docker/runtime-loader/entrypoint.sh

#!/bin/sh
# cameleer-runtime-loader: fetches one JAR from a signed URL into the shared
# /app/jars/ volume, verifies size, exits. Runs in the same hardened sandbox as
# the main container (cap_drop ALL, read-only rootfs, etc.) — only /app/jars/
# is writeable.
set -eu

: "${ARTIFACT_URL:?ARTIFACT_URL is required}"
: "${ARTIFACT_EXPECTED_SIZE:?ARTIFACT_EXPECTED_SIZE is required}"

OUT=/app/jars/app.jar
mkdir -p /app/jars

echo "loader: fetching artifact (expected $ARTIFACT_EXPECTED_SIZE bytes)"
# -q quiet, -O output, --tries=3 retry transient network blips,
# --timeout=30 cap stalls. wget exits non-zero on HTTP >=400.
wget -q --tries=3 --timeout=30 -O "$OUT" "$ARTIFACT_URL"

actual=$(wc -c < "$OUT")
if [ "$actual" -ne "$ARTIFACT_EXPECTED_SIZE" ]; then
    echo "loader: size mismatch — expected $ARTIFACT_EXPECTED_SIZE, got $actual" >&2
    exit 2
fi

echo "loader: artifact written to $OUT ($actual bytes)"
feat(ci): build and push cameleer-runtime-loader image Move the init-container loader image build from cameleer-server CI into this repo so all sidecar/infra image builds (runtime-base, postgres, clickhouse, traefik, logto, and now runtime-loader) live in one place. The loader is consumed by cameleer-server's DockerRuntimeOrchestrator as a per-replica init container that fetches the tenant JAR from a signed URL into a named volume before the main container starts. Source + Dockerfile copied verbatim from cameleer-server@c2efb7fb (the image with the volume-permission fix). The published tag path is unchanged (gitea.siegeln.net/cameleer/cameleer-runtime-loader:latest), so running tenant servers continue pulling the same image. Build step matches the runtime-base/postgres/clickhouse/traefik pattern (unconditional rebuild on every push, sha + branch tags, --provenance=false for Gitea). cameleer-server will follow up with a commit removing its loader-build step and switching its LoaderHardeningIT to pull the published image instead of building from a local Dockerfile. 2026-04-28 13:00:23 +02:00			`#!/bin/sh`
			`# cameleer-runtime-loader: fetches one JAR from a signed URL into the shared`
			`# /app/jars/ volume, verifies size, exits. Runs in the same hardened sandbox as`
			`# the main container (cap_drop ALL, read-only rootfs, etc.) — only /app/jars/`
			`# is writeable.`
			`set -eu`

			`: "${ARTIFACT_URL:?ARTIFACT_URL is required}"`
			`: "${ARTIFACT_EXPECTED_SIZE:?ARTIFACT_EXPECTED_SIZE is required}"`

			`OUT=/app/jars/app.jar`
			`mkdir -p /app/jars`

			`echo "loader: fetching artifact (expected $ARTIFACT_EXPECTED_SIZE bytes)"`
			`# -q quiet, -O output, --tries=3 retry transient network blips,`
			`# --timeout=30 cap stalls. wget exits non-zero on HTTP >=400.`
			`wget -q --tries=3 --timeout=30 -O "$OUT" "$ARTIFACT_URL"`

			`actual=$(wc -c < "$OUT")`
			`if [ "$actual" -ne "$ARTIFACT_EXPECTED_SIZE" ]; then`
			`echo "loader: size mismatch — expected $ARTIFACT_EXPECTED_SIZE, got $actual" >&2`
			`exit 2`
			`fi`

			`echo "loader: artifact written to $OUT ($actual bytes)"`