stack/.woodpecker/ci-image.yml
Jarvis 80faab34f5
CI: add pre-baked ci-base image (producer) [Phase 1a]
Producer half of the Woodpecker CI cache work (#634). Adds Dockerfile.ci
and .woodpecker/ci-image.yml only — nothing in this PR references the
ci-base image yet, so its own CI runs on the existing node:22-alpine and
stays green.

Review fixes applied:
- N2: bake `bash` into the apk toolchain (ci.yml's sanitization step
  otherwise does a per-run `apk add bash`).
- N1: correct the Dockerfile comments — `pnpm fetch` only populates the
  tarball store; native node-gyp modules still compile at `pnpm install`,
  which is why the musl toolchain stays baked.

After merge, ci-base:latest is primed via a manual `ci-image` pipeline
trigger on main; the consumer PR (#635) then switches ci.yml/publish.yml
to pull it.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 16:49:42 -05:00


# Build & push the pre-baked CI base image (Dockerfile.ci) to the Gitea
# registry CI already publishes to. Reuses the exact kaniko + auth pattern
# from publish.yml (REGISTRY_USER/REGISTRY_PASS from_secret, /kaniko/.docker
# config.json). Other pipelines (ci.yml, publish.yml) pull `ci-base:latest`
# for their install step.
#
# Rebuild ONLY when the dependency set or the image recipe changes — a normal
# code push must not trigger a 25-min image build. `path` applies to push/PR
# events; `event: tag` (releases) rebuilds unconditionally so a tagged release
# always ships a fresh base.
when:
  - event: tag
  - event: [push, manual]
    branch: main
    path:
      include:
        - 'pnpm-lock.yaml'
        - 'Dockerfile.ci'

steps:
  build-ci-base:
    image: gcr.io/kaniko-project/executor:debug
    environment:
      REGISTRY_USER:
        from_secret: gitea_username
      REGISTRY_PASS:
        from_secret: gitea_password
      CI_COMMIT_BRANCH: ${CI_COMMIT_BRANCH}
      CI_COMMIT_TAG: ${CI_COMMIT_TAG}
      CI_COMMIT_SHA: ${CI_COMMIT_SHA}
    commands:
      - mkdir -p /kaniko/.docker
      - echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$REGISTRY_USER\",\"password\":\"$REGISTRY_PASS\"}}}" > /kaniko/.docker/config.json
      - |
        # Lockfile-hash tag: an immutable identity for the exact dep set baked
        # into this image. `:latest` is the mutable pointer pipelines consume.
        LOCK_HASH=$(sha256sum pnpm-lock.yaml | cut -c1-12)
        DESTINATIONS="--destination git.mosaicstack.dev/mosaicstack/stack/ci-base:latest"
        DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/stack/ci-base:lock-$LOCK_HASH"
        /kaniko/executor --context . --dockerfile Dockerfile.ci $DESTINATIONS
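
The lockfile-hash tag scheme from the last step, seen from the side of a pipeline that pulls the image. This is an added example, not part of the repository: the function names and the consumer-side check are assumptions, and only the registry path and the `sha256sum | cut -c1-12` derivation come from the file above.

```shell
#!/bin/sh
# Added example (not repository code): derive the lock-<hash> tag for a
# lockfile and test whether an image reference is pinned to it.
# IMAGE_REPO is copied from ci-image.yml; the function names are hypothetical.
IMAGE_REPO="git.mosaicstack.dev/mosaicstack/stack/ci-base"

# lock_tag FILE -> prints "lock-<first 12 hex chars of sha256(FILE)>"
lock_tag() {
  [ -f "$1" ] || { echo "lock_tag: no such file: $1" >&2; return 2; }
  hash=$(sha256sum "$1" | cut -c1-12) || return 2
  # Refuse anything that is not exactly 12 lowercase hex characters.
  case "$hash" in
    ""|*[!0-9a-f]*) return 2 ;;
  esac
  [ "${#hash}" -eq 12 ] || return 2
  printf 'lock-%s\n' "$hash"
}

# pinned_ref FILE -> prints the image reference pinned to FILE's lock tag
pinned_ref() {
  tag=$(lock_tag "$1") || return $?
  printf '%s:%s\n' "$IMAGE_REPO" "$tag"
}

# check_ref REF FILE -> 0 if REF is the pinned reference for FILE,
# 1 if REF is a different or mutable tag (such as :latest), 2 on error.
check_ref() {
  want=$(pinned_ref "$2") || return 2
  [ "$1" = "$want" ]
}

# Typical use from a checkout (constructed invocation):
#   check_ref "$IMAGE_REPO:lock-0123456789ab" pnpm-lock.yaml \
#     || echo "base image does not match this lockfile" >&2
```

The `lock-` tag is immutable only by convention, since a registry tag can be pushed again; pinning by image digest is the stronger form of the same check.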