name: CI/CD Pipeline with Secure Ephemeral PiP on: push: branches: [main] pull_request: branches: [main] env: REGISTRY: ${{ secrets.REGISTRY_HOST }} APP_NAME: ${{ secrets.APP_NAME }} IMAGE_TAG: ${{ github.sha }} RUN_ID: ${{ github.run_id }} POSTGRES_USERNAME: ${{ secrets.PROD_DB_USERNAME }} POSTGRES_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }} POSTGRES_HOST: ${{ secrets.PROD_DB_HOST }} POSTGRES_PORT: ${{ secrets.PROD_DB_PORT }} POSTGRES_DATABASE_NAME: ${{ secrets.PROD_DB_DATABASE_NAME }} PROD_BACKEND_HOST: ${{ secrets.PROD_BACKEND_HOST }} PROD_BACKEND_PORT: ${{ secrets.PROD_BACKEND_PORT }} PROD_FRONTEND_PORT: ${{ secrets.PROD_FRONTEND_PORT }} # Required pinned digests (fail if missing) RUST_IMG_DIGEST: ${{ secrets.RUST_IMG_DIGEST }} # e.g., docker.io/library/rust@sha256:... NODE_IMG_DIGEST: ${{ secrets.NODE_IMG_DIGEST }} # e.g., docker.io/library/node@sha256:... POSTGRES_IMG_DIGEST: ${{ secrets.POSTGRES_IMG_DIGEST }} # e.g., docker.io/library/postgres@sha256:... PODMAN_CLIENT_IMG_DIGEST: quay.io/podman/stable:latest jobs: test-backend: runs-on: [ci] container: image: ghcr.io/catthehacker/ubuntu:act-22.04 options: >- --read-only=false -v /run/user/999/podman:/run/user/999/podman:rw -e XDG_RUNTIME_DIR=/run/user/999 env: CONTAINER_HOST: unix:///run/user/999/podman/podman.sock steps: - name: Install Podman client env: DEBIAN_FRONTEND: noninteractive run: | apt-get update apt-get install -y --no-install-recommends podman jq - uses: actions/checkout@v4 - name: Verify runner wiring to Podman run: | podman --version test -S "/run/user/999/podman/podman.sock" || { echo "Missing socket /run/user/999/podman/podman.sock"; exit 1; } # Optional: sanity poke of the service via PiP later - name: Network/DNS sanity from job container run: | getent hosts git.gcdo.org || true curl -sS -o /dev/null -w 'status=%{http_code}\n' https://git.gcdo.org/api/healthz || true - name: Verify pinned digests provided run: | for v in RUST_IMG_DIGEST NODE_IMG_DIGEST POSTGRES_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do [ -n "${!v}" ] || { echo "Missing $v"; exit 1; } echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}$' || { echo "$v must be a digest ref"; exit 1; } done - name: Setup ephemeral PiP container env: PODMAN_CLIENT_IMG_DIGEST: quay.io/podman/stable:latest SOCKET_PATH: /run/user/999/podman/podman.sock run: | chmod +x ./secure_pip_setup.sh ./secure_pip_setup.sh - name: Wait for PiP readiness env: PIP_NAME: ci-pip-${{ env.RUN_ID }} run: | chmod +x ./pip_ready.sh ./pip_ready.sh - name: Verify Podman socket inside PiP run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'test -S /run/podman-host/podman.sock && echo OK' - name: Network sanity from PiP run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'getent hosts git.gcdo.org && curl -sS -o /dev/null -w "status=%{http_code}\n" https://git.gcdo.org/api/healthz' - name: Configure Git for token-based authentication run: | git config --global url."https://${{ secrets.REGISTRY_USERNAME }}:${{ secrets.REGISTRY_TOKEN }}@${{ env.REGISTRY }}".insteadOf "https://${{ env.REGISTRY }}" - name: Create internal integration network run: podman exec ci-pip-${{ env.RUN_ID }} podman network create --internal integ-${{ env.RUN_ID }} - name: Start PostgreSQL on internal network (digest-pinned) run: | podman exec ci-pip-${{ env.RUN_ID }} podman run -d \ --name test-postgres \ --network integ-${{ env.RUN_ID }} \ -e POSTGRES_PASSWORD=password \ -e POSTGRES_USER=postgres \ -e POSTGRES_DB=sharenet_test \ "${POSTGRES_IMG_DIGEST}" - name: Wait for PostgreSQL to be ready run: | podman exec ci-pip-${{ env.RUN_ID }} sh -lc ' i=0; until podman exec test-postgres pg_isready -h 127.0.0.1 -p 5432 -U postgres >/dev/null 2>&1; do i=$((i+1)); [ $i -gt 60 ] && { echo "pg not ready"; exit 1; }; sleep 1 done' - name: Run backend unit tests env: WORKSPACE: ${{ github.workspace }} run: | podman exec -e WORKSPACE="${WORKSPACE}" ci-pip-${{ env.RUN_ID }} sh -lc ' podman run --rm \ -v "$WORKSPACE":/workspace \ -w /workspace \ "'"${RUST_IMG_DIGEST}"'" \ sh -c "cargo test --lib -- --test-threads=1"' - name: Run backend integration tests env: WORKSPACE: ${{ github.workspace }} run: | podman exec -e