diff --git a/.woodpecker/backend.yaml b/.woodpecker/backend.yaml
index 02a30b5..4311088 100644
--- a/.woodpecker/backend.yaml
+++ b/.woodpecker/backend.yaml
@@ -1,45 +1,45 @@ when: - - event: push - branch: main + - event: [push, pull_request] path: - - 'backend/**' - - '.woodpecker/backend.yaml' - -services: - docker: - image: docker:29-dind - privileged: true - environment: - DOCKER_TLS_CERTDIR: '' - commands: - - dockerd-entrypoint.sh --host=tcp://0.0.0.0:2375 --tls=false + include: + - 'backend/**' + - '.woodpecker/backend.yaml' steps: - build: - image: docker:29 - environment: - DOCKER_HOST: tcp://docker:2375 - REGISTRY_USER: - from_secret: registry_user - REGISTRY_PASSWORD: - from_secret: registry_password + test: + image: golang:1.26-alpine commands: - - apk add --no-cache git - - until docker info > /dev/null 2>&1; do echo "waiting for dind..."; sleep 1; done - - docker login -u "$REGISTRY_USER" -p "$REGISTRY_PASSWORD" registry.itsh.dev - - docker buildx create --name ci-builder --driver docker-container --use - - export SOURCE_DATE_EPOCH=$(git log -1 --format=%ct) - - SHORT_SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8) - - | - docker buildx build \ - --output "type=image,push=true,rewrite-timestamp=true" \ - -f backend/deploy/Dockerfile \ - -t "registry.itsh.dev/vikingowl/marktvogt.de/backend:$SHORT_SHA" \ - backend/ + - apk add --no-cache git gcc musl-dev + - cd backend && CGO_ENABLED=1 go test ./... -count=1 -race + # Build and push immutable SHA-tagged image on main branch only. + # rewrite-timestamp normalizes layer timestamps to SOURCE_DATE_EPOCH for + # reproducible builds. CI_COMMIT_TIMESTAMP is expected to be a Unix epoch + # in Woodpecker 2.x; if it arrives as RFC3339 on this instance, parse it + # in a prep step (see infinity-tales TODO). 
+ docker: + image: woodpeckerci/plugin-docker-buildx + environment: + SOURCE_DATE_EPOCH: ${CI_COMMIT_TIMESTAMP} + settings: + repo: registry.itsh.dev/vikingowl/marktvogt.de/backend + tags: + - "${CI_COMMIT_SHA:0:8}" + dockerfile: backend/deploy/Dockerfile + context: backend + registry: registry.itsh.dev + output: type=image,push=true,rewrite-timestamp=true + username: + from_secret: registry_user + password: + from_secret: registry_password + when: + - event: push + branch: main + + # Deploy via Helm using the exact SHA tag just pushed deploy: image: alpine/helm:4.1 - depends_on: [build] environment: KUBECONFIG_DATA: from_secret: kubeconfig_data
@@ -63,11 +63,10 @@ steps: - mkdir -p ~/.kube - echo "$KUBECONFIG_DATA" > ~/.kube/config - chmod 600 ~/.kube/config - - SHORT_SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8) - | helm upgrade --install marktvogt-backend ./backend/deploy/helm/ \ --namespace tenant-2 \ --set image.tag="$SHORT_SHA" \ + --set image.tag="${CI_COMMIT_SHA:0:8}" \ --set smtp.host="$SMTP_HOST" \ --set smtp.user="$SMTP_USER" \ --set smtp.password="$SMTP_PASSWORD" \
@@ -76,4 +75,9 @@ steps: --set ai.agentDiscovery="$AI_AGENT_DISCOVERY" \ --set discovery.token="$DISCOVERY_TOKEN" \ --set turnstile.secretKey="$TURNSTILE_SECRET_KEY" \ - --rollback-on-failure --wait=watcher --timeout 5m + --rollback-on-failure \ + --wait=watcher \ + --timeout 5m + when: + - event: push + branch: main
diff --git a/.woodpecker/web.yaml b/.woodpecker/web.yaml
index ad7cdb3..fe26be2 100644
--- a/.woodpecker/web.yaml
+++ b/.woodpecker/web.yaml
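Review bot: The new `docker` step pulls `woodpeckerci/plugin-docker-buildx` with no tag, so every run resolves whatever `latest` currently is, and on a typical Woodpecker setup this is exactly the step that runs as a privileged/trusted plugin while holding the registry credentials, which makes an unpinned image the weakest link in the supply chain; pin it, `image: woodpeckerci/plugin-docker-buildx:<pinned-version>` (a digest `@sha256:<digest>` is stronger), and the same applies to the `docker` step in web.yaml. The second point is the new `pull_request` trigger at the top of the file: for a pull request the pipeline file is typically read from the PR branch, so the step-level `when: event: push / branch: main` gates on `docker` and `deploy` are under the PR author's control, and the real boundary is the per-secret event filter on the Woodpecker side — confirm `registry_user`, `registry_password` and `kubeconfig_data` are not enabled for the `pull_request` event. Dropping `depends_on: [build]` is consistent with the rename, but the `docker` → `deploy` ordering now relies on sequential execution in file order rather than an explicit dependency, which silently breaks if any step in this file later gains a `depends_on` and the pipeline switches to DAG mode; a one-line comment on `deploy` such as `# Ordered after docker only by file position; add depends_on if any step introduces DAG mode` would record that assumption.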
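Review bot: In the deploy step, `--set image.tag="${CI_COMMIT_SHA:0:8}"` replaces the old in-shell `cut -c1-8` with an offset expansion, so the tag now depends on Woodpecker substituting `${VAR:0:8}` at config time (or, failing that, on the step's `/bin/sh` accepting the bash-style form); if neither applies the value is empty and `helm upgrade` proceeds with a blank tag instead of failing. The `docker` step's `tags:` uses the same expression, so both stay in sync as long as they are expanded the same way, but a cheap guard before the helm command, `- test -n "${CI_COMMIT_SHA:0:8}"`, turns a blank tag into a hard step failure. The same applies to the deploy hunk in web.yaml.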
@@ -1,47 +1,46 @@ when: - - event: push - branch: main + - event: [push, pull_request] path: - - 'web/**' - - '.woodpecker/web.yaml' - -services: - docker: - image: docker:29-dind - privileged: true - environment: - DOCKER_TLS_CERTDIR: '' - commands: - - dockerd-entrypoint.sh --host=tcp://0.0.0.0:2375 --tls=false + include: + - 'web/**' + - '.woodpecker/web.yaml' steps: - build: - image: docker:29 - environment: - DOCKER_HOST: tcp://docker:2375 - REGISTRY_USER: - from_secret: registry_user - REGISTRY_PASSWORD: - from_secret: registry_password + check: + image: node:25-alpine commands: - - apk add --no-cache git - - until docker info > /dev/null 2>&1; do echo "waiting for dind..."; sleep 1; done - - docker login -u "$REGISTRY_USER" -p "$REGISTRY_PASSWORD" registry.itsh.dev - - docker buildx create --name ci-builder --driver docker-container --use - - export SOURCE_DATE_EPOCH=$(git log -1 --format=%ct) - - SHORT_SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8) - - | - docker buildx build \ - --output "type=image,push=true,rewrite-timestamp=true" \ - -f web/Dockerfile \ - --build-arg PUBLIC_API_BASE_URL=https://api.marktvogt.de \ - --build-arg PUBLIC_TURNSTILE_SITE_KEY=0x4AAAAAACjLCV-78Ql1oTPz \ - -t "registry.itsh.dev/vikingowl/marktvogt.de/web:$SHORT_SHA" \ - web/ + - npm install -g pnpm@10 + - cd web && pnpm install --frozen-lockfile + - cd web && pnpm check + # Build and push immutable SHA-tagged image on main branch only. + # See backend.yaml for SOURCE_DATE_EPOCH / rewrite-timestamp notes. 
+ docker: + image: woodpeckerci/plugin-docker-buildx + environment: + SOURCE_DATE_EPOCH: ${CI_COMMIT_TIMESTAMP} + settings: + repo: registry.itsh.dev/vikingowl/marktvogt.de/web + tags: + - "${CI_COMMIT_SHA:0:8}" + dockerfile: web/Dockerfile + context: web + registry: registry.itsh.dev + output: type=image,push=true,rewrite-timestamp=true + username: + from_secret: registry_user + password: + from_secret: registry_password + build_args: + - PUBLIC_API_BASE_URL=https://api.marktvogt.de + - PUBLIC_TURNSTILE_SITE_KEY=0x4AAAAAACjLCV-78Ql1oTPz + when: + - event: push + branch: main + + # Deploy via Helm using the exact SHA tag just pushed deploy: image: alpine/helm:4.1 - depends_on: [build] environment: KUBECONFIG_DATA: from_secret: kubeconfig_data
@@ -49,9 +48,13 @@ steps: - mkdir -p ~/.kube - echo "$KUBECONFIG_DATA" > ~/.kube/config - chmod 600 ~/.kube/config - - SHORT_SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8) - | helm upgrade --install marktvogt-web ./web/deploy/helm/ \ --namespace tenant-2 \ - --set image.tag="$SHORT_SHA" \ - --rollback-on-failure --wait=watcher --timeout 5m + --set image.tag="${CI_COMMIT_SHA:0:8}" \ + --rollback-on-failure \ + --wait=watcher \ + --timeout 5m + when: + - event: push + branch: main
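Review bot: `npm install -g pnpm@10` in the new `check` step pins only the major version, so each run installs whatever the newest 10.x release is at that moment, and the `--frozen-lockfile` install that follows is then only as reproducible as the floating package manager performing it — a regressed or compromised pnpm release would reach every PR build automatically. Pin the exact version, `- npm install -g pnpm@<exact-version>` (matching the `packageManager` field in web/package.json if one is declared), and bump it deliberately. The two `build_args` values are public (an API base URL and a Turnstile site key, which is meant to be embedded client-side) so passing them this way is fine, but since build args are recorded in the image's layer history a comment such as `# build_args end up in image metadata — public values only, never secrets` would keep the next maintainer from adding a sensitive one. The unpinned plugin image and the `pull_request` secret-filter points raised on backend.yaml apply here as well.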