All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 17s
## Summary Implements issue #59 by enforcing a hard boundary between CI validation tooling and deployable runtime images. This PR: - Adds automated deployable-runtime boundary checks in CI. - Verifies deployable backend/frontend artifacts are free of CI/development tooling. - Documents runtime-vs-validation ownership and enforcement behavior. ## What Changed ### CI workflow enforcement - Updated `.gitea/workflows/docker-build-main.yaml` to: - Checkout additional verification inputs (`Dockerfile.backend`, `Dockerfile.frontend`, scripts, backend/frontend directories). - Run `scripts/check-dockerfile-boundaries.sh`. - Build deployable runtime images (`Dockerfile.backend`, `Dockerfile.frontend --target production`). - Run `scripts/verify-deployable-image-purity.sh` against both images before publishing CICD image. - Updated `.gitea/workflows/cicd-checks.yaml` to add: - `dockerfile-boundary-check` job. - Boundary validation execution inside the CICD validation image. ### New enforcement scripts - Added `scripts/check-dockerfile-boundaries.sh`: - Ensures deployable Dockerfiles do **not** reference CICD image paths (`cicd-base`, `CICD_BASE_IMAGE`, `Dockerfile.cicd*`, etc.). - Ensures deployable Dockerfiles do **not** include disallowed CI-only tooling tokens. - Enforces runtime base expectations: - Backend: `python:3.14-slim` - Frontend production target: `nginx:alpine` - Added `scripts/verify-deployable-image-purity.sh`: - Baseline binary checks for disallowed tooling. - Backend-specific deep checks: - Python module import probes for disallowed CI/dev modules. - `pip show` package metadata checks for disallowed CI/dev packages. - Frontend-specific deep checks: - OS package metadata checks (`apk`/`dpkg` when available) for disallowed runtime leaks. - Directory-based checks for development package trees (`node_modules`, `.venv`, `site-packages`, `dist-packages` in sensitive paths). ## Documentation updates - Updated `docs/DEVELOPMENT.md`: - Clarifies runtime-vs-validation enforcement and where checks run. - Notes purity checks include binaries and metadata artifacts. - Updated `docs/CICD_MULTI_STAGE_BUILD.md`: - Adds explicit “Runtime Boundary Enforcement” section. - Documents metadata-level purity probes. - Updated `docs/DEPLOYABLE_RUNTIME_CONTRACT.md`: - Replaces future-only language with current enforcement hooks. - Documents binary + metadata-level purity enforcement. ## Acceptance Criteria Mapping 1. **Deployable backend/frontend image paths do not require CI-only tool installation** - Enforced by: - `scripts/check-dockerfile-boundaries.sh` - `scripts/verify-deployable-image-purity.sh` - `docker-build-main.yaml` pre-publish gates 2. **Checks and tests execute in dedicated validation environment(s)** - Reinforced by: - `cicd-checks.yaml` boundary-check job running in CICD validation image - Existing check/test workflow usage of CICD image 3. **Workflow docs identify runtime vs validation concerns** - Addressed via updates to: - `docs/DEVELOPMENT.md` - `docs/CICD_MULTI_STAGE_BUILD.md` - `docs/DEPLOYABLE_RUNTIME_CONTRACT.md` ## Scope / Non-Goals - Included: - Structural separation enforcement - Workflow-level guardrails - Documentation clarity and traceability - Not included: - Full staging deployment wiring - Security policy redesign ## Notes for Reviewers - Main enforcement path is in `docker-build-main.yaml` before CICD image publish. - New scripts are intentionally fail-fast and policy-oriented. - Existing deployable Dockerfiles currently satisfy the new gates. Co-authored-by: copilotcoder <copilotcoder@darkhelm.org> Reviewed-on: #69
90 lines
2.7 KiB
TypeScript
90 lines
2.7 KiB
TypeScript
import { defineConfig, devices } from '@playwright/test';
|
|
|
|
export default defineConfig({
|
|
testDir: './tests/e2e',
|
|
timeout: process.env.CI ? 60 * 1000 : 30 * 1000, // Longer timeout in CI
|
|
expect: {
|
|
timeout: process.env.CI ? 10000 : 5000, // Longer expect timeout in CI
|
|
},
|
|
fullyParallel: true,
|
|
forbidOnly: !!process.env.CI,
|
|
retries: process.env.CI ? 2 : 0,
|
|
workers: process.env.CI ? 1 : undefined,
|
|
reporter: process.env.CI
|
|
? [['list'], ['junit', { outputFile: 'playwright-results.xml' }]]
|
|
: 'html',
|
|
use: {
|
|
baseURL: 'http://localhost:5173',
|
|
trace: 'on-first-retry',
|
|
headless: process.env.CI ? true : false,
|
|
// CI-specific browser optimizations
|
|
actionTimeout: process.env.CI ? 15000 : 0,
|
|
navigationTimeout: process.env.CI ? 45000 : 30000, // Longer for network instability
|
|
// Network resilience settings
|
|
...(process.env.CI && {
|
|
// Retry failed requests automatically
|
|
extraHTTPHeaders: {
|
|
'Cache-Control': 'no-cache',
|
|
},
|
|
// Ignore HTTPS errors in CI (self-signed certs, etc.)
|
|
ignoreHTTPSErrors: true,
|
|
// Wait longer for network operations
|
|
timeout: 60000,
|
|
}),
|
|
},
|
|
projects: process.env.CI
|
|
? [
|
|
// CI Environment: Only run Chromium for reliability in Docker
|
|
{
|
|
name: 'chromium',
|
|
use: {
|
|
...devices['Desktop Chrome'],
|
|
headless: true,
|
|
launchOptions: {
|
|
args: [
|
|
'--no-sandbox',
|
|
'--disable-setuid-sandbox',
|
|
'--disable-dev-shm-usage',
|
|
'--disable-background-timer-throttling',
|
|
'--disable-backgrounding-occluded-windows',
|
|
'--disable-renderer-backgrounding',
|
|
// Keep CI browser args minimal and deterministic.
|
|
'--disable-extensions',
|
|
'--disable-plugins',
|
|
'--aggressive-cache-discard',
|
|
],
|
|
},
|
|
},
|
|
},
|
|
]
|
|
: [
|
|
// Local Development: Run all browsers
|
|
{
|
|
name: 'chromium',
|
|
use: {
|
|
...devices['Desktop Chrome'],
|
|
},
|
|
},
|
|
{
|
|
name: 'firefox',
|
|
use: {
|
|
...devices['Desktop Firefox'],
|
|
},
|
|
},
|
|
{
|
|
name: 'webkit',
|
|
use: {
|
|
...devices['Desktop Safari'],
|
|
},
|
|
},
|
|
],
|
|
webServer: {
|
|
command: 'yarn dev --host 0.0.0.0 --port 5173 --strictPort',
|
|
url: 'http://localhost:5173',
|
|
reuseExistingServer: !process.env.CI,
|
|
timeout: process.env.CI ? 180 * 1000 : 120 * 1000, // Longer startup timeout in CI
|
|
stderr: 'pipe',
|
|
stdout: 'pipe',
|
|
},
|
|
});
|