stack/docs/scratchpads/ci-docker-publish-20260330.md
Jarvis f161e3cb62
Some checks failed
ci/woodpecker/push/ci Pipeline failed
ci/woodpecker/pr/ci Pipeline failed
feat(ci): add Docker build+push pipeline for gateway and web images
2026-03-30 19:54:28 -05:00

Scratchpad: CI Docker Publish (2026-03-30)

  • Objective: Add Woodpecker Docker build+push steps for gateway and web images on main pushes.
  • Scope: .woodpecker/ci.yml.
  • Constraints:
    • Use existing Dockerfiles at docker/gateway.Dockerfile and docker/web.Dockerfile.
    • Publish to git.mosaicstack.dev with from_secret credentials.
    • Tag both latest and ${CI_COMMIT_SHA}.
    • Do not run publish steps on pull requests.
  • ASSUMPTION: Publishing latest is required by the task for registry convenience, even though immutable tags remain the safer deployment reference.
  • Findings:
    • Existing pipeline already has build after lint, format, and test.
    • apps/gateway/package.json uses tsc for build; no Prisma dependency or prisma generate hook is present.
  • Plan:
    1. Patch .woodpecker/ci.yml so that build remains the step that follows the quality gates (lint, format, test), and add publish-gateway plus publish-web after it.
    2. Validate YAML and run repo quality gates relevant to the change.
    3. Review the diff, then commit/push/PR if validation passes.
  • Verification:
    • python3 -c "import yaml; yaml.safe_load(open('.woodpecker/ci.yml'))" && echo "YAML valid"
    • pnpm lint
    • pnpm typecheck
    • pnpm format:check
    • docker compose up -d
    • pnpm --filter @mosaic/db db:push
    • pnpm test
    • pnpm build
    • Manual review of .woodpecker/ci.yml diff: publish steps are main-only, depend on build, and use secret-backed registry auth plus dual tags.
  • Risks:
    • Pipeline behavior beyond YAML validation cannot be fully proven locally; remote Woodpecker execution will be the final situational check after push.
    • Repo baseline required two existing plugins/macp files to be reformatted before pnpm format:check would pass.
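
The manual review item under Verification can be turned into a repeatable check. The following is an added example, not part of the scratchpad or the repository: it assumes the pipeline has already been parsed (for instance with yaml.safe_load, as above), that steps use the mapping form keyed by step name, and the secret names and sample pipelines are constructed.

```python
def _as_list(value):
    # Woodpecker accepts a scalar or a list for most filter fields.
    value = [] if value is None else value
    return value if isinstance(value, list) else [value]

def check_publish_step(name, step, sha_tag="${CI_COMMIT_SHA}"):
    """Return the policy violations for one publish step (empty list = pass)."""
    problems = []
    clauses = _as_list(step.get("when"))
    if not clauses:
        problems.append(f"{name}: no 'when' filter, step runs on every event")
    for clause in clauses:  # list entries are OR'd, so each one must be safe
        # For pull requests the branch filter matches the target branch,
        # so the event must be pinned to push as well.
        if _as_list(clause.get("event")) != ["push"]:
            problems.append(f"{name}: event must be exactly 'push'")
        if _as_list(clause.get("branch")) != ["main"]:
            problems.append(f"{name}: branch must be exactly 'main'")
    if "build" not in _as_list(step.get("depends_on")):
        problems.append(f"{name}: must depend on 'build'")
    settings = step.get("settings") or {}
    for key in ("username", "password"):
        value = settings.get(key)
        if not (isinstance(value, dict) and "from_secret" in value):
            problems.append(f"{name}: {key} must use from_secret")
    tags = _as_list(settings.get("tags"))
    if "latest" not in tags or sha_tag not in tags:
        problems.append(f"{name}: tags must include 'latest' and {sha_tag}")
    return problems

def check_pipeline(pipeline):
    steps = pipeline.get("steps", {})
    publish = {n: s for n, s in steps.items() if n.startswith("publish-")}
    return [p for n, s in sorted(publish.items()) for p in check_publish_step(n, s)]

# Constructed samples, shaped like the parsed YAML (secret names are assumptions).
def _step(event="push", password=None):
    return {
        "when": [{"branch": "main", "event": event}],
        "depends_on": ["build"],
        "settings": {
            "username": {"from_secret": "registry_user"},
            "password": password or {"from_secret": "registry_pass"},
            "tags": ["latest", "${CI_COMMIT_SHA}"],
        },
    }

GOOD = {"steps": {"build": {}, "publish-gateway": _step(), "publish-web": _step()}}
BAD = {"steps": {"publish-web": _step(["push", "pull_request"], "inline-value")}}
```

check_pipeline(GOOD) returns an empty list; check_pipeline(BAD) reports the pull_request event and the inline password.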