From fa30153c0d4d9e04722ffe00fffda32a8564297c Mon Sep 17 00:00:00 2001
From: latte
Date: Fri, 27 Feb 2026 11:02:48 +0100
Subject: [PATCH] Enhance Docker workflow with gated publish
Expand workflow triggers to push/pull_request on main and dev and to PR reviews. Run lint/test only for non-review events or when a review is approved. Add a docker-test job that smoke-tests the built image. Add a docker-publish job that resolves SHA and stable tags (latest/dev), builds the releasable image, and optionally pushes when PUSH_IMAGE=true. Update docs/deployment.md
---
 .gitea/workflows/docker.yml | 183 +++++++++++++++++++++++-------------
 docs/deployment.md | 2 +-
 2 files changed, 120 insertions(+), 65 deletions(-)
diff --git a/.gitea/workflows/docker.yml b/.gitea/workflows/docker.yml
index 5ad3c4f..9c4f154 100644
--- a/.gitea/workflows/docker.yml
+++ b/.gitea/workflows/docker.yml
@@ -1,74 +1,129 @@
 name: docker
 on:
- push:
- pull_request:
+ push:
+ branches:
+ - main
+ - dev
+ pull_request:
+ branches:
+ - main
+ - dev
+ pull_request_review:
+ types:
+ - submitted
 jobs:
- lint:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- - name: Set up Python
- uses: actions/setup-python@v5
- with:
- python-version: '3.12'
- - name: Install dependencies
- run: |
- python -m pip install --upgrade pip
- pip install -r requirements-dev.txt
- - name: Run lint
- run: |
- ruff check src tests
- ruff format --check src tests
- black --check src tests
- mypy src
+ lint:
+ if: ${{ github.event_name != 'pull_request_review' || github.event.review.state == 'approved' }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.12"
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r requirements-dev.txt
+ - name: Run lint
+ run: |
+ ruff check src tests
+ ruff format --check src tests
+ black --check src tests
+ mypy src
- test:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- - name: Set up Python
- uses: actions/setup-python@v5
- with:
- python-version: '3.12'
- - name: Install dependencies
- run: |
- python -m pip install --upgrade pip
- pip install -r requirements-dev.txt
- - name: Run tests
- run: pytest --cov=aegis_gitea_mcp --cov-report=term-missing --cov-fail-under=80
+ test:
+ if: ${{ github.event_name != 'pull_request_review' || github.event.review.state == 'approved' }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.12"
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r requirements-dev.txt
+ - name: Run tests
+ run: pytest --cov=aegis_gitea_mcp --cov-report=term-missing --cov-fail-under=80
- docker-build:
- runs-on: ubuntu-latest
- needs: [lint, test]
- env:
- IMAGE_NAME: aegis-gitea-mcp
- steps:
- - name: Checkout
- uses: actions/checkout@v4
+ docker-test:
+ if: ${{ github.event_name != 'pull_request_review' || github.event.review.state == 'approved' }}
+ runs-on: ubuntu-latest
+ needs: [lint, test]
+ env:
+ IMAGE_NAME: aegis-gitea-mcp
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
- - name: Build image tagged with commit SHA
- run: |
- SHA_TAG="${GITHUB_SHA:-${CI_COMMIT_SHA:-local}}"
- docker build -f docker/Dockerfile -t ${IMAGE_NAME}:${SHA_TAG} .
+ - name: Build candidate image
+ run: |
+ SHA_TAG="${GITHUB_SHA:-${CI_COMMIT_SHA:-local}}"
+ docker build -f docker/Dockerfile -t ${IMAGE_NAME}:${SHA_TAG} .
- - name: Tag latest on main
- run: |
- REF_NAME="${GITHUB_REF_NAME:-${CI_COMMIT_REF_NAME:-}}"
- SHA_TAG="${GITHUB_SHA:-${CI_COMMIT_SHA:-local}}"
- if [ "${REF_NAME}" = "main" ]; then
- docker tag ${IMAGE_NAME}:${SHA_TAG} ${IMAGE_NAME}:latest
- fi
+ - name: Smoke-test image
+ run: |
+ SHA_TAG="${GITHUB_SHA:-${CI_COMMIT_SHA:-local}}"
+ docker run --rm --entrypoint python ${IMAGE_NAME}:${SHA_TAG} -c "import aegis_gitea_mcp"
- - name: Optional registry push
- if: ${{ vars.PUSH_IMAGE == 'true' }}
- run: |
- SHA_TAG="${GITHUB_SHA:-${CI_COMMIT_SHA:-local}}"
- docker push ${IMAGE_NAME}:${SHA_TAG}
- REF_NAME="${GITHUB_REF_NAME:-${CI_COMMIT_REF_NAME:-}}"
- if [ "${REF_NAME}" = "main" ]; then
- docker push ${IMAGE_NAME}:latest
- fi
+ docker-publish:
+ runs-on: ubuntu-latest
+ needs: [lint, test, docker-test]
+ if: >-
+ (github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'dev')) ||
+ (github.event_name == 'pull_request_review' &&
+ github.event.review.state == 'approved' &&
+ (github.event.pull_request.base.ref == 'main' || github.event.pull_request.base.ref == 'dev'))
+ env:
+ IMAGE_NAME: aegis-gitea-mcp
+ PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
+ PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
+
+ - name: Resolve tags
+ id: tags
+ run: |
+ EVENT_NAME="${GITHUB_EVENT_NAME:-${CI_EVENT_NAME:-}}"
+ REF_NAME="${GITHUB_REF_NAME:-${CI_COMMIT_REF_NAME:-}}"
+ BASE_REF="${PR_BASE_REF:-${GITHUB_BASE_REF:-${CI_BASE_REF:-}}}"
+ SHA_TAG="${GITHUB_SHA:-${CI_COMMIT_SHA:-local}}"
+
+ if [ "${EVENT_NAME}" = "pull_request_review" ]; then
+ TARGET_BRANCH="${BASE_REF}"
+ SHA_TAG="${PR_HEAD_SHA:-$SHA_TAG}"
+ else
+ TARGET_BRANCH="${REF_NAME}"
+ fi
+
+ if [ "${TARGET_BRANCH}" = "main" ]; then
+ STABLE_TAG="latest"
+ elif [ "${TARGET_BRANCH}" = "dev" ]; then
+ STABLE_TAG="dev"
+ else
+ echo "Unsupported target branch '${TARGET_BRANCH}'"
+ exit 1
+ fi
+
+ echo "sha_tag=${SHA_TAG}" >> "${GITHUB_OUTPUT}"
+ echo "stable_tag=${STABLE_TAG}" >> "${GITHUB_OUTPUT}"
+
+ - name: Build releasable image
+ run: |
+ docker build -f docker/Dockerfile -t ${IMAGE_NAME}:${{ steps.tags.outputs.sha_tag }} .
+ docker tag ${IMAGE_NAME}:${{ steps.tags.outputs.sha_tag }} ${IMAGE_NAME}:${{ steps.tags.outputs.stable_tag }}
+
+ - name: Optional registry push
+ if: ${{ vars.PUSH_IMAGE == 'true' }}
+ run: |
+ docker push ${IMAGE_NAME}:${{ steps.tags.outputs.sha_tag }}
+ docker push ${IMAGE_NAME}:${{ steps.tags.outputs.stable_tag }}
diff --git a/docs/deployment.md b/docs/deployment.md
index 22214ca..b1e69c2 100644
--- a/docs/deployment.md
+++ b/docs/deployment.md
@@ -39,7 +39,7 @@ Workflows live in `.gitea/workflows/`:
 - `lint.yml`: ruff + format checks + mypy.
 - `test.yml`: lint + tests + coverage fail-under `80`.
-- `docker.yml`: gated Docker build (depends on lint+test), SHA tag, `latest` on `main`.
+- `docker.yml`: lint + test + docker smoke-test gating; image publish on push to `main`/`dev` and on approved PR review targeting `main`/`dev`; tags include commit SHA plus `latest` (`main`) or `dev` (`dev`).
 ## Production Recommendations
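Review bot: The approval gate on docker-publish (`github.event.review.state == 'approved'` in the job `if:`) treats any submitted approving review as authorization to check out `github.event.pull_request.head.sha` and, with PUSH_IMAGE set, push that unmerged PR head as `latest`/`dev`, so a stable tag can stop tracking the protected branch it is named after, and on a public repository a review from someone without write access may satisfy the condition unless the platform restricts who can approve. Consider reserving the stable tag for `push` events and pushing only the SHA tag on review runs, e.g. in the `Optional registry push` step keep `docker push ${IMAGE_NAME}:${{ steps.tags.outputs.sha_tag }}` and wrap the second push as `if [ "${GITHUB_EVENT_NAME}" = "push" ]; then docker push ${IMAGE_NAME}:${{ steps.tags.outputs.stable_tag }}; fi`; if approved-PR publishing is really wanted, also require the reviewer's association (GitHub exposes `github.event.review.author_association`; confirm what the Gitea payload provides). The push step still performs no registry login and `IMAGE_NAME` carries no registry host, so `docker push` presumably targets the default registry unauthenticated — that predates this change but is now reachable from more events. The identical `if:` expression is repeated verbatim on lint, test and docker-test; a short comment above the first, `# Skip review events other than an approval; docker-publish re-checks the event itself`, would make the gating intent clear to the next maintainer.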