copilotcoder
7c06fa3474
Refactor CI and runtime images to two-stage builds
2026-07-06 10:29:31 -04:00
1f6cafa1bc
TASK: Replace integration lane with post-build backend runtime black-box tests ( #72 )
...
CICD Start / Sanity and Base Decision (push) Failing after 11m34s
Renovate Dependency Updates / Renovate Dependencies (push) Failing after 10m12s
## Summary
Replace the existing source-context integration lane with backend runtime black-box integration checks that run against started deployable containers.
This change wires deployable backend image references (both commit tag and immutable digest) from the build workflow into the tests workflow, then validates runtime behavior over network endpoints.
## Why
Integration confidence should come from testing running service artifacts, not only source-mounted or in-process execution.
## What Changed
- Build workflow now:
- Publishes deployable backend image tag reference and digest reference
- Exposes both as job outputs
- Passes both references into CICD Tests dispatch inputs
- CICD Tests workflow now:
- Accepts deployable backend tag and digest inputs
- Propagates these through setup outputs
- Replaces previous integration lane behavior with runtime black-box execution:
- Starts isolated Docker network
- Starts Postgres container
- Starts backend container from digest-pinned deployable image
- Enforces tag-to-digest consistency before running checks
- Runs endpoint checks against live container:
- GET /
- GET /compatibility
- GET /health
- Captures backend/db logs and container state on failure
- Cleans up containers and network via trap
- Documentation updated:
- Runtime contract enforcement section now includes runtime black-box integration checks
- CI success summary now reflects runtime integration lane behavior
## Scope
Included:
- Backend runtime black-box integration replacement for the existing integration lane
- Digest + tag identity enforcement
- Failure diagnostics for triage
Out of scope:
- Frontend runtime smoke checks
- E2E lane redesign
## Acceptance Criteria Mapping
- Integration tests execute against runtime container endpoints: ✅
- Integration lane consumes built image references (not source-mounted execution): ✅
- Failures surface service logs and test logs for triage: ✅
## Verification
- Workflow files pass local validation checks
- Pre-commit hooks pass on committed changes
- Branch pushed and ready for PR review
## Related
- Issue: #61
- Dependency context: #66
Co-authored-by: copilotcoder <copilotcoder@darkhelm.org >
Reviewed-on: #72
2026-07-05 22:48:57 -04:00
c7540e97ad
feat(ci): enforce runtime-validation image separation ( #69 )
...
CICD Start / Sanity and Base Decision (push) Successful in 17s
## Summary
Implements issue #59 by enforcing a hard boundary between CI validation tooling and deployable runtime images.
This PR:
- Adds automated deployable-runtime boundary checks in CI.
- Verifies deployable backend/frontend artifacts are free of CI/development tooling.
- Documents runtime-vs-validation ownership and enforcement behavior.
## What Changed
### CI workflow enforcement
- Updated `.gitea/workflows/docker-build-main.yaml` to:
- Checkout additional verification inputs (`Dockerfile.backend`, `Dockerfile.frontend`, scripts, backend/frontend directories).
- Run `scripts/check-dockerfile-boundaries.sh`.
- Build deployable runtime images (`Dockerfile.backend`, `Dockerfile.frontend --target production`).
- Run `scripts/verify-deployable-image-purity.sh` against both images before publishing CICD image.
- Updated `.gitea/workflows/cicd-checks.yaml` to add:
- `dockerfile-boundary-check` job.
- Boundary validation execution inside the CICD validation image.
### New enforcement scripts
- Added `scripts/check-dockerfile-boundaries.sh`:
- Ensures deployable Dockerfiles do **not** reference CICD image paths (`cicd-base`, `CICD_BASE_IMAGE`, `Dockerfile.cicd*`, etc.).
- Ensures deployable Dockerfiles do **not** include disallowed CI-only tooling tokens.
- Enforces runtime base expectations:
- Backend: `python:3.14-slim`
- Frontend production target: `nginx:alpine`
- Added `scripts/verify-deployable-image-purity.sh`:
- Baseline binary checks for disallowed tooling.
- Backend-specific deep checks:
- Python module import probes for disallowed CI/dev modules.
- `pip show` package metadata checks for disallowed CI/dev packages.
- Frontend-specific deep checks:
- OS package metadata checks (`apk`/`dpkg` when available) for disallowed runtime leaks.
- Directory-based checks for development package trees (`node_modules`, `.venv`, `site-packages`, `dist-packages` in sensitive paths).
## Documentation updates
- Updated `docs/DEVELOPMENT.md`:
- Clarifies runtime-vs-validation enforcement and where checks run.
- Notes purity checks include binaries and metadata artifacts.
- Updated `docs/CICD_MULTI_STAGE_BUILD.md`:
- Adds explicit “Runtime Boundary Enforcement” section.
- Documents metadata-level purity probes.
