
Ci/build dockerfiles #8

Open

muk2 wants to merge 14 commits into main from ci/build-dockerfiles

Conversation

@muk2 muk2 (Owner) commented May 31, 2026

No description provided.

Claude Agent and others added 14 commits May 20, 2026 21:54

Adds .forgejo/workflows/build-containers.yml — on every pull_request that
touches a Dockerfile, the matching image is rebuilt to confirm it still
assembles. Stays cheap by:

- Path-filtering so README / docs / shell-alias PRs skip CI entirely
- Diffing against the merge target and only building the Dockerfiles that
  actually changed (matrix with fail-fast: false, max-parallel: 3)
- Excluding Dockerfile.all from automatic runs (8-10 GB image); reachable
  via workflow_dispatch + build_all=true when full coverage is needed
- Reclaiming ~10 GB on the runner before each build (dotnet/android/ghc)
- GitHub Actions cache (cache-from / cache-to) for Buildx layers
- Smoke test: `docker run --entrypoint /bin/true` confirms the image is
  well-formed without launching claude/opencode

A `build-result` aggregate job is added so branch protection can require
a single check ("All builds succeeded") regardless of matrix size.

README documents the workflow under a new "Continuous Integration" section.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Previous run failed because the Forgejo runner couldn't pull marketplace
actions (actions/checkout@v4, docker/setup-buildx-action@v3,
docker/build-push-action@v6) — detect died in 5s, the build matrix
never ran, and build-result reported success because empty should_build
was treated as "nothing to build" instead of "detect blew up".

This commit:
- Replaces every marketplace action with plain `git clone` and
  `docker build`. Forgejo Actions runners typically ship git + docker
  in the runner image (gitea/runner-images:ubuntu-latest), so no
  external download is required.
- Adds an explicit `Show runner environment` step at the top of detect
  so the next failure (if any) is diagnosable from the log.
- Fixes the aggregate `build-result`: detect.result != success now
  fails the check, so "X on green" cannot happen again.
- Uses GITHUB_SERVER_URL / GITHUB_REPOSITORY / GITHUB_SHA / GITHUB_BASE_REF
  instead of expression literals where possible, so the script is
  portable across Forgejo and GitHub Actions.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

We can't read Forgejo Actions logs via the API on this instance, so the
workflow posts its environment + tool inventory back as a PR comment.
Lets us figure out what the runner actually provides without log access.
Deleted once build-containers.yml is green.

Diagnostic dump from .forgejo/workflows/diagnose.yml revealed the
configured act_runner image is node:20-bookworm-slim with:
  - docker:  MISSING
  - buildx:  MISSING
  - jq:      MISSING
  - disk:    1.4 GB free (would OOM on any Dockerfile.* > 500 MB anyway)

A real `docker build` is impossible without reconfiguring the runner.
This commit switches the workflow to hadolint (static Dockerfile linter)
which catches:
  - syntax errors and broken RUN chains
  - missing version pins and known anti-patterns
  - unset USER/WORKDIR, shell pitfalls

README now documents what's needed to upgrade to real builds:
mount /var/run/docker.sock from host into runner job container,
or switch runner image to one with docker-in-docker.

The matrix-detection logic no longer needs jq (uses plain shell).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

hadolint 2.12 can't parse Dockerfiles using multi-line heredocs in RUN
(opencode Dockerfiles do this for the OpenCode JSON config). The two
oc-python and oc-go Dockerfiles parse and build fine with docker, but
hadolint emits 'unexpected { expecting ...' and fails CI.

Workaround: detect that specific parser-failure signature in hadolint's
output and downgrade it to a SKIP with warning. Real rule violations at
error severity continue to fail the job.

Tracks hadolint upstream: github.com/hadolint/hadolint/issues/784

diagnose.yml was a temporary self-reporting workflow used to discover
what tools were actually available on the act_runner. Findings have
been baked into build-containers.yml (hadolint instead of docker build,
log publishing to ci-debug for visibility), so this scaffolding can go.

The ci-debug branch is retained as a side-channel for future lint
failures since act_runner's log endpoint is not exposed via the
Forgejo API. The CI_DEBUG_TOKEN secret stays for the log publisher
to authenticate; rotate or delete via repo Settings -> Actions ->
Secrets if you no longer want this.

Replaces hadolint-only linting on Forgejo with real docker build
verification on GitHub Actions. Matrix strategy builds only changed
Dockerfiles on PR, all images on push to main.
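The commit messages above describe two pieces of shell logic without showing them: the jq-free detection of which Dockerfiles changed (skipping Dockerfile.all unless a full build is requested) and the hadolint wrapper that downgrades the heredoc parser failure to a SKIP while still failing on error-severity rules. The script below is an added example, not code from this PR or its workflow files, written as standalone POSIX sh functions so the logic can be checked locally before it goes into a workflow step. It assumes Dockerfiles are recognised by basename (`Dockerfile` or `Dockerfile.<name>`) anywhere in the tree, that the matrix is keyed on a `dockerfile` field, and that hadolint's text output looks like `file:line RULE severity: message` for rule hits and `file:line:col unexpected ...` followed by `expecting ...` for a parser failure; the function and variable names (`changed_dockerfiles`, `matrix_json`, `classify_hadolint`, `BUILD_ALL`) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the PR: the detect-and-classify logic the
# commit messages describe, as POSIX sh functions (no jq, no marketplace actions).
#
# Assumptions (not taken from the PR):
#   - Dockerfiles are recognised by basename (Dockerfile or Dockerfile.<name>).
#   - hadolint output is `file:line RULE severity: message` for rule hits and
#     `file:line:col unexpected ...` / `expecting ...` for a parser failure.

# changed_dockerfiles: read changed paths on stdin, one per line (the shape of
# `git diff --name-only "$base...$head"`), print the Dockerfiles to build.
# Dockerfile.all is skipped unless BUILD_ALL=true (the workflow_dispatch +
# build_all=true escape hatch). README/docs/alias changes match nothing and
# produce no output, which is the path filter.
changed_dockerfiles() {
    while IFS= read -r path; do
        base="${path##*/}"
        case "$base" in
            Dockerfile|Dockerfile.*) ;;
            *) continue ;;
        esac
        if [ "$base" = "Dockerfile.all" ] && [ "${BUILD_ALL:-false}" != "true" ]; then
            continue
        fi
        printf '%s\n' "$path"
    done | sort -u
}

# matrix_json: turn that list (stdin) into a strategy.matrix object using only
# printf, so the runner image needs no jq. Empty input yields {"include":[]},
# which the caller should treat as "nothing to build" only when this step
# itself succeeded (the detect.result check from the PR).
matrix_json() {
    first=1
    printf '{"include":['
    while IFS= read -r df; do
        [ -n "$df" ] || continue
        [ "$first" -eq 1 ] || printf ','
        first=0
        printf '{"dockerfile":"%s"}' "$df"
    done
    printf ']}\n'
}

# classify_hadolint: read hadolint's output on stdin and print one verdict:
#   SKIP  parser failure (e.g. heredoc in RUN, hadolint#784): warn, do not fail
#   FAIL  at least one rule reported at error severity
#   PASS  anything else (warnings/info only, or no findings)
# Returns 1 only for FAIL so the function can gate the job directly.
classify_hadolint() {
    out="$(cat)"
    if printf '%s\n' "$out" | grep -Eq ':[0-9]+:[0-9]+ unexpected' \
       && printf '%s\n' "$out" | grep -q 'expecting'; then
        printf 'warning: hadolint could not parse this Dockerfile; lint skipped\n' >&2
        echo SKIP
        return 0
    fi
    if printf '%s\n' "$out" | grep -Eq ':[0-9]+ (DL|SC)[0-9]+ error:'; then
        echo FAIL
        return 1
    fi
    echo PASS
    return 0
}

# Demo on constructed input (not a real diff or real hadolint output).
demo() {
    printf 'README.md\nDockerfile.oc-go\nDockerfile.all\ndocs/ci.md\n' \
        | changed_dockerfiles | matrix_json
    printf 'Dockerfile.oc-go:14:5 unexpected "{"\nexpecting ...\n' \
        | classify_hadolint
}

case "${1:-}" in
    --demo) demo ;;
esac
```

Run with `sh detect.sh --demo` to see the matrix for the constructed change list and the SKIP verdict for the heredoc parse failure; in a workflow step, pipe `git diff --name-only "$GITHUB_BASE_REF...$GITHUB_SHA"` into `changed_dockerfiles | matrix_json` and hadolint's output into `classify_hadolint`.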

@muk2 muk2 force-pushed the ci/build-dockerfiles branch from 3529b7c to 9f7060b on May 31, 2026 08:44