trm/directus
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0f89fea913c612ebe6937c97fe9e5cbadd063e42
directus/.gitea/workflows/build.yml
T
julian 0f89fea913 Task 1.8 — Gitea CI dry-run workflow 
.gitea/workflows/build.yml builds the directus image on path-filtered
pushes to main and validates the boot pipeline against a throwaway
Postgres before pushing the image to the registry. The dry-run is the
gate that catches snapshot drift, broken db-init scripts, or
incompatible schema changes before they reach stage.

Workflow shape (mirrors processor's CI but tailored to Directus):
- Path filter: snapshots/, db-init/, extensions/, scripts/,
  entrypoint.sh, Dockerfile, the workflow file itself.
  Docs-only commits (.planning/, README.md, compose.dev.yaml,
  package.json) do NOT trigger CI.
- Throwaway Postgres via services: block, pinned to the same
  timescale/timescaledb-ha:pg16.6-ts2.17.2-all tag as compose.dev.yaml.
- Plain `docker build` (NOT build-push-action) so the image stays in
  the local daemon for the subsequent docker run dry-run.
- Dry-run: --network host + --entrypoint bash to override the upstream
  entrypoint and run only apply-db-init.sh && schema-apply.sh.
  Skips bootstrap and pm2-runtime — the schema apply is the gate.
- Two image tags: :main (mutable) and :<sha> (immutable).
- Optional Portainer webhook gated on secret presence; curl -fsS so a
  misconfigured URL fails the step explicitly.

Spec corrections folded in (the spec's draft had two contradictions
that would have failed at runtime):
1. DB_HOST=localhost (not 'postgres'). With --network host, service
   containers are reachable on the runner's loopback by their port
   mapping, NOT by service name. Service-name resolution requires the
   default bridge network; --network host overrides it.
2. health-retries 20 (not 10). timescaledb-ha:*-all does more init
   work at boot than vanilla postgres; 50s isn't always enough.

Operator action required in the Gitea repo Settings before first run:
configure REGISTRY_USERNAME and REGISTRY_PASSWORD secrets (required for
push); optionally PORTAINER_WEBHOOK_URL (for auto-deploy).

Live verification deferred to first relevant commit. Documented in the
task spec's Done section: positive (clean snapshot → push succeeds)
and negative (malformed snapshot → halt before push) cases to validate
once CI runs.

ROADMAP marks 1.8 done. Phase 1 progress: 8/9 tasks complete (1.1–1.8);
only 1.9 (Rally Albania 2026 dogfood seed) remains before Phase 1 ships.
2026-05-02 10:04:39 +02:00

