6.5 KiB
CI/CD Standardization Precheck
This document classifies CI/CD paths while UniDesk converges on image-artifact delivery. It is a precheck and guardrail document, not a mass-deletion plan.
Target Shape
The standard release shape is:
- CI builds or locks the artifact from a pushed commit or verified upstream digest.
- The artifact is published to the D601 artifact registry or a controlled mirror.
- Dev validation consumes that same artifact.
- Production CD is pull-only and verifies live commit or upstream digest.
- Runtime metadata can be traced back to a live Git commit or upstream image digest.
backend-core and D601 code-queue may be validated only in dev in this phase. This document must not be used to introduce production deploy validation for either service.
Upstream Image Consumers
filebrowser and filebrowser-d601 are upstream-image consumers, not source-built UniDesk services.
| Service | Upstream image | Source revision | Catalog home | CI Dockerfile build | Digest / mirror strategy | CD validation |
|---|---|---|---|---|---|---|
filebrowser |
docker.io/filebrowser/filebrowser:v2.63.3 |
ca5e249e3c0c94159c2136a0cd431a424eb18472 |
CI.json.upstreamImageConsumers[] and config.json.microservices[].repository.artifactSource |
forbidden | resolve tag to docker.io/filebrowser/filebrowser@sha256:<manifest-digest>, then optionally mirror to 127.0.0.1:5000/upstream/filebrowser/filebrowser@sha256:<manifest-digest> |
pull by digest or mirror digest, verify OCI labels, container image id/digest, and private proxy health |
filebrowser-d601 |
docker.io/filebrowser/filebrowser:v2.63.3 |
ca5e249e3c0c94159c2136a0cd431a424eb18472 |
CI.json.upstreamImageConsumers[] and config.json.microservices[].repository.artifactSource |
forbidden | same as filebrowser |
same as filebrowser |
The current precheck could inspect the locally cached image labels and image id, but Docker Hub and registry HTTP requests timed out from this container. Therefore the catalog records digestPin.status=pending-network-verification; rollout must remain blocked until a reachable registry path resolves the manifest digest and records the mirror digest. The locally cached image shows org.opencontainers.image.version=2.63.3, org.opencontainers.image.revision=ca5e249e3c0c94159c2136a0cd431a424eb18472, linux/amd64, and image id sha256:6a4d051140ef9313ad87b443f55ccb1cd6331e7463b4becbec2174b494ea533c, but a local image id is not a registry digest pin.
Legacy Path Classification
| Path | Classification | Current guardrail | Cleanup condition |
|---|---|---|---|
deploy apply --env prod for services without a reviewed artifact consumer |
Must stay disabled/degraded | returns structured unsupported and refuses maintenance-channel fallback | enable only after each service has a documented artifact producer, dev consumer, prod consumer and live verification |
Local-manifest deploy apply for prod artifact consumers (backend-core, frontend, baidu-netdisk, decision-center) |
Must stay disabled/degraded as a standard prod path | blocked before source build; operator is pointed to deploy apply --env prod |
remove only after all production deploys use env-ref artifact consumers and no recovery runbook depends on local manifests |
artifact-registry deploy-backend-core |
Legacy compatibility entry | returns structured deprecated result; replacement is deploy apply --env prod --service backend-core |
remove after callers and docs use only deploy apply --env prod |
server rebuild frontend and server rebuild baidu-netdisk |
Maintenance / non-standard | docs classify as maintenance-only; standard release requires CI artifact plus dev/prod artifact consumer | keep until recovery runbooks have equivalent pull-only repair commands |
server rebuild backend-core |
Diagnostic/recovery only; not Rust iteration or prod CD | docs forbid Rust iteration and prod backend-core artifact CD through this command | keep for bootstrap/recovery until backend-core artifact CD and rollback are proven under outage conditions |
server rebuild dev-frontend-proxy, code-queue-mgr, project-manager, oa-event-flow, todo-note, provider-gateway on main-server Compose |
Bootstrap / recovery / diagnostic | still serialized through Compose lock and post-up validation | reassess service by service after artifact consumers exist |
provider.upgrade mode=schedule for provider-gateway |
Must be retained | protected upgrade path with validation; Host SSH self-rebuild remains forbidden | do not delete; it is the provider-gateway recovery path |
D601 direct docker build, kubectl apply, docker compose up --build used by deploy executor for allowed dev/backend bootstrap and native k3s setup |
Bootstrap / recovery / controlled dev | limited to allowed target-side executor, native k3s initialization, and dev backend-core; Code Queue prod is not enabled | convert only after artifact consumers or native bootstrap replacements exist |
D601 direct Code Queue / old codex deploy |
Must stay disabled/degraded | compatibility command throws; docs classify direct deployment as forbidden | wait for controlled Code Queue dev/prod CD worker |
File Browser docker run image-only path |
Needs later worker | now cataloged as upstream-image consumer; no CI Dockerfile build allowed | implement digest-resolved pull-only/mirror CD before treating it as standard deployment |
Guardrails Added
- Upstream-image services are represented in
CI.json.upstreamImageConsumers[]and inconfig.json.microservices[].repository.artifactSource; they are explicitly outsideCI.json.artifacts[]. ci publish-user-servicerejects registeredupstream-imageservices instead of trying to interpretrepository.dockerfileas a source Dockerfile.- Local-manifest production deploy for reviewed artifact consumers is blocked before source materialization/build, so prod cannot silently fall back to target-side source build or a dirty worktree.
artifact-registry deploy-backend-coreis demoted to a structured deprecated result; backend-core production CD must enter throughdeploy apply --env prod.
Not Removed Yet
Bootstrap and repair paths remain because they still protect recovery: native k3s initialization, provider-gateway protected upgrade, k3sctl-adapter control bridge repair, main-server Compose maintenance rebuilds, and File Browser docker-run operations. These paths must be replaced by reviewed artifact consumers or explicit recovery runbooks before deletion.