feat(ci): trigger deploys #12

Merged
rcsheets merged 4 commits from feat/trigger-deploy into main 2026-04-18 08:34:41 +00:00
Owner
No description provided.
Fetch Harbor push creds from OpenBao, not Forgejo secrets
Some checks failed
test / schema-test (pull_request) Waiting to run
test / go-test (pull_request) Waiting to run
build / images (controlloop) (pull_request) Has been cancelled
build / images (rpcserver) (pull_request) Has been cancelled
4e88fd18d5
The workflow referenced secrets.HARBOR_USERNAME/HARBOR_PASSWORD which
aren't configured on this repo. Switch to the same Kubernetes-auth +
OpenBao pattern used by pr-reviewer and front-door: the runner pod's
ServiceAccount token logs into OpenBao via the shared
harbor-push-brooktrails role and reads creds from
secret/data/forgejo-runners/brooktrails/harbor-push.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
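The Kubernetes-auth + OpenBao pattern this commit describes, written out as an added example in Go (not code from this PR or from the pr-reviewer/front-door repos it cites): the runner pod presents its projected ServiceAccount JWT to OpenBao's Kubernetes auth method under the harbor-push-brooktrails role, receives a client token, and reads username/password from the KV v2 path. The role name and secret path are the ones in the commit message; the fake OpenBao server, the JWT value, the robot account name and password are constructed for the example, and the request and response shapes follow the Vault-compatible OpenBao API.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Role and secret path are the ones the commit names; API shapes follow the Vault-compatible OpenBao API.
const (
	kubeAuthRole = "harbor-push-brooktrails"
	harborSecret = "secret/data/forgejo-runners/brooktrails/harbor-push"
)

// loginKubernetes trades the runner pod's ServiceAccount JWT for an OpenBao client token
// (POST /v1/auth/kubernetes/login); OpenBao validates the JWT with the cluster's TokenReview API.
func loginKubernetes(addr, role, jwt string) (string, error) {
	body, _ := json.Marshal(map[string]string{"role": role, "jwt": jwt})
	resp, err := http.Post(addr+"/v1/auth/kubernetes/login", "application/json", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("kubernetes login as role %s: HTTP %d", role, resp.StatusCode)
	}
	var out struct{ Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Auth.ClientToken == "" {
		return "", fmt.Errorf("kubernetes login: no client_token in response")
	}
	return out.Auth.ClientToken, nil
}

// readKV2 reads a KV v2 secret at its /data/ path; the key/value pairs sit under data.data.
func readKV2(addr, token, path string) (map[string]string, error) {
	req, _ := http.NewRequest(http.MethodGet, addr+"/v1/"+path, nil)
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("read %s: HTTP %d", path, resp.StatusCode)
	}
	var out struct{ Data struct{ Data map[string]string `json:"data"` } `json:"data"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	return out.Data.Data, nil
}

// harborPushCreds is the whole step: SA JWT -> OpenBao token -> Harbor robot username/password.
func harborPushCreds(addr, jwt string) (user, pass string, err error) {
	tok, err := loginKubernetes(addr, kubeAuthRole, jwt)
	if err != nil {
		return "", "", err
	}
	kv, err := readKV2(addr, tok, harborSecret)
	if err != nil {
		return "", "", err
	}
	if kv["username"] == "" || kv["password"] == "" {
		return "", "", fmt.Errorf("%s lacks username or password", harborSecret)
	}
	return kv["username"], kv["password"], nil
}

// newFakeOpenBao is a constructed stand-in so the example runs offline: it issues a token only
// for the expected role and JWT, and serves the KV path only to a request bearing that token.
func newFakeOpenBao(acceptJWT string) *httptest.Server {
	const issued = "hvs.constructed-client-token"
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/auth/kubernetes/login", func(w http.ResponseWriter, r *http.Request) {
		var in map[string]string
		if json.NewDecoder(r.Body).Decode(&in) != nil || in["role"] != kubeAuthRole || in["jwt"] != acceptJWT {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		json.NewEncoder(w).Encode(map[string]any{"auth": map[string]string{"client_token": issued}})
	})
	mux.HandleFunc("/v1/"+harborSecret, func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != issued {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		json.NewEncoder(w).Encode(map[string]any{"data": map[string]any{"data": map[string]string{
			"username": "robot$brooktrails+ci", "password": "constructed-password"}}})
	})
	return httptest.NewServer(mux)
}

func main() { // in the runner, jwt comes from the projected SA token file and addr from the OpenBao URL
	srv := newFakeOpenBao("constructed.sa.jwt")
	defer srv.Close()
	fmt.Println(harborPushCreds(srv.URL, "constructed.sa.jwt"))
}
```

The trust anchor here is the binding of the OpenBao role to the runner's ServiceAccount and namespace, so any job that lands on that runner can mint the same Harbor credentials; keep the role's policy read-only on that single path, keep the token TTL short, and mask the password in job output so it never lands in the run log.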
Publish images under the brooktrails/ Harbor project
Some checks failed
test / go-test (pull_request) Waiting to run
test / schema-test (pull_request) Waiting to run
build / images (controlloop) (pull_request) Has been cancelled
build / images (rpcserver) (pull_request) Has been cancelled
2fc130e653
Match the convention used by pr-reviewer and front-door
(harbor.brooktrails.org/brooktrails/<app>). Image paths become
brooktrails/directory-pacifier/{controlloop,rpcserver}; placeholder
image refs in the k8s manifests are updated to match.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Dispatch test deploy on push to main; bake schema into controlloop
Some checks failed
test / go-test (pull_request) Waiting to run
test / schema-test (pull_request) Waiting to run
build / images (controlloop) (pull_request) Has been cancelled
build / images (rpcserver) (pull_request) Has been cancelled
fd4ba88d4f
Add a trailing step to the build workflow that calls the infra repo's
deploy-directory-pacifier-test.yaml dispatch with the short SHA once
the image is pushed. Two dispatches fire (once per matrix binary); the
receiving workflow is idempotent so the second run is a no-op.

The Dockerfile splits into two runtime stages so the schema SQL gets
baked into the low-privilege controlloop image at /schema (rpcserver
stays minimal). The migrate Job in the infra repo uses a docker-cp
extraction of this schema to materialize a ConfigMap at bootstrap.

Requires these repo-level vars on directory-pacifier:
  - INFRA_REPO=brooktrails/infra
  - (optional) INFRA_DEPLOY_WORKFLOW=deploy-directory-pacifier-test.yaml
and a FORGEJO_TOKEN secret with dispatch permission on the infra repo.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
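The dispatch step and the idempotent receiver this commit describes, as an added example in Go rather than the workflow step from this PR or the infra repo's workflow: the build side posts a workflow_dispatch for the infra repo's deploy workflow with the short SHA once per matrix binary and fails loudly on any non-success status; the receiver side is a constructed model that authenticates the token, counts dispatches and rolls out a given SHA once, so the second dispatch is a no-op. The repo and workflow names are the ones in the commit; the endpoint path, the "token" Authorization scheme, 204 as the success status and the input name "sha" are assumptions for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// dispatchWorkflow fires workflow_dispatch for a workflow file in another repository. Endpoint path,
// "token" Authorization scheme and 204 as success are assumptions; check them against your Forgejo's API docs.
func dispatchWorkflow(api, repo, workflow, token, ref string, inputs map[string]string) error {
	body, _ := json.Marshal(map[string]any{"ref": ref, "inputs": inputs})
	url := fmt.Sprintf("%s/api/v1/repos/%s/actions/workflows/%s/dispatches", api, repo, workflow)
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "token "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusNoContent { // anything else fails the build step loudly
		msg, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
		return fmt.Errorf("dispatch %s on %s: HTTP %d: %s", workflow, repo, resp.StatusCode, bytes.TrimSpace(msg))
	}
	return nil
}

// triggerTestDeploy mirrors the trailing build step: each matrix binary that pushed an image dispatches
// the infra repo's deploy workflow with the short SHA, so two dispatches fire per push to main.
func triggerTestDeploy(api, infraRepo, workflow, token, shortSHA string, binaries []string) error {
	for range binaries {
		if err := dispatchWorkflow(api, infraRepo, workflow, token, "main", map[string]string{"sha": shortSHA}); err != nil {
			return err
		}
	}
	return nil
}

// deployReceiver is a constructed model of the infra-repo side: it authenticates the caller,
// counts dispatches, and rolls out a given sha once, so the second dispatch is a no-op.
type deployReceiver struct {
	mu         sync.Mutex
	token      string
	workflow   string
	dispatches int
	deployed   map[string]bool
}

func (d *deployReceiver) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || !strings.HasSuffix(r.URL.Path, "/actions/workflows/"+d.workflow+"/dispatches") {
		http.NotFound(w, r)
		return
	}
	if r.Header.Get("Authorization") != "token "+d.token {
		http.Error(w, `{"message":"token is required"}`, http.StatusUnauthorized)
		return
	}
	var in struct{ Ref string `json:"ref"`; Inputs map[string]string `json:"inputs"` }
	if json.NewDecoder(r.Body).Decode(&in) != nil || in.Ref == "" || in.Inputs["sha"] == "" {
		http.Error(w, `{"message":"ref and inputs.sha are required"}`, http.StatusUnprocessableEntity)
		return
	}
	d.mu.Lock()
	d.dispatches++
	d.deployed[in.Inputs["sha"]] = true // idempotent: a repeated sha changes nothing
	d.mu.Unlock()
	w.WriteHeader(http.StatusNoContent)
}

// counts reports dispatches received and distinct shas actually rolled out.
func (d *deployReceiver) counts() (dispatches, deploys int) {
	d.mu.Lock()
	defer d.mu.Unlock()
	return d.dispatches, len(d.deployed)
}

func newFakeForgejo(token, workflow string) (*httptest.Server, *deployReceiver) {
	recv := &deployReceiver{token: token, workflow: workflow, deployed: map[string]bool{}}
	return httptest.NewServer(recv), recv
}

func main() {
	const wf = "deploy-directory-pacifier-test.yaml"
	srv, recv := newFakeForgejo("constructed-forgejo-token", wf)
	defer srv.Close()
	err := triggerTestDeploy(srv.URL, "brooktrails/infra", wf, "constructed-forgejo-token", "03faf4b", []string{"controlloop", "rpcserver"})
	d, n := recv.counts()
	fmt.Println(err, d, n) // <nil> 2 1
}
```

Because the matrix fires the dispatch twice, the receiving workflow has to key its work on the SHA it is handed, exactly as the commit says; a receiver that is not idempotent would roll out twice. The FORGEJO_TOKEN the commit requires is a cross-repo write credential, so issue it with the narrowest scope that still permits the dispatch on the infra repo and nothing on other repos.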
Collaborator

Automated review by pr-reviewer v0.17.0 | Safety Check | Claude Sonnet 4 | tracking id r-e33f99-04321b
This is an AI-generated review and may contain mistakes.

Status: Completed


Verdict: LGTM — The changes add deployment automation and multi-stage Docker builds without any obvious security issues or bugs.
Complexity: moderate

Safety Check Review

Key Changes

  • Added workflow step to trigger deployment via Forgejo API
  • Modified Dockerfile to support multi-stage builds for different binaries (rpcserver vs controlloop)

Security Analysis

  • The automated detection flagged potential credentials, but these are properly using GitHub secrets (${{ secrets.FORGEJO_TOKEN }}) and variables (${{ vars.INFRA_REPO }})
  • API call uses proper authentication headers and handles errors appropriately
  • No hardcoded secrets or credentials exposed

Logic Review

  • Deployment trigger has proper conditionals (push to main only)
  • Error handling includes HTTP status code validation and error output
  • Dockerfile logic correctly separates runtime stages based on BINARY arg
  • SQL schema is only included in controlloop image, not rpcserver (good security practice)

No Issues Found

The changes implement deployment automation and improve Docker image structure without introducing security vulnerabilities or obvious bugs.

rcsheets force-pushed feat/trigger-deploy from fd4ba88d4f
Some checks failed
test / go-test (pull_request) Waiting to run
test / schema-test (pull_request) Waiting to run
build / images (controlloop) (pull_request) Has been cancelled
build / images (rpcserver) (pull_request) Has been cancelled
to 03faf4bcaf
Some checks failed
build / images (rpcserver) (pull_request) Failing after 19s
test / schema-test (pull_request) Successful in 52s
build / images (controlloop) (pull_request) Failing after 19s
test / go-test (pull_request) Successful in 22s
2026-04-18 08:24:02 +00:00
Move BINARY ARG above first FROM so it reaches the final stage
All checks were successful
build / images (controlloop) (pull_request) Successful in 1m40s
build / images (rpcserver) (pull_request) Successful in 1m38s
test / go-test (pull_request) Successful in 22s
test / schema-test (pull_request) Successful in 52s
f13c16cdcb
The final-stage `FROM runtime-${BINARY}` substitution needs BINARY to
be a global ARG (declared before any FROM). A stage-scoped ARG BINARY
in the builder doesn't propagate to later FROM lines — buildkit sees
the reference as undefined and fails with "invalid reference format".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
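The ARG scoping rule this commit relies on, and the two-runtime-stage layout from the earlier "bake schema into controlloop" commit, as an added example in Go that is not code from this PR: a small Dockerfile check that flags any FROM line expanding a variable which is not declared by an ARG placed before the first FROM, run over a constructed broken Dockerfile (BINARY declared only inside the builder stage, as the force-pushed revision had it) and the fixed one (BINARY declared globally first). The stage layout mirrors the commit messages; the base images, build command and paths are assumptions for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// argRef matches ${NAME}, ${NAME:-default} and $NAME expansions.
var argRef = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)[^}]*\}|\$([A-Za-z_][A-Za-z0-9_]*)`)

// fromArgProblems reports every FROM line that expands a variable not declared by an ARG placed
// before the first FROM. Only those "global" ARGs are in scope for FROM; a stage-scoped ARG is
// invisible there, the expansion is empty, and BuildKit fails with "invalid reference format".
func fromArgProblems(dockerfile string) []string {
	globals := map[string]bool{}
	var problems []string
	seenFrom := false
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for n := 1; sc.Scan(); n++ {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		switch strings.ToUpper(fields[0]) {
		case "ARG":
			if !seenFrom { // ARG before the first FROM: global scope
				for _, f := range fields[1:] {
					name, _, _ := strings.Cut(f, "=")
					globals[name] = true
				}
			}
		case "FROM":
			seenFrom = true
			for _, m := range argRef.FindAllStringSubmatch(sc.Text(), -1) {
				name := m[1] + m[2] // exactly one of the two groups matched
				if !globals[name] {
					problems = append(problems, fmt.Sprintf(
						"line %d: FROM expands $%s but %s is not an ARG declared before the first FROM", n, name, name))
				}
			}
		}
	}
	return problems
}

// brokenDockerfile is constructed to mirror the bug this commit fixes: BINARY is declared only
// inside the builder stage, so the final FROM cannot see it. Base images are assumptions.
const brokenDockerfile = `FROM golang:1.26 AS builder
ARG BINARY
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/${BINARY}

FROM gcr.io/distroless/static AS runtime-rpcserver
COPY --from=builder /out/app /app
ENTRYPOINT ["/app"]

FROM gcr.io/distroless/static AS runtime-controlloop
COPY --from=builder /out/app /app
COPY schema/ /schema/
ENTRYPOINT ["/app"]

FROM runtime-${BINARY}
`

// fixedDockerfile declares BINARY globally before the first FROM, as the fix does. The bare
// ARG BINARY inside builder stays: a global ARG must be re-declared in a stage to be used there.
const fixedDockerfile = "ARG BINARY\n\n" + brokenDockerfile

func main() {
	fmt.Println("broken:", fromArgProblems(brokenDockerfile))
	fmt.Println("fixed: ", fromArgProblems(fixedDockerfile))
}
```

Two caveats the check encodes: a global ARG is visible to FROM lines but not inside any stage unless re-declared there, and the schema directory is copied only into runtime-controlloop, so rpcserver's image carries no SQL, which is the split the earlier commit wanted.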
Collaborator

Automated review by pr-reviewer v0.17.0 | Safety Check | Claude Sonnet 4 | tracking id r-e340c4-96ebce
This is an AI-generated review and may contain mistakes.

Status: Completed


Verdict: LGTM — No obvious security issues or bugs found - the detected "credential" is just a GitHub Actions secret reference which is expected.
Complexity: moderate

Safety Check Review

Summary

This PR adds CI deployment triggering and multi-stage Docker builds. The automated flag about credentials is a false positive - it's detecting ${{ secrets.FORGEJO_TOKEN }} which is the standard way to reference secrets in GitHub Actions workflows.

Key Changes Reviewed

  • CI workflow: Added deployment dispatch logic using proper secret handling
  • Dockerfile: Refactored to support multiple runtime stages based on BINARY arg
  • Version: Go 1.26 is reasonable (newer than my training cutoff but within expected range)

No Issues Found

  • Secret handling uses proper GitHub Actions syntax
  • HTTP response validation looks correct
  • Dockerfile multi-stage build logic is sound
  • No exposed credentials or obvious security vulnerabilities
2 participants
Reference
brooktrails/directory-pacifier!12