ci: gate workflow + CI-image build/push, drop probe
- build-ci-image.yaml: builds .gitea/ci-image/Dockerfile via DinD and pushes git.lazyeval.net/oli/rdbms-playground-ci:latest (REGISTRY_* secrets); triggers on image-input changes + manual dispatch. - ci.yaml: the gate — runs inside that image, clippy -D warnings + cargo test, on push/PR. fmt intentionally not gated (ADR-0049). Removes ci-probe.yaml; it answered the runner questions (jobs run in containers, host nix unreachable, custom container: works).
This commit is contained in:
claude@clouddev1
@@ -0,0 +1,47 @@
|
||||
# Builds the nix CI toolchain image (.gitea/ci-image/Dockerfile) and pushes it
|
||||
# to the Gitea registry. The gate (ci.yaml) runs *inside* this image, so this
|
||||
# workflow is the gate's prerequisite. It only needs to run when the image's
|
||||
# inputs change — the Dockerfile, the flake, or the toolchain pin — plus on
|
||||
# manual dispatch.
|
||||
#
|
||||
# DinD pattern: plain docker:27-dind (one of the tested ci-test samples). No
|
||||
# registry proxy here — the runner's containers have direct internet egress
|
||||
# (the ci-probe run cloned github.com and pulled docker.io with no proxy), and
|
||||
# this image's RUN steps fetch from apt + nixos.org, which the proxy isn't
|
||||
# guaranteed to forward. The dind-cached:local + REGISTRY_PROXY_HOST variant is
|
||||
# a later speed optimisation for base-image pull caching, not needed for green.
|
||||
name: build-ci-image
|
||||
on:
|
||||
push:
|
||||
paths:
|
||||
- '.gitea/ci-image/Dockerfile'
|
||||
- 'flake.nix'
|
||||
- 'flake.lock'
|
||||
- 'rust-toolchain.toml'
|
||||
- '.gitea/workflows/build-ci-image.yaml'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ci-public
|
||||
services:
|
||||
docker:
|
||||
image: docker:27-dind
|
||||
options: --privileged
|
||||
env:
|
||||
DOCKER_TLS_CERTDIR: ""
|
||||
env:
|
||||
DOCKER_HOST: tcp://docker:2375
|
||||
IMAGE: git.lazyeval.net/oli/rdbms-playground-ci
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: wait for docker
|
||||
run: until docker version >/dev/null 2>&1; do sleep 1; done
|
||||
- name: registry login
|
||||
run: |
|
||||
echo "${{ secrets.REGISTRY_TOKEN }}" \
|
||||
| docker login git.lazyeval.net -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
|
||||
- name: build
|
||||
run: docker build -f .gitea/ci-image/Dockerfile -t "$IMAGE:latest" .
|
||||
- name: push
|
||||
run: docker push "$IMAGE:latest"
|
||||
@@ -1,73 +0,0 @@
|
||||
# THROWAWAY DIAGNOSTIC — delete once the real gate is wired.
|
||||
#
|
||||
# This answers the questions that decide the CI architecture, on facts rather
|
||||
# than guesses:
|
||||
# * How does this runner execute a plain job — directly on the host, or inside
|
||||
# a default container? (-> is "the ci server has nix" reachable from steps?)
|
||||
# * Is `nix` on PATH where steps run, and does a /nix store persist?
|
||||
# * Is a docker client/daemon reachable from a plain job (no DinD service)?
|
||||
# * Does a custom job `container:` work on this rootless runner, and can it pull
|
||||
# an image (nixos/nix) — i.e. is the "reusable nix image" model viable?
|
||||
#
|
||||
# Trigger: push to this branch, or run manually from the Actions UI.
|
||||
name: ci-probe
|
||||
on: [push, workflow_dispatch]
|
||||
|
||||
jobs:
