Merge pull request #11 from internetarchive/build-ci-build-cd

traceypooh · web-flow · commit 922952433841 · 2025-09-29T16:10:46.000-07:00
feature: build 2 docker images, one for CI, one for CD (opt-in by repo)
diff --git a/README.md b/README.md
@@ -56,6 +56,7 @@ _**Note:** For urls like https://archive.org/services/project -- watch out for r
 ### Customizing
 There are various options that can be used in conjunction with the `project.nomad` and `.gitlab-ci.yml` files, keys:
 ```text
+NOMAD_VAR_BUILD_DEPLOY
 NOMAD_VAR_CHECK_PATH
 NOMAD_VAR_CHECK_PROTOCOL
 NOMAD_VAR_CHECK_TIMEOUT
@@ -81,12 +82,21 @@ NOMAD_VAR_VOLUMES
 - You can simply insert them, with values, in your project's `.gitlab-ci.yml` file before including _our_ [ci.yml](ci.yml) like above.
 - Examples 👇
 #### Don't actually deploy containers to nomad
-Perhaps your project just wants to leverage the CI (Continuous Integration) for [buil] and/or [test] steps - but not CD (Continuous Deployment).  An example might be a back-end container that runs elsewhere and doesn't have web listener.
+Perhaps your project just wants to leverage the CI (Continuous Integration) for [build] and/or [test] steps - but not CD (Continuous Deployment).  An example might be a back-end container that runs elsewhere and doesn't have web listener.
 ```yaml
 variables:
   NOMAD_VAR_NO_DEPLOY: 'true'
 ```
 
+#### Build one docker image for CI and one docker image for CD
+If your project might want to build & use a larger docker image for the CI (Continuous Integration)
+and a smaller docker image for CD (Continuous Deploy), you can set this variable to an alternate
+Dockerfile location in your repo, relative to the top dir.
+```yaml
+variables:
+  NOMAD_VAR_BUILD_DEPLOY: 'Dockerfile.deploy'
+```
+
 #### Custom default RAM expectations from (default) 300 MB to 1 GB
 This value is the _expected_ value for your container's average running needs/usage, helpful for `nomad` scheduling purposes.  It is a "soft limit" and we use *ten times* this amount to be the amount used for a "hard limit".  If your allocated container exceeds the hard limit, the container may be restarted by `nomad` if there is memory pressure on the Virtual Machine the container is running on.
 ```yaml
@@ -216,6 +226,16 @@ variables:
   NOMAD_VAR_NAMESPACE: 'team-titan'
 ```
 
+#### Only `docker tag` to `:latest` after all CI passes
+This is useful for repos that are setting up "serverless" docker images (typically don't do CD),
+and the `:latest` tag could get re-pulled anytime after that tag is pushed to the registry.
+The normal commit hash related tag will still get tagged & pushed, during [build], for CI tests.
+The `:latest` tag will get tagged & pushed *after* all CI tests have succeeded.
+```yaml
+variables:
+  NOMAD_VAR_SERVERLESS: 'true'
+```
+
 
 
 #### More customizations
diff --git a/build.sh b/build.sh
@@ -29,10 +29,24 @@ gl_write_auto_build_variables_file() {
   echo "CI_APPLICATION_TAG=$CI_APPLICATION_TAG@$(podman --remote image inspect --format='{{ index (split (index .RepoDigests 0) "@") 1 }}' "$image_tagged")" > gl-auto-build-variables.env
 }
 
+PUSH_LATEST=true
+if [ "$NOMAD_VAR_SERVERLESS" != "" ]; then
+  PUSH_LATEST=
+fi
+
+if [ "$NOMAD_VAR_BUILD_DEPLOY" ]; then
+  PUSH_LATEST=
+  export CI_REGISTRY_TAG=${CI_COMMIT_SHA}-deploy
+  export DOCKERFILE_PATH=$NOMAD_VAR_BUILD_DEPLOY
+fi
+
+if [[ -z "$CI_REGISTRY_TAG" ]]; then
+  export CI_REGISTRY_TAG=$CI_COMMIT_SHA
+fi
 
 if [[ -z "$CI_COMMIT_TAG" ]]; then
   export CI_APPLICATION_REPOSITORY=${CI_APPLICATION_REPOSITORY:-$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG}
-  export CI_APPLICATION_TAG=${CI_APPLICATION_TAG:-$CI_COMMIT_SHA}
+  export CI_APPLICATION_TAG=${CI_APPLICATION_TAG:-$CI_REGISTRY_TAG}
 else
   export CI_APPLICATION_REPOSITORY=${CI_APPLICATION_REPOSITORY:-$CI_REGISTRY_IMAGE}
   export CI_APPLICATION_TAG=${CI_APPLICATION_TAG:-$CI_COMMIT_TAG}
@@ -57,7 +71,7 @@ build_args=(
   --tag "$image_tagged"
 )
 
-if [ "$NOMAD_VAR_SERVERLESS" = "" ]; then
+if [ $PUSH_LATEST ]; then
   build_args+=(--tag "$image_latest")
 fi
 
@@ -83,7 +97,7 @@ fi
   set -x
   podman --remote push "$image_tagged"
 )
-if [ "$NOMAD_VAR_SERVERLESS" = "" ]; then
+if [ $PUSH_LATEST ]; then
   (
     set -x
     podman --remote push "$image_latest"
