From e33ddf289214b34a848d138ac9d5304d33797996b269185f6d1c6aa535900e8f Mon Sep 17 00:00:00 2001
From: Till Wegmueller
Date: Sun, 25 Jan 2026 18:38:28 +0100
Subject: [PATCH] Update container build cache mounts, enhance Traefik and GitHub integration support

- Use `sharing=locked` for cargo build cache mounts across multiple Containerfiles to improve caching efficiency.
- Upgrade Traefik to version 3.6 and add support for `DOCKER_API_VERSION` for Podman compatibility.
- Extend `.env.sample` with GitHub integration variables and update `.gitignore` with new secrets.
- Document GitHub App configuration and webhook integration in Podman README.
- Update `github-integration` compose service with environment variables for webhook secret, app ID, key, and API base.

Signed-off-by: Till Wegmueller
---
 deploy/images/forge-integration/Containerfile | 6 +++---
 deploy/images/github-integration/Containerfile | 6 +++---
 deploy/images/logs-service/Containerfile | 6 +++---
 deploy/images/orchestrator/Containerfile | 6 +++---
 deploy/podman/.env.sample | 17 ++++++++++++++++-
 deploy/podman/.gitignore | 3 ++-
 deploy/podman/README.md | 9 ++++++++-
 deploy/podman/compose.yml | 15 +++++++++++++--
 8 files changed, 51 insertions(+), 17 deletions(-)

diff --git a/deploy/images/forge-integration/Containerfile b/deploy/images/forge-integration/Containerfile
index 6411ecd..5c971a6 100644
--- a/deploy/images/forge-integration/Containerfile
+++ b/deploy/images/forge-integration/Containerfile
@@ -12,9 +12,9 @@ RUN apt-get update \
 RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /cargo/config.toml
 COPY Cargo.toml ./
 COPY crates ./crates
-RUN --mount=type=cache,target=/cargo/registry \
- --mount=type=cache,target=/cargo/git \
- --mount=type=cache,target=/cargo/target \
+RUN --mount=type=cache,target=/cargo/registry,sharing=locked \
+ --mount=type=cache,target=/cargo/git,sharing=locked \
+ --mount=type=cache,target=/cargo/target,sharing=locked \
 cargo build --release -p forge-integration && cp /cargo/target/release/forge-integration /forge-integration
 FROM docker.io/library/debian:bookworm-slim
diff --git a/deploy/images/github-integration/Containerfile b/deploy/images/github-integration/Containerfile
index b096a96..16b1b33 100644
--- a/deploy/images/github-integration/Containerfile
+++ b/deploy/images/github-integration/Containerfile
@@ -12,9 +12,9 @@ RUN apt-get update \
 RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /cargo/config.toml
 COPY Cargo.toml ./
 COPY crates ./crates
-RUN --mount=type=cache,target=/cargo/registry \
- --mount=type=cache,target=/cargo/git \
- --mount=type=cache,target=/cargo/target \
+RUN --mount=type=cache,target=/cargo/registry,sharing=locked \
+ --mount=type=cache,target=/cargo/git,sharing=locked \
+ --mount=type=cache,target=/cargo/target,sharing=locked \
 cargo build --release -p github-integration && cp /cargo/target/release/github-integration /github-integration
 FROM docker.io/library/debian:bookworm-slim
diff --git a/deploy/images/logs-service/Containerfile b/deploy/images/logs-service/Containerfile
index 9d639b8..ecc3fa5 100644
--- a/deploy/images/logs-service/Containerfile
+++ b/deploy/images/logs-service/Containerfile
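Review bot: The rewritten `RUN` still invokes `cargo build --release -p forge-integration` without `--locked`, and the context lines above it copy only `Cargo.toml` and `crates/`, so unless `Cargo.lock` is copied somewhere outside this hunk the dependency graph is re-resolved at every image build — a non-reproducible build whose registry and git checkouts are now persisted across builds through the cache mounts. I would copy the lockfile in the same layer, `COPY Cargo.toml Cargo.lock ./`, and make drift a hard failure: `cargo build --locked --release -p forge-integration && cp /cargo/target/release/forge-integration /forge-integration`. The same applies verbatim to the github-integration, logs-service and orchestrator Containerfiles in this patch. Separately, `sharing=locked` serialises any concurrent build that uses the same cache key, and because none of the mounts carry an `id=` the four images appear to share the `/cargo/*` caches; if that sharing is deliberate, an explicit `id=cargo-target` (and siblings) would make it visible rather than an artefact of the default keying by target path.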
@@ -14,9 +14,9 @@ RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /car
 # Pre-copy manifests for better caching
 COPY Cargo.toml ./
 COPY crates ./crates
-RUN --mount=type=cache,target=/cargo/registry \
- --mount=type=cache,target=/cargo/git \
- --mount=type=cache,target=/cargo/target \
+RUN --mount=type=cache,target=/cargo/registry,sharing=locked \
+ --mount=type=cache,target=/cargo/git,sharing=locked \
+ --mount=type=cache,target=/cargo/target,sharing=locked \
 cargo build --release -p logs-service && cp /cargo/target/release/logs-service /logs-service
 FROM docker.io/library/debian:bookworm-slim
diff --git a/deploy/images/orchestrator/Containerfile b/deploy/images/orchestrator/Containerfile
index 7577a25..28dc9d7 100644
--- a/deploy/images/orchestrator/Containerfile
+++ b/deploy/images/orchestrator/Containerfile
@@ -15,9 +15,9 @@ RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /car
 COPY Cargo.toml ./
 COPY crates ./crates
 # Build orchestrator only
-RUN --mount=type=cache,target=/cargo/registry \
- --mount=type=cache,target=/cargo/git \
- --mount=type=cache,target=/cargo/target \
+RUN --mount=type=cache,target=/cargo/registry,sharing=locked \
+ --mount=type=cache,target=/cargo/git,sharing=locked \
+ --mount=type=cache,target=/cargo/target,sharing=locked \
 cargo build --release -p orchestrator --features libvirt && cp /cargo/target/release/orchestrator /orchestrator
 FROM docker.io/library/debian:bookworm-slim
diff --git a/deploy/podman/.env.sample b/deploy/podman/.env.sample
index 3f4962d..07511b8 100644
--- a/deploy/podman/.env.sample
+++ b/deploy/podman/.env.sample
@@ -37,6 +37,8 @@ TRAEFIK_DASHBOARD_AUTH=
 # to allow binding 80/443.
 TRAEFIK_HTTP_PORT=8080
 TRAEFIK_HTTPS_PORT=4443
+# Docker API version used by Traefik (Podman compatibility)
+DOCKER_API_VERSION=1.44
 # Orchestrator libvirt integration (Linux hosts)
 # URI to the system libvirt on the host; usually qemu:///system
@@ -68,4 +70,17 @@ WEBHOOK_SECRET=
 FORGEJO_TOKEN=
 # Optional: Forgejo API base URL (not secret, but commonly configured alongside the token)
 # Example: https://codeberg.org/api/v1
-FORGEJO_BASE_URL=
\ No newline at end of file
+FORGEJO_BASE_URL=
+
+# GitHub Integration secrets (set per deployment)
+# Shared secret used to validate GitHub webhooks (X-Hub-Signature-256)
+GITHUB_WEBHOOK_SECRET=
+# GitHub App ID (numeric)
+GITHUB_APP_ID=
+# GitHub App private key (PEM) or a filesystem path to the PEM
+GITHUB_APP_KEY=
+GITHUB_APP_KEY_PATH=
+# Optional: override GitHub API base (GitHub Enterprise)
+GITHUB_API_BASE=
+# Optional: custom check run display name
+GITHUB_CHECK_NAME=
diff --git a/deploy/podman/.gitignore b/deploy/podman/.gitignore
index a1e5ac6..b106d45 100644
--- a/deploy/podman/.gitignore
+++ b/deploy/podman/.gitignore
@@ -1 +1,2 @@
-.env
\ No newline at end of file
+.env
+solstice-ci-github-key.pem
\ No newline at end of file
diff --git a/deploy/podman/README.md b/deploy/podman/README.md
index 6f55e6a..067c79a 100644
--- a/deploy/podman/README.md
+++ b/deploy/podman/README.md
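Review bot: The single comment `# GitHub App private key (PEM) or a filesystem path to the PEM` sits above two variables, `GITHUB_APP_KEY` (inline PEM) and `GITHUB_APP_KEY_PATH` (path), and says nothing about which one wins when both are set, while an operator who follows the first option ends up with a multi-line private key in a dotenv file and in the container's environment, where `podman inspect` and any process dump expose it. I would give each variable its own comment and steer towards the file: `# Preferred: path to the App private key inside the container (mount it read-only)` above `GITHUB_APP_KEY_PATH=`, and `# Fallback only: the PEM contents inline; visible in the container environment` above `GITHUB_APP_KEY=`, plus one line stating the precedence the service actually applies, which I cannot tell from this patch. The `solstice-ci-github-key.pem` entry this commit adds to `.gitignore` suggests the path form is the intended production layout, so documenting it as the default would match that.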
@@ -163,6 +163,13 @@ Forge integration configuration
 - To enable posting commit statuses back to Forgejo/Gitea, set FORGEJO_TOKEN and FORGEJO_BASE_URL in deploy/podman/.env. If they are not set, the service logs a warning (FORGEJO_* not set) and disables the job result consumer that reports statuses.
 - The compose file passes these variables to the container. After editing .env, run: podman compose up -d forge-integration
+GitHub integration configuration
+
+- Set GITHUB_WEBHOOK_SECRET in deploy/podman/.env to validate webhook signatures (X-Hub-Signature-256). If unset, webhooks are accepted without validation (dev mode).
+- To enable check runs and workflow fetches, configure a GitHub App and set GITHUB_APP_ID plus either GITHUB_APP_KEY (PEM contents) or GITHUB_APP_KEY_PATH (path inside the container).
+- Optional overrides: GITHUB_API_BASE for GitHub Enterprise and GITHUB_CHECK_NAME to customize the check run title.
+- The compose file passes these variables to the container. After editing .env, run: podman compose up -d github-integration
+
 Traefik ACME CA server note
-- If you see a warning about TRAEFIK_ACME_CASERVER being unset, it is harmless. The compose file now defaults this value to empty so Traefik uses the production Let’s Encrypt endpoint. To test with staging, set TRAEFIK_ACME_CASERVER=https://acme-staging-v02.api.letsencrypt.org/directory in .env and redeploy Traefik.
\ No newline at end of file
+- If you see a warning about TRAEFIK_ACME_CASERVER being unset, it is harmless. The compose file now defaults this value to empty so Traefik uses the production Let’s Encrypt endpoint. To test with staging, set TRAEFIK_ACME_CASERVER=https://acme-staging-v02.api.letsencrypt.org/directory in .env and redeploy Traefik.
diff --git a/deploy/podman/compose.yml b/deploy/podman/compose.yml
index b2c31e5..acd1bf5 100644
--- a/deploy/podman/compose.yml
+++ b/deploy/podman/compose.yml
@@ -27,9 +27,11 @@ volumes:
 services:
 traefik:
- image: docker.io/library/traefik:v3.1
+ image: docker.io/library/traefik:v3.6
 container_name: traefik
 restart: unless-stopped
+ environment:
+ DOCKER_API_VERSION: ${DOCKER_API_VERSION:-1.44}
 command:
 - --api.dashboard=true
 - --providers.docker=true
@@ -314,8 +316,17 @@ services:
 environment:
 RUST_LOG: info
 AMQP_URL: amqp://${RABBITMQ_DEFAULT_USER}:${RABBITMQ_DEFAULT_PASS}@rabbitmq:5672/solstice-${ENV}
- # HTTP server for GitHub webhooks (skeleton service; implement handler later)
+ # HTTP server for GitHub webhooks
 HTTP_ADDR: 0.0.0.0:8082
+ WEBHOOK_PATH: /webhooks/github
+ GITHUB_WEBHOOK_SECRET: ${GITHUB_WEBHOOK_SECRET}
+ GITHUB_APP_ID: ${GITHUB_APP_ID}
+ GITHUB_APP_KEY_PATH: ${GITHUB_APP_KEY_PATH}
+ GITHUB_APP_KEY: ${GITHUB_APP_KEY}
+ GITHUB_API_BASE: ${GITHUB_API_BASE:-https://api.github.com}
+ GITHUB_CHECK_NAME: ${GITHUB_CHECK_NAME:-Solstice CI}
+ # URL where logs-service is exposed (used for check-run links)
+ LOGS_BASE_URL: https://logs.${ENV}.${DOMAIN}
 depends_on:
 rabbitmq:
 condition: service_healthy
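Review bot: The new `image: docker.io/library/traefik:v3.6` is still a mutable tag, and the `--providers.docker=true` context line just below means this container reads the Podman/Docker API socket, which makes it the most privileged service in the stack. I would pin it by digest as well, `image: docker.io/library/traefik:v3.6@sha256:<digest of the image you validated>`, so a retagged upstream image cannot change what runs here without a reviewed commit. The new `DOCKER_API_VERSION` default is also duplicated between this line and `.env.sample` (`1.44` in both); keeping only the compose-side `:-1.44` fallback and leaving the sample entry empty avoids the two drifting apart.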
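Review bot: `GITHUB_WEBHOOK_SECRET: ${GITHUB_WEBHOOK_SECRET}` silently expands to an empty string when the variable is missing from `.env`, and the README hunk in this same patch says an unset secret makes the service accept webhooks without signature validation; combined with `HTTP_ADDR: 0.0.0.0:8082` that is an unauthenticated endpoint for triggering CI work on a forgotten variable. I would make Compose refuse to start instead: `GITHUB_WEBHOOK_SECRET: ${GITHUB_WEBHOOK_SECRET:?GITHUB_WEBHOOK_SECRET must be set; see README}`, with `:?` likewise on `GITHUB_APP_ID` if the App integration is mandatory for this deployment. Also, `GITHUB_APP_KEY_PATH` is documented as a path inside the container, but nothing in this hunk mounts the gitignored `solstice-ci-github-key.pem` into the service; unless a `volumes:` or `secrets:` entry exists for it outside the hunk, the path variant cannot work and a read-only bind such as `- ./solstice-ci-github-key.pem:/run/secrets/github-app-key.pem:ro` is needed. Note that the service's `volumes:` and the rest of its definition start before `@@ -314` and are not visible here.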