# Scratchpad: CI Docker Publish (2026-03-30)

- Objective: Add Woodpecker Docker build+push steps for the gateway and web images on pushes to `main`.
- Scope: `.woodpecker/ci.yml`.
- Constraints:
  - Use the existing Dockerfiles at `docker/gateway.Dockerfile` and `docker/web.Dockerfile`.
  - Publish to `git.mosaicstack.dev` with `from_secret` credentials; no registry credentials in the YAML.
  - Tag both `latest` and `${CI_COMMIT_SHA}`.
  - Do not run the publish steps on pull requests.
  - ASSUMPTION: Publishing `latest` is required by the task for registry convenience, even though the immutable `${CI_COMMIT_SHA}` tag remains the safer deployment reference (`latest` is mutable and can be repointed).
- Findings:
  - The existing pipeline already runs `build` after `lint`, `format`, and `test`.
  - `apps/gateway/package.json` uses `tsc` for `build`; there is no Prisma dependency or `prisma generate` hook.
- Plan:
  1. Patch `.woodpecker/ci.yml` so `build` stays the successor of the quality gates, and add `publish-gateway` and `publish-web` steps that depend on it.
  2. Validate the YAML and run the repo quality gates relevant to the change.
  3. Review the diff, then commit, push, and open a PR if validation passes.
- Verification:
  - `python3 -c "import yaml; yaml.safe_load(open('.woodpecker/ci.yml'))" && echo "YAML valid"` (syntax only; this does not validate the Woodpecker schema)
  - `pnpm lint`
  - `pnpm typecheck`
  - `pnpm format:check`
  - `docker compose up -d`
  - `pnpm --filter @mosaic/db db:push`
  - `pnpm test`
  - `pnpm build`
  - Manual review of the `.woodpecker/ci.yml` diff: publish steps run only on `main` pushes, depend on `build`, authenticate to the registry with `from_secret` values, and push both tags.
- Risks:
  - Pipeline behaviour beyond YAML validation cannot be fully proven locally; the remote Woodpecker run after push is the final check.
  - The repo baseline required two existing `plugins/macp` files to be reformatted before `pnpm format:check` would pass.
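The publish steps the plan describes, written out as an added example; this is not the repository's actual `.woodpecker/ci.yml`. The Dockerfile paths, registry host, dual tags, `from_secret` credentials and the main-only constraint come from the constraints above. The registry image paths under `git.mosaicstack.dev/mosaic/`, the secret names `registry_username` and `registry_password`, the `woodpeckerci/plugin-docker-buildx` plugin, and the names of the existing quality-gate steps (`lint`, `format`, `test`, `build`) are assumptions.

```yaml
# Added example, not the repo's real .woodpecker/ci.yml.
# Assumed: image paths git.mosaicstack.dev/mosaic/<name>, secret names
# registry_username / registry_password, the woodpeckerci/plugin-docker-buildx
# plugin, and existing steps named lint, format, test and build.

steps:
  # The existing lint, format and test steps stay as they are and are not
  # repeated here. `build` is the quality-gate successor the publish steps
  # depend on; it is shown only so the depends_on edges below resolve.
  - name: build
    image: node:22          # assumed; use whatever the existing step uses
    commands:
      - pnpm install --frozen-lockfile
      - pnpm build
    depends_on: [lint, format, test]

  - name: publish-gateway
    image: woodpeckerci/plugin-docker-buildx
    depends_on: [build]
    settings:
      registry: git.mosaicstack.dev
      repo: git.mosaicstack.dev/mosaic/gateway   # assumed path
      dockerfile: docker/gateway.Dockerfile
      context: .
      tags:
        - latest
        - ${CI_COMMIT_SHA}
      # Credentials come from Woodpecker secrets, never from the YAML itself.
      username:
        from_secret: registry_username
      password:
        from_secret: registry_password
    when:
      # event: push AND branch: main -> never runs for pull_request events.
      - event: push
        branch: main

  - name: publish-web
    image: woodpeckerci/plugin-docker-buildx
    depends_on: [build]
    settings:
      registry: git.mosaicstack.dev
      repo: git.mosaicstack.dev/mosaic/web   # assumed path
      dockerfile: docker/web.Dockerfile
      context: .
      tags:
        - latest
        - ${CI_COMMIT_SHA}
      username:
        from_secret: registry_username
      password:
        from_secret: registry_password
    when:
      - event: push
        branch: main
```

Two points worth checking when reviewing a diff like this. First, the step-level `when` combines `event: push` with `branch: main`, so pull requests (event `pull_request`) and tag or manual runs never execute the publish steps; a `branch: main` constraint alone would not exclude a pull request whose target is `main`. Second, the `from_secret` references only keep the values out of the YAML; in Woodpecker's secret settings the two registry secrets should additionally be limited to the `push` event and to the plugin image, so a malicious change to the pipeline file on a PR branch cannot read them from an unrelated step. Once any step declares `depends_on`, Woodpecker runs the pipeline as a DAG, which is why the existing gate steps are assumed to carry `depends_on` as well.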