chore: hand cameleer-runtime-loader image build to cameleer-saas

The loader is infra glue (per-replica init container that fetches the tenant JAR from a signed URL) — same shape as runtime-base, postgres, clickhouse, traefik, logto images already living in cameleer-saas. Move the source + CI build there so all sidecar/infra image builds are in one place; cameleer-server's CI is back to building only what it owns (server, server-ui). Coordination: cameleer-saas@ac8d628 added the build step and copied the source verbatim. Published tag path is unchanged (gitea.siegeln.net/cameleer/cameleer-runtime-loader:latest), so running tenant servers continue pulling the same image without disruption. This commit: - Deletes cameleer-runtime-loader/ (Dockerfile, entrypoint.sh, README). - Removes the conditional "Build and push runtime-loader" step and its upstream "Detect runtime-loader changes" detection from .gitea/workflows/ci.yml. Drops the fetch-depth: 0 + outputs.loader_changed plumbing that only existed for the change-detection path. - Drops cameleer-runtime-loader from the in-job and cleanup-branch image cleanup loops — saas owns the registry lifecycle now. - Rewrites LoaderHardeningIT to pull the published :latest from the registry (via Testcontainers GenericContainer) instead of building from a local Dockerfile. The IT now functions as a cross-repo contract test: cameleer-server's hardening expectations vs. the saas-published artifact. Local devs need `docker login gitea.siegeln.net`; CI runners are pre-authenticated. - Updates .claude/rules/docker-orchestration.md to point at the new source-of-truth location and reframe LoaderHardeningIT as the cross-repo contract test. The image's runtime contract (ARTIFACT_URL, ARTIFACT_EXPECTED_SIZE, /app/jars/app.jar mount, exit code semantics) is unchanged. Future contract changes need coordinated commits across both repos. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 13:02:54 +02:00
parent 2871bdcc92
commit 3334f0a1d2
6 changed files with 13 additions and 114 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -30,29 +30,8 @@ jobs:
      credentials:
        username: cameleer
        password: ${{ secrets.REGISTRY_TOKEN }}
-    outputs:
-      loader_changed: ${{ steps.loader_changed.outputs.changed }}
    steps:
      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Detect runtime-loader changes
-        id: loader_changed
-        run: |
-          BEFORE="${{ github.event.before }}"
-          if [ -z "$BEFORE" ] \
-            || [ "$BEFORE" = "0000000000000000000000000000000000000000" ] \
-            || ! git cat-file -e "$BEFORE^{commit}" 2>/dev/null; then
-            echo "No prior commit available — assuming loader changed."
-            echo "changed=true" >> "$GITHUB_OUTPUT"
-          elif git diff --name-only "$BEFORE" "${{ github.sha }}" | grep -q '^cameleer-runtime-loader/'; then
-            echo "cameleer-runtime-loader/ changed since $BEFORE."
-            echo "changed=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "No changes under cameleer-runtime-loader/ — skipping image build."
-            echo "changed=false" >> "$GITHUB_OUTPUT"
-          fi

      - name: Configure Gitea Maven Registry
        run: |
@@ -177,19 +156,6 @@ jobs:
            --push ui/
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
-      - name: Build and push runtime-loader
-        if: needs.build.outputs.loader_changed == 'true'
-        run: |
-          TAGS="-t gitea.siegeln.net/cameleer/cameleer-runtime-loader:${{ github.sha }}"
-          for TAG in $IMAGE_TAGS; do
-            TAGS="$TAGS -t gitea.siegeln.net/cameleer/cameleer-runtime-loader:$TAG"
-          done
-          docker buildx build --platform linux/amd64 \
-            $TAGS \
-            --provenance=false \
-            --push cameleer-runtime-loader/
-        env:
-          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
      - name: Cleanup local Docker
        run: docker system prune -af --filter "until=24h"
        if: always()
@@ -203,7 +169,7 @@ jobs:
          if [ "$BRANCH_SLUG" != "main" ]; then
            KEEP_TAGS="$KEEP_TAGS branch-$BRANCH_SLUG"
          fi
-          for PKG in cameleer-server cameleer-server-ui cameleer-runtime-loader; do
+          for PKG in cameleer-server cameleer-server-ui; do
            curl -sf -H "$AUTH" "$API/packages/cameleer/container/$PKG" | \
              jq -r '.[] | "\(.id) \(.version)"' | \
              while read id version; do
@@ -433,7 +399,7 @@ jobs:
        run: |
          API="https://gitea.siegeln.net/api/v1"
          AUTH="Authorization: token ${REGISTRY_TOKEN}"
-          for PKG in cameleer-server cameleer-server-ui cameleer-runtime-loader; do
+          for PKG in cameleer-server cameleer-server-ui; do
            # Delete branch-specific tag
            curl -sf -X DELETE -H "$AUTH" "$API/packages/cameleer/container/$PKG/branch-${BRANCH_SLUG}" || true
          done