Ci/build dockerfiles #8
muk2 wants to merge 14 commits into
Adds .forgejo/workflows/build-containers.yml — on every pull_request that
touches a Dockerfile, the matching image is rebuilt to confirm it still
assembles. Stays cheap by:
- Path-filtering so README / docs / shell-alias PRs skip CI entirely
- Diffing against the merge target and only building the Dockerfiles that
actually changed (matrix with fail-fast: false, max-parallel: 3)
- Excluding Dockerfile.all from automatic runs (8-10 GB image); reachable
via workflow_dispatch + build_all=true when full coverage is needed
- Reclaiming ~10 GB on the runner before each build (dotnet/android/ghc)
- GitHub Actions cache (cache-from / cache-to) for Buildx layers
- Smoke test: `docker run --entrypoint /bin/true` confirms the image is
well-formed without launching claude/opencode
A `build-result` aggregate job is added so branch protection can require
a single check ("All builds succeeded") regardless of matrix size.
README documents the workflow under a new "Continuous Integration" section.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
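The change-detection, jq-free matrix emission and aggregate-result logic that the commit messages on this PR describe, written out as an added POSIX sh example. This is not the workflow code from the PR; it assumes the Dockerfiles sit at the repository root and are named `Dockerfile` or `Dockerfile.<variant>`, that `Dockerfile.all` is the 8-10 GB image gated behind `BUILD_ALL=true`, and it substitutes a constructed list of changed paths for the `git diff --name-only` against `GITHUB_BASE_REF` that the real detect job would run. It also covers the later fix where a non-success `detect` result must fail the aggregate check even when `should_build` is empty.

```shell
#!/bin/sh
# Added example, not the PR's own .forgejo/workflows code.
# Assumptions: root-level Dockerfile / Dockerfile.<variant>; Dockerfile.all
# is excluded unless BUILD_ALL=true; no jq available on the runner.

# select_dockerfiles BUILD_ALL   (changed paths on stdin, one per line)
# Prints the Dockerfiles that need a rebuild, sorted and de-duplicated.
select_dockerfiles() {
  build_all="${1:-false}"
  grep -E '^Dockerfile(\.[A-Za-z0-9_-]+)?$' | while IFS= read -r f; do
    if [ "$f" = "Dockerfile.all" ] && [ "$build_all" != "true" ]; then
      continue            # too large for automatic runs; workflow_dispatch only
    fi
    printf '%s\n' "$f"
  done | sort -u
}

# to_matrix_json   (Dockerfile names on stdin)
# Emits an Actions matrix object in plain shell, so jq is not required.
to_matrix_json() {
  first=true
  printf '{"include":['
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    if [ "$first" = true ]; then first=false; else printf ','; fi
    printf '{"dockerfile":"%s"}' "$f"
  done
  printf ']}\n'
}

# build_result DETECT_RESULT SHOULD_BUILD BUILD_RESULT
# Mirrors the aggregate job: a failed detect can never yield a green check,
# and an empty matrix passes only when detect itself succeeded.
build_result() {
  detect="$1"; should_build="$2"; build="$3"
  if [ "$detect" != "success" ]; then
    echo "FAIL: detect job ended with '$detect'"; return 1
  fi
  if [ "$should_build" != "true" ]; then
    echo "PASS: nothing to build"; return 0
  fi
  if [ "$build" = "success" ]; then
    echo "PASS: all builds succeeded"; return 0
  fi
  echo "FAIL: build matrix ended with '$build'"; return 1
}

# Constructed changed-path list standing in for:
#   git diff --name-only "origin/${GITHUB_BASE_REF}...HEAD"
changed='README.md
Dockerfile.oc-python
Dockerfile.all
Dockerfile.oc-go
scripts/aliases.sh'

selected=$(printf '%s\n' "$changed" | select_dockerfiles "${BUILD_ALL:-false}")
if [ -n "$selected" ]; then should_build=true; else should_build=false; fi
echo "should_build=$should_build"
printf '%s\n' "$selected" | to_matrix_json
build_result success "$should_build" success
```

In a workflow step the two `echo`/`printf` results would be written to `$GITHUB_OUTPUT` as `should_build` and `matrix`; the point of `build_result` is that `detect` failing (or being skipped) is checked before `should_build` is consulted, which is the ordering the earlier run got wrong.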
Previous run failed because the Forgejo runner couldn't pull marketplace actions (actions/checkout@v4, docker/setup-buildx-action@v3, docker/build-push-action@v6) — detect died in 5s, the build matrix never ran, and build-result reported success because empty should_build was treated as "nothing to build" instead of "detect blew up". This commit:
- Replaces every marketplace action with plain `git clone` and `docker build`. Forgejo Actions runners typically ship git + docker in the runner image (gitea/runner-images:ubuntu-latest), so no external download is required.
- Adds an explicit `Show runner environment` step at the top of detect so the next failure (if any) is diagnosable from the log.
- Fixes the aggregate `build-result`: detect.result != success now fails the check, so "X on green" cannot happen again.
- Uses GITHUB_SERVER_URL / GITHUB_REPOSITORY / GITHUB_SHA / GITHUB_BASE_REF instead of expression literals where possible, so the script is portable across Forgejo and GitHub Actions.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
We can't read Forgejo Actions logs via the API on this instance, so the workflow posts its environment + tool inventory back as a PR comment. Lets us figure out what the runner actually provides without log access. Deleted once build-containers.yml is green.
Diagnostic dump from .forgejo/workflows/diagnose.yml revealed the configured act_runner image is node:20-bookworm-slim with:
- docker: MISSING
- buildx: MISSING
- jq: MISSING
- disk: 1.4 GB free (would OOM on any Dockerfile.* > 500 MB anyway)
A real `docker build` is impossible without reconfiguring the runner. This commit switches the workflow to hadolint (static Dockerfile linter) which catches:
- syntax errors and broken RUN chains
- missing version pins and known anti-patterns
- unset USER/WORKDIR, shell pitfalls
README now documents what's needed to upgrade to real builds: mount /var/run/docker.sock from host into runner job container, or switch runner image to one with docker-in-docker. The matrix-detection logic no longer needs jq (uses plain shell).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
hadolint 2.12 can't parse Dockerfiles using multi-line heredocs in RUN
(opencode Dockerfiles do this for the OpenCode JSON config). The two
oc-python and oc-go Dockerfiles parse and build fine with docker, but
hadolint emits 'unexpected { expecting ...' and fails CI.
Workaround: detect that specific parser-failure signature in hadolint's
output and downgrade it to a SKIP with warning. Real rule violations at
error severity continue to fail the job.
Tracks hadolint upstream: github.com/hadolint/hadolint/issues/784
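The hadolint wrapper described in the commit above, as an added sh example rather than the PR's own workflow step. It assumes the parser-failure signature is the words "unexpected" followed by "expecting" anywhere in hadolint's output, that hadolint is invoked with its real `--failure-threshold error` option so only error-severity rules make it exit non-zero, and the sample outputs it classifies are constructed, not captured from a run.

```shell
#!/bin/sh
# Added example, not the PR's own code. Downgrades a hadolint parser failure
# (RUN heredocs, hadolint#784) to SKIP while real error-severity findings FAIL.
# Assumption: parse failures print "unexpected ... expecting ..."; findings
# print "<file>:<line> DLxxxx <severity>: <message>".

# classify_hadolint OUTPUT EXIT_CODE   -> prints PASS, SKIP or FAIL
classify_hadolint() {
  out="$1"; rc="$2"
  if [ "$rc" -eq 0 ]; then
    echo PASS; return 0
  fi
  # Flatten so the signature matches even when hadolint wraps it over two lines.
  flat=$(printf '%s' "$out" | tr '\n' ' ')
  case "$flat" in
    *unexpected*expecting*) echo SKIP; return 0 ;;
  esac
  echo FAIL              # non-zero exit without the parse signature: real rule hit
}

# lint_dockerfile FILE   -> exit status 1 only for FAIL; SKIP emits a warning
lint_dockerfile() {
  file="$1"
  out=$(hadolint --failure-threshold error "$file" 2>&1); rc=$?
  verdict=$(classify_hadolint "$out" "$rc")
  case "$verdict" in
    PASS) echo "PASS $file" ;;
    SKIP) echo "::warning file=$file::hadolint could not parse this Dockerfile (RUN heredoc?); skipped"
          echo "SKIP $file" ;;
    FAIL) printf '%s\n' "$out"; echo "FAIL $file"; return 1 ;;
  esac
}

# Constructed hadolint outputs used to show the three verdicts.
heredoc_err="Dockerfile.oc-python:14:5 unexpected '{' expecting RUN, ..."
rule_err="Dockerfile.oc-go:3 DL3008 error: Pin versions in apt get install."
echo "heredoc parse failure -> $(classify_hadolint "$heredoc_err" 1)"
echo "DL3008 at error       -> $(classify_hadolint "$rule_err" 1)"
echo "clean Dockerfile      -> $(classify_hadolint "" 0)"

# Usage in a matrix job: lint_dockerfile "$DOCKERFILE" || status=1
status=0
for f in "$@"; do lint_dockerfile "$f" || status=1; done
```

Keying the downgrade on the full "unexpected ... expecting" pair rather than on "unexpected" alone matters: a rule message that merely contains the word "unexpected" still fails the job, so the workaround only swallows the parser failure it was written for.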
diagnose.yml was a temporary self-reporting workflow used to discover what tools were actually available on the act_runner. Findings have been baked into build-containers.yml (hadolint instead of docker build, log publishing to ci-debug for visibility), so this scaffolding can go. The ci-debug branch is retained as a side-channel for future lint failures since act_runner's log endpoint is not exposed via the Forgejo API. The CI_DEBUG_TOKEN secret stays for the log publisher to authenticate; rotate or delete via repo Settings -> Actions -> Secrets if you no longer want this.
Replaces hadolint-only linting on Forgejo with real docker build verification on GitHub Actions. Matrix strategy builds only changed Dockerfiles on PR, all images on push to main.