||||
import pytest
|
||||
|
||||
BACKEND_BASE_URL = os.getenv("INTEGRATION_BACKEND_URL", "http://backend:8000").rstrip(
|
||||
"/"
|
||||
)
|
||||
|
||||
|
||||
def _fetch(path: str) -> tuple[int, str]:
|
||||
"""Fetch an endpoint and return status code and body text."""
|
||||
url = f"{BACKEND_BASE_URL}{path}"
|
||||
request = urllib.request.Request(url=url, method="GET")
|
||||
try:
|
||||
with urllib.request.urlopen(request, timeout=5) as response:
|
||||
body = response.read().decode("utf-8", errors="replace")
|
||||
return response.status, body
|
||||
except urllib.error.HTTPError as exc:
|
||||
body = exc.read().decode("utf-8", errors="replace")
|
||||
return exc.code, body
|
||||
|
||||
|
||||
@pytest.mark.integration
|
||||
def test_root_endpoint_runtime() -> None:
|
||||
"""Runtime root endpoint should return backend API message."""
|
||||
status, body = _fetch("/")
|
||||
assert status == 200
|
||||
payload = json.loads(body)
|
||||
assert payload == {"message": "Plex Playlist Backend API"}
|
||||
|
||||
|
||||
@pytest.mark.integration
|
||||
def test_health_endpoint_runtime() -> None:
|
||||
"""Runtime health endpoint should report healthy database connectivity."""
|
||||
status, body = _fetch("/health")
|
||||
assert status == 200
|
||||
payload = json.loads(body)
|
||||
assert payload.get("status") == "healthy"
|
||||
assert payload.get("database") == "connected"
|
||||
|
||||
|
||||
@pytest.mark.integration
|
||||
def test_compatibility_endpoint_runtime() -> None:
|
||||
"""Runtime compatibility endpoint should report policy check success."""
|
||||
status, body = _fetch("/compatibility")
|
||||
assert status == 200
|
||||
payload = json.loads(body)
|
||||
assert payload.get("ok") is True
|
||||
@@ -142,14 +142,10 @@ jobs:
|
||||
|
||||
### Responsibility Split
|
||||
|
||||
- `.gitea/workflows/cicd-start.yaml` owns startup routing and trace propagation.
|
||||
- `.gitea/workflows/cicd-source-checks.yaml` owns early source-level
|
||||
format/lint/type gating before any promotion dispatch.
|
||||
- `.gitea/workflows/docker-build-base.yaml` owns base publication and verification.
|
||||
- `.gitea/workflows/docker-build-main.yaml` owns complete-image publication.
|
||||
- `.gitea/workflows/cicd-checks.yaml` and `.gitea/workflows/cicd-tests.yaml`
|
||||
own post-build CI validation and tests.
|
||||
- Main CI never rebuilds the base image locally.
|
||||
- `.gitea/workflows/cicd.yaml` owns the full CI pipeline: base image publish,
|
||||
CICD image publish, source checks, unit tests, runtime image publication,
|
||||
integration tests, and E2E tests.
|
||||
- The older split workflows remain only as deprecated/manual helper paths.
|
||||
|
||||
### Runtime Boundary Enforcement
|
||||
|
||||
@@ -173,7 +169,7 @@ and deployable runtime artifacts before publishing the complete CICD image.
|
||||
|
||||
Workflow location:
|
||||
|
||||
- `.gitea/workflows/docker-build-main.yaml`
|
||||
- `.gitea/workflows/cicd.yaml`
|
||||
- `Verify deployable runtime boundaries`
|
||||
- `Build and verify deployable runtime image purity`
|
||||
|
||||
|
||||
@@ -30,6 +30,7 @@ Excluded:
|
||||
### Runtime Artifact Definition
|
||||
|
||||
- Container build source: `Dockerfile.backend`.
|
||||
- Build shape: two-stage build with a dependency stage and a minimal runtime stage.
|
||||
- Runtime base image: `python:3.14-slim`.
|
||||
- Runtime process: `uvicorn backend.main:app --app-dir /app/src --host 0.0.0.0 --port 8000`.
|
||||
- Exposed runtime port: `8000`.
|
||||
@@ -79,6 +80,7 @@ The lockfile in `backend/uv.lock` is the dependency source of truth.
|
||||
### Frontend Runtime Artifact Definition
|
||||
|
||||
- Container build source: `Dockerfile.frontend` (target `production`).
|
||||
- Build shape: two-stage build with a dependency/build stage and a minimal nginx runtime stage.
|
||||
- Runtime base image: `nginx:alpine`.
|
||||
- Runtime process: `nginx -g "daemon off;"`.
|
||||
- Exposed runtime port: `80`.
