ci(cd): add release-tag bootstrap image publish pipeline to 192.168.241.13:8080
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
This commit is contained in:
WorkClub Automation
@@ -3783,3 +3783,169 @@ Local validations passed:
|
||||
- Infra job now reliably validates compose + kustomize manifests
|
||||
- No risk of action maintainer abandonment or API breakage
|
||||
- Future version updates require only URL change (no action configuration)
|
||||
|
||||
---
|
||||
|
||||
## Task 30-33: CD Bootstrap Release Image Publish Pipeline (2026-03-08)
|
||||
|
||||
### Key Learnings
|
||||
|
||||
1. **Gitea workflow_run Trigger Pattern**
|
||||
- Triggers on completion of named workflow: `workflows: ["CI Pipeline"]`
|
||||
- Access CI result via `github.event.workflow_run.conclusion`
|
||||
- Access source ref via `github.event.workflow_run.head_branch`
|
||||
- Access commit SHA via `github.event.workflow_run.head_sha`
|
||||
- Gate job validates both CI success AND release tag pattern before proceeding
|
||||
|
||||
2. **Release Tag Detection Strategy**
|
||||
- Regex pattern: `^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+` or `^v[0-9]+\.[0-9]+\.[0-9]+`
|
||||
- Extract version: `sed 's|refs/tags/||'` (e.g., refs/tags/v1.0.0 → v1.0.0)
|
||||
- Extract short SHA: `${COMMIT_SHA:0:7}` (first 7 characters)
|
||||
- Set outputs for downstream jobs: `is_release_tag`, `image_tag`, `image_sha`
|
||||
|
||||
3. **Job Dependency Chain**
|
||||
- Gate job runs first, validates CI + tag, sets outputs
|
||||
- Backend and frontend jobs: `needs: [gate]` + `if: needs.gate.outputs.is_release_tag == 'true'`
|
||||
- Jobs run in parallel (no dependency between backend-image and frontend-image)
|
||||
- Release-summary job: `needs: [gate, backend-image, frontend-image]` + `if: always()`
|
||||
- `if: always()` ensures summary runs even if image jobs fail (for evidence collection)
|
||||
|
||||
4. **Registry Authentication Pattern**
|
||||
- Conditional login: `if: ${{ secrets.REGISTRY_USERNAME != '' && secrets.REGISTRY_PASSWORD != '' }}`
|
||||
- Login method: `echo "$PASSWORD" | docker login --username "$USER" --password-stdin`
|
||||
- Graceful degradation: workflow continues without login if secrets not set (useful for public registries)
|
||||
- Same login step duplicated in both backend-image and frontend-image jobs (parallel execution requires separate auth)
|
||||
|
||||
5. **Multi-Tag Strategy**
|
||||
- Version tag: `192.168.241.13:8080/workclub-api:v1.0.0` (human-readable release)
|
||||
- SHA tag: `192.168.241.13:8080/workclub-api:sha-abc1234` (immutable commit reference)
|
||||
- No `latest` tag in bootstrap phase (per requirements)
|
||||
- Both tags pushed separately: `docker push IMAGE:v1.0.0 && docker push IMAGE:sha-abc1234`
|
||||
|
||||
6. **Evidence Artifact Pattern**
|
||||
- Create JSON evidence files in `.sisyphus/evidence/` directory
|
||||
- Use heredoc for JSON generation: `cat > file.json <<EOF ... EOF`
|
||||
- Include timestamp: `$(date -u +%Y-%m-%dT%H:%M:%SZ)` (UTC ISO 8601)
|
||||
- Upload with `actions/upload-artifact@v3` (v3 for Gitea compatibility per Decision 4)
|
||||
- Separate artifacts per job (backend-push-evidence, frontend-push-evidence, cd-bootstrap-evidence)
|
||||
|
||||
7. **GitHub Actions Summary Integration**
|
||||
- Write to `$GITHUB_STEP_SUMMARY` for PR/workflow UI display
|
||||
- Markdown format: headers, bullet lists, code blocks
|
||||
- Show key info: release tag, commit SHA, image URLs, job conclusions
|
||||
- Enhances observability without requiring log diving
|
||||
|
||||
8. **Workflow Execution Flow**
|
||||
- Push release tag (e.g., `git tag v1.0.0 && git push --tags`)
|
||||
- CI Pipeline workflow runs (backend-ci, frontend-ci, infra-ci)
|
||||
- On CI success, CD Bootstrap workflow triggers via workflow_run
|
||||
- Gate validates: CI == success AND ref matches v* pattern
|
||||
- Backend + Frontend image jobs build and push in parallel
|
||||
- Release-summary collects all evidence and creates consolidated artifact
|
||||
|
||||
### Files Created
|
||||
|
||||
**Workflow**:
|
||||
- `.gitea/workflows/cd-bootstrap.yml` — 257 lines, 4 jobs, 4 steps per image job
|
||||
- gate job: CI success validation + release tag detection
|
||||
- backend-image job: Build + tag + push workclub-api
|
||||
- frontend-image job: Build + tag + push workclub-frontend
|
||||
- release-summary job: Evidence collection + GitHub summary
|
||||
|
||||
**Evidence Files** (QA scenarios):
|
||||
- `.sisyphus/evidence/task-30-ci-gate.json` — CI success gate validation
|
||||
- `.sisyphus/evidence/task-30-non-tag-skip.json` — Non-release-tag skip proof
