Update container build cache mounts, enhance Traefik and GitHub integration support

- Use `sharing=locked` for cargo build cache mounts across multiple Containerfiles to improve caching efficiency.
- Upgrade Traefik to version 3.6 and add support for `DOCKER_API_VERSION` for Podman compatibility.
- Extend `.env.sample` with GitHub integration variables and update `.gitignore` with new secrets.
- Document GitHub App configuration and webhook integration in Podman README.
- Update `github-integration` compose service with environment variables for webhook secret, app ID, key, and API base.

Signed-off-by: Till Wegmueller <toasterson@gmail.com>
Till Wegmueller 2026-01-25 18:38:28 +01:00
parent a1592cd6c9
commit e33ddf2892
No known key found for this signature in database
8 changed files with 51 additions and 17 deletions


@ -12,9 +12,9 @@ RUN apt-get update \
RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /cargo/config.toml RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /cargo/config.toml
COPY Cargo.toml ./ COPY Cargo.toml ./
COPY crates ./crates COPY crates ./crates
RUN --mount=type=cache,target=/cargo/registry \ RUN --mount=type=cache,target=/cargo/registry,sharing=locked \
--mount=type=cache,target=/cargo/git \ --mount=type=cache,target=/cargo/git,sharing=locked \
--mount=type=cache,target=/cargo/target \ --mount=type=cache,target=/cargo/target,sharing=locked \
cargo build --release -p forge-integration && cp /cargo/target/release/forge-integration /forge-integration cargo build --release -p forge-integration && cp /cargo/target/release/forge-integration /forge-integration
FROM docker.io/library/debian:bookworm-slim FROM docker.io/library/debian:bookworm-slim
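Review bot: The `sharing=locked` added to the three cache mounts carries no comment saying why, and the commit message's "improve caching efficiency" does not describe what the option does: `locked` makes a second build that needs the same cache wait for the first instead of running concurrently (BuildKit's default is `shared`). Because a cache mount's id defaults to its `target`, the four Containerfiles touched by this commit (forge-integration, github-integration, logs-service, orchestrator) all share `/cargo/registry`, `/cargo/git` and `/cargo/target`, so the lock serializes a parallel `compose build` of those services; that is a correctness choice worth stating where the next reader will look for it. Suggest one comment above the RUN, in this hunk and the three sibling hunks: `# sharing=locked: every service Containerfile mounts these same cache dirs; serialize so concurrent cargo runs cannot clobber one another`. The build stage this RUN belongs to starts before the hunk.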


@ -12,9 +12,9 @@ RUN apt-get update \
RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /cargo/config.toml RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /cargo/config.toml
COPY Cargo.toml ./ COPY Cargo.toml ./
COPY crates ./crates COPY crates ./crates
RUN --mount=type=cache,target=/cargo/registry \ RUN --mount=type=cache,target=/cargo/registry,sharing=locked \
--mount=type=cache,target=/cargo/git \ --mount=type=cache,target=/cargo/git,sharing=locked \
--mount=type=cache,target=/cargo/target \ --mount=type=cache,target=/cargo/target,sharing=locked \
cargo build --release -p github-integration && cp /cargo/target/release/github-integration /github-integration cargo build --release -p github-integration && cp /cargo/target/release/github-integration /github-integration
FROM docker.io/library/debian:bookworm-slim FROM docker.io/library/debian:bookworm-slim


@ -14,9 +14,9 @@ RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /car
# Pre-copy manifests for better caching # Pre-copy manifests for better caching
COPY Cargo.toml ./ COPY Cargo.toml ./
COPY crates ./crates COPY crates ./crates
RUN --mount=type=cache,target=/cargo/registry \ RUN --mount=type=cache,target=/cargo/registry,sharing=locked \
--mount=type=cache,target=/cargo/git \ --mount=type=cache,target=/cargo/git,sharing=locked \
--mount=type=cache,target=/cargo/target \ --mount=type=cache,target=/cargo/target,sharing=locked \
cargo build --release -p logs-service && cp /cargo/target/release/logs-service /logs-service cargo build --release -p logs-service && cp /cargo/target/release/logs-service /logs-service
FROM docker.io/library/debian:bookworm-slim FROM docker.io/library/debian:bookworm-slim


@ -15,9 +15,9 @@ RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /car
COPY Cargo.toml ./ COPY Cargo.toml ./
COPY crates ./crates COPY crates ./crates
# Build orchestrator only # Build orchestrator only
RUN --mount=type=cache,target=/cargo/registry \ RUN --mount=type=cache,target=/cargo/registry,sharing=locked \
--mount=type=cache,target=/cargo/git \ --mount=type=cache,target=/cargo/git,sharing=locked \
--mount=type=cache,target=/cargo/target \ --mount=type=cache,target=/cargo/target,sharing=locked \
cargo build --release -p orchestrator --features libvirt && cp /cargo/target/release/orchestrator /orchestrator cargo build --release -p orchestrator --features libvirt && cp /cargo/target/release/orchestrator /orchestrator
FROM docker.io/library/debian:bookworm-slim FROM docker.io/library/debian:bookworm-slim


@ -37,6 +37,8 @@ TRAEFIK_DASHBOARD_AUTH=
# to allow binding 80/443. # to allow binding 80/443.
TRAEFIK_HTTP_PORT=8080 TRAEFIK_HTTP_PORT=8080
TRAEFIK_HTTPS_PORT=4443 TRAEFIK_HTTPS_PORT=4443
# Docker API version used by Traefik (Podman compatibility)
DOCKER_API_VERSION=1.44
# Orchestrator libvirt integration (Linux hosts) # Orchestrator libvirt integration (Linux hosts)
# URI to the system libvirt on the host; usually qemu:///system # URI to the system libvirt on the host; usually qemu:///system
@ -69,3 +71,16 @@ FORGEJO_TOKEN=
# Optional: Forgejo API base URL (not secret, but commonly configured alongside the token) # Optional: Forgejo API base URL (not secret, but commonly configured alongside the token)
# Example: https://codeberg.org/api/v1 # Example: https://codeberg.org/api/v1
FORGEJO_BASE_URL= FORGEJO_BASE_URL=
# GitHub Integration secrets (set per deployment)
# Shared secret used to validate GitHub webhooks (X-Hub-Signature-256)
GITHUB_WEBHOOK_SECRET=
# GitHub App ID (numeric)
GITHUB_APP_ID=
# GitHub App private key (PEM) or a filesystem path to the PEM
GITHUB_APP_KEY=
GITHUB_APP_KEY_PATH=
# Optional: override GitHub API base (GitHub Enterprise)
GITHUB_API_BASE=
# Optional: custom check run display name
GITHUB_CHECK_NAME=
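Review bot: The comment added above `GITHUB_WEBHOOK_SECRET=` does not say what an empty value means, although the README hunk in this same commit states that an unset secret makes webhooks accepted without signature validation; someone copying the sample to `.env` should see that consequence at the variable itself. Suggest `# Shared secret used to validate GitHub webhooks (X-Hub-Signature-256). Leave empty only for local development: an empty value disables signature verification.` The comment above `GITHUB_APP_KEY=` / `GITHUB_APP_KEY_PATH=` could likewise state that the `_PATH` form is preferred, since inlining the PEM puts the App's private key into the container environment; the `.gitignore` hunk already anticipates a key file (`solstice-ci-github-key.pem`).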


@ -1 +1,2 @@
.env .env
solstice-ci-github-key.pem


@ -163,6 +163,13 @@ Forge integration configuration
- To enable posting commit statuses back to Forgejo/Gitea, set FORGEJO_TOKEN and FORGEJO_BASE_URL in deploy/podman/.env. If they are not set, the service logs a warning (FORGEJO_* not set) and disables the job result consumer that reports statuses. - To enable posting commit statuses back to Forgejo/Gitea, set FORGEJO_TOKEN and FORGEJO_BASE_URL in deploy/podman/.env. If they are not set, the service logs a warning (FORGEJO_* not set) and disables the job result consumer that reports statuses.
- The compose file passes these variables to the container. After editing .env, run: podman compose up -d forge-integration - The compose file passes these variables to the container. After editing .env, run: podman compose up -d forge-integration
GitHub integration configuration
- Set GITHUB_WEBHOOK_SECRET in deploy/podman/.env to validate webhook signatures (X-Hub-Signature-256). If unset, webhooks are accepted without validation (dev mode).
- To enable check runs and workflow fetches, configure a GitHub App and set GITHUB_APP_ID plus either GITHUB_APP_KEY (PEM contents) or GITHUB_APP_KEY_PATH (path inside the container).
- Optional overrides: GITHUB_API_BASE for GitHub Enterprise and GITHUB_CHECK_NAME to customize the check run title.
- The compose file passes these variables to the container. After editing .env, run: podman compose up -d github-integration
Traefik ACME CA server note Traefik ACME CA server note
- If you see a warning about TRAEFIK_ACME_CASERVER being unset, it is harmless. The compose file now defaults this value to empty so Traefik uses the production Lets Encrypt endpoint. To test with staging, set TRAEFIK_ACME_CASERVER=https://acme-staging-v02.api.letsencrypt.org/directory in .env and redeploy Traefik. - If you see a warning about TRAEFIK_ACME_CASERVER being unset, it is harmless. The compose file now defaults this value to empty so Traefik uses the production Lets Encrypt endpoint. To test with staging, set TRAEFIK_ACME_CASERVER=https://acme-staging-v02.api.letsencrypt.org/directory in .env and redeploy Traefik.


@ -27,9 +27,11 @@ volumes:
services: services:
traefik: traefik:
image: docker.io/library/traefik:v3.1 image: docker.io/library/traefik:v3.6
container_name: traefik container_name: traefik
restart: unless-stopped restart: unless-stopped
environment:
DOCKER_API_VERSION: ${DOCKER_API_VERSION:-1.44}
command: command:
- --api.dashboard=true - --api.dashboard=true
- --providers.docker=true - --providers.docker=true
@ -314,8 +316,17 @@ services:
environment: environment:
RUST_LOG: info RUST_LOG: info
AMQP_URL: amqp://${RABBITMQ_DEFAULT_USER}:${RABBITMQ_DEFAULT_PASS}@rabbitmq:5672/solstice-${ENV} AMQP_URL: amqp://${RABBITMQ_DEFAULT_USER}:${RABBITMQ_DEFAULT_PASS}@rabbitmq:5672/solstice-${ENV}
# HTTP server for GitHub webhooks (skeleton service; implement handler later) # HTTP server for GitHub webhooks
HTTP_ADDR: 0.0.0.0:8082 HTTP_ADDR: 0.0.0.0:8082
WEBHOOK_PATH: /webhooks/github
GITHUB_WEBHOOK_SECRET: ${GITHUB_WEBHOOK_SECRET}
GITHUB_APP_ID: ${GITHUB_APP_ID}
GITHUB_APP_KEY_PATH: ${GITHUB_APP_KEY_PATH}
GITHUB_APP_KEY: ${GITHUB_APP_KEY}
GITHUB_API_BASE: ${GITHUB_API_BASE:-https://api.github.com}
GITHUB_CHECK_NAME: ${GITHUB_CHECK_NAME:-Solstice CI}
# URL where logs-service is exposed (used for check-run links)
LOGS_BASE_URL: https://logs.${ENV}.${DOMAIN}
depends_on: depends_on:
rabbitmq: rabbitmq:
condition: service_healthy condition: service_healthy
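Review bot: `GITHUB_WEBHOOK_SECRET: ${GITHUB_WEBHOOK_SECRET}` passes an empty string when the variable is missing from `.env`, and per the README hunk in this commit an empty secret makes the service accept webhooks without signature validation, so a deployment that forgets the variable silently runs unauthenticated. Suggest failing the deploy instead, `GITHUB_WEBHOOK_SECRET: ${GITHUB_WEBHOOK_SECRET:?GITHUB_WEBHOOK_SECRET must be set in .env}`; if the unvalidated dev mode is meant to be reachable from this compose file, say so in the comment on the `# HTTP server for GitHub webhooks` line. Separately, `GITHUB_APP_KEY: ${GITHUB_APP_KEY}` places the App's PEM private key into the container environment, where `podman inspect` and the process environment expose it; since `GITHUB_APP_KEY_PATH` exists, a read-only bind mount (or a compose `secrets:` entry) of the key file is the safer route, with the inline variable left out of compose. The `github-integration` service definition begins before this hunk.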