ci: gate workflow + CI-image build/push, drop probe
- build-ci-image.yaml: builds .gitea/ci-image/Dockerfile via DinD and pushes git.lazyeval.net/oli/rdbms-playground-ci:latest (REGISTRY_* secrets); triggers on image-input changes + manual dispatch. - ci.yaml: the gate — runs inside that image, clippy -D warnings + cargo test, on push/PR. fmt intentionally not gated (ADR-0049). Removes ci-probe.yaml; it answered the runner questions (jobs run in containers, host nix unreachable, custom container: works).
@@ -0,0 +1,47 @@
|
|||||||
|
# Builds the nix CI toolchain image (.gitea/ci-image/Dockerfile) and pushes it
|
||||||
|
# to the Gitea registry. The gate (ci.yaml) runs *inside* this image, so this
|
||||||
|
# workflow is the gate's prerequisite. It only needs to run when the image's
|
||||||
|
# inputs change — the Dockerfile, the flake, or the toolchain pin — plus on
|
||||||
|
# manual dispatch.
|
||||||
|
#
|
||||||
|
# DinD pattern: plain docker:27-dind (one of the tested ci-test samples). No
|
||||||
|
# registry proxy here — the runner's containers have direct internet egress
|
||||||
|
# (the ci-probe run cloned github.com and pulled docker.io with no proxy), and
|
||||||
|
# this image's RUN steps fetch from apt + nixos.org, which the proxy isn't
|
||||||
|
# guaranteed to forward. The dind-cached:local + REGISTRY_PROXY_HOST variant is
|
||||||
|
# a later speed optimisation for base-image pull caching, not needed for green.
|
||||||
|
name: build-ci-image
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
paths:
|
||||||
|
- '.gitea/ci-image/Dockerfile'
|
||||||
|
- 'flake.nix'
|
||||||
|
- 'flake.lock'
|
||||||
|
- 'rust-toolchain.toml'
|
||||||
|
- '.gitea/workflows/build-ci-image.yaml'
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
build:
|
||||||
|
runs-on: ci-public
|
||||||
|
services:
|
||||||
|
docker:
|
||||||
|
image: docker:27-dind
|
||||||
|
options: --privileged
|
||||||
|
env:
|
||||||
|
DOCKER_TLS_CERTDIR: ""
|
||||||
|
env:
|
||||||
|
DOCKER_HOST: tcp://docker:2375
|
||||||
|
IMAGE: git.lazyeval.net/oli/rdbms-playground-ci
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- name: wait for docker
|
||||||
|
run: until docker version >/dev/null 2>&1; do sleep 1; done
|
||||||
|
- name: registry login
|
||||||
|
run: |
|
||||||
|
echo "${{ secrets.REGISTRY_TOKEN }}" \
|
||||||
|
| docker login git.lazyeval.net -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
|
||||||
|
- name: build
|
||||||
|
run: docker build -f .gitea/ci-image/Dockerfile -t "$IMAGE:latest" .
|
||||||
|
- name: push
|
||||||
|
run: docker push "$IMAGE:latest"
|
||||||
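Review bot: The `push` trigger under `on:` has a `paths:` filter but no `branches:` filter, so a commit touching the Dockerfile, flake or toolchain pin on any branch — including a throwaway one — rebuilds and overwrites `rdbms-playground-ci:latest`, which ci.yaml then runs for every push and PR in the repository, and the REGISTRY_* secrets are handed to that job for anyone with push access to a branch. Restrict it, e.g. `branches: [main]` under `push:` (assuming main is the integration branch), and push a second, immutable tag alongside `latest` (such as the commit sha) so the gate can pin what it runs instead of a mutable tag. Separately, the login step interpolates both secrets straight into the shell text of `run:`; passing them through step `env:` (`REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}`) and referencing `"$REGISTRY_TOKEN"` / `"$REGISTRY_USERNAME"` in the script avoids the secret value being parsed as shell syntax and keeps it out of the rendered command line. The DinD service with `--privileged` and `DOCKER_TLS_CERTDIR: ""` exposes an unauthenticated daemon on `tcp://docker:2375` to everything on the job network, which is acceptable only because no untrusted code runs in this job — worth stating in the header comment so the next workflow that copies this stanza does not inherit the assumption silently.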
@@ -1,73 +0,0 @@
|
|||||||
# THROWAWAY DIAGNOSTIC — delete once the real gate is wired.
|
|
||||||
#
|
|
||||||
# This answers the questions that decide the CI architecture, on facts rather
|
|
||||||
# than guesses:
|
|
||||||
# * How does this runner execute a plain job — directly on the host, or inside
|
|
||||||
# a default container? (-> is "the ci server has nix" reachable from steps?)
|
|
||||||
# * Is `nix` on PATH where steps run, and does a /nix store persist?
|
|
||||||
# * Is a docker client/daemon reachable from a plain job (no DinD service)?
|
|
||||||
# * Does a custom job `container:` work on this rootless runner, and can it pull
|
|
||||||
# an image (nixos/nix) — i.e. is the "reusable nix image" model viable?
|
|
||||||
#
|
|
||||||
# Trigger: push to this branch, or run manually from the Actions UI.
|
|
||||||
name: ci-probe
|
|
||||||
on: [push, workflow_dispatch]
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
# --- Job 1: DEFAULT execution -------------------------------------------
|
|
||||||
# No `container:` override — this is whatever environment the runner gives a
|
|
||||||
# plain job. Tells us where steps actually run and what's already there.
|
|
||||||
host:
|
|
||||||
runs-on: ci-public
|
|
||||||
steps:
|
|
||||||
- name: identity & environment
|
|
||||||
run: |
|
|
||||||
echo "=== uname ==="; uname -a
|
|
||||||
echo "=== os-release ==="; head -3 /etc/os-release 2>/dev/null || echo "(none)"
|
|
||||||
echo "=== whoami / id ==="; whoami; id
|
|
||||||
echo "=== containerized? ==="
|
|
||||||
if [ -f /.dockerenv ]; then
|
|
||||||
echo "/.dockerenv PRESENT -> steps run INSIDE a container"
|
|
||||||
else
|
|
||||||
echo "/.dockerenv absent"
|
|
||||||
fi
|
|
||||||
echo "--- /proc/1/cgroup (first lines) ---"; head -5 /proc/1/cgroup 2>/dev/null || echo "(none)"
|
|
||||||
|
|
||||||
- name: nix availability (the decisive check)
|
|
||||||
run: |
|
|
||||||
echo "=== which nix ==="; command -v nix || echo "nix NOT on PATH"
|
|
||||||
echo "=== nix --version ==="; nix --version 2>/dev/null || echo "(no nix here)"
|
|
||||||
echo "=== /nix store ==="; ls -ld /nix /nix/store 2>/dev/null || echo "(no /nix)"
|
|
||||||
echo "=== store path count (persistence hint; high => warm/shared) ==="
|
|
||||||
ls /nix/store 2>/dev/null | wc -l
|
|
||||||
|
|
||||||
- name: docker availability (without a DinD service)
|
|
||||||
run: |
|
|
||||||
echo "=== which docker ==="; command -v docker || echo "docker NOT on PATH"
|
|
||||||
docker version 2>/dev/null || echo "(no docker client/daemon reachable from a plain job)"
|
|
||||||
|
|
||||||
- name: checkout — does the flake land here?
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- name: flake present in this checkout?
|
|
||||||
run: ls -la flake.nix flake.lock rust-toolchain.toml 2>/dev/null || echo "(flake not on this branch's checkout)"
|
|
||||||
|
|
||||||
# --- Job 2: CUSTOM CONTAINER --------------------------------------------
|
|
||||||
# Tests the "reusable nix image" model: run steps inside a pinned nix image.
|
|
||||||
# Deliberately minimal — no checkout (the checkout action needs node, which a
|
|
||||||
# bare nixos/nix image lacks; that's a separate concern). If this job's steps
|
|
||||||
# run at all, custom job containers are viable on this runner.
|
|
||||||
nix-container:
|
|
||||||
runs-on: ci-public
|
|
||||||
container:
|
|
||||||
image: nixos/nix:latest
|
|
||||||
steps:
|
|
||||||
- name: nix inside a pinned container
|
|
||||||
run: |
|
|
||||||
echo "=== inside nixos/nix container ==="
|
|
||||||
nix --version
|
|
||||||
echo "--- identity ---"; whoami; id; uname -a
|
|
||||||
echo "--- flakes enabled? ---"
|
|
||||||
nix --extra-experimental-features 'nix-command flakes' flake --help >/dev/null 2>&1 \
|
|
||||||
&& echo "flakes usable (with --extra-experimental-features)" \
|
|
||||||
|| echo "flake subcommand not usable as invoked"
|
|
||||||
@@ -0,0 +1,24 @@
|
|||||||
|
# The CI gate. Runs inside the prebuilt nix toolchain image (built + pushed by
|
||||||
|
# build-ci-image.yaml), so the pinned 1.95.0 toolchain is already warm — steps
|
||||||
|
# just enter the flake devShell and run cargo.
|
||||||
|
#
|
||||||
|
# Gate = clippy + test. fmt is deliberately NOT gated yet (ADR-0049: the tree
|
||||||
|
# isn't clean under stock rustfmt; revisit on main). The release job (static
|
||||||
|
# binary for D2) and the platform matrix layer on later, step by step.
|
||||||
|
name: ci
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
pull_request:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
gate:
|
||||||
|
runs-on: ci-public
|
||||||
|
# Public package → anonymous pull, no credentials needed.
|
||||||
|
container:
|
||||||
|
image: git.lazyeval.net/oli/rdbms-playground-ci:latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- name: clippy (warnings denied)
|
||||||
|
run: nix develop -c cargo clippy --all-targets -- -D warnings
|
||||||
|
- name: test
|
||||||
|
run: nix develop -c cargo test --no-fail-fast
|
||||||
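Review bot: The `container.image` line pins the gate to the mutable `rdbms-playground-ci:latest` tag, so the toolchain the gate runs under changes whenever build-ci-image.yaml pushes, and two runs of the same commit can see different images — which undercuts the "pinned 1.95.0 toolchain" claim in the header comment. Pin by digest (`image: git.lazyeval.net/oli/rdbms-playground-ci@sha256:…`) or by a commit-sha tag that the build workflow also pushes, and bump it deliberately. The `# Public package → anonymous pull, no credentials needed.` comment is a load-bearing assumption: if the package visibility is ever changed the job fails at image pull before any step runs, so extend it to `# Public package → anonymous pull; if made private, add a credentials: block under container: with a read-only token.` (assuming act_runner honours the GitHub-style `credentials:` key). Both steps invoke `nix develop`, which on a cold store or a changed flake.lock will fetch from the network inside the job; a one-line comment that the image is expected to carry the devShell closure pre-realised would make the dependency explicit, since nothing in this file verifies it.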