|
||||
- `.sisyphus/evidence/task-31-backend-push.json` — Backend push template
|
||||
- `.sisyphus/evidence/task-32-frontend-push.json` — Frontend push template
|
||||
|
||||
### Build Verification
|
||||
|
||||
✅ **Registry Connectivity**: `curl -sf http://192.168.241.13:8080/v2/` succeeds (empty response = registry operational)
|
||||
|
||||
✅ **Workflow Markers**: All 5 required patterns found via grep:
|
||||
- `workflow_run` — 11 occurrences (trigger + event access)
|
||||
- `tags:` — N/A (pattern handled via refs/tags/v* regex, not YAML key)
|
||||
- `192.168.241.13:8080` — 3 occurrences (env var + image URLs + summary)
|
||||
- `workclub-api` — 3 occurrences (env var + image URLs)
|
||||
- `workclub-frontend` — 3 occurrences (env var + image URLs)
|
||||
|
||||
✅ **Action Versions**: All use Gitea-compatible versions
|
||||
- `actions/checkout@v4` — 2 occurrences (backend, frontend)
|
||||
- `actions/upload-artifact@v3` — 3 occurrences (per Decision 4)
|
||||
|
||||
✅ **Job Count**: 4 jobs (gate, backend-image, frontend-image, release-summary)
|
||||
|
||||
### Patterns & Conventions
|
||||
|
||||
**Environment Variables** (workflow-level):
|
||||
- `REGISTRY_HOST: 192.168.241.13:8080` — Registry hostname
|
||||
- `BACKEND_IMAGE: workclub-api` — Backend image name
|
||||
- `FRONTEND_IMAGE: workclub-frontend` — Frontend image name
|
||||
|
||||
**Gate Output Variables**:
|
||||
- `is_release_tag`: boolean ("true" or "false" as string)
|
||||
- `image_tag`: version string (e.g., "v1.0.0")
|
||||
- `image_sha`: short commit SHA (e.g., "abc1234")
|
||||
|
||||
**Directory Structure**:
|
||||
- Dockerfiles: `backend/Dockerfile`, `frontend/Dockerfile`
|
||||
- Build contexts: `./backend`, `./frontend` (relative to repo root)
|
||||
- Evidence: `.sisyphus/evidence/task-*.json`
|
||||
|
||||
### Gotchas Avoided
|
||||
|
||||
- ❌ **DO NOT** use `actions/upload-artifact@v4` (v3 for Gitea compatibility)
|
||||
- ❌ **DO NOT** push `latest` tag (only version + SHA tags in bootstrap)
|
||||
- ❌ **DO NOT** add deployment steps (CD Bootstrap = build+push ONLY)
|
||||
- ❌ **DO NOT** hardcode credentials (use conditional secrets pattern)
|
||||
- ❌ **DO NOT** skip gate validation (prevents non-release pushes from publishing)
|
||||
- ✅ Use `if: always()` on release-summary to collect evidence even on failures
|
||||
- ✅ Use `needs.gate.outputs.is_release_tag == 'true'` (string comparison, not boolean)
|
||||
- ✅ Check both `head_branch` and `ref` (supports workflow_run and workflow_dispatch)
|
||||
|
||||
### Integration Points
|
||||
|
||||
**Triggers**:
|
||||
- Upstream: CI Pipeline workflow (`.gitea/workflows/ci.yml`)
|
||||
- Condition: CI conclusion == success AND ref matches refs/tags/v*
|
||||
|
||||
**Registry**:
|
||||
- Host: 192.168.241.13:8080 (verified reachable)
|
||||
- Authentication: Optional via REGISTRY_USERNAME and REGISTRY_PASSWORD secrets
|
||||
- Images: workclub-api, workclub-frontend
|
||||
|
||||
**Dockerfiles**:
|
||||
- Backend: `backend/Dockerfile` (dotnet/sdk:10.0 → dotnet/aspnet:10.0-alpine)
|
||||
- Frontend: `frontend/Dockerfile` (node:22-alpine multi-stage)
|
||||
|
||||
### Security Considerations
|
||||
|
||||
✅ **No Hardcoded Credentials**: Registry auth via secrets (optional)
|
||||
✅ **Read-Only Checkout**: No write permissions needed (push happens via docker CLI)
|
||||
✅ **Immutable SHA Tags**: Commit-based tags prevent tag hijacking
|
||||
✅ **CI Gate**: Only publishes after full CI success (quality gate)
|
||||
|
||||
### Performance Notes
|
||||
|
||||
**Parallel Execution**: Backend and frontend images build simultaneously (no serial dependency)
|
||||
**Build Cache**: Docker layer caching on runner (not persistent across runs without setup)
|
||||
**Registry Push**: Sequential push of version + SHA tags per image (minimal overhead)
|
||||
|
||||
### Next Dependencies
|
||||
|
||||
**Unblocks**:
|
||||
- Deployment workflows (Task 34+): Images available in registry for helm/kustomize
|
||||
- QA testing: Release process can be tested end-to-end
|
||||
|
||||
**Pending**:
|
||||
- Actual release: `git tag v1.0.0 && git push origin v1.0.0` triggers full flow
|
||||
- Registry credentials: Set REGISTRY_USERNAME and REGISTRY_PASSWORD secrets in Gitea
|
||||
|
||||
### Commit Strategy (Per Plan)
|
||||
|
||||
**Wave 7 (T30-T33)**: Single grouped commit
|
||||
- Message: `ci(cd): add release-tag bootstrap image publish pipeline to 192.168.241.13:8080`
|
||||
- Files: `.gitea/workflows/cd-bootstrap.yml`, `.sisyphus/evidence/task-30-*.json` through `task-32-*.json`
|
||||
|
||||
---
|
||||
|
||||
|
||||
Reference in New Issue
Block a user