6aadca5df2a07d36a67faaa2ebbe7dfc5e78251f
11 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
7c06fa3474 | Refactor CI and runtime images to two-stage builds | ||
| 549469f105 |
CI: Establish source-first quality gate and simplify pipeline flow (#71)
All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 24s
This PR establishes a deterministic source-level quality gate before any build promotion and removes redundant post-build quality checks. The new flow makes local developer workflow and CI behavior align: - Developers run pre-commit locally (with auto-fix where appropriate) - CI runs a check-only smoke gate to validate pre-commit cleanliness - Build/test promotion only proceeds after source checks pass ## What Changed ### 1. Added a source-first quality gate - Added a dedicated source gate workflow: - `.gitea/workflows/cicd-source-checks.yaml` - Gate now: - Checks out target SHA - Bootstraps backend/frontend toolchains - Installs dependencies (`backend` via `uv`, `frontend` via `yarn`) - Runs `pre-commit --all-files` as the quality smoke test - Downstream build dispatch only occurs if this gate passes. ### 2. Updated pipeline routing - `cicd-start.yaml` now dispatches the source gate first. - `cicd-start.yaml` push trigger now includes all branches so feature branches run the same gate. - Added explicit routing logs in dispatch steps (route decision, SHA, trace id) for easier debugging. ### 3. Removed redundant checks workflow - Removed: - `.gitea/workflows/cicd-checks.yaml` - Updated: - `.gitea/workflows/docker-build-main.yaml` now dispatches `cicd-tests.yaml` directly after successful main build. ### 4. CI check-only behavior vs local auto-fix behavior Updated `.pre-commit-config.yaml` so hooks that can auto-fix behave as: - **Local developer pre-commit**: auto-fix enabled - **CI source gate**: check-only (no auto-fix) Applied to: - `ruff` / `ruff-format` - `eslint` - `prettier` - `tsdoc-lint` - `markdownlint` - `pretty-format-toml` This keeps CI as a true smoke validation of local pre-commit compliance. ### 5. Renovate workflow hardening - Improved auth/token handling and diagnostics in: - `.gitea/workflows/renovate.yml` - Added support for internal/self-signed TLS endpoints used by this environment. ## Why - Faster, earlier feedback on source quality failures - Avoid expensive build/test progression when source hygiene fails - Align CI with developer habits for predictable outcomes - Remove duplicated quality checks and reduce pipeline complexity ## New Effective CI Flow 1. `cicd-start.yaml` 2. `cicd-source-checks.yaml` (pre-commit smoke gate) 3. `docker-build-base.yaml` / `docker-build-main.yaml` 4. `cicd-tests.yaml` ## Acceptance Criteria Mapping (Issue #60) - Source-level lane runs independently and consistently: **Implemented** - Source-lane failure blocks promotion: **Implemented** - Outputs/logging are clear and actionable: **Implemented** ## Notes - Source gate is intentionally check-only in CI. - Developers should continue running local pre-commit before pushing. - Any remaining failures in source gate indicate local pre-commit was not fully clean. Co-authored-by: copilotcoder <copilotcoder@darkhelm.org> Reviewed-on: #71 |
|||
| c7540e97ad |
feat(ci): enforce runtime-validation image separation (#69)
All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 17s
