diff --git a/.gitea/workflows/build-ci-image.yaml b/.gitea/workflows/build-ci-image.yaml
new file mode 100644
index 0000000..9cea8bb
--- /dev/null
+++ b/.gitea/workflows/build-ci-image.yaml
@@ -0,0 +1,47 @@
+# Builds the nix CI toolchain image (.gitea/ci-image/Dockerfile) and pushes it
+# to the Gitea registry. The gate (ci.yaml) runs *inside* this image, so this
+# workflow is the gate's prerequisite. It only needs to run when the image's
+# inputs change — the Dockerfile, the flake, or the toolchain pin — plus on
+# manual dispatch.
+#
+# DinD pattern: plain docker:27-dind (one of the tested ci-test samples). No
+# registry proxy here — the runner's containers have direct internet egress
+# (the ci-probe run cloned github.com and pulled docker.io with no proxy), and
+# this image's RUN steps fetch from apt + nixos.org, which the proxy isn't
+# guaranteed to forward. The dind-cached:local + REGISTRY_PROXY_HOST variant is
+# a later speed optimisation for base-image pull caching, not needed for green.
+name: build-ci-image
+on:
+ push:
+ paths:
+ - '.gitea/ci-image/Dockerfile'
+ - 'flake.nix'
+ - 'flake.lock'
+ - 'rust-toolchain.toml'
+ - '.gitea/workflows/build-ci-image.yaml'
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ci-public
+ services:
+ docker:
+ image: docker:27-dind
+ options: --privileged
+ env:
+ DOCKER_TLS_CERTDIR: ""
+ env:
+ DOCKER_HOST: tcp://docker:2375
+ IMAGE: git.lazyeval.net/oli/rdbms-playground-ci
+ steps:
+ - uses: actions/checkout@v4
+ - name: wait for docker
+ run: until docker version >/dev/null 2>&1; do sleep 1; done
+ - name: registry login
+ run: |
+ echo "${{ secrets.REGISTRY_TOKEN }}" \
+ | docker login git.lazyeval.net -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
+ - name: build
+ run: docker build -f .gitea/ci-image/Dockerfile -t "$IMAGE:latest" .
+ - name: push
+ run: docker push "$IMAGE:latest"
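Review bot: The `push:` trigger carries only a `paths:` filter and no `branches:` filter, so a push on any branch that touches the Dockerfile, the flake or the toolchain pin rebuilds and overwrites `$IMAGE:latest` — the very tag the gate in ci.yaml pulls — meaning a feature branch can silently swap the toolchain every other branch is tested against. Restricting it (`branches: [main]` under `push:` next to `paths:`, keeping `workflow_dispatch` for manual runs) closes that, and adding a commit-derived tag alongside `:latest` in the build and push steps (`-t "$IMAGE:${{ github.sha }}"`) gives the gate something immutable to pin to. The registry login interpolates `${{ secrets.REGISTRY_TOKEN }}` directly into the script text; passing it through the step's `env:` and using `"$REGISTRY_TOKEN"` in the pipe keeps the secret out of the rendered command. The `until docker version` loop has no upper bound and will spin until the job timeout if the dind service never comes up; a retry counter or a `timeout` wrapper would fail fast instead.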
diff --git a/.gitea/workflows/ci-probe.yaml b/.gitea/workflows/ci-probe.yaml
deleted file mode 100644
index 19fd23a..0000000
--- a/.gitea/workflows/ci-probe.yaml
+++ /dev/null
@@ -1,73 +0,0 @@
-# THROWAWAY DIAGNOSTIC — delete once the real gate is wired.
-#
-# This answers the questions that decide the CI architecture, on facts rather
-# than guesses:
-# * How does this runner execute a plain job — directly on the host, or inside
-# a default container? (-> is "the ci server has nix" reachable from steps?)
-# * Is `nix` on PATH where steps run, and does a /nix store persist?
-# * Is a docker client/daemon reachable from a plain job (no DinD service)?
-# * Does a custom job `container:` work on this rootless runner, and can it pull
-# an image (nixos/nix) — i.e. is the "reusable nix image" model viable?
-#
-# Trigger: push to this branch, or run manually from the Actions UI.
-name: ci-probe
-on: [push, workflow_dispatch]
-
-jobs:
- # --- Job 1: DEFAULT execution -------------------------------------------
- # No `container:` override — this is whatever environment the runner gives a
- # plain job. Tells us where steps actually run and what's already there.
- host:
- runs-on: ci-public
- steps:
- - name: identity & environment
- run: |
- echo "=== uname ==="; uname -a
- echo "=== os-release ==="; head -3 /etc/os-release 2>/dev/null || echo "(none)"
- echo "=== whoami / id ==="; whoami; id
- echo "=== containerized? ==="
- if [ -f /.dockerenv ]; then
- echo "/.dockerenv PRESENT -> steps run INSIDE a container"
- else
- echo "/.dockerenv absent"
- fi
- echo "--- /proc/1/cgroup (first lines) ---"; head -5 /proc/1/cgroup 2>/dev/null || echo "(none)"
-
- - name: nix availability (the decisive check)
- run: |
- echo "=== which nix ==="; command -v nix || echo "nix NOT on PATH"
- echo "=== nix --version ==="; nix --version 2>/dev/null || echo "(no nix here)"
- echo "=== /nix store ==="; ls -ld /nix /nix/store 2>/dev/null || echo "(no /nix)"
- echo "=== store path count (persistence hint; high => warm/shared) ==="
- ls /nix/store 2>/dev/null | wc -l
-
- - name: docker availability (without a DinD service)
- run: |
- echo "=== which docker ==="; command -v docker || echo "docker NOT on PATH"
- docker version 2>/dev/null || echo "(no docker client/daemon reachable from a plain job)"
-
- - name: checkout — does the flake land here?
- uses: actions/checkout@v4
-
- - name: flake present in this checkout?
- run: ls -la flake.nix flake.lock rust-toolchain.toml 2>/dev/null || echo "(flake not on this branch's checkout)"
-
- # --- Job 2: CUSTOM CONTAINER --------------------------------------------
- # Tests the "reusable nix image" model: run steps inside a pinned nix image.
- # Deliberately minimal — no checkout (the checkout action needs node, which a
- # bare nixos/nix image lacks; that's a separate concern). If this job's steps
- # run at all, custom job containers are viable on this runner.
- nix-container:
- runs-on: ci-public
- container:
- image: nixos/nix:latest
- steps:
- - name: nix inside a pinned container
- run: |
- echo "=== inside nixos/nix container ==="
- nix --version
- echo "--- identity ---"; whoami; id; uname -a
- echo "--- flakes enabled? ---"
- nix --extra-experimental-features 'nix-command flakes' flake --help >/dev/null 2>&1 \
- && echo "flakes usable (with --extra-experimental-features)" \
- || echo "flake subcommand not usable as invoked"
diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
new file mode 100644
index 0000000..cdf32f9
--- /dev/null
+++ b/.gitea/workflows/ci.yaml
@@ -0,0 +1,24 @@
+# The CI gate. Runs inside the prebuilt nix toolchain image (built + pushed by
+# build-ci-image.yaml), so the pinned 1.95.0 toolchain is already warm — steps
+# just enter the flake devShell and run cargo.
+#
+# Gate = clippy + test. fmt is deliberately NOT gated yet (ADR-0049: the tree
+# isn't clean under stock rustfmt; revisit on main). The release job (static
+# binary for D2) and the platform matrix layer on later, step by step.
+name: ci
+on:
+ push:
+ pull_request:
+
+jobs:
+ gate:
+ runs-on: ci-public
+ # Public package → anonymous pull, no credentials needed.
+ container:
+ image: git.lazyeval.net/oli/rdbms-playground-ci:latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: clippy (warnings denied)
+ run: nix develop -c cargo clippy --all-targets -- -D warnings
+ - name: test
+ run: nix develop -c cargo test --no-fail-fast
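Review bot: The gate's `container: image:` is the mutable `:latest` tag, so which toolchain a run executes in depends on whatever build-ci-image.yaml last pushed rather than on the commit under test, and a later rebuild can change a previously green result; pin it by digest (`image: git.lazyeval.net/oli/rdbms-playground-ci@sha256:<digest-placeholder>`) or by a commit-derived tag once the builder emits one, and bump it deliberately. The header comment says the toolchain is already warm, but nothing here checks that the image was built from the same `flake.lock`/`rust-toolchain.toml` as the checkout, so a PR that changes either presumably falls back to a cold fetch inside `nix develop` — worth stating on the `container:` block, e.g. `# Image must be rebuilt (build-ci-image.yaml) whenever flake.lock or rust-toolchain.toml change; otherwise nix develop fetches cold.` Listing both `push:` and `pull_request:` without filters runs the gate twice for same-repo PR branches; a `branches:` filter on `push:` avoids the duplicate run.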