- Updated `docs/DEPLOYABLE_RUNTIME_CONTRACT.md`:
- Replaces future-only language with current enforcement hooks.
- Documents binary + metadata-level purity enforcement.
## Acceptance Criteria Mapping
1. **Deployable backend/frontend image paths do not require CI-only tool installation**
- Enforced by:
- `scripts/check-dockerfile-boundaries.sh`
- `scripts/verify-deployable-image-purity.sh`
- `docker-build-main.yaml` pre-publish gates
2. **Checks and tests execute in dedicated validation environment(s)**
- Reinforced by:
- `cicd-checks.yaml` boundary-check job running in CICD validation image
- Existing check/test workflow usage of CICD image
3. **Workflow docs identify runtime vs validation concerns**
- Addressed via updates to:
- `docs/DEVELOPMENT.md`
- `docs/CICD_MULTI_STAGE_BUILD.md`
- `docs/DEPLOYABLE_RUNTIME_CONTRACT.md`
## Scope / Non-Goals
- Included:
- Structural separation enforcement
- Workflow-level guardrails
- Documentation clarity and traceability
- Not included:
- Full staging deployment wiring
- Security policy redesign
## Notes for Reviewers
- Main enforcement path is in `docker-build-main.yaml` before CICD image publish.
- New scripts are intentionally fail-fast and policy-oriented.
- Existing deployable Dockerfiles currently satisfy the new gates.
Co-authored-by: copilotcoder <copilotcoder@darkhelm.org >
Reviewed-on: #69
2026-06-22 12:45:20 -04:00
d02039a22e
Backend runtime upgraded to Python 3.14 with exact dependency pinning ( #57 )
...
CICD Start / Sanity and Base Decision (push) Successful in 18s
Runner Canary / Canary Heavy (ubuntu-act-8gb) (push) Has been skipped
Runner Canary / Canary Heavy (ubuntu-act-4gb) (push) Has been skipped
Runner Canary / Canary Burst (ubuntu-act (push) Failing after 11m10s
Runner Canary / Canary (ubuntu-latest) (push) Failing after 12m39s
Runner Canary / Canary (ubuntu-act) (push) Failing after 12m42s
Signed-off-by: Cliff Hill <xlorep@darkhelm.org >
## Summary
Upgrades backend runtime baseline and dependency management for issue #10 .
### Changes
1. **Python Baseline**: Updated from 3.13 to 3.14
- Updated `backend/pyproject.toml` requires-python constraint
- Updated `backend/pyrightconfig.json` pythonVersion
- Updated all Dockerfile and CI references
2. **Dependency Pinning**: Switched to exact version pins in `backend/pyproject.toml`
- All dev and runtime dependencies now use `==` instead of `>=`
- `fastapi==0.120.2`, `uvicorn==0.38.0`
- ruff, pyright, pytest suite pinned to current resolved versions
- Regenerated `backend/uv.lock` under Python 3.14
3. **Startup Compatibility Guard** (TDD via RED→GREEN)
- New `compatibility_status()` function evaluates runtime and pinned deps
- Startup raises `RuntimeError` if policy fails
- Implemented via FastAPI lifespan (non-deprecated) handler
4. **Compatibility Status Endpoint**
- New `GET /compatibility` returns policy status, runtime version, and package checks
- Shares single source of truth with startup validation
5. **Integration Tests**
- Added failing-then-passing tests for startup guard and endpoint behavior
- 100% coverage maintained
6. **Direnv Configuration**
- Added `UV_PYTHON="3.14"` pin to repo `.envrc`
- Ensures direnv creates/recreates venv with correct Python version
### Validation
- ✅ ruff format/check
- ✅ pyright strict (0 errors)
- ✅ pytest: 8 passed, 100% coverage (>=95 gate)
- ✅ pydoclint: pass
- ✅ xdoctest: pass
### Notes
- SQLAlchemy/SQLModel introduction deferred to next pass per scope
- Compatibility logic currently validates fastapi/uvicorn pins (runtime deps)
- Ready for container build validation and Renovate bot testing
Co-authored-by: copilotcoder <copilotcoder@darkhelm.org >
Reviewed-on: #57
Co-authored-by: Cliff Hill <xlorep@darkhelm.org >
Co-committed-by: Cliff Hill <xlorep@darkhelm.org >
2026-06-18 11:19:24 -04:00
0961001998
More adjustments.
...
CI/CD Pipeline / Backend Tests (Python) (push) Failing after 18m27s
CI/CD Pipeline / Frontend Tests (TypeScript/Vue) (push) Failing after 18m22s
CI/CD Pipeline / Integration Tests (push) Has been skipped
Signed-off-by: Cliff Hill <xlorep@darkhelm.org >
2025-10-21 00:19:59 -04:00
9c4a8d96bc
Initial commit.
...
Signed-off-by: Cliff Hill <xlorep@darkhelm.org >
2025-10-18 09:14:10 -04:00