## Summary Implements issue #59 by enforcing a hard boundary between CI validation tooling and deployable runtime images. This PR: - Adds automated deployable-runtime boundary checks in CI. - Verifies deployable backend/frontend artifacts are free of CI/development tooling. - Documents runtime-vs-validation ownership and enforcement behavior. ## What Changed ### CI workflow enforcement - Updated `.gitea/workflows/docker-build-main.yaml` to: - Checkout additional verification inputs (`Dockerfile.backend`, `Dockerfile.frontend`, scripts, backend/frontend directories). - Run `scripts/check-dockerfile-boundaries.sh`. - Build deployable runtime images (`Dockerfile.backend`, `Dockerfile.frontend --target production`). - Run `scripts/verify-deployable-image-purity.sh` against both images before publishing CICD image. - Updated `.gitea/workflows/cicd-checks.yaml` to add: - `dockerfile-boundary-check` job. - Boundary validation execution inside the CICD validation image. ### New enforcement scripts - Added `scripts/check-dockerfile-boundaries.sh`: - Ensures deployable Dockerfiles do **not** reference CICD image paths (`cicd-base`, `CICD_BASE_IMAGE`, `Dockerfile.cicd*`, etc.). - Ensures deployable Dockerfiles do **not** include disallowed CI-only tooling tokens. - Enforces runtime base expectations: - Backend: `python:3.14-slim` - Frontend production target: `nginx:alpine` - Added `scripts/verify-deployable-image-purity.sh`: - Baseline binary checks for disallowed tooling. - Backend-specific deep checks: - Python module import probes for disallowed CI/dev modules. - `pip show` package metadata checks for disallowed CI/dev packages. - Frontend-specific deep checks: - OS package metadata checks (`apk`/`dpkg` when available) for disallowed runtime leaks. - Directory-based checks for development package trees (`node_modules`, `.venv`, `site-packages`, `dist-packages` in sensitive paths). ## Documentation updates - Updated `docs/DEVELOPMENT.md`: - Clarifies runtime-vs-validation enforcement and where checks run. - Notes purity checks include binaries and metadata artifacts. - Updated `docs/CICD_MULTI_STAGE_BUILD.md`: - Adds explicit “Runtime Boundary Enforcement” section. - Documents metadata-level purity probes. - Updated `docs/DEPLOYABLE_RUNTIME_CONTRACT.md`: - Replaces future-only language with current enforcement hooks. - Documents binary + metadata-level purity enforcement. ## Acceptance Criteria Mapping 1. **Deployable backend/frontend image paths do not require CI-only tool installation** - Enforced by: - `scripts/check-dockerfile-boundaries.sh` - `scripts/verify-deployable-image-purity.sh` - `docker-build-main.yaml` pre-publish gates 2. **Checks and tests execute in dedicated validation environment(s)** - Reinforced by: - `cicd-checks.yaml` boundary-check job running in CICD validation image - Existing check/test workflow usage of CICD image 3. **Workflow docs identify runtime vs validation concerns** - Addressed via updates to: - `docs/DEVELOPMENT.md` - `docs/CICD_MULTI_STAGE_BUILD.md` - `docs/DEPLOYABLE_RUNTIME_CONTRACT.md` ## Scope / Non-Goals - Included: - Structural separation enforcement - Workflow-level guardrails - Documentation clarity and traceability - Not included: - Full staging deployment wiring - Security policy redesign ## Notes for Reviewers - Main enforcement path is in `docker-build-main.yaml` before CICD image publish. - New scripts are intentionally fail-fast and policy-oriented. - Existing deployable Dockerfiles currently satisfy the new gates. Co-authored-by: copilotcoder <copilotcoder@darkhelm.org> Reviewed-on: #69 |
|||
| 9b742a5a6d |
feature/pp-58-runtime-image-contract (#68)
