mosaicstack/stack
1
0
Fork 0
Code Issues 31 Pull Requests 2 Actions Packages Projects Releases 15 Wiki Activity

CI: add pre-baked ci-base image (producer) [Phase 1a] #637

Merged
jason.woltje merged 1 commits from chore/ci-base-image into main 2026-06-22 22:20:48 +00:00
Conversation 0 Commits 1 Files Changed 2 +83
jason.woltje commented 2026-06-22 21:49:58 +00:00
Owner
Copy Link

Producer half of the Woodpecker CI cache work (Phase 1a)

This is the producer of a two-PR split. It adds only the image recipe:

  • Dockerfile.ci (new)
  • .woodpecker/ci-image.yml (new)

Why split (bootstrap problem)

ci.yml/publish.yml are being switched to pull git.mosaicstack.dev/mosaicstack/stack/ci-base:latest. But ci-image.yml can only build+push that image on a main push/manual event (kaniko from_secret is blocked on PR events). A single combined PR could never go green — its own CI would try to pull an image that does not exist yet. So we land the producer first, prime the image on main, then land the consumer.

Nothing in this PR references the ci-base image. Its own pipeline still runs on node:22-alpine, so this PR's CI is green on its own.

After merge

  1. Prime ci-base:latest via a manual ci-image pipeline trigger on main (orchestrator does this).
  2. Then land the consumer PR (#635), which flips ci.yml/publish.yml to the baked image.

Review fixes applied to Dockerfile.ci

  • N2: bake bash into the apk add toolchain — the sanitization step in ci.yml otherwise does a per-run apk add bash.
  • N1 (comment accuracy): the prior comment claimed native modules are "compiled ONCE at build time." That is false for pnpm fetchfetch only populates the tarball store; native node-gyp builds still happen at pnpm install. Comments reworded: store/tarballs are fetched at build time, native compile still runs at install (which is why the toolchain stays baked). Commands unchanged.

Refs #634. Board report: jarvis-brain/docs/reports/woodpecker-ci-cache-board-2026-06-22.md.

No self-merge — needs review.

## Producer half of the Woodpecker CI cache work (Phase 1a) This is the **producer** of a two-PR split. It adds **only** the image recipe: - `Dockerfile.ci` (new) - `.woodpecker/ci-image.yml` (new) ### Why split (bootstrap problem) `ci.yml`/`publish.yml` are being switched to pull `git.mosaicstack.dev/mosaicstack/stack/ci-base:latest`. But `ci-image.yml` can only build+push that image on a **main push/manual** event (kaniko `from_secret` is blocked on PR events). A single combined PR could never go green — its own CI would try to pull an image that does not exist yet. So we land the producer first, prime the image on main, then land the consumer. **Nothing in this PR references the `ci-base` image.** Its own pipeline still runs on `node:22-alpine`, so this PR's CI is green on its own. ### After merge 1. Prime `ci-base:latest` via a **manual `ci-image` pipeline trigger on main** (orchestrator does this). 2. Then land the consumer PR (#635), which flips `ci.yml`/`publish.yml` to the baked image. ### Review fixes applied to `Dockerfile.ci` - **N2:** bake `bash` into the `apk add` toolchain — the `sanitization` step in `ci.yml` otherwise does a per-run `apk add bash`. - **N1 (comment accuracy):** the prior comment claimed native modules are "compiled ONCE at build time." That is false for `pnpm fetch` — `fetch` only populates the tarball store; native `node-gyp` builds still happen at `pnpm install`. Comments reworded: store/tarballs are fetched at build time, native compile still runs at install (which is why the toolchain stays baked). Commands unchanged. Refs #634. Board report: `jarvis-brain/docs/reports/woodpecker-ci-cache-board-2026-06-22.md`. No self-merge — needs review.
jason.woltje added 1 commit 2026-06-22 21:49:59 +00:00
CI: add pre-baked ci-base image (producer) [Phase 1a]
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
80faab34f5 
Producer half of the Woodpecker CI cache work (#634). Adds Dockerfile.ci
and .woodpecker/ci-image.yml only — nothing in this PR references the
ci-base image yet, so its own CI runs on the existing node:22-alpine and
stays green.

Review fixes applied:
- N2: bake `bash` into the apk toolchain (ci.yml's sanitization step
  otherwise does a per-run `apk add bash`).
- N1: correct the Dockerfile comments — `pnpm fetch` only populates the
  tarball store; native node-gyp modules still compile at `pnpm install`,
  which is why the musl toolchain stays baked.

After merge, ci-base:latest is primed via a manual `ci-image` pipeline
trigger on main; the consumer PR (#635) then switches ci.yml/publish.yml
to pull it.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
jason.woltje merged commit cf8ceb3095 into main 2026-06-22 22:20:48 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
fleet-enhancement
Fleet-wide reliability/speed/cost improvements surfaced by the nightly enhance pass
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
jason.woltje
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: mosaicstack/stack#637
Delete Branch "chore/ci-base-image"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?