Files
pikasTech-unidesk/docs/reference/cicd-standardization.md
T
2026-05-20 00:27:51 +00:00

6.5 KiB

CI/CD Standardization Precheck

This document classifies CI/CD paths while UniDesk converges on image-artifact delivery. It is a precheck and guardrail document, not a mass-deletion plan.

Target Shape

The standard release shape is:

  1. CI builds or locks the artifact from a pushed commit or verified upstream digest.
  2. The artifact is published to the D601 artifact registry or a controlled mirror.
  3. Dev validation consumes that same artifact.
  4. Production CD is pull-only and verifies live commit or upstream digest.
  5. Runtime metadata can be traced back to a live Git commit or upstream image digest.

backend-core and D601 code-queue may be validated only in dev in this phase. This document must not be used to introduce production deploy validation for either service.

Upstream Image Consumers

filebrowser and filebrowser-d601 are upstream-image consumers, not source-built UniDesk services.

Service Upstream image Source revision Catalog home CI Dockerfile build Digest / mirror strategy CD validation
filebrowser docker.io/filebrowser/filebrowser:v2.63.3 ca5e249e3c0c94159c2136a0cd431a424eb18472 CI.json.upstreamImageConsumers[] and config.json.microservices[].repository.artifactSource forbidden resolve tag to docker.io/filebrowser/filebrowser@sha256:<manifest-digest>, then optionally mirror to 127.0.0.1:5000/upstream/filebrowser/filebrowser@sha256:<manifest-digest> pull by digest or mirror digest, verify OCI labels, container image id/digest, and private proxy health
filebrowser-d601 docker.io/filebrowser/filebrowser:v2.63.3 ca5e249e3c0c94159c2136a0cd431a424eb18472 CI.json.upstreamImageConsumers[] and config.json.microservices[].repository.artifactSource forbidden same as filebrowser same as filebrowser

The current precheck could inspect the locally cached image labels and image id, but Docker Hub and registry HTTP requests timed out from this container. Therefore the catalog records digestPin.status=pending-network-verification; rollout must remain blocked until a reachable registry path resolves the manifest digest and records the mirror digest. The locally cached image shows org.opencontainers.image.version=2.63.3, org.opencontainers.image.revision=ca5e249e3c0c94159c2136a0cd431a424eb18472, linux/amd64, and image id sha256:6a4d051140ef9313ad87b443f55ccb1cd6331e7463b4becbec2174b494ea533c, but a local image id is not a registry digest pin.

Legacy Path Classification

Path Classification Current guardrail Cleanup condition
deploy apply --env prod for services without a reviewed artifact consumer Must stay disabled/degraded returns structured unsupported and refuses maintenance-channel fallback enable only after each service has a documented artifact producer, dev consumer, prod consumer and live verification
Local-manifest deploy apply for prod artifact consumers (backend-core, frontend, baidu-netdisk, decision-center) Must stay disabled/degraded as a standard prod path blocked before source build; operator is pointed to deploy apply --env prod remove only after all production deploys use env-ref artifact consumers and no recovery runbook depends on local manifests
artifact-registry deploy-backend-core Legacy compatibility entry returns structured deprecated result; replacement is deploy apply --env prod --service backend-core remove after callers and docs use only deploy apply --env prod
server rebuild frontend and server rebuild baidu-netdisk Maintenance / non-standard docs classify as maintenance-only; standard release requires CI artifact plus dev/prod artifact consumer keep until recovery runbooks have equivalent pull-only repair commands
server rebuild backend-core Diagnostic/recovery only; not Rust iteration or prod CD docs forbid Rust iteration and prod backend-core artifact CD through this command keep for bootstrap/recovery until backend-core artifact CD and rollback are proven under outage conditions
server rebuild dev-frontend-proxy, code-queue-mgr, project-manager, oa-event-flow, todo-note, provider-gateway on main-server Compose Bootstrap / recovery / diagnostic still serialized through Compose lock and post-up validation reassess service by service after artifact consumers exist
provider.upgrade mode=schedule for provider-gateway Must be retained protected upgrade path with validation; Host SSH self-rebuild remains forbidden do not delete; it is the provider-gateway recovery path
D601 direct docker build, kubectl apply, docker compose up --build used by deploy executor for allowed dev/backend bootstrap and native k3s setup Bootstrap / recovery / controlled dev limited to allowed target-side executor, native k3s initialization, and dev backend-core; Code Queue prod is not enabled convert only after artifact consumers or native bootstrap replacements exist
D601 direct Code Queue / old codex deploy Must stay disabled/degraded compatibility command throws; docs classify direct deployment as forbidden wait for controlled Code Queue dev/prod CD worker
File Browser docker run image-only path Needs later worker now cataloged as upstream-image consumer; no CI Dockerfile build allowed implement digest-resolved pull-only/mirror CD before treating it as standard deployment

Guardrails Added

  • Upstream-image services are represented in CI.json.upstreamImageConsumers[] and in config.json.microservices[].repository.artifactSource; they are explicitly outside CI.json.artifacts[].
  • ci publish-user-service rejects registered upstream-image services instead of trying to interpret repository.dockerfile as a source Dockerfile.
  • Local-manifest production deploy for reviewed artifact consumers is blocked before source materialization/build, so prod cannot silently fall back to target-side source build or a dirty worktree.
  • artifact-registry deploy-backend-core is demoted to a structured deprecated result; backend-core production CD must enter through deploy apply --env prod.

Not Removed Yet

Bootstrap and repair paths remain because they still protect recovery: native k3s initialization, provider-gateway protected upgrade, k3sctl-adapter control bridge repair, main-server Compose maintenance rebuilds, and File Browser docker-run operations. These paths must be replaced by reviewed artifact consumers or explicit recovery runbooks before deletion.