## Summary This PR tightens repository quality enforcement around markdown and documentation. It adds `markdownlint` to the `cicd-checks` workflow, expands pre-commit coverage so markdown files are checked repo-wide, and cleans up the PP-58 documentation set to keep it aligned with the new policy. ## What changed - Added a `Markdownlint Check` entry to `.gitea/workflows/cicd-checks.yaml` - Added `markdownlint` to pre-commit and widened prettier coverage to include markdown files across the repo - Updated `README.md` to satisfy markdownlint line-length rules - Normalized the PP-58 documentation set: - `docs/DEPLOYABLE_RUNTIME_CONTRACT.md` - `docs/adr/ADR003-deployable_runtime_image_contract.md` - `docs/DEVELOPMENT.md` - `docs/CICD_MULTI_STAGE_BUILD.md` - `docs/CICD_TROUBLESHOOTING_GUIDE.md` - `docs/SECURE_DOCKER_CICD.md` ## Validation - `pre-commit run markdownlint --files README.md docs/DEPLOYABLE_RUNTIME_CONTRACT.md` - `pre-commit run prettier --files README.md docs/DEPLOYABLE_RUNTIME_CONTRACT.md` - Workflow YAML validation returned no errors ## Notes This change does not alter application runtime behavior. It only strengthens CI and documentation quality enforcement. Co-authored-by: copilotcoder <copilotcoder@darkhelm.org> Reviewed-on: #68 |
|||
| d02039a22e |
Backend runtime upgraded to Python 3.14 with exact dependency pinning (#57)
Some checks failed
CICD Start / Sanity and Base Decision (push) Successful in 18s
Runner Canary / Canary Heavy (ubuntu-act-8gb) (push) Has been skipped
Runner Canary / Canary Heavy (ubuntu-act-4gb) (push) Has been skipped
Runner Canary / Canary Burst (ubuntu-act (push) Failing after 11m10s
Runner Canary / Canary (ubuntu-latest) (push) Failing after 12m39s
Runner Canary / Canary (ubuntu-act) (push) Failing after 12m42s
Signed-off-by: Cliff Hill <xlorep@darkhelm.org> ## Summary Upgrades backend runtime baseline and dependency management for issue #10. ### Changes 1. **Python Baseline**: Updated from 3.13 to 3.14 - Updated `backend/pyproject.toml` requires-python constraint - Updated `backend/pyrightconfig.json` pythonVersion - Updated all Dockerfile and CI references 2. **Dependency Pinning**: Switched to exact version pins in `backend/pyproject.toml` - All dev and runtime dependencies now use `==` instead of `>=` - `fastapi==0.120.2`, `uvicorn==0.38.0` - ruff, pyright, pytest suite pinned to current resolved versions - Regenerated `backend/uv.lock` under Python 3.14 3. **Startup Compatibility Guard** (TDD via RED→GREEN) - New `compatibility_status()` function evaluates runtime and pinned deps - Startup raises `RuntimeError` if policy fails - Implemented via FastAPI lifespan (non-deprecated) handler 4. **Compatibility Status Endpoint** - New `GET /compatibility` returns policy status, runtime version, and package checks - Shares single source of truth with startup validation 5. **Integration Tests** - Added failing-then-passing tests for startup guard and endpoint behavior - 100% coverage maintained 6. **Direnv Configuration** - Added `UV_PYTHON="3.14"` pin to repo `.envrc` - Ensures direnv creates/recreates venv with correct Python version ### Validation - ✅ ruff format/check - ✅ pyright strict (0 errors) - ✅ pytest: 8 passed, 100% coverage (>=95 gate) - ✅ pydoclint: pass - ✅ xdoctest: pass ### Notes - SQLAlchemy/SQLModel introduction deferred to next pass per scope - Compatibility logic currently validates fastapi/uvicorn pins (runtime deps) - Ready for container build validation and Renovate bot testing Co-authored-by: copilotcoder <copilotcoder@darkhelm.org> Reviewed-on: #57 Co-authored-by: Cliff Hill <xlorep@darkhelm.org> Co-committed-by: Cliff Hill <xlorep@darkhelm.org> |
|||
|
a142bc46c2
|
CICD workflow is now valid.
