# Builds the pre-baked CI base image from Dockerfile.ci and pushes it to the
# Gitea registry that CI already publishes to. The kaniko + auth setup is the
# same one publish.yml uses: REGISTRY_USER/REGISTRY_PASS come from_secret and
# are written to /kaniko/.docker/config.json. Other pipelines (ci.yml,
# publish.yml) pull `ci-base:latest` for their install step.
#
# Trigger policy: rebuild ONLY when the dependency set or the image recipe
# changes, so that a normal code push never starts a 25-min image build.
#   * `event: tag` (releases) carries no filter and rebuilds unconditionally,
#     so a tagged release always ships a fresh base.
#   * push/manual runs are limited to `main`; `path` narrows them to changes
#     of the two files listed below. `path` applies to push/PR events.
# NOTE(review): every run of this pipeline re-pushes `ci-base:latest`, which the
# other pipelines consume. The right to push to main or to create a tag is
# therefore also the right to replace the base image; confirm both are
# restricted in the repository settings.
when:
  - event: tag
  - event:
      - push
      - manual
    branch: main
    path:
      include:
        - pnpm-lock.yaml
        - Dockerfile.ci

# Single step: run the kaniko executor against Dockerfile.ci in the repository
# root and push the result to git.mosaicstack.dev/mosaicstack/stack/ci-base
# under two tags (`latest` and `lock-<hash>`).
steps:
  build-ci-base:
    # NOTE(review): `:debug` is a mutable tag, and this container is the one
    # that receives the registry credentials below. Whatever the tag resolves
    # to at run time gets push access to the registry. Consider pinning by
    # digest (executor:debug@sha256:<DIGEST-PLACEHOLDER>) and bumping it
    # deliberately.
    image: gcr.io/kaniko-project/executor:debug
    environment:
      # Registry credentials are injected from the CI secret store; no literal
      # credential appears in this file.
      # NOTE(review): the secret is named gitea_password. If it holds an
      # account password rather than a token scoped to package write, a leak
      # from this step exposes more than the registry. Confirm what it holds.
      REGISTRY_USER:
        from_secret: gitea_username
      REGISTRY_PASS:
        from_secret: gitea_password
      # Commit metadata re-exported into the step; none of the commands below
      # reference these three variables.
      CI_COMMIT_BRANCH: ${CI_COMMIT_BRANCH}
      CI_COMMIT_TAG: ${CI_COMMIT_TAG}
      CI_COMMIT_SHA: ${CI_COMMIT_SHA}
    commands:
      - mkdir -p /kaniko/.docker
      # Writes the registry auth file in plaintext inside the step container.
      # The two values are interpolated into the JSON without escaping, so a
      # `"` or `\` in either one produces an invalid or differently structured
      # config.json.
      - echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$REGISTRY_USER\",\"password\":\"$REGISTRY_PASS\"}}}" > /kaniko/.docker/config.json
      # LOCK_HASH is the first 12 hex characters of the SHA-256 of
      # pnpm-lock.yaml. $DESTINATIONS is left unquoted on the executor line so
      # the shell splits it into separate --destination arguments.
      # NOTE(review): the `lock-<hash>` tag identifies the lockfile, not the
      # image. A Dockerfile.ci change or a tag event with an unchanged lockfile
      # re-pushes the same `lock-` tag with different contents, unless the
      # registry rejects tag overwrites. Consumers that need a reproducible
      # base should pin the image digest rather than either tag.
      - |
        # Lockfile-hash tag: an immutable identity for the exact dep set baked
        # into this image. `:latest` is the mutable pointer pipelines consume.
        LOCK_HASH=$(sha256sum pnpm-lock.yaml | cut -c1-12)
        DESTINATIONS="--destination git.mosaicstack.dev/mosaicstack/stack/ci-base:latest"
        DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/stack/ci-base:lock-$LOCK_HASH"
        /kaniko/executor --context . --dockerfile Dockerfile.ci $DESTINATIONS