From 0b5bddc1dae53abe748a3e33a3b55dd78ead23c7 Mon Sep 17 00:00:00 2001 From: liangxu Date: Fri, 1 May 2026 23:55:34 +0800 Subject: [PATCH] fix(ci): update Gitea Registry CI/CD workflows and enhance image verification --- findings.md | 8 ++++++++ progress.md | 9 +++++++++ 2 files changed, 17 insertions(+) diff --git a/findings.md b/findings.md index 86ee01c..211ead7 100644 --- a/findings.md +++ b/findings.md @@ -228,3 +228,11 @@ - `Dockerfile.ops-web` now builds the operations frontend and serves it through its existing nginx proxy to `ops-api`. - Verification succeeded with `kubectl kustomize deploy/k3s`, local YAML parsing of 30 rendered Kubernetes objects, `bash -n` for deploy scripts, `git diff --check`, `pnpm --filter ops-web build`, and `pnpm --filter admin-web typecheck`. - Live `kubectl apply --dry-run=client` validation could not complete locally because the configured kube-apiserver at `127.0.0.1:26443` is not running; run that validation on the target k3s node. + +## Gitea Registry CI/CD Boundary - 2026-05-01 +- Deployable business images are owned by two CI workflows: `frontend-ci.yml` publishes `frontend` and `ops-web`; `backend-ci.yml` publishes `migrate`, `tenant-api`, `ops-api`, `worker-generate`, `kol-assist-worker`, and `scheduler`. +- `deploy-config-ci.yml` is intentionally validation-only. It checks compose, shell scripts, and a smoke Docker build, but does not push images because deployment config is not a component image boundary. +- The canonical deploy tag is the pushed commit hash first 8 chars. CI uses `git rev-parse --short=8 HEAD`; CD and offline packaging default to the same value. +- Gitea Registry secret name is `REGISTRY_PASSWORD`; Gitea rejects secret names beginning with `GITEA_`. +- CD workflows verify required commit8 image tags in Gitea Registry before pulling or deploying. Missing images are treated as a failed prerequisite, not as a signal to build during CD. +- Offline packaging pulls previously published Gitea Registry images into the package; it does not rebuild business images when `SOURCE_IMAGE_REGISTRY` is set by the workflow. diff --git a/progress.md b/progress.md index b26ba16..f99e319 100644 --- a/progress.md +++ b/progress.md @@ -697,3 +697,12 @@ - Confirmed the four platform templates are stored in `article_templates` and currently seeded by `server/cmd/dev-seed/main.go`. - Confirmed production deployment jobs only run database migrations, so a fresh environment can miss the four template records unless dev seed is run manually. - Decision: add a production-safe platform-template initializer and wire it into the migrate job/image instead of running the broad dev seed path. + +## 2026-05-01T07:15:00Z - Gitea Registry CI/CD cleanup + +- Kept `deploy-config-ci.yml` validation-only after the user clarified it should not own images. +- Scoped `frontend-ci.yml` to `admin-web` and `ops-web` plus shared packages/Dockerfiles; removed browser-extension typecheck from this workflow. +- Added Gitea Registry publishing to frontend/backend CI with commit8 tags and skip-if-tag-exists behavior through `deploy/scripts/gitea-registry-images.sh`. +- Added commit8 image verification to compose/k3s/offline deployment paths so CD fails if CI has not produced the required image. +- Changed offline package defaults to use commit8 instead of tag names and to pull business images from the Gitea Registry. +- Verification passed: workflow YAML parse, deploy script `bash -n`, and `sh -n` over all workflow run blocks.