All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 17s
## Summary Implements issue #59 by enforcing a hard boundary between CI validation tooling and deployable runtime images. This PR: - Adds automated deployable-runtime boundary checks in CI. - Verifies deployable backend/frontend artifacts are free of CI/development tooling. - Documents runtime-vs-validation ownership and enforcement behavior. ## What Changed ### CI workflow enforcement - Updated `.gitea/workflows/docker-build-main.yaml` to: - Checkout additional verification inputs (`Dockerfile.backend`, `Dockerfile.frontend`, scripts, backend/frontend directories). - Run `scripts/check-dockerfile-boundaries.sh`. - Build deployable runtime images (`Dockerfile.backend`, `Dockerfile.frontend --target production`). - Run `scripts/verify-deployable-image-purity.sh` against both images before publishing CICD image. - Updated `.gitea/workflows/cicd-checks.yaml` to add: - `dockerfile-boundary-check` job. - Boundary validation execution inside the CICD validation image. ### New enforcement scripts - Added `scripts/check-dockerfile-boundaries.sh`: - Ensures deployable Dockerfiles do **not** reference CICD image paths (`cicd-base`, `CICD_BASE_IMAGE`, `Dockerfile.cicd*`, etc.). - Ensures deployable Dockerfiles do **not** include disallowed CI-only tooling tokens. - Enforces runtime base expectations: - Backend: `python:3.14-slim` - Frontend production target: `nginx:alpine` - Added `scripts/verify-deployable-image-purity.sh`: - Baseline binary checks for disallowed tooling. - Backend-specific deep checks: - Python module import probes for disallowed CI/dev modules. - `pip show` package metadata checks for disallowed CI/dev packages. - Frontend-specific deep checks: - OS package metadata checks (`apk`/`dpkg` when available) for disallowed runtime leaks. - Directory-based checks for development package trees (`node_modules`, `.venv`, `site-packages`, `dist-packages` in sensitive paths). ## Documentation updates - Updated `docs/DEVELOPMENT.md`: - Clarifies runtime-vs-validation enforcement and where checks run. - Notes purity checks include binaries and metadata artifacts. - Updated `docs/CICD_MULTI_STAGE_BUILD.md`: - Adds explicit “Runtime Boundary Enforcement” section. - Documents metadata-level purity probes. - Updated `docs/DEPLOYABLE_RUNTIME_CONTRACT.md`: - Replaces future-only language with current enforcement hooks. - Documents binary + metadata-level purity enforcement. ## Acceptance Criteria Mapping 1. **Deployable backend/frontend image paths do not require CI-only tool installation** - Enforced by: - `scripts/check-dockerfile-boundaries.sh` - `scripts/verify-deployable-image-purity.sh` - `docker-build-main.yaml` pre-publish gates 2. **Checks and tests execute in dedicated validation environment(s)** - Reinforced by: - `cicd-checks.yaml` boundary-check job running in CICD validation image - Existing check/test workflow usage of CICD image 3. **Workflow docs identify runtime vs validation concerns** - Addressed via updates to: - `docs/DEVELOPMENT.md` - `docs/CICD_MULTI_STAGE_BUILD.md` - `docs/DEPLOYABLE_RUNTIME_CONTRACT.md` ## Scope / Non-Goals - Included: - Structural separation enforcement - Workflow-level guardrails - Documentation clarity and traceability - Not included: - Full staging deployment wiring - Security policy redesign ## Notes for Reviewers - Main enforcement path is in `docker-build-main.yaml` before CICD image publish. - New scripts are intentionally fail-fast and policy-oriented. - Existing deployable Dockerfiles currently satisfy the new gates. Co-authored-by: copilotcoder <copilotcoder@darkhelm.org> Reviewed-on: #69
73 lines
1.5 KiB
Bash
73 lines
1.5 KiB
Bash
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
|
cd "${ROOT_DIR}"
|
|
|
|
backend_file="Dockerfile.backend"
|
|
frontend_file="Dockerfile.frontend"
|
|
|
|
declare -a disallowed_references=(
|
|
"cicd-base"
|
|
"CICD_BASE_IMAGE"
|
|
"Dockerfile.cicd"
|
|
"Dockerfile.cicd-base"
|
|
"plex-playlist-cicd"
|
|
)
|
|
|
|
declare -a disallowed_runtime_tools=(
|
|
"ruff"
|
|
"pyright"
|
|
"pytest"
|
|
"pydoclint"
|
|
"xdoctest"
|
|
"pre-commit"
|
|
"yamllint"
|
|
"toml-sort"
|
|
"eslint"
|
|
"prettier"
|
|
"typescript"
|
|
"vitest"
|
|
"playwright"
|
|
)
|
|
|
|
check_absent() {
|
|
local file="$1"
|
|
local token="$2"
|
|
|
|
if grep -Eiv '^[[:space:]]*#' "${file}" | grep -Eiq "${token}"; then
|
|
echo "❌ Found disallowed token '${token}' in ${file}" >&2
|
|
return 1
|
|
fi
|
|
|
|
return 0
|
|
}
|
|
|
|
status=0
|
|
|
|
for token in "${disallowed_references[@]}"; do
|
|
check_absent "${backend_file}" "${token}" || status=1
|
|
check_absent "${frontend_file}" "${token}" || status=1
|
|
done
|
|
|
|
for token in "${disallowed_runtime_tools[@]}"; do
|
|
check_absent "${backend_file}" "${token}" || status=1
|
|
check_absent "${frontend_file}" "${token}" || status=1
|
|
done
|
|
|
|
if ! grep -Eq '^FROM[[:space:]]+python:3\.14-slim' "${backend_file}"; then
|
|
echo "❌ ${backend_file} must use python:3.14-slim as runtime base" >&2
|
|
status=1
|
|
fi
|
|
|
|
if ! grep -Eq '^FROM[[:space:]]+nginx:alpine[[:space:]]+AS[[:space:]]+production' "${frontend_file}"; then
|
|
echo "❌ ${frontend_file} must use nginx:alpine for production target" >&2
|
|
status=1
|
|
fi
|
|
|
|
if [[ "${status}" -ne 0 ]]; then
|
|
exit "${status}"
|
|
fi
|
|
|
|
echo "✅ Dockerfile runtime boundaries are valid"
|