Commit Graph

4 Commits

Author SHA1 Message Date
c7540e97ad feat(ci): enforce runtime-validation image separation (#69)
All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 17s
## Summary

Implements issue #59 by enforcing a hard boundary between CI validation tooling and deployable runtime images.

This PR:

- Adds automated deployable-runtime boundary checks in CI.
- Verifies deployable backend/frontend artifacts are free of CI/development tooling.
- Documents runtime-vs-validation ownership and enforcement behavior.

## What Changed

### CI workflow enforcement

- Updated `.gitea/workflows/docker-build-main.yaml` to:
  - Checkout additional verification inputs (`Dockerfile.backend`, `Dockerfile.frontend`, scripts, backend/frontend directories).
  - Run `scripts/check-dockerfile-boundaries.sh`.
  - Build deployable runtime images (`Dockerfile.backend`, `Dockerfile.frontend --target production`).
  - Run `scripts/verify-deployable-image-purity.sh` against both images before publishing CICD image.

- Updated `.gitea/workflows/cicd-checks.yaml` to add:
  - `dockerfile-boundary-check` job.
  - Boundary validation execution inside the CICD validation image.

### New enforcement scripts

- Added `scripts/check-dockerfile-boundaries.sh`:
  - Ensures deployable Dockerfiles do **not** reference CICD image paths (`cicd-base`, `CICD_BASE_IMAGE`, `Dockerfile.cicd*`, etc.).
  - Ensures deployable Dockerfiles do **not** include disallowed CI-only tooling tokens.
  - Enforces runtime base expectations:
    - Backend: `python:3.14-slim`
    - Frontend production target: `nginx:alpine`

- Added `scripts/verify-deployable-image-purity.sh`:
  - Baseline binary checks for disallowed tooling.
  - Backend-specific deep checks:
    - Python module import probes for disallowed CI/dev modules.
    - `pip show` package metadata checks for disallowed CI/dev packages.
  - Frontend-specific deep checks:
    - OS package metadata checks (`apk`/`dpkg` when available) for disallowed runtime leaks.
    - Directory-based checks for development package trees (`node_modules`, `.venv`, `site-packages`, `dist-packages` in sensitive paths).

## Documentation updates

- Updated `docs/DEVELOPMENT.md`:
  - Clarifies runtime-vs-validation enforcement and where checks run.
  - Notes purity checks include binaries and metadata artifacts.

- Updated `docs/CICD_MULTI_STAGE_BUILD.md`:
  - Adds explicit “Runtime Boundary Enforcement” section.
  - Documents metadata-level purity probes.

- Updated `docs/DEPLOYABLE_RUNTIME_CONTRACT.md`:
  - Replaces future-only language with current enforcement hooks.
  - Documents binary + metadata-level purity enforcement.

## Acceptance Criteria Mapping

1. **Deployable backend/frontend image paths do not require CI-only tool installation**
   - Enforced by:
     - `scripts/check-dockerfile-boundaries.sh`
     - `scripts/verify-deployable-image-purity.sh`
     - `docker-build-main.yaml` pre-publish gates

2. **Checks and tests execute in dedicated validation environment(s)**
   - Reinforced by:
     - `cicd-checks.yaml` boundary-check job running in CICD validation image
     - Existing check/test workflow usage of CICD image

3. **Workflow docs identify runtime vs validation concerns**
   - Addressed via updates to:
     - `docs/DEVELOPMENT.md`
     - `docs/CICD_MULTI_STAGE_BUILD.md`
     - `docs/DEPLOYABLE_RUNTIME_CONTRACT.md`

## Scope / Non-Goals

- Included:
  - Structural separation enforcement
  - Workflow-level guardrails
  - Documentation clarity and traceability

- Not included:
  - Full staging deployment wiring
  - Security policy redesign

## Notes for Reviewers

- Main enforcement path is in `docker-build-main.yaml` before CICD image publish.
- New scripts are intentionally fail-fast and policy-oriented.
- Existing deployable Dockerfiles currently satisfy the new gates.