diff --git a/ci.yml b/ci.yml
@@ -13,7 +13,7 @@
 # to whatever your Nomad cluster was setup to.
 
 
-# NOTE: changes to *this* repo, will fire of GitHub Actions here:
+# NOTE: changes to *this* repo, will fire off GitHub Actions here:
 #   https://github.com/internetarchive/nomad/blob/main/.github/workflows/cicd.yml
 # which will re/make this container image:
 image: ghcr.io/internetarchive/nomad:main
@@ -29,12 +29,9 @@ build:
   # This was adapted & simplified from:
   # https://gitlab.com/gitlab-org/gitlab/-/raw/master/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml
   stage: build
-  variables:
-    DOCKER_HOST: 'unix:///run/podman/podman.sock'
-    DOCKER_TLS_CERTDIR: ''
-    DOCKER_BUILDKIT: 1
   script:
     # https://github.com/internetarchive/nomad/blob/main/build.sh
+    - export NOMAD_VAR_BUILD_DEPLOY=""
     - /build.sh
   artifacts:
     reports:
@@ -44,6 +41,16 @@ build:
       when: never
     - if: '$CI_COMMIT_TAG || $CI_COMMIT_BRANCH'
 
+build_deploy:
+  stage: build
+  script:
+    # https://github.com/internetarchive/nomad/blob/main/build.sh
+    - /build.sh
+  rules:
+    - if: '$BUILD_DISABLED'
+      when: never
+    - if: '$NOMAD_VAR_BUILD_DEPLOY && $CI_COMMIT_BRANCH'
+
 deploy:
   stage: deploy
   script:
diff --git a/deploy.sh b/deploy.sh
@@ -22,8 +22,16 @@ function main() {
     PRIVATE_REPO=${PRIVATE_REPO:-""}
     NOMAD_VAR_DEPLOY_WITH_PODMAN=${NOMAD_VAR_DEPLOY_WITH_PODMAN:-""}
     NOMAD_VAR_LEGACY_SERVICE_NAMES_URLPREFIX=${NOMAD_VAR_LEGACY_SERVICE_NAMES_URLPREFIX:-""}
+    CI_REGISTRY_TAG=${CI_REGISTRY_TAG:-""}
+    CI_COMMIT_SHA=${CI_COMMIT_SHA:-""}
+    NOMAD_VAR_BUILD_DEPLOY=${NOMAD_VAR_BUILD_DEPLOY:-""}
   fi
 
+  if [ "$NOMAD_VAR_BUILD_DEPLOY" ]; then
+    CI_REGISTRY_TAG=${CI_COMMIT_SHA}-deploy
+  else
+    CI_REGISTRY_TAG=$CI_COMMIT_SHA
+  fi
 
   # IF someone set this programmatically in their project yml `before_script:` tag, etc., exit
   if [ "$NOMAD_VAR_NO_DEPLOY" ]; then exit 0; fi
@@ -260,6 +268,7 @@ EOF
   export NOMAD_VAR_CI_PROJECT_PATH_SLUG="$CI_PROJECT_PATH_SLUG"
   export NOMAD_VAR_CI_REGISTRY="$CI_REGISTRY"
   export NOMAD_VAR_CI_REGISTRY_IMAGE="$CI_REGISTRY_IMAGE"
+  export NOMAD_VAR_CI_REGISTRY_TAG="$CI_REGISTRY_TAG"
   export NOMAD_VAR_CI_REGISTRY_PASSWORD="$CI_REGISTRY_PASSWORD"
   export NOMAD_VAR_CI_REGISTRY_READ_TOKEN="$CI_REGISTRY_READ_TOKEN"
   export NOMAD_VAR_CI_REGISTRY_USER="$CI_REGISTRY_USER"
diff --git a/project.nomad b/project.nomad
@@ -7,9 +7,10 @@ variables {
   #   what's needed for these first 7-8 vars.
   # GitLab:
   #   these all pass through from  [deploy] phase.
-  #   all 7-8 of these first vars get replaced during normal GitLab CI/CD from CI/CD variables.
+  #   all 8-9 of these first vars get replaced during normal GitLab CI/CD from CI/CD variables.
   CI_REGISTRY = "ghcr.io"                              # registry hostname
   CI_REGISTRY_IMAGE = "ghcr.io/internetarchive"        # registry image location
+  CI_REGISTRY_TAG = "main"                             # GH: branch name; GL: commit sha
   CI_COMMIT_REF_SLUG = "hello-js"                      # GH: repo name; GL: branch name. slugged
   CI_COMMIT_SHA = "main"                               # GH: branch name; GL: commit sha
   CI_PROJECT_PATH_SLUG = "internetarchive-hello-js"    # repo and group it is part of, slugged
@@ -149,7 +150,7 @@ locals {
   ports_all = merge(local.ports_main, local.ports_extra_https, local.ports_extra_tcp, {})
 
   # Use CI_GITHUB_IMAGE if set, otherwise use GitLab vars interpolated string
-  docker_image = var.CI_GITHUB_IMAGE != "" ? var.CI_GITHUB_IMAGE : "${var.CI_REGISTRY_IMAGE}/${var.CI_COMMIT_REF_SLUG}:${var.CI_COMMIT_SHA}"
+  docker_image = var.CI_GITHUB_IMAGE != "" ? var.CI_GITHUB_IMAGE : "${var.CI_REGISTRY_IMAGE}/${var.CI_COMMIT_REF_SLUG}:${var.CI_REGISTRY_TAG}"
   # "
 
   # GitLab docker login user/pass timeout rather quickly.  If admin set CI_REGISTRY_READ_TOKEN key
