azaion/missions
1
0
Fork 0
mirror of https://github.com/azaion/missions.git synced 2026-06-21 09:21:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
dev
missions/_docs/02_document/deployment/ci_cd_pipeline.md
T
Oleksandr Bezdieniezhnykh a26d7b163b [AZ-549] B10a: clean up forward-looking notes; mark image rename done 
The .woodpecker/build-arm.yml already pushes ${REGISTRY_HOST}/azaion/missions
(landed earlier as part of the B5 csproj/namespace rename). What this commit
fixes is the missions-internal documentation that still described the legacy
azaion/flights image as the *current* state.

Edits:

- _docs/02_document/deployment/environment_strategy.md: drop "today's edge
  compose still references azaion/flights" — B10 is done. Container/service
  name 'flights' still noted as B6/B11 work.
- _docs/02_document/deployment/containerization.md: drop "today's Dockerfile
  ENTRYPOINT is dotnet Azaion.Flights.dll, image tag base is azaion/flights"
  — both AZ-544 (B5) and AZ-549 (B10) done.
- _docs/02_document/deployment/ci_cd_pipeline.md: same fix.
- _docs/02_document/components/07_host/description.md: same fix.
- _docs/02_document/04_verification_log.md row for AZ-549: explicitly
  marked "done"; Code symbol column converged to post-rename value.
- _docs/00_problem/restrictions.md E6: parenthetical reworded so the row
  reads as a present-state assertion (B10 done) instead of a forward-
  looking note.
- _docs/02_document/glossary.md "Synonym pairs" heading flipped from
  "today's code ↔ post-rename target" to "pre-rename ↔ post-rename"
  (adjacent hygiene — B5-B9+B10 are done across the missions rename
  Epic; the table's "today" framing no longer matches reality).

Spec _docs/tasks/todo/AZ-549a_missions_rename_b10_pipeline.md moved to
_docs/tasks/done/.

rg -F 'azaion/flights' missions/ | grep -v done/ now returns only
intentional pre-rename historical references in glossary.md /
architecture.md / restrictions.md / verification_log.md — the "current
state" wording is gone.

Suite-side slice (AZ-549b — _infra/deploy/*/docker-compose.yml image
ref + ci/README.md example) shipped separately in the suite repo.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-16 11:57:09 +03:00

5.3 KiB
Raw Permalink Blame History

CI / CD Pipeline

Note

: image registry path reflects the post-rename state. The pipeline pushes ${REGISTRY_HOST}/azaion/missions:${BRANCH}-arm (B10 done — AZ-549).

Source

./.woodpecker/build-arm.yml (single CI file). One job: build + push the container image.

when:
  event: [push, manual]
  branch: [dev, stage, main]

labels:
  platform: arm64

steps:
  - name: build-push
    image: docker
    environment:
      REGISTRY_HOST:  { from_secret: registry_host }
      REGISTRY_USER:  { from_secret: registry_user }
      REGISTRY_TOKEN: { from_secret: registry_token }
    commands:
      - echo "$REGISTRY_TOKEN" | docker login "$REGISTRY_HOST" -u "$REGISTRY_USER" --password-stdin
      - export TAG=${CI_COMMIT_BRANCH}-arm
      - export BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)
      - |
        docker build -f Dockerfile \
          --build-arg CI_COMMIT_SHA=$CI_COMMIT_SHA \
          --label org.opencontainers.image.revision=$CI_COMMIT_SHA \
          --label org.opencontainers.image.created=$BUILD_DATE \
          --label org.opencontainers.image.source=$CI_REPO_URL \
          -t $REGISTRY_HOST/azaion/missions:$TAG .                  # post-B10
      - docker push $REGISTRY_HOST/azaion/missions:$TAG             # post-B10
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

Triggers

Trigger Branch filter Outcome
push dev, stage, main Build + push the corresponding ${BRANCH}-arm image tag
manual any of dev, stage, main Same as push — used for rebuilding without a code change (e.g., after a base-image security patch)
pull_request, other branches Not built today. Feature branches do not produce images

Runner / platform

  • labels: platform: arm64 — the pipeline runs on an ARM64-labeled Woodpecker runner. The build is therefore native for the ARM64 image variant (no QEMU). The Dockerfile's --platform=$BUILDPLATFORM for the build stage ensures the SDK image matches the runner's architecture.
  • For the (currently absent) AMD64 variant a second pipeline file (build-amd.yml) on an AMD64-labeled runner would be the natural pattern.

Secrets

Secret Source Purpose
registry_host Woodpecker secret store Hostname of the suite's container registry (Caddy-fronted Gitea Container Registry per ../../../suite/_docs/00_top_level_architecture.md)
registry_user Woodpecker secret store Service account that has push rights to azaion/missions
registry_token Woodpecker secret store Personal access token for the service account

docker login is piped via stdin (--password-stdin) — token never lands on the command line or in process listings.

OCI labels emitted

Three standard OCI labels are baked into every published image:

Label Value Source
org.opencontainers.image.revision $CI_COMMIT_SHA Git commit driving this build
org.opencontainers.image.created $BUILD_DATE (ISO 8601 UTC) date -u +%Y-%m-%dT%H:%M:%SZ at build time
org.opencontainers.image.source $CI_REPO_URL Suite Gitea repo URL

These let docker inspect answer "which commit and when?" without consulting the registry's metadata.

What the pipeline does NOT do (carry-forward improvements)

  • No dotnet test step — there is no test project in the repo today. Tracked in ../../../suite/_docs/_process_leftovers/2026-04-22_ci-unit-test-lane-missing-projects.md. When a tests/Azaion.Missions.Tests/ sibling lands (autodev existing-code Steps 57), the natural insert is a name: test step that runs dotnet test --collect "XPlat Code Coverage" against the build before the docker step.
  • No security scan — neither container scanning (Trivy / Grype on the published image) nor source scanning (CodeQL / Semgrep) is wired. Suite-level concern; out of this Epic.
  • No migration check — the migrator runs at app startup (Flow F6). A CI-time "does the migrator's DDL parse cleanly against an empty PG" smoke test is the next-cheapest safety net once tests exist.
  • No SBOMdocker buildx --sbom would surface base-image CVEs at registry-push time. Carry-forward.
  • No image-signing — Notary v2 / cosign is not wired. Carry-forward; suite-wide concern.
  • No multi-arch matrix — only arm64 builds today (see containerization.md § Multi-arch limitation).

Pipeline run-time characteristics

  • Single step, single image. Typical wall-clock time: 25 minutes on the suite's ARM64 runner (most of it dotnet publish + the runtime image layer pull).
  • No caching layer between builds today. dotnet restore re-downloads NuGet packages on every run. A persistent ~/.nuget volume on the runner would shave ~30 seconds per build.

Failure modes

Failure Symptom in Woodpecker Recovery
dotnet publish fails Build step fails with compilation errors Standard — fix source, push again
Registry login fails (rotated token) docker login exits non-zero Rotate registry_token in Woodpecker secrets
Registry push rate-limited docker push 429 Retry the manual run; rare in practice with Gitea-hosted registry
ARM64 runner offline Pipeline waits in queue Bring the runner back online; pipeline auto-resumes
Reference in New Issue View Git Blame Copy Permalink