# CI / CD Pipeline

Source of truth: `.woodpecker/build-arm.yml`.

## Engine

Woodpecker CI. No GitHub Actions / GitLab CI / Azure Pipelines configured in this repo — `.github/workflows/` is absent (`00_discovery.md`). Suite-wide CI may layer on top of this; that lives outside the workspace.

## Trigger

```yaml
when:
  event: [push, manual]
  branch: [dev, stage, main]
```

- Builds run on push to **`dev`**, **`stage`**, or **`main`**, plus manual triggers.
- Other branches do **not** build images.

## Runner constraint

```yaml
labels:
  platform: arm64
```

Pipeline pins to ARM64 runners. The Dockerfile is multi-arch capable but this pipeline only builds `arm64`.

## Steps (single step `build-push`)

1. Login to private registry using secrets `registry_host`, `registry_user`, `registry_token`.
2. Compute `TAG=${CI_COMMIT_BRANCH}-arm` and `BUILD_DATE` (`date -u +%Y-%m-%dT%H:%M:%SZ`).
3. `docker build -f src/Dockerfile` with build args + OCI labels:
   - `--build-arg CI_COMMIT_SHA=$CI_COMMIT_SHA`
   - `--label org.opencontainers.image.revision=$CI_COMMIT_SHA`
   - `--label org.opencontainers.image.created=$BUILD_DATE`
   - `--label org.opencontainers.image.source=$CI_REPO_URL`
   - tag: `$REGISTRY_HOST/azaion/annotations:$TAG`
4. `docker push` of that tag.
5. Mounts `/var/run/docker.sock` into the build container (Docker-out-of-Docker pattern).

## Image tagging

Per branch:

| Branch | Image tag |
|--------|-----------|
| `dev` | `dev-arm` |
| `stage` | `stage-arm` |
| `main` | `main-arm` |

Tags are **mutable** — every push to a branch overwrites the prior image at that tag. No immutable revision-tagged images are produced today (`main-arm-${SHA}` is not pushed). Adding immutable tags would simplify rollback and trace-back from a running image to a commit.
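
The shell example below is added here and is not part of `.woodpecker/build-arm.yml`. It derives the mutable branch tag alongside an immutable `<branch>-arm-<SHA>` tag and prints the build and push commands as a dry run. The function names, the `registry.example.test` host, the build context `.` and the sample SHA are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from .woodpecker/build-arm.yml).

# Print the mutable tag "<branch>-arm" and the immutable tag
# "<branch>-arm-<sha>", one per line. Branches outside the pipeline's trigger
# list and anything that is not a full 40-character lowercase hex SHA are
# rejected, so an unexpected value never reaches an image reference.
image_tags() {
    branch=$1
    sha=$2
    case "$branch" in
        dev|stage|main) ;;
        *) echo "unsupported branch: $branch" >&2; return 1 ;;
    esac
    case "$sha" in
        ""|*[!0123456789abcdef]*) echo "invalid commit sha" >&2; return 1 ;;
    esac
    [ "${#sha}" -eq 40 ] || { echo "invalid commit sha length" >&2; return 1; }
    printf '%s-arm\n%s-arm-%s\n' "$branch" "$branch" "$sha"
}

# Dry run: print the docker commands that build once and push both tags.
# Assumptions: build context "." and the registry host passed as $1 (in the
# pipeline it would come from the registry_host secret). Build args and OCI
# labels from the real step are omitted here for brevity.
plan_push() {
    registry=$1
    tags=$(image_tags "$2" "$3") || return 1
    repo="$registry/azaion/annotations"
    build="docker build -f src/Dockerfile"
    for t in $tags; do build="$build -t $repo:$t"; done
    echo "$build ."
    for t in $tags; do echo "docker push $repo:$t"; done
}

# Constructed sample values: placeholder registry host and a made-up SHA.
plan_push registry.example.test main 0123456789abcdef0123456789abcdef01234567
```

Building once and pushing both tags keeps `main-arm` as the moving pointer while the SHA-suffixed tag stays fixed to one commit.
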

## Secrets

| Secret | Purpose |
|--------|---------|
| `registry_host` | Registry hostname (also used in pushed image FQN) |
| `registry_user` | Registry login user |
| `registry_token` | Registry login token (used via `--password-stdin`) |

Secrets are referenced via `from_secret:` and never echoed.

## What CI does NOT do today

- No tests run (no test project exists in repo per `00_discovery.md`).
- No linters / format checks (`dotnet format`).
- No `amd64` image.
- No scan (Trivy / Grype) on the produced image.
- No automated rollback on failed deploy (deploy itself is out of pipeline scope).

These are gaps to track when the test project is added in autodev Phase A Step 6.