Flea Flicker
3e547b8568
The GRO-1983 fast restoration swapped Corepack's pnpm shim for a real
`npm install -g pnpm@9.15.4` binary, which is the right move. But the
GRO-1997 evidence gate still showed the first `reset-demo-data` pod
(...-nh7vg) hitting `getaddrinfo EAI_AGAIN registry.npmjs.org` before a
retry succeeded — the cache was writable, the cold-cache registry
download wasn't eliminated. This is the durable fix:
1. `ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0` in `base` and `runner`:
defence in depth so a Corepack shim can never silently re-download
pnpm, even if it is somehow re-introduced.
2. `ENV HOME=/tmp` in the `migrate`, `seed`, and `reset` stages:
under `readOnlyRootFilesystem: true` + `runAsUser: 1000`, the
default HOME path is read-only, and pnpm fails the first time it
tries to write a config or state file. The job pods already mount a
writable emptyDir at `/tmp`; point HOME there.
3. CI smoke tests for `seed` and `reset` images (matching the existing
`migrate` smoke): point `registry.npmjs.org` at 127.0.0.1 in a
throwaway container, assert `which pnpm` resolves to
`/usr/local/bin/pnpm` (real binary, not shim), and that `pnpm
--version` succeeds without network egress. If Corepack ever sneaks
back in, CI catches it on every PR.
The vestigial `RUN mkdir -p /home/node/.cache/node/corepack` in the
`builder` stage (mentioned in the spec) was already removed in GRO-1909
(commit 0a3eb8a), so nothing to do there.
Follow-on cleanup of the per-job `COREPACK_HOME` env vars and
`node-cache` emptyDir mounts in `groombook/infra` is intentionally
deferred to a coordinated infra PR once the new image is deployed —
keeping the existing infra in place during the transition avoids a
flag-day.
GRO-1985, hardening follow-up to GRO-1984 / GRO-1983.
Closes parent: GRO-1981.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
188 lines
6.1 KiB
YAML
188 lines
6.1 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [main, dev, uat]
|
|
pull_request:
|
|
branches: [main, dev, uat]
|
|
workflow_dispatch:
|
|
inputs:
|
|
ref:
|
|
description: "Branch or ref to run CI against"
|
|
required: false
|
|
default: "main"
|
|
|
|
jobs:
|
|
lint-typecheck:
|
|
name: Lint & Typecheck
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: pnpm/action-setup@v4
|
|
with:
|
|
version: '9.15.4'
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
cache: pnpm
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Typecheck
|
|
run: |
|
|
pnpm --filter @groombook/api typecheck
|
|
pnpm --filter @groombook/db typecheck
|
|
|
|
- name: Lint
|
|
run: pnpm --filter @groombook/api lint
|
|
|
|
test:
|
|
name: Test
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: pnpm/action-setup@v4
|
|
with:
|
|
version: '9.15.4'
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
cache: pnpm
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Run tests
|
|
run: pnpm --filter @groombook/api test
|
|
|
|
docker:
|
|
name: Build & Push Docker Images
|
|
runs-on: ubuntu-latest
|
|
needs: [lint-typecheck, test]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Generate image tag
|
|
id: version
|
|
run: |
|
|
if [ "${{ github.event_name }}" = "pull_request" ]; then
|
|
TAG="pr-${{ github.event.pull_request.number }}-${GITHUB_SHA::7}"
|
|
else
|
|
TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}"
|
|
fi
|
|
echo "tag=$TAG" >> "$GITHUB_OUTPUT"
|
|
echo "Image tag: $TAG"
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
with:
|
|
driver-opts: network=host
|
|
|
|
- name: Log in to Gitea Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: git.farh.net
|
|
username: ${{ gitea.actor }}
|
|
password: ${{ secrets.REGISTRY_TOKEN }}
|
|
|
|
- name: Build and push API image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
provenance: false
|
|
context: .
|
|
file: Dockerfile
|
|
target: runner
|
|
push: true
|
|
tags: |
|
|
git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
|
|
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
|
|
cache-from: type=registry,ref=git.farh.net/groombook/cache:api
|
|
cache-to: type=registry,ref=git.farh.net/groombook/cache:api,mode=max
|
|
|
|
- name: Build and push Migrate image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
provenance: false
|
|
context: .
|
|
file: Dockerfile
|
|
target: migrate
|
|
push: true
|
|
tags: |
|
|
git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}
|
|
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }}
|
|
cache-from: type=registry,ref=git.farh.net/groombook/cache:migrate
|
|
cache-to: type=registry,ref=git.farh.net/groombook/cache:migrate,mode=max
|
|
|
|
- name: Smoke test migrate image (blackhole npmjs.org)
|
|
run: |
|
|
set -euo pipefail
|
|
IMAGE="git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}"
|
|
docker pull "$IMAGE"
|
|
docker run --rm \
|
|
--add-host registry.npmjs.org:127.0.0.1 \
|
|
--entrypoint="" \
|
|
"$IMAGE" \
|
|
pnpm --version
|
|
|
|
- name: Build and push Seed image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
provenance: false
|
|
context: .
|
|
file: Dockerfile
|
|
target: seed
|
|
push: true
|
|
tags: |
|
|
git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}
|
|
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }}
|
|
cache-from: type=registry,ref=git.farh.net/groombook/cache:seed
|
|
cache-to: type=registry,ref=git.farh.net/groombook/cache:seed,mode=max
|
|
|
|
- name: Build and push Reset image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
provenance: false
|
|
context: .
|
|
file: Dockerfile
|
|
target: reset
|
|
push: true
|
|
tags: |
|
|
git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}
|
|
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
|
|
cache-from: type=registry,ref=git.farh.net/groombook/cache:reset
|
|
cache-to: type=registry,ref=git.farh.net/groombook/cache:reset,mode=max
|
|
|
|
- name: Smoke test seed image (blackhole npmjs.org)
|
|
run: |
|
|
set -euo pipefail
|
|
IMAGE="git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}"
|
|
docker pull "$IMAGE"
|
|
# GRO-1985: pnpm must be a real binary, not a Corepack shim, and must
|
|
# not try to reach registry.npmjs.org on invocation.
|
|
docker run --rm \
|
|
--add-host registry.npmjs.org:127.0.0.1 \
|
|
--entrypoint="" \
|
|
"$IMAGE" \
|
|
sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; pnpm --version'
|
|
echo "seed image: pnpm resolves to /usr/local/bin/pnpm and runs offline ✓"
|
|
|
|
- name: Smoke test reset image (blackhole npmjs.org)
|
|
run: |
|
|
set -euo pipefail
|
|
IMAGE="git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}"
|
|
docker pull "$IMAGE"
|
|
# GRO-1985: pnpm must be a real binary, not a Corepack shim, and must
|
|
# not try to reach registry.npmjs.org on invocation. Validates the
|
|
# hard requirement from the issue: reset runs offline.
|
|
docker run --rm \
|
|
--add-host registry.npmjs.org:127.0.0.1 \
|
|
--entrypoint="" \
|
|
"$IMAGE" \
|
|
sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; echo "HOME=$HOME"; pnpm --version'
|
|
echo "reset image: pnpm resolves to /usr/local/bin/pnpm, HOME=/tmp, runs offline ✓"
|