Co-authored-by: copilotcoder <copilotcoder@darkhelm.org>
Reviewed-on: #69
2026-06-22 12:45:20 -04:00
9b742a5a6d feature/pp-58-runtime-image-contract (#68)
Some checks failed
CICD Start / Sanity and Base Decision (push) Successful in 18s
Renovate Dependency Updates / Renovate Dependencies (push) Failing after 7m19s
## Summary

This PR tightens repository quality enforcement around markdown and documentation. It adds `markdownlint` to the `cicd-checks` workflow, expands pre-commit coverage so markdown files are checked repo-wide, and cleans up the PP-58 documentation set to keep it aligned with the new policy.

## What changed

- Added a `Markdownlint Check` entry to `.gitea/workflows/cicd-checks.yaml`
- Added `markdownlint` to pre-commit and widened prettier coverage to include markdown files across the repo
- Updated `README.md` to satisfy markdownlint line-length rules
- Normalized the PP-58 documentation set:
  - `docs/DEPLOYABLE_RUNTIME_CONTRACT.md`
  - `docs/adr/ADR003-deployable_runtime_image_contract.md`
  - `docs/DEVELOPMENT.md`
  - `docs/CICD_MULTI_STAGE_BUILD.md`
  - `docs/CICD_TROUBLESHOOTING_GUIDE.md`
  - `docs/SECURE_DOCKER_CICD.md`

## Validation

- `pre-commit run markdownlint --files README.md docs/DEPLOYABLE_RUNTIME_CONTRACT.md`
- `pre-commit run prettier --files README.md docs/DEPLOYABLE_RUNTIME_CONTRACT.md`
- Workflow YAML validation returned no errors

## Notes

This change does not alter application runtime behavior. It only strengthens CI and documentation quality enforcement.

Co-authored-by: copilotcoder <copilotcoder@darkhelm.org>
Reviewed-on: #68
2026-06-19 17:00:57 -04:00
570bc83295 Making it more resiliant to network problems, fixing playright
Some checks failed
Tests / Build and Push CICD Base Image (push) Successful in 3m27s
Tests / Build and Push CICD Complete Image (push) Failing after 4m6s
Tests / TSDoc Lint Check (push) Has been skipped
Tests / Backend Tests (push) Has been skipped
Tests / Frontend Tests (push) Has been skipped
Tests / Backend Doctests (push) Has been skipped
Tests / Integration Tests (push) Has been skipped
Tests / End-to-End Tests (push) Has been skipped
Tests / Trailing Whitespace Check (push) Has been skipped
Tests / End of File Check (push) Has been skipped
Tests / YAML Syntax Check (push) Has been skipped
Tests / TOML Syntax Check (push) Has been skipped
Tests / Mixed Line Ending Check (push) Has been skipped
Tests / TOML Formatting Check (push) Has been skipped
Tests / Ruff Linting (push) Has been skipped
Tests / Ruff Format Check (push) Has been skipped
Tests / Pyright Type Check (push) Has been skipped
Tests / Darglint Docstring Check (push) Has been skipped
Tests / No Docstring Types Check (push) Has been skipped
Tests / ESLint Check (push) Has been skipped
Tests / Prettier Format Check (push) Has been skipped
Tests / TypeScript Type Check (push) Has been skipped
Signed-off-by: Cliff Hill <xlorep@darkhelm.org>
2025-11-01 10:47:02 -04:00
8aa8d41e8a Did some things, made more improvements.
Some checks failed
CI/CD Pipeline / Backend Tests (Python) (push) Has been cancelled
CI/CD Pipeline / Frontend Tests (TypeScript/Vue) (push) Has been cancelled
CI/CD Pipeline / Integration Tests (push) Has been cancelled
Signed-off-by: Cliff Hill <xlorep@darkhelm.org>
2025-10-19 21:35:02 -04:00