Update container build cache mounts, enhance Traefik and GitHub integration support

- Use `sharing=locked` for cargo build cache mounts across multiple Containerfiles to improve caching efficiency.
- Upgrade Traefik to version 3.6 and add support for `DOCKER_API_VERSION` for Podman compatibility.
- Extend `.env.sample` with GitHub integration variables and update `.gitignore` with new secrets.
- Document GitHub App configuration and webhook integration in Podman README.
- Update `github-integration` compose service with environment variables for webhook secret, app ID, key, and API base.

Signed-off-by: Till Wegmueller <toasterson@gmail.com>

deploy/images/forge-integration/Containerfile

@@ -12,9 +12,9 @@ RUN apt-get update \
 RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /cargo/config.toml
 COPY Cargo.toml ./
 COPY crates ./crates
-RUN --mount=type=cache,target=/cargo/registry \
+RUN --mount=type=cache,target=/cargo/registry,sharing=locked \
-    --mount=type=cache,target=/cargo/git \
+    --mount=type=cache,target=/cargo/git,sharing=locked \
-    --mount=type=cache,target=/cargo/target \
+    --mount=type=cache,target=/cargo/target,sharing=locked \
     cargo build --release -p forge-integration && cp /cargo/target/release/forge-integration /forge-integration
 
 FROM docker.io/library/debian:bookworm-slim

deploy/images/github-integration/Containerfile

@@ -12,9 +12,9 @@ RUN apt-get update \
 RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /cargo/config.toml
 COPY Cargo.toml ./
 COPY crates ./crates
-RUN --mount=type=cache,target=/cargo/registry \
+RUN --mount=type=cache,target=/cargo/registry,sharing=locked \
-    --mount=type=cache,target=/cargo/git \
+    --mount=type=cache,target=/cargo/git,sharing=locked \
-    --mount=type=cache,target=/cargo/target \
+    --mount=type=cache,target=/cargo/target,sharing=locked \
     cargo build --release -p github-integration && cp /cargo/target/release/github-integration /github-integration
 
 FROM docker.io/library/debian:bookworm-slim

deploy/images/logs-service/Containerfile

@@ -14,9 +14,9 @@ RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /car
 # Pre-copy manifests for better caching
 COPY Cargo.toml ./
 COPY crates ./crates
-RUN --mount=type=cache,target=/cargo/registry \
+RUN --mount=type=cache,target=/cargo/registry,sharing=locked \
-    --mount=type=cache,target=/cargo/git \
+    --mount=type=cache,target=/cargo/git,sharing=locked \
-    --mount=type=cache,target=/cargo/target \
+    --mount=type=cache,target=/cargo/target,sharing=locked \
     cargo build --release -p logs-service && cp /cargo/target/release/logs-service /logs-service
 
 FROM docker.io/library/debian:bookworm-slim

deploy/images/orchestrator/Containerfile

@@ -15,9 +15,9 @@ RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /car
 COPY Cargo.toml ./
 COPY crates ./crates
 # Build orchestrator only
-RUN --mount=type=cache,target=/cargo/registry \
+RUN --mount=type=cache,target=/cargo/registry,sharing=locked \
-    --mount=type=cache,target=/cargo/git \
+    --mount=type=cache,target=/cargo/git,sharing=locked \
-    --mount=type=cache,target=/cargo/target \
+    --mount=type=cache,target=/cargo/target,sharing=locked \
     cargo build --release -p orchestrator --features libvirt && cp /cargo/target/release/orchestrator /orchestrator
 
 FROM docker.io/library/debian:bookworm-slim

deploy/podman/.env.sample

@@ -37,6 +37,8 @@ TRAEFIK_DASHBOARD_AUTH=
 # to allow binding 80/443.
 TRAEFIK_HTTP_PORT=8080
 TRAEFIK_HTTPS_PORT=4443
+# Docker API version used by Traefik (Podman compatibility)
+DOCKER_API_VERSION=1.44
 
