draft: add image build, push, and promotion workflows#17
Draft
josh-tracey wants to merge 22 commits into
Draft
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Adds a safe, non-mutating stage for planning image pushes. Introduces the ImagePushPlan model and wiring in the WorkflowPlanner. Verifies safe step configurations for profiles.
Replace the intermediate ImagePushPlan/ImagePushPlanReport indirection with a flat ImagePushPlanReport that owns environment, mutates_registry, and a vec of ImagePushPlanItem (with action, image_ref fields). - Rename WorkflowPlan.push_plan to image_push_plan (ImagePushPlanReport) - Compute ImagePushPlanReport during planning, attach to WorkflowPlan - Write image_push_plan into JSON report via write_workflow_report - Add render_image_push_plan_text for CLI output - Add ImageArtifact::from_push_plan_item helper - Fix tests: set profile.name manually (field is #[serde(skip)]) - Use tempdir in runner report test to avoid project-dir side effects
…tion This commit implements the first registry-mutating workflow, `ci-build-push`, proving that Sailr can safely build, push, and capture immutable image artifacts in a CI pipeline. Key changes: - **Profiles**: Added `ci-build-push` profile to `sailr.workflow.toml` and `default_config.toml` configured with `push=run` and `apply=true`. - **Registry Configs**: Refactored `Environment.registry` to parse either a string or a detailed `RegistryConfig`, enabling dynamic namespace configuration instead of relying on hardcoded defaults. - **Push Execution**: Generated `ServicePush` and `ImageReport` tasks in `planner.rs` to orchestrate `docker push`. - **Digest Capture**: Implemented `parse_pushed_digest` for safe, regex-free substring scanning to capture immutable image digests from Docker output. - **Workflow Accumulator**: Introduced the Sailr-owned `WorkflowReportAccumulator` to securely collect pushed `ImageArtifact` records at runtime and plumb them back into the final JSON execution report without polluting `runkernel`. - **Safety Gates**: Enforced strict safety validations in `runner.rs`, mandating `--apply` and `approval=external` to execute `push=run`. - **Workflows**: Added a manual `.github/workflows/image-push.yml` GitHub action to test the pipeline. Implements Stage 3 of PR #17.
- Splitting format, lint, and test into parallel jobs - Fixing formatting in src/ - Fixing test panics for planner.rs
… and handle docker tag correctly
…hen normalizing a mutating build profile
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Stage 1: image artifact model
Status: complete
Includes:
ImageArtifactStage 2:
ci-build-push-planStatus: complete
Includes:
pushworkflow stepci-build-push-planworkflow:push-planWorkflowPlan.image_push_planStage 3:
ci-build-pushStatus: complete
Includes:
ci-build-pushprofile.ImageArtifactreports.push=runplan/graph/explain support.Stage 4: promotion plan
Status: next
Goals:
ImageArtifact.Remaining hardening:
push=runplan/graph/explain.Known limitation:
Image push is limited to a fixture service in this stage. Promotion, production deploy, signing, SBOMs, provenance, and multi-arch builds remain out of scope.