fix: harden CI cargo downloads

Codex
2026-06-11 09:54:46 +00:00
parent 06f0c43867
commit f4d2b72405
4 changed files with 68 additions and 1 deletions
+37
@@ -0,0 +1,37 @@
import { readFileSync } from "node:fs";
function assertCondition(condition: unknown, message: string, detail: unknown = {}): void {
if (!condition) throw new Error(`${message}: ${JSON.stringify(detail)}`);
}
const dockerfile = readFileSync("src/components/backend-core/Dockerfile", "utf8");
const d601Pipeline = readFileSync("src/components/microservices/k3sctl-adapter/k3s/ci/unidesk-ci.pipeline.yaml", "utf8");
const g14Pipeline = readFileSync("src/components/microservices/k3sctl-adapter/k3s/ci/unidesk-ci.pipeline.g14.yaml", "utf8");
for (const name of [
"CARGO_HTTP_TIMEOUT",
"CARGO_HTTP_LOW_SPEED_LIMIT",
"CARGO_NET_RETRY",
"CARGO_HTTP_MULTIPLEXING",
"CARGO_REGISTRIES_CRATES_IO_PROTOCOL",
]) {
assertCondition(dockerfile.includes(`ARG ${name}=`), `backend-core Dockerfile must accept ${name}`, { name });
assertCondition(dockerfile.includes(`${name}=${`$\{${name}\}`}`), `backend-core Dockerfile must export ${name}`, { name });
assertCondition(d601Pipeline.includes(`--build-arg ${name}=`), `D601 CI pipeline must pass ${name}`, { name });
assertCondition(g14Pipeline.includes(`--build-arg ${name}=`), `G14 CI pipeline must pass ${name}`, { name });
}
assertCondition(
dockerfile.includes("CARGO_HTTP_LOW_SPEED_LIMIT=1") && dockerfile.includes("CARGO_HTTP_TIMEOUT=180"),
"backend-core Dockerfile must raise Cargo low-speed tolerance for proxied CI builds",
dockerfile,
);
console.log(JSON.stringify({
ok: true,
checks: [
"backend-core Dockerfile accepts Cargo HTTP/retry build args",
"D601/G14 CI pipelines pass Cargo HTTP/retry build args",
"backend-core CI build tolerates slow proxied crates.io downloads",
],
}));
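Review bot: The two pipeline assertions in the loop only call `includes` on the `--build-arg NAME=` prefix, so one occurrence anywhere in the file satisfies them, yet each pipeline in this commit changes two separate build invocations (the hunks at 448 and 716). Dropping the flags from one of them would still pass; counting occurrences, e.g. `d601Pipeline.split("--build-arg " + name + "=").length - 1 >= 2` (if two is the intended count), would pin both. The final assertion is loose in the same way: `includes("CARGO_HTTP_TIMEOUT=180")` also matches `1800`, and it pins only the Dockerfile defaults, while the value that takes effect in CI is whatever the pipelines pass. Passing the whole `dockerfile` string as `detail` also dumps the entire file into the error message; `{ file: "src/components/backend-core/Dockerfile" }` would be enough.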
+11 -1
@@ -2,7 +2,17 @@
FROM rust:1-bookworm AS build
WORKDIR /app/src/components/backend-core
ARG CARGO_BUILD_JOBS=1
ENV CARGO_BUILD_JOBS=${CARGO_BUILD_JOBS}
ARG CARGO_HTTP_TIMEOUT=180
ARG CARGO_HTTP_LOW_SPEED_LIMIT=1
ARG CARGO_NET_RETRY=5
ARG CARGO_HTTP_MULTIPLEXING=false
ARG CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse
ENV CARGO_BUILD_JOBS=${CARGO_BUILD_JOBS} \
CARGO_HTTP_TIMEOUT=${CARGO_HTTP_TIMEOUT} \
CARGO_HTTP_LOW_SPEED_LIMIT=${CARGO_HTTP_LOW_SPEED_LIMIT} \
CARGO_NET_RETRY=${CARGO_NET_RETRY} \
CARGO_HTTP_MULTIPLEXING=${CARGO_HTTP_MULTIPLEXING} \
CARGO_REGISTRIES_CRATES_IO_PROTOCOL=${CARGO_REGISTRIES_CRATES_IO_PROTOCOL}
COPY src/components/backend-core/Cargo.toml ./Cargo.toml
COPY src/components/backend-core/Cargo.lock ./Cargo.lock
RUN mkdir -p src \
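Review bot: The new ARG/ENV block carries no comment on what these values trade off. `CARGO_HTTP_LOW_SPEED_LIMIT=1` with `CARGO_HTTP_TIMEOUT=180` makes Cargo abort only a transfer that is almost fully stalled, and with `CARGO_NET_RETRY=5` a dead proxy can hold each fetch for several minutes before the build fails. A line such as `# Tolerate slow proxied crates.io downloads: abort only below 1 B/s sustained for 180 s, retry up to 5 times` above the ARGs would record the intent. Despite the commit title, these settings change availability only and do not strengthen download integrity, which still rests on the Cargo.lock checksums. The RUN step that invokes cargo starts on the last line of this hunk and continues outside it, so whether it passes `--locked` cannot be seen here.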
@@ -448,6 +448,11 @@ spec:
--build-arg HTTPS_PROXY=http://127.0.0.1:18789 \
--build-arg ALL_PROXY=http://127.0.0.1:18789 \
--build-arg NO_PROXY=localhost,127.0.0.1,::1,host.docker.internal,registry.npmjs.org,.registry.npmjs.org \
--build-arg CARGO_HTTP_TIMEOUT=180 \
--build-arg CARGO_HTTP_LOW_SPEED_LIMIT=1 \
--build-arg CARGO_NET_RETRY=5 \
--build-arg CARGO_HTTP_MULTIPLEXING=false \
--build-arg CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse \
--label "unidesk.ai/service-id=backend-core" \
--label "unidesk.ai/source-repo=$(params.repo-url)" \
--label "unidesk.ai/source-commit=$commit" \
@@ -716,6 +721,11 @@ spec:
--build-arg HTTPS_PROXY=http://127.0.0.1:18789 \
--build-arg ALL_PROXY=http://127.0.0.1:18789 \
--build-arg NO_PROXY=localhost,127.0.0.1,::1,host.docker.internal,registry.npmjs.org,.registry.npmjs.org \
--build-arg CARGO_HTTP_TIMEOUT=180 \
--build-arg CARGO_HTTP_LOW_SPEED_LIMIT=1 \
--build-arg CARGO_NET_RETRY=5 \
--build-arg CARGO_HTTP_MULTIPLEXING=false \
--build-arg CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse \
--label "unidesk.ai/service-id=$service_id" \
--label "unidesk.ai/source-repo=$(params.repo-url)" \
--label "unidesk.ai/source-commit=$commit" \
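Review bot: The hunk at 716 labels the image with `$service_id`, so it looks like a generic per-service build, and the five Cargo build args would then go to every service's Dockerfile, not only backend-core's. Docker ignores a build arg that has no matching `ARG`, usually with a warning, so this is probably harmless but worth confirming for the non-Rust services. The same literal values now appear in both invocations here, in both invocations of the second pipeline file below, and as the Dockerfile `ARG` defaults, which invites drift. Defining them once (a pipeline param or one shell variable expanded in each `docker build`) would keep the five copies in step. The enclosing script step starts and ends outside both hunks.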
@@ -448,6 +448,11 @@ spec:
--build-arg HTTPS_PROXY=http://127.0.0.1:18789 \
--build-arg ALL_PROXY=http://127.0.0.1:18789 \
--build-arg NO_PROXY=localhost,127.0.0.1,::1,host.docker.internal,registry.npmjs.org,.registry.npmjs.org \
--build-arg CARGO_HTTP_TIMEOUT=180 \
--build-arg CARGO_HTTP_LOW_SPEED_LIMIT=1 \
--build-arg CARGO_NET_RETRY=5 \
--build-arg CARGO_HTTP_MULTIPLEXING=false \
--build-arg CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse \
--label "unidesk.ai/service-id=backend-core" \
--label "unidesk.ai/source-repo=$(params.repo-url)" \
--label "unidesk.ai/source-commit=$commit" \
@@ -716,6 +721,11 @@ spec:
--build-arg HTTPS_PROXY=http://127.0.0.1:18789 \
--build-arg ALL_PROXY=http://127.0.0.1:18789 \
--build-arg NO_PROXY=localhost,127.0.0.1,::1,host.docker.internal,registry.npmjs.org,.registry.npmjs.org \
--build-arg CARGO_HTTP_TIMEOUT=180 \
--build-arg CARGO_HTTP_LOW_SPEED_LIMIT=1 \
--build-arg CARGO_NET_RETRY=5 \
--build-arg CARGO_HTTP_MULTIPLEXING=false \
--build-arg CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse \
--label "unidesk.ai/service-id=$service_id" \
--label "unidesk.ai/source-repo=$(params.repo-url)" \
--label "unidesk.ai/source-commit=$commit" \