 # Orchestrator libvirt integration (Linux hosts)
 # URI to the system libvirt on the host; usually qemu:///system
@@ -68,4 +70,17 @@ WEBHOOK_SECRET=
 FORGEJO_TOKEN=
 # Optional: Forgejo API base URL (not secret, but commonly configured alongside the token)
 # Example: https://codeberg.org/api/v1
-FORGEJO_BASE_URL=
+FORGEJO_BASE_URL=
+
+# GitHub Integration secrets (set per deployment)
+# Shared secret used to validate GitHub webhooks (X-Hub-Signature-256)
+GITHUB_WEBHOOK_SECRET=
+# GitHub App ID (numeric)
+GITHUB_APP_ID=
+# GitHub App private key (PEM) or a filesystem path to the PEM
+GITHUB_APP_KEY=
+GITHUB_APP_KEY_PATH=
+# Optional: override GitHub API base (GitHub Enterprise)
+GITHUB_API_BASE=
+# Optional: custom check run display name
+GITHUB_CHECK_NAME=

deploy/podman/.gitignore

@@ -1 +1,2 @@
-.env
+.env
+solstice-ci-github-key.pem

deploy/podman/README.md

@@ -163,6 +163,13 @@ Forge integration configuration
 - To enable posting commit statuses back to Forgejo/Gitea, set FORGEJO_TOKEN and FORGEJO_BASE_URL in deploy/podman/.env. If they are not set, the service logs a warning (FORGEJO_* not set) and disables the job result consumer that reports statuses.
 - The compose file passes these variables to the container. After editing .env, run: podman compose up -d forge-integration
 
+GitHub integration configuration
+
+- Set GITHUB_WEBHOOK_SECRET in deploy/podman/.env to validate webhook signatures (X-Hub-Signature-256). If unset, webhooks are accepted without validation (dev mode).
+- To enable check runs and workflow fetches, configure a GitHub App and set GITHUB_APP_ID plus either GITHUB_APP_KEY (PEM contents) or GITHUB_APP_KEY_PATH (path inside the container).
+- Optional overrides: GITHUB_API_BASE for GitHub Enterprise and GITHUB_CHECK_NAME to customize the check run title.
+- The compose file passes these variables to the container. After editing .env, run: podman compose up -d github-integration
+
 Traefik ACME CA server note
 
-- If you see a warning about TRAEFIK_ACME_CASERVER being unset, it is harmless. The compose file now defaults this value to empty so Traefik uses the production Let’s Encrypt endpoint. To test with staging, set TRAEFIK_ACME_CASERVER=https://acme-staging-v02.api.letsencrypt.org/directory in .env and redeploy Traefik.
+- If you see a warning about TRAEFIK_ACME_CASERVER being unset, it is harmless. The compose file now defaults this value to empty so Traefik uses the production Let’s Encrypt endpoint. To test with staging, set TRAEFIK_ACME_CASERVER=https://acme-staging-v02.api.letsencrypt.org/directory in .env and redeploy Traefik.

deploy/podman/compose.yml

@@ -27,9 +27,11 @@ volumes:
 
 services:
   traefik:
-    image: docker.io/library/traefik:v3.1
+    image: docker.io/library/traefik:v3.6
     container_name: traefik
     restart: unless-stopped
+    environment:
+      DOCKER_API_VERSION: ${DOCKER_API_VERSION:-1.44}
     command:
       - --api.dashboard=true
       - --providers.docker=true
@@ -314,8 +316,17 @@ services:
     environment:
       RUST_LOG: info
       AMQP_URL: amqp://${RABBITMQ_DEFAULT_USER}:${RABBITMQ_DEFAULT_PASS}@rabbitmq:5672/solstice-${ENV}
-      # HTTP server for GitHub webhooks (skeleton service; implement handler later)
+      # HTTP server for GitHub webhooks
       HTTP_ADDR: 0.0.0.0:8082
+      WEBHOOK_PATH: /webhooks/github
+      GITHUB_WEBHOOK_SECRET: ${GITHUB_WEBHOOK_SECRET}
+      GITHUB_APP_ID: ${GITHUB_APP_ID}
+      GITHUB_APP_KEY_PATH: ${GITHUB_APP_KEY_PATH}
+      GITHUB_APP_KEY: ${GITHUB_APP_KEY}
+      GITHUB_API_BASE: ${GITHUB_API_BASE:-https://api.github.com}
+      GITHUB_CHECK_NAME: ${GITHUB_CHECK_NAME:-Solstice CI}
+      # URL where logs-service is exposed (used for check-run links)
+      LOGS_BASE_URL: https://logs.${ENV}.${DOMAIN}
     depends_on:
       rabbitmq:
         condition: service_healthy