|
||||
@@ -151,14 +153,14 @@ Current enforcement implemented in CI:
|
||||
|
||||
- Dockerfile target boundary checks:
|
||||
- Script: `scripts/check-dockerfile-boundaries.sh`
|
||||
- Workflow: `.gitea/workflows/docker-build-main.yaml`
|
||||
- Workflow: `.gitea/workflows/cicd.yaml`
|
||||
- Deployable runtime image purity checks:
|
||||
- Script: `scripts/verify-deployable-image-purity.sh`
|
||||
- Workflow: `.gitea/workflows/docker-build-main.yaml`
|
||||
- Workflow: `.gitea/workflows/cicd.yaml`
|
||||
- Checks include binary presence and profile-specific package metadata probes
|
||||
to detect CI/development tooling leakage.
|
||||
- Runtime black-box integration checks against deployed backend container:
|
||||
- Workflow: `.gitea/workflows/cicd-tests.yaml` (`integration-tests` job)
|
||||
- Workflow: `.gitea/workflows/cicd.yaml` (`integration-tests` job)
|
||||
- Inputs: deployable backend commit tag reference and immutable digest
|
||||
reference from main build dispatch.
|
||||
- Assertions: digest/tag consistency and live endpoint behavior for `/`,
|
||||
|
||||
@@ -36,7 +36,7 @@ Scope boundary:
|
||||
|
||||
- Contract definition lives in `DEPLOYABLE_RUNTIME_CONTRACT.md`.
|
||||
- CI enforcement now includes Dockerfile boundary checks and deployable image
|
||||
purity checks in `.gitea/workflows/docker-build-main.yaml`.
|
||||
purity checks in `.gitea/workflows/cicd.yaml`.
|
||||
- Broader workflow redesign and deployment wiring remain out of scope for this
|
||||
repository's runtime contract document and belong to follow-up work under
|
||||
epic #66.
|
||||
@@ -60,8 +60,8 @@ Automated checks:
|
||||
and fails if CI/development binaries or package metadata artifacts are
|
||||
present.
|
||||
|
||||
These checks run in `.gitea/workflows/docker-build-main.yaml` before publishing
|
||||
the complete CICD image.
|
||||
These checks run in `.gitea/workflows/cicd.yaml` before publishing the
|
||||
complete CICD image.
|
||||
|
||||
## Quick Start
|
||||
|
||||
|
||||
@@ -1,5 +1,10 @@
|
||||
import { defineConfig, devices } from '@playwright/test';
|
||||
|
||||
const runtimeBaseURL = process.env.PLAYWRIGHT_BASE_URL;
|
||||
const useRuntimeServices = Boolean(runtimeBaseURL);
|
||||
const junitOutputFile = process.env.PLAYWRIGHT_JUNIT_OUTPUT_FILE ?? 'playwright-results.xml';
|
||||
const outputDir = process.env.PLAYWRIGHT_OUTPUT_DIR ?? 'playwright-artifacts';
|
||||
|
||||
export default defineConfig({
|
||||
testDir: './tests/e2e',
|
||||
timeout: process.env.CI ? 60 * 1000 : 30 * 1000, // Longer timeout in CI
|
||||
@@ -10,11 +15,10 @@ export default defineConfig({
|
||||
forbidOnly: !!process.env.CI,
|
||||
retries: process.env.CI ? 2 : 0,
|
||||
workers: process.env.CI ? 1 : undefined,
|
||||
reporter: process.env.CI
|
||||
? [['list'], ['junit', { outputFile: 'playwright-results.xml' }]]
|
||||
: 'html',
|
||||
reporter: process.env.CI ? [['list'], ['junit', { outputFile: junitOutputFile }]] : 'html',
|
||||
outputDir,
|
||||
use: {
|
||||
baseURL: 'http://localhost:5173',
|
||||
baseURL: runtimeBaseURL ?? 'http://localhost:5173',
|
||||
trace: 'on-first-retry',
|
||||
headless: process.env.CI ? true : false,
|
||||
// CI-specific browser optimizations
|
||||
@@ -78,12 +82,16 @@ export default defineConfig({
|
||||
},
|
||||
},
|
||||
],
|
||||
webServer: {
|
||||
command: 'yarn dev --host 0.0.0.0 --port 5173 --strictPort',
|
||||
url: 'http://localhost:5173',
|
||||
reuseExistingServer: !process.env.CI,
|
||||
timeout: process.env.CI ? 180 * 1000 : 120 * 1000, // Longer startup timeout in CI
|
||||
stderr: 'pipe',
|
||||
stdout: 'pipe',
|
||||
},
|
||||
...(useRuntimeServices
|
||||
? {}
|
||||
: {
|
||||
webServer: {
|
||||
command: 'yarn dev --host 0.0.0.0 --port 5173 --strictPort',
|
||||
url: 'http://localhost:5173',
|
||||
reuseExistingServer: !process.env.CI,
|
||||
timeout: process.env.CI ? 180 * 1000 : 120 * 1000, // Longer startup timeout in CI
|
||||
stderr: 'pipe',
|
||||
stdout: 'pipe',
|
||||
},
|
||||
}),
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user