diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md
index 10f2c9d..a8f5b26 100644
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@@ -1067,8 +1067,10 @@ Before proceeding with Section 7, you need to understand the environment variabl
 - **Format**: Must be a full digest reference including the registry URL (e.g., `quay.io/podman/stable@sha256:...`)
 - **How to obtain**:
 ```bash
+ # Host arch (should print amd64)
+ podman info --format '{{.Host.Arch}}'
 # Get Podman client image digest
- DIGEST=$(podman manifest inspect quay.io/podman/stable:latest | jq -r '.manifests[0].digest')
+ DIGEST=$(podman manifest inspect quay.io/podman/stable:latest | jq -r '.manifests[] | select(.platform.os=="linux" and .platform.architecture=="amd64") | .digest')
 # Combine with registry URL to create full digest reference
 export PODMAN_CLIENT_IMG_DIGEST="quay.io/podman/stable@${DIGEST}"
 echo "PODMAN_CLIENT_IMG_DIGEST=${PODMAN_CLIENT_IMG_DIGEST}"
@@ -1183,33 +1185,33 @@ The CI pipeline now includes comprehensive integration testing:
 ```bash
 # Test PiP connectivity through secure socket
-podman exec ci-pip podman version
+podman exec ci-pip-local podman version
 # Start PostgreSQL for integration tests
-podman exec ci-pip podman run -d \
+podman exec ci-pip-local podman run -d \
 --name test-postgres \
 -e POSTGRES_PASSWORD=testpassword \
 -e POSTGRES_USER=testuser \
 -e POSTGRES_DB=testdb \
 -p 5432:5432 \
- postgres:15-alpine
+ "${POSTGRES_IMG_DIGEST}"
 # Wait for PostgreSQL to be ready
-podman exec ci-pip timeout 60 bash -c 'until podman exec test-postgres pg_isready -h localhost -p 5432 -U testuser; do sleep 1; done'
+podman exec ci-pip-local timeout 60 bash -c 'until podman exec test-postgres pg_isready -h localhost -p 5432 -U testuser; do sleep 1; done'
 # Run backend unit tests
-podman exec ci-pip podman run --rm \
- -v $(pwd):/workspace \
+podman exec ci-pip-local podman run --rm \
+ -v $(pwd)/backend:/workspace \
 -w /workspace \
- rust:latest \
+ "${RUST_IMG_DIGEST}" \
 sh -c "cargo test --lib -- --test-threads=1"
 # Run backend integration tests with real database
 podman exec ci-pip podman run --rm \
- -v $(pwd):/workspace \
+ -v $(pwd)/backend:/workspace \
 -w /workspace \
 -e DATABASE_URL=postgres://testuser:testpassword@localhost:5432/testdb \
- rust:latest \
+ "${RUST_IMG_DIGEST}" \
 sh -c "cargo test --test '*' -- --test-threads=1"
 ```
@@ -2143,7 +2145,7 @@ Go to your Forgejo repository and add these secrets in **Settings → Secrets an
 - **`PODMAN_CLIENT_IMG_DIGEST`**: Used for secure ephemeral PiP containers in CI
 ```bash
 # Get Podman client image digest and create full reference
- DIGEST=$(podman manifest inspect quay.io/podman/stable:latest | jq -r '.manifests[0].digest')
+ DIGEST=$(podman manifest inspect quay.io/podman/stable:latest | jq -r '.manifests[] | select(.platform.os=="linux" and .platform.architecture=="amd64") | .digest')
 export PODMAN_CLIENT_IMG_DIGEST="quay.io/podman/stable@${DIGEST}"
 echo "PODMAN_CLIENT_IMG_DIGEST=${PODMAN_CLIENT_IMG_DIGEST}"
 # Result: quay.io/podman/stable@sha256:5dd9f78bd233970ea4a36bb65d5fc63b7edbb9c7f800ab7901fa912564f36415
@@ -2152,7 +2154,7 @@ Go to your Forgejo repository and add these secrets in **Settings → Secrets an
 - **`RUST_IMG_DIGEST`**: Used for Rust backend testing and building
 ```bash
 # Get Rust image digest and create full reference
- DIGEST=$(podman manifest inspect docker.io/library/rust:latest | jq -r '.manifests[0].digest')
+ DIGEST=$(podman manifest inspect docker.io/library/rust:latest | jq -r '.manifests[] | select(.platform.os=="linux" and .platform.architecture=="amd64") | .digest')
 export RUST_IMG_DIGEST="docker.io/library/rust@${DIGEST}"
 echo "RUST_IMG_DIGEST=${RUST_IMG_DIGEST}"
 # Result: docker.io/library/rust@sha256:...
@@ -2161,7 +2163,7 @@ Go to your Forgejo repository and add these secrets in **Settings → Secrets an
 - **`NODE_IMG_DIGEST`**: Used for Node.js frontend testing and building
 ```bash
 # Get Node.js image digest and create full reference
- DIGEST=$(podman manifest inspect docker.io/library/node:latest | jq -r '.manifests[0].digest')
+ DIGEST=$(podman manifest inspect docker.io/library/node:latest | jq -r '.manifests[] | select(.platform.os=="linux" and .platform.architecture=="amd64") | .digest')
 export NODE_IMG_DIGEST="docker.io/library/node@${DIGEST}"
 echo "NODE_IMG_DIGEST=${NODE_IMG_DIGEST}"
 # Result: docker.io/library/node@sha256:...
@@ -2170,7 +2172,7 @@ Go to your Forgejo repository and add these secrets in **Settings → Secrets an
 - **`POSTGRES_IMG_DIGEST`**: Used for PostgreSQL database in integration tests
 ```bash
 # Get PostgreSQL image digest and create full reference
- DIGEST=$(podman manifest inspect docker.io/library/postgres:latest | jq -r '.manifests[0].digest')
+ DIGEST=$(podman manifest inspect docker.io/library/postgres:latest | jq -r '.manifests[] | select(.platform.os=="linux" and .platform.architecture=="amd64") | .digest')
 export POSTGRES_IMG_DIGEST="docker.io/library/postgres@${DIGEST}"
 echo "POSTGRES_IMG_DIGEST=${POSTGRES_IMG_DIGEST}"
 # Result: docker.io/library/postgres@sha256:...
diff --git a/secure_pip_setup.sh b/secure_pip_setup.sh
index 892201d..e597a56 100755
--- a/secure_pip_setup.sh
+++ b/secure_pip_setup.sh
@@ -5,6 +5,7 @@ RUN_ID="${RUN_ID:-${GITHUB_RUN_ID:-local}}"
 PIP_CONTAINER_NAME="ci-pip-${RUN_ID}"
 RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
 SOCKET_PATH="${SOCKET_PATH:-${RUNTIME_DIR}/podman-host/podman.sock}"
+SOCKET_DIR="$(dirname "$SOCKET_PATH")"
 WORKSPACE="${GITHUB_WORKSPACE:-$PWD}"
 PIP_UID="${PIP_UID:-1000}"
 PIP_GID="${PIP_GID:-1000}"
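Review bot: The new `SOCKET_DIR` line in secure_pip_setup.sh takes the parent of `SOCKET_PATH`, and the line above it lets the environment override `SOCKET_PATH`, so the directory is only the dedicated `podman-host` one when the default is in use. The later hunk of this file bind-mounts `SOCKET_DIR` read-write into the PiP container, so an override that puts the socket directly in the user's runtime directory would expose everything else in that directory to CI jobs. Nothing on the visible lines records that constraint; a comment above the assignment would, e.g. `# SOCKET_DIR is bind-mounted rw into the PiP container: SOCKET_PATH must sit in a directory that holds only the Podman socket`. A stricter option is to refuse to continue when `SOCKET_DIR` equals `RUNTIME_DIR`.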
@@ -40,9 +41,9 @@ podman run -d \
 --network=none \
 --tmpfs /run:rw,size=64M \
 --tmpfs /tmp:rw,size=256M \
- -v "${SOCKET_PATH}:/var/run/podman.sock" \
+ -v "${SOCKET_DIR}:/run/podman-host:rw" \
 -v "${WORKSPACE}:/workspace:rw" \
- -e CONTAINER_HOST="unix:///var/run/podman.sock" \
+ -e CONTAINER_HOST="unix:///run/podman-host/podman.sock" \
 "${PODMAN_CLIENT_IMG_DIGEST}" \
 sleep infinity
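Review bot: The new `CONTAINER_HOST` value hardcodes the file name `podman.sock`, while the mount source on the `-v "${SOCKET_DIR}:..."` line comes from an overridable `SOCKET_PATH`. If `SOCKET_PATH` is overridden with a different base name, the client inside the container is pointed at a path that does not exist. The old single-file mount did not have this coupling, because it always mapped the socket to a fixed in-container name. Deriving the name keeps the two in step: `-e CONTAINER_HOST="unix:///run/podman-host/$(basename "$SOCKET_PATH")" \`. The `podman run` command begins above the hunk, so the remaining flags were not reviewed.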