142 lines
6.4 KiB
YAML
Raw Blame History

name: Build directus image
on:
push:
branches: [main]
paths:
- 'snapshots/**'
- 'db-init/**'
- 'extensions/**'
- 'scripts/**'
- 'entrypoint.sh'
- 'Dockerfile'
- '.gitea/workflows/build.yml'
workflow_dispatch:
jobs:
build-and-publish:
runs-on: ubuntu-22.04
# ---------------------------------------------------------------------------
# Throwaway Postgres for the dry-run boot step.
#
# Image: pinned to the same concrete tag used in compose.dev.yaml — NOT the
# floating :pg16-latest alias (which does NOT exist on Docker Hub).
#
# PGDATA: the timescaledb-ha image initialises at /home/postgres/pgdata/data;
# the healthcheck uses pg_isready, which doesn't depend on the PGDATA path.
#
# Port mapping: 5432:5432 binds the service on the runner's loopback.
# The dry-run docker run uses --network host so DB_HOST=localhost reaches it.
# ---------------------------------------------------------------------------
services:
postgres:
image: timescale/timescaledb-ha:pg16.6-ts2.17.2-all
env:
POSTGRES_USER: directus
POSTGRES_PASSWORD: directus
POSTGRES_DB: directus
ports:
- '5432:5432'
options: >-
--health-cmd "pg_isready -U directus -d directus"
--health-interval 5s
--health-timeout 5s
--health-retries 20
steps:
- name: Checkout
uses: actions/checkout@v4
# -------------------------------------------------------------------------
# Build the image locally (trm-directus:ci).
#
# We use a plain `docker build` rather than docker/build-push-action because
# we need the image available in the *local Docker daemon* for the subsequent
# `docker run` dry-run step. docker/build-push-action with the
# docker-container Buildx driver exports into a separate buildkitd cache not
# accessible to `docker run`.
# -------------------------------------------------------------------------
- name: Build image
run: docker build -t trm-directus:ci .
# -------------------------------------------------------------------------
# Dry-run boot — the gate that protects the registry from broken images.
#
# Runs only the two pre-boot scripts (apply-db-init.sh → schema-apply.sh)
# against the throwaway Postgres service above. Intentionally does NOT run
# `directus bootstrap` or `directus start` — that would require waiting for
# the HTTP server to come up, which adds minutes and tests nothing new.
#
# --network host: the service container is mapped on 127.0.0.1:5432; the
# docker run container sees it as localhost:5432 only when host networking
# is used. Without --network host, the container would be in a separate
# bridge network and could not reach the service by name or IP.
#
# --entrypoint bash: overrides /directus/entrypoint.sh so we execute only
# the script chain, not the full pm2-runtime boot.
#
# Required Directus env vars: DB_CLIENT + connection params are mandatory
# for `node cli.js schema apply`. KEY + SECRET are required by Directus's
# env initialisation even when only the schema subcommand is invoked.
# ADMIN_EMAIL + ADMIN_PASSWORD are included defensively (some Directus
# versions assert on them during CLI init). PUBLIC_URL silences the
# missing-public-url warning.
#
# If this step exits non-zero the workflow halts and the registry login /
# push steps are never reached — the broken image is never published.
# -------------------------------------------------------------------------
- name: Dry-run boot against throwaway Postgres
run: |
docker run --rm \
--network host \
--entrypoint bash \
-e DB_CLIENT=pg \
-e DB_HOST=localhost \
-e DB_PORT=5432 \
-e DB_USER=directus \
-e DB_PASSWORD=directus \
-e DB_DATABASE=directus \
-e KEY=ci-key-placeholder-not-secret \
-e SECRET=ci-secret-placeholder-not-secret \
-e ADMIN_EMAIL=ci@example.com \
-e ADMIN_PASSWORD=ci-password-not-secret \
-e PUBLIC_URL=http://localhost:8055 \
trm-directus:ci \
-c '/directus/scripts/apply-db-init.sh && /directus/scripts/schema-apply.sh && echo "dry-run ok"'
# -------------------------------------------------------------------------
# Registry login — runs only if the dry-run succeeded (default: workflow
# halts on non-zero exit, so reaching this step implies dry-run passed).
# -------------------------------------------------------------------------
- name: Login to Gitea registry
uses: docker/login-action@v3
with:
registry: git.dev.microservices.al
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
# -------------------------------------------------------------------------
# Tag and push two tags:
# :main — mutable; always points at the latest commit on main.
# :<sha> — immutable; pinned to this specific commit.
# The deploy stack can reference either; :main for rolling updates,
# :<sha> for pinned deployments that need explicit rollback control.
# -------------------------------------------------------------------------
- name: Tag and push
run: |
docker tag trm-directus:ci git.dev.microservices.al/trm/directus:main
docker tag trm-directus:ci git.dev.microservices.al/trm/directus:${{ github.sha }}
docker push git.dev.microservices.al/trm/directus:main
docker push git.dev.microservices.al/trm/directus:${{ github.sha }}
# -------------------------------------------------------------------------
# Optional Portainer redeploy webhook.
# Fires only when PORTAINER_WEBHOOK_URL secret is configured in the repo.
# If the secret is absent the condition evaluates false and the step is
# skipped — no error, no noise.
# -------------------------------------------------------------------------
- name: Trigger Portainer redeploy (optional)
if: ${{ secrets.PORTAINER_WEBHOOK_URL != '' }}
run: curl -fsS -X POST "${{ secrets.PORTAINER_WEBHOOK_URL }}"
Reference in New Issue View Git Blame Copy Permalink