|
||||
# --- Job 1: DEFAULT execution -------------------------------------------
|
||||
# No `container:` override — this is whatever environment the runner gives a
|
||||
# plain job. Tells us where steps actually run and what's already there.
|
||||
host:
|
||||
runs-on: ci-public
|
||||
steps:
|
||||
- name: identity & environment
|
||||
run: |
|
||||
echo "=== uname ==="; uname -a
|
||||
echo "=== os-release ==="; head -3 /etc/os-release 2>/dev/null || echo "(none)"
|
||||
echo "=== whoami / id ==="; whoami; id
|
||||
echo "=== containerized? ==="
|
||||
if [ -f /.dockerenv ]; then
|
||||
echo "/.dockerenv PRESENT -> steps run INSIDE a container"
|
||||
else
|
||||
echo "/.dockerenv absent"
|
||||
fi
|
||||
echo "--- /proc/1/cgroup (first lines) ---"; head -5 /proc/1/cgroup 2>/dev/null || echo "(none)"
|
||||
|
||||
- name: nix availability (the decisive check)
|
||||
run: |
|
||||
echo "=== which nix ==="; command -v nix || echo "nix NOT on PATH"
|
||||
echo "=== nix --version ==="; nix --version 2>/dev/null || echo "(no nix here)"
|
||||
echo "=== /nix store ==="; ls -ld /nix /nix/store 2>/dev/null || echo "(no /nix)"
|
||||
echo "=== store path count (persistence hint; high => warm/shared) ==="
|
||||
ls /nix/store 2>/dev/null | wc -l
|
||||
|
||||
- name: docker availability (without a DinD service)
|
||||
run: |
|
||||
echo "=== which docker ==="; command -v docker || echo "docker NOT on PATH"
|
||||
docker version 2>/dev/null || echo "(no docker client/daemon reachable from a plain job)"
|
||||
|
||||
- name: checkout — does the flake land here?
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: flake present in this checkout?
|
||||
run: ls -la flake.nix flake.lock rust-toolchain.toml 2>/dev/null || echo "(flake not on this branch's checkout)"
|
||||
|
||||
# --- Job 2: CUSTOM CONTAINER --------------------------------------------
|
||||
# Tests the "reusable nix image" model: run steps inside a pinned nix image.
|
||||
# Deliberately minimal — no checkout (the checkout action needs node, which a
|
||||
# bare nixos/nix image lacks; that's a separate concern). If this job's steps
|
||||
# run at all, custom job containers are viable on this runner.
|
||||
nix-container:
|
||||
runs-on: ci-public
|
||||
container:
|
||||
image: nixos/nix:latest
|
||||
steps:
|
||||
- name: nix inside a pinned container
|
||||
run: |
|
||||
echo "=== inside nixos/nix container ==="
|
||||
nix --version
|
||||
echo "--- identity ---"; whoami; id; uname -a
|
||||
echo "--- flakes enabled? ---"
|
||||
nix --extra-experimental-features 'nix-command flakes' flake --help >/dev/null 2>&1 \
|
||||
&& echo "flakes usable (with --extra-experimental-features)" \
|
||||
|| echo "flake subcommand not usable as invoked"
|
||||
@@ -0,0 +1,24 @@
|
||||
# The CI gate. Runs inside the prebuilt nix toolchain image (built + pushed by
|
||||
# build-ci-image.yaml), so the pinned 1.95.0 toolchain is already warm — steps
|
||||
# just enter the flake devShell and run cargo.
|
||||
#
|
||||
# Gate = clippy + test. fmt is deliberately NOT gated yet (ADR-0049: the tree
|
||||
# isn't clean under stock rustfmt; revisit on main). The release job (static
|
||||
# binary for D2) and the platform matrix layer on later, step by step.
|
||||
name: ci
|
||||
on:
|
||||
push:
|
||||
pull_request:
|
||||
|
||||
jobs:
|
||||
gate:
|
||||
runs-on: ci-public
|
||||
# Public package → anonymous pull, no credentials needed.
|
||||
container:
|
||||
image: git.lazyeval.net/oli/rdbms-playground-ci:latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: clippy (warnings denied)
|
||||
run: nix develop -c cargo clippy --all-targets -- -D warnings
|
||||
- name: test
|
||||
run: nix develop -c cargo test --no-fail-fast
|
||||
Reference in New Issue
Block a user