Some checks failed
Tests / Build and Push CICD Base Image (push) Successful in 1m12s
Tests / Build and Push CICD Complete Image (push) Failing after 19m39s
Tests / Darglint Docstring Check (push) Has been skipped
Tests / Ruff Format Check (push) Has been skipped
Tests / Pyright Type Check (push) Has been skipped
Tests / Trailing Whitespace Check (push) Has been skipped
Tests / End of File Check (push) Has been skipped
Tests / YAML Syntax Check (push) Has been skipped
Tests / TOML Syntax Check (push) Has been skipped
Tests / Mixed Line Ending Check (push) Has been skipped
Tests / TOML Formatting Check (push) Has been skipped
Tests / Ruff Linting (push) Has been skipped
Tests / No Docstring Types Check (push) Has been skipped
Tests / ESLint Check (push) Has been skipped
Tests / Prettier Format Check (push) Has been skipped
Tests / TypeScript Type Check (push) Has been skipped
Tests / TSDoc Lint Check (push) Has been skipped
Tests / Backend Tests (push) Has been skipped
Tests / Backend Doctests (push) Has been skipped
Tests / Frontend Tests (push) Has been skipped
Tests / Integration Tests (push) Has been skipped
Tests / End-to-End Tests (push) Has been skipped
Signed-off-by: Cliff Hill <xlorep@darkhelm.org> |
|||
|
a9db4d64bc
|
Fixing playright
Some checks failed
Tests / Build and Push CICD Base Image (push) Successful in 1m13s
Tests / Build and Push CICD Complete Image (push) Successful in 12m20s
Tests / YAML Syntax Check (push) Successful in 27m55s
Tests / Mixed Line Ending Check (push) Successful in 45s
Tests / TOML Formatting Check (push) Successful in 44s
Tests / End of File Check (push) Successful in 30m14s
Tests / Ruff Linting (push) Failing after 36s
Tests / Ruff Format Check (push) Successful in 1m0s
Tests / Darglint Docstring Check (push) Successful in 1m4s
Tests / No Docstring Types Check (push) Successful in 56s
Tests / Pyright Type Check (push) Successful in 1m30s
Tests / ESLint Check (push) Successful in 1m14s
Tests / TypeScript Type Check (push) Successful in 1m27s
Tests / Prettier Format Check (push) Successful in 57s
Tests / Backend Tests (push) Successful in 1m10s
Tests / TSDoc Lint Check (push) Successful in 1m15s
Tests / Frontend Tests (push) Successful in 1m40s
Tests / Backend Doctests (push) Successful in 42s
Tests / Integration Tests (push) Successful in 1m8s
Tests / Trailing Whitespace Check (push) Successful in 57m52s
Tests / End-to-End Tests (push) Failing after 25m51s
Tests / TOML Syntax Check (push) Successful in 1h27m25s
Signed-off-by: Cliff Hill <xlorep@darkhelm.org> |
|||
|
cad7c7fea9
|
Fixing how uv is being used in the base image, adding Poe the Poet to everything.
Some checks failed
Tests / Build and Push CICD Base Image (push) Successful in 1m2s
Tests / Build and Push CICD Complete Image (push) Failing after 20m37s
Tests / TSDoc Lint Check (push) Has been skipped
Tests / Trailing Whitespace Check (push) Has been skipped
Tests / End of File Check (push) Has been skipped
Tests / YAML Syntax Check (push) Has been skipped
Tests / TOML Syntax Check (push) Has been skipped
Tests / Mixed Line Ending Check (push) Has been skipped
Tests / TOML Formatting Check (push) Has been skipped
Tests / Ruff Linting (push) Has been skipped
Tests / No Docstring Types Check (push) Has been skipped
Tests / ESLint Check (push) Has been skipped
Tests / Prettier Format Check (push) Has been skipped
Tests / TypeScript Type Check (push) Has been skipped
Tests / Backend Tests (push) Has been skipped
Tests / Frontend Tests (push) Has been skipped
Tests / Ruff Format Check (push) Has been skipped
Tests / Pyright Type Check (push) Has been skipped
Tests / Darglint Docstring Check (push) Has been skipped
Tests / Backend Doctests (push) Has been skipped
Tests / Integration Tests (push) Has been skipped
Tests / End-to-End Tests (push) Has been skipped
Signed-off-by: Cliff Hill <xlorep@darkhelm.org> |
|||
|
6df52238de
|
Optimizing the build so that CICD doesn't take FOREVER to run.
