Batch 1 of the chart-vs-project split. The project now ships a
hardened runtime image as part of every zddc-server release; downstream
deployments (e.g. the Burns & McDonnell Helm chart) will FROM this
image instead of cloning and building from source.
zddc/Containerfile (target: server)
- Tag the runtime stage `server` so `podman build --target server`
is unambiguous (the existing `binaries` target still works).
- Bake the bundled landing + archive tool HTML at /opt/zddc-server/web.
Useful for self-contained demos (`ZDDC_ROOT=/opt/zddc-server/web`)
and as a fallback web root when no external mount is supplied.
- Set fixed UID/GID 1000 for the non-root zddc user so volume
permissions are predictable across hosts.
- Add ENV ZDDC_ROOT=/srv default so a `podman run -v data:/srv` works
with no further config; explicit ZDDC_ROOT overrides.
- Declare VOLUME /srv to make the data-mount expectation explicit.
- Add OCI image labels (title, description, source, documentation,
license, vendor).
- Install ca-certificates so any future outbound HTTPS works.
- Add a HEALTHCHECK for `docker run` users (Kubernetes overrides).
build.sh
- Make the cross-platform podman binary build conditional on `podman`
being present. CI doesn't need it (the runtime container image's
own builder stage produces linux/amd64 internally), but having
build.sh sh-only-runnable means CI doesn't have to do nested
containers just to assemble dist/web.
- Reorder so `zddc/dist/web/` is assembled before the binary build
(allows the binary build to be skipped without breaking the bundle).
.woodpecker.yml (new)
- Triggers on tag push matching `zddc-server-v*`.
- Step 1 (alpine + sh): runs `sh build.sh` to assemble dist/web,
computes the image tag (`${TAG#zddc-server-v}` plus `latest`).
- Step 2 (docker-buildx plugin): builds and publishes
codeberg.org/varasys/zddc-server:{X.Y.Z, latest}. Auth via the
codeberg_user / codeberg_token Woodpecker secrets — these need
one-time setup in repo Settings; documented in zddc/README.md.
zddc/README.md
- New "Container image" section: pull URL, image properties (alpine,
non-root UID 1000, EXPOSE 8443, VOLUME /srv, baked web bundle),
example `podman run` invocation.
- New "Env-var contract (for chart consumers)" table: the variables
Helm charts and Compose files should set explicitly when running
behind a TLS-terminating reverse proxy with SSO. This is the
documented interface between project and downstream charts.
- "Release Tagging" section now points at .woodpecker.yml and lists
the two Woodpecker secrets that must be configured.
Validated locally:
podman build --target server -t zddc-server-test .
podman run -e ZDDC_ROOT=/opt/zddc-server/web -e ZDDC_TLS_CERT=none \
-e ZDDC_INSECURE_DIRECT=1 -e ZDDC_ADDR=:8080 \
-p 18080:8080 zddc-server-test
curl http://localhost:18080/ → HTTP 200, bundled landing tool.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
54 lines, 2 KiB, YAML
# Woodpecker CI for ZDDC.
#
# This pipeline only runs on `zddc-server-v*` tag pushes — it builds the
# zddc-server runtime container image and publishes it to Codeberg's
# container registry. Other tags (archive-v*, transmittal-v*, etc.) and
# regular pushes are ignored here; the HTML tool releases happen by
# pushing static files to the website (no image involved).
#
# To enable: in Codeberg → repo Settings → Woodpecker → set the secrets
#   codeberg_user  = your Codeberg username (e.g. VARASYS)
#   codeberg_token = a personal token with package:write scope
# Generate the token at https://codeberg.org/user/settings/applications.
#
# After setup, cut a release with:
#   git tag zddc-server-v0.0.1
#   git push --tags
# and the pipeline will publish:
#   codeberg.org/varasys/zddc-server:0.0.1
#   codeberg.org/varasys/zddc-server:latest

when:
  - event: tag
    ref: refs/tags/zddc-server-v*

steps:
  prepare-bundle:
    image: docker.io/alpine:3.20
    commands:
      # build.sh assembles zddc/dist/web/ from landing and archive
      # built outputs (which are committed force-tracked dist files).
      # Falls back gracefully when podman isn't present — we don't
      # need the cross-compiled binaries here, the runtime container
      # builds its own linux/amd64 binary internally.
      - sh build.sh
      # Image tag = the bare semver after the "zddc-server-v" prefix.
      # Plus a "latest" tag for convenience.
      - VERSION="${CI_COMMIT_TAG#zddc-server-v}"
      - printf '%s\nlatest\n' "$VERSION" > .image-tags
      - echo "Will tag image with: $(tr '\n' ' ' < .image-tags)"

  publish-image:
    image: woodpeckerci/plugin-docker-buildx
    settings:
      registry: codeberg.org
      repo: codeberg.org/varasys/zddc-server
      dockerfile: zddc/Containerfile
      context: zddc
      target: server
      tags_file: .image-tags
      auto_tag: false
      username:
        from_secret: codeberg_user
      password:
        from_secret: codeberg_token
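Two things a practitioner would want to check around this pipeline: the prepare-bundle step publishes whatever follows the `zddc-server-v` prefix (the `when:` filter also matches `zddc-server-v` alone or a pre-release suffix, which would write an empty tag or move `latest` to a pre-release), and the image properties the commit lists (non-root UID 1000, EXPOSE 8443, VOLUME /srv, ZDDC_ROOT=/srv, OCI labels) are only exercised by a manual curl. The shell script below is an added example, not code from the zddc repository: `image_tags_for` re-implements the tag computation with validation, and `verify_image` checks a locally built image against the documented contract through `podman image inspect` Go templates. Assumptions, not stated on the page: the Containerfile's USER is written as `zddc`, `1000` or `1000:1000`; `org.opencontainers.image.source` is one of the OCI labels; the `VERIFY_IMAGE` variable and the sample default for `CI_COMMIT_TAG` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the zddc repository. Two release-gate checks
# for the pipeline and image described above:
#   image_tags_for - the tag derivation from prepare-bundle, plus the
#                    validation the pipeline itself does not do
#   verify_image   - checks a built image against the documented contract
#                    (non-root uid 1000, EXPOSE 8443, VOLUME /srv,
#                    ZDDC_ROOT=/srv, OCI source label) via podman inspect
set -eu

# image_tags_for TAG
# Prints the tags to publish, one per line: the bare X.Y.Z after the
# zddc-server-v prefix, then "latest" (the same two lines the pipeline
# writes to .image-tags). Returns 1 and prints nothing unless the version
# is a plain X.Y.Z, so zddc-server-v (empty tag) and zddc-server-v1.2.3-rc1
# ("latest" moved to a pre-release) are refused.
image_tags_for() {
    rel=$1
    case $rel in
        zddc-server-v*) ;;
        *) return 1 ;;
    esac
    version=${rel#zddc-server-v}
    case $version in
        *[!0-9.]*|*.*.*.*) return 1 ;;  # non-digit chars, or 4+ components
        [0-9]*.[0-9]*.[0-9]*) ;;        # exactly X.Y.Z, no empty component
        *) return 1 ;;
    esac
    printf '%s\nlatest\n' "$version"
}

# inspect_field IMAGE TEMPLATE
# Runs podman image inspect with a Go template; the templates passed in
# below are the only podman-specific part of this file.
inspect_field() {
    podman image inspect --format "$2" "$1"
}

# verify_image IMAGE
# Prints one FAIL line per violated property and returns 1 if any failed.
# Needs podman and a locally built image, e.g. the zddc-server-test image
# from the commit's validation steps. Assumption: USER in the Containerfile
# is written as zddc, 1000 or 1000:1000 (inspect returns the literal string).
verify_image() {
    img=$1
    rc=0
    user=$(inspect_field "$img" '{{.Config.User}}')
    case $user in
        zddc|zddc:zddc|1000|1000:1000) ;;
        *) echo "FAIL: USER is '${user:-<unset, i.e. root>}', expected the uid-1000 zddc user"; rc=1 ;;
    esac
    inspect_field "$img" '{{range $k, $v := .Config.ExposedPorts}}{{println $k}}{{end}}' \
        | grep -qx '8443/tcp' || { echo "FAIL: 8443/tcp not exposed"; rc=1; }
    inspect_field "$img" '{{range $k, $v := .Config.Volumes}}{{println $k}}{{end}}' \
        | grep -qx '/srv' || { echo "FAIL: VOLUME /srv not declared"; rc=1; }
    inspect_field "$img" '{{range .Config.Env}}{{println .}}{{end}}' \
        | grep -qx 'ZDDC_ROOT=/srv' || { echo "FAIL: ZDDC_ROOT=/srv default missing"; rc=1; }
    src=$(inspect_field "$img" '{{index .Config.Labels "org.opencontainers.image.source"}}')
    [ -n "$src" ] || { echo "FAIL: org.opencontainers.image.source label missing"; rc=1; }
    return $rc
}

# Stand-alone run: derive tags for CI_COMMIT_TAG (a sample tag when unset,
# an assumption of this example) and verify an image only when VERIFY_IMAGE
# names one, so the script runs without podman.
release=${CI_COMMIT_TAG:-zddc-server-v0.0.1}
if tags=$(image_tags_for "$release"); then
    printf 'tags for %s: %s\n' "$release" "$(printf '%s' "$tags" | tr '\n' ' ')"
else
    echo "refusing to publish: '$release' is not zddc-server-vX.Y.Z" >&2
    exit 1
fi
if [ -n "${VERIFY_IMAGE:-}" ]; then
    verify_image "$VERIFY_IMAGE"
fi
```

Dropped into the pipeline, the validation belongs in prepare-bundle before the `printf ... > .image-tags` line, since publish-image pushes every line of that file as a tag without further checks; `verify_image` is a local pre-tag check to run against `zddc-server-test` after the `podman build --target server` from the commit message.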