WORKSPACE="${WORKSPACE}" ci-pip-${{ env.RUN_ID }} sh -lc ' podman run --rm \ --network integ-${{ env.RUN_ID }} \ -v "$WORKSPACE":/workspace \ -w /workspace \ -e DATABASE_URL=postgres://postgres:password@test-postgres:5432/sharenet_test \ "'"${RUST_IMG_DIGEST}"'" \ sh -c "cargo test --test '"'"'*'"'"' -- --test-threads=1"' - name: Cleanup test resources if: always() run: | podman exec ci-pip-${{ env.RUN_ID }} podman rm -f test-postgres 2>/dev/null || true podman exec ci-pip-${{ env.RUN_ID }} podman network rm integ-${{ env.RUN_ID }} 2>/dev/null || true - name: Per-job cleanup (PiP container) if: always() run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true test-frontend: runs-on: [ci] needs: test-backend container: image: ghcr.io/catthehacker/ubuntu:act-22.04 options: >- --read-only=false -v /run/user/999/podman:/run/user/999/podman:rw -e XDG_RUNTIME_DIR=/run/user/999 env: CONTAINER_HOST: unix:///run/user/999/podman/podman.sock steps: - name: Install Podman client env: DEBIAN_FRONTEND: noninteractive run: | apt-get update apt-get install -y --no-install-recommends podman jq - uses: actions/checkout@v4 - name: Verify runner wiring to Podman run: | podman --version test -S "/run/user/999/podman/podman.sock" || { echo "Missing socket /run/user/999/podman/podman.sock"; exit 1; } # Optional: sanity poke of the service via PiP later - name: Verify pinned digests provided run: | for v in NODE_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do [ -n "${!v}" ] || { echo "Missing $v"; exit 1; } echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}$' || { echo "$v must be a digest ref"; exit 1; } done - name: Setup ephemeral PiP container env: PODMAN_CLIENT_IMG_DIGEST: quay.io/podman/stable:latest SOCKET_PATH: /run/user/999/podman/podman.sock run: | chmod +x ./secure_pip_setup.sh ./secure_pip_setup.sh - name: Wait for PiP readiness env: PIP_NAME: ci-pip-${{ env.RUN_ID }} run: | chmod +x ./pip_ready.sh ./pip_ready.sh - name: Verify Podman socket inside PiP run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'test -S /run/podman-host/podman.sock && echo OK' - name: Network sanity from PiP run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'getent hosts git.gcdo.org && curl -sS -o /dev/null -w "status=%{http_code}\n" https://git.gcdo.org/api/healthz' - name: Run frontend tests (digest-pinned) env: WORKSPACE: ${{ github.workspace }} run: | podman exec -e WORKSPACE="${WORKSPACE}" ci-pip-${{ env.RUN_ID }} sh -lc ' podman run --rm \ -v "$WORKSPACE":/workspace \ -w /workspace \ "'"${NODE_IMG_DIGEST}"'" \ sh -c "npm ci && npm run test"' - name: Per-job cleanup (PiP container) if: always() run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true build-backend: runs-on: [ci] needs: test-frontend container: image: ghcr.io/catthehacker/ubuntu:act-22.04 options: >- --read-only=false -v /run/user/999/podman:/run/user/999/podman:rw -e XDG_RUNTIME_DIR=/run/user/999 env: CONTAINER_HOST: unix:///run/user/999/podman/podman.sock steps: - name: Install Podman client env: DEBIAN_FRONTEND: noninteractive run: | apt-get update apt-get install -y --no-install-recommends podman jq - uses: actions/checkout@v4 - name: Verify runner wiring to Podman run: | podman --version test -S "/run/user/999/podman/podman.sock" || { echo "Missing socket /run/user/999/podman/podman.sock"; exit 1; } # Optional: sanity poke of the service via PiP later - name: Setup ephemeral PiP container env: PODMAN_CLIENT_IMG_DIGEST: quay.io/podman/stable:latest SOCKET_PATH: /run/user/999/podman/podman.sock run: | chmod +x ./secure_pip_setup.sh ./secure_pip_setup.sh - name: Wait for PiP readiness env: PIP_NAME: ci-pip-${{ env.RUN_ID }} run: | chmod +x ./pip_ready.sh ./pip_ready.sh - name: Verify Podman socket inside PiP run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'test -S /run/podman-host/podman.sock && echo OK' - name: Network sanity from PiP run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'getent hosts git.gcdo.org && curl -sS -o /dev/null -w "status=%{http_code}\n" https://git.gcdo.org/api/healthz' - name: Login to Forgejo Container Registry securely env: REGISTRY_HOST: ${{ env.REGISTRY }} REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }} run: | podman exec -i ci-pip-${{ env.RUN_ID }} sh -lc \ 'podman login "$REGISTRY_HOST" -u "$REGISTRY_USERNAME" --password-stdin' <<<"${REGISTRY_TOKEN}" - name: Build backend image env: REGISTRY: ${{ env.REGISTRY }} APP_NAME: ${{ env.APP_NAME }} IMAGE_TAG: ${{ env.IMAGE_TAG }} run: | podman exec ci-pip-${{ env.RUN_ID }} sh -lc \ 'cd /workspace/backend && podman build -t "$REGISTRY/$APP_NAME/backend:$IMAGE_TAG" .' - name: Push backend image env: REGISTRY: ${{ env.REGISTRY }} APP_NAME: ${{ env.APP_NAME }} IMAGE_TAG: ${{ env.IMAGE_TAG }} run: | podman exec ci-pip-${{ env.RUN_ID }} sh -lc \ 'podman push "$REGISTRY/$APP_NAME/backend:$IMAGE_TAG"' - name: Per-job cleanup (PiP container) if: always() run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true build-frontend: runs-on: [ci] needs: test-frontend container: image: ghcr.io/catthehacker/ubuntu:act-22.04 options: >- --read-only=false -v /run/user/999/podman:/run/user/999/podman:rw -e XDG_RUNTIME_DIR=/run/user/999 env: CONTAINER_HOST: unix:///run/user/999/podman/podman.sock steps: - name: Install Podman client env: DEBIAN_FRONTEND: noninteractive run: | apt-get update apt-get install -y --no-install-recommends podman jq - uses: actions/checkout@v4 - name: Verify runner wiring to Podman run: | podman --version test -S "/run/user/999/podman/podman.sock" || { echo "Missing socket /run/user/999/podman/podman.sock"; exit 1; } # Optional: sanity poke of the service via PiP later - name: Setup ephemeral PiP container env: PODMAN_CLIENT_IMG_DIGEST: quay.io/podman/stable:latest SOCKET_PATH: /run/user/999/podman/podman.sock run: | chmod +x ./secure_pip_setup.sh ./secure_pip_setup.sh - name: Wait for PiP readiness env: PIP_NAME: ci-pip-${{ env.RUN_ID }} run: | chmod +x ./pip_ready.sh ./pip_ready.sh - name: Verify Podman socket inside PiP run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'test -S /run/podman-host/podman.sock && echo OK' - name: Network sanity from PiP run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'getent hosts git.gcdo.org && curl -sS -o /dev/null -w "status=%{http_code}\n" https://git.gcdo.org/api/healthz' - name: Login to Forgejo Container Registry securely env: REGISTRY_HOST: ${{ env.REGISTRY }} REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }} run: | podman exec -i ci-pip-${{ env.RUN_ID }} sh -lc \ 'podman login "$REGISTRY_HOST" -u "$REGISTRY_USERNAME" --password-stdin' <<<"${REGISTRY_TOKEN}" - name: Build frontend image env: REGISTRY: ${{ env.REGISTRY }} APP_NAME: ${{ env.APP_NAME }} IMAGE_TAG: ${{ env.IMAGE_TAG }} run: | podman exec ci-pip-${{ env.RUN_ID }} sh -lc \ 'cd /workspace/frontend && podman build -t "$REGISTRY/$APP_NAME/frontend:$IMAGE_TAG" .' - name: Push frontend image env: REGISTRY: ${{ env.REGISTRY }} APP_NAME: ${{ env.APP_NAME }} IMAGE_TAG: ${{ env.IMAGE_TAG }} run: | podman exec ci-pip-${{ env.RUN_ID }} sh -lc \ 'podman push "$REGISTRY/$APP_NAME/frontend:$IMAGE_TAG"' - name: Per-job cleanup (PiP container) if: always() run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true deploy-prod: runs-on: [prod] needs: [build-backend, build-frontend] if: success() container: image: ghcr.io/catthehacker/ubuntu:act-22.04 options: >- --read-only=false -v /run/user/999/podman:/run/user/999/podman:rw -e XDG_RUNTIME_DIR=/run/user/999 env: CONTAINER_HOST: unix:///run/user/999/podman/podman.sock steps: - name: Install Podman client env: DEBIAN_FRONTEND: noninteractive run: | apt-get update apt-get install -y --no-install-recommends podman jq - uses: actions/checkout@v4 - name: Verify Podman in job container run: | podman --version podman info --log-level=error >/dev/null # Your prod-pod.yml uses ${REGISTRY_HOST}, but the workflow defines REGISTRY. # Export a one-off alias so templating resolves. - name: Render prod spec (no envsubst) env: REGISTRY_HOST: ${{ env.REGISTRY }} run: | awk '{ while (match($0, /\$\{[A-Za-z_][A-Za-z0-9_]*\}/)) { k = substr($0, RSTART+2, RLENGTH-3); v = ENVIRON[k]; gsub("\\$\\{" k "\\}", v); } print }' deploy/prod-pod.yml > prod-pod-deploy.yml - name: Apply with Podman run: podman play kube --replace prod-pod-deploy.yml - name: Clean up generated file if: always() run: rm -f prod-pod-deploy.yml