Some checks failed
Tests / Build and Push CICD Base Image (push) Successful in 46m24s
Tests / Build and Push CICD Complete Image (push) Failing after 1m6s
Tests / TOML Syntax Check (push) Has been skipped
Tests / Mixed Line Ending Check (push) Has been skipped
Tests / TOML Formatting Check (push) Has been skipped
Tests / Ruff Linting (push) Has been skipped
Tests / Ruff Format Check (push) Has been skipped
Tests / Pyright Type Check (push) Has been skipped
Tests / Darglint Docstring Check (push) Has been skipped
Tests / No Docstring Types Check (push) Has been skipped
Tests / ESLint Check (push) Has been skipped
Tests / Prettier Format Check (push) Has been skipped
Tests / TypeScript Type Check (push) Has been skipped
Tests / TSDoc Lint Check (push) Has been skipped
Tests / Trailing Whitespace Check (push) Has been skipped
Tests / End of File Check (push) Has been skipped
Tests / YAML Syntax Check (push) Has been skipped
Tests / End-to-End Tests (push) Has been skipped
Tests / Backend Tests (push) Has been skipped
Tests / Frontend Tests (push) Has been skipped
Tests / Backend Doctests (push) Has been skipped
Tests / Integration Tests (push) Has been skipped
Signed-off-by: Cliff Hill <xlorep@darkhelm.org> |
|||
|
c5660e547a
|
Trying to make e2e be truly non-interactive and headless.
Some checks failed
Tests / Mixed Line Ending Check (push) Has been cancelled
Tests / Darglint Docstring Check (push) Has been cancelled
Tests / Frontend Tests (push) Has been cancelled
Tests / End of File Check (push) Has been cancelled
Tests / Build and Push CICD Image (push) Has started running
Tests / YAML Syntax Check (push) Has been cancelled
Tests / TOML Formatting Check (push) Has been cancelled
Tests / Ruff Linting (push) Has been cancelled
Tests / Ruff Format Check (push) Has been cancelled
Tests / No Docstring Types Check (push) Has been cancelled
Tests / End-to-End Tests (push) Has been cancelled
Tests / TOML Syntax Check (push) Has been cancelled
Tests / TSDoc Lint Check (push) Has been cancelled
Tests / Trailing Whitespace Check (push) Has been cancelled
Tests / Pyright Type Check (push) Has been cancelled
Tests / ESLint Check (push) Has been cancelled
Tests / Backend Tests (push) Has been cancelled
Tests / Prettier Format Check (push) Has been cancelled
Tests / Integration Tests (push) Has been cancelled
Tests / TypeScript Type Check (push) Has been cancelled
Tests / Backend Doctests (push) Has been cancelled
Signed-off-by: Cliff Hill <xlorep@darkhelm.org> |
|||
|
aee066d611
|
Fixing the e2e tests (again).
Some checks failed
Tests / Build and Push CICD Image (push) Successful in 1h18m58s
Tests / YAML Syntax Check (push) Successful in 40s
Tests / TOML Syntax Check (push) Successful in 33s
Tests / Mixed Line Ending Check (push) Successful in 38s
Tests / TOML Formatting Check (push) Successful in 46s
Tests / Ruff Linting (push) Successful in 35s
Tests / Ruff Format Check (push) Successful in 32s
Tests / Pyright Type Check (push) Successful in 48s
Tests / Darglint Docstring Check (push) Successful in 30s
Tests / No Docstring Types Check (push) Successful in 20s
Tests / ESLint Check (push) Successful in 51s
Tests / Prettier Format Check (push) Successful in 30s
Tests / TypeScript Type Check (push) Successful in 1m4s
Tests / TSDoc Lint Check (push) Successful in 59s
Tests / End of File Check (push) Successful in 10m13s
Tests / Backend Tests (push) Successful in 37s
Tests / Backend Doctests (push) Successful in 20s
Tests / Frontend Tests (push) Successful in 1m30s
Tests / Trailing Whitespace Check (push) Successful in 12m47s
Tests / Integration Tests (push) Successful in 10m43s
Tests / End-to-End Tests (push) Has been cancelled
Signed-off-by: Cliff Hill <xlorep@darkhelm.org> |