ci(loader): build & push cameleer-runtime-loader image only when its sources change

The init-container image referenced by DockerRuntimeOrchestrator
(`gitea.siegeln.net/cameleer/cameleer-runtime-loader:latest`) had no CI
producer; it had to be built and pushed by hand. Replicates the
cameleer-saas pattern (single docker job with multiple buildx push
steps), but gates the loader build on a path-diff so unrelated commits
don't rebuild and re-tag a sidecar that didn't change.

- build job: fetch-depth=0 + Detect runtime-loader changes step that
  diffs `${{ github.event.before }}..${{ github.sha }}` for paths under
  cameleer-runtime-loader/. Falls back to `changed=true` when no prior
  commit is reachable (first push to a branch).
- docker job: new `Build and push runtime-loader` step gated on
  `needs.build.outputs.loader_changed == 'true'`. Tags with sha and
  latest/branch-<slug>, --provenance=false for Gitea, no buildcache
  (image is alpine + script).
- Cleanup loops in docker and cleanup-branch jobs include the new
  package.
- Rules and loader README updated.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.claude/rules/cicd.md

@@ -16,6 +16,7 @@ paths:
 - Docker: multi-stage build (`Dockerfile`), `$BUILDPLATFORM` for native Maven on ARM64 runner, amd64 runtime. `docker-entrypoint.sh` imports `/certs/ca.pem` into JVM truststore before starting the app (supports custom CAs for OIDC discovery without `CAMELEER_SERVER_SECURITY_OIDCTLSSKIPVERIFY`).
 - `REGISTRY_TOKEN` build arg required for `cameleer-common` dependency resolution
 - Registry: `gitea.siegeln.net/cameleer/cameleer-server` (container images)
+- `cameleer-runtime-loader` image (init container that fetches the deployable JAR before the runtime container starts) is built and pushed by the same `docker` job, but only when files under `cameleer-runtime-loader/` actually changed in the push. Detection runs in the `build` job (`Detect runtime-loader changes` step, diffs `${{ github.event.before }}..${{ github.sha }}`) and is exposed as the `loader_changed` job output. The loader build step uses `if: needs.build.outputs.loader_changed == 'true'`. Build job's checkout uses `fetch-depth: 0` so the diff has access to the prior commit.
 - K8s manifests in `deploy/` — Kustomize base + overlays (main/feature), shared infra (PostgreSQL, ClickHouse, Logto) as top-level manifests
 - Deployment target: k3s at 192.168.50.86, namespace `cameleer` (main), `cam-<slug>` (feature branches)
 - Feature branches: isolated namespace, PG schema; Traefik Ingress at `<slug>-api.cameleer.siegeln.net`

.gitea/workflows/ci.yml

@@ -30,8 +30,29 @@ jobs:
       credentials:
         username: cameleer
         password: ${{ secrets.REGISTRY_TOKEN }}
+    outputs:
+      loader_changed: ${{ steps.loader_changed.outputs.changed }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Detect runtime-loader changes
+        id: loader_changed
+        run: |
+          BEFORE="${{ github.event.before }}"
+          if [ -z "$BEFORE" ] \
+            || [ "$BEFORE" = "0000000000000000000000000000000000000000" ] \
+            || ! git cat-file -e "$BEFORE^{commit}" 2>/dev/null; then
+            echo "No prior commit available — assuming loader changed."
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          elif git diff --name-only "$BEFORE" "${{ github.sha }}" | grep -q '^cameleer-runtime-loader/'; then
+            echo "cameleer-runtime-loader/ changed since $BEFORE."
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "No changes under cameleer-runtime-loader/ — skipping image build."
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Configure Gitea Maven Registry
         run: |
@@ -156,6 +177,19 @@ jobs:
             --push ui/
         env:
           REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+      - name: Build and push runtime-loader
+        if: needs.build.outputs.loader_changed == 'true'
+        run: |
+          TAGS="-t gitea.siegeln.net/cameleer/cameleer-runtime-loader:${{ github.sha }}"
+          for TAG in $IMAGE_TAGS; do
+            TAGS="$TAGS -t gitea.siegeln.net/cameleer/cameleer-runtime-loader:$TAG"
+          done
+          docker buildx build --platform linux/amd64 \
+            $TAGS \
+            --provenance=false \
+            --push cameleer-runtime-loader/
+        env:
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
       - name: Cleanup local Docker
         run: docker system prune -af --filter "until=24h"
         if: always()
@@ -169,7 +203,7 @@ jobs:
           if [ "$BRANCH_SLUG" != "main" ]; then
             KEEP_TAGS="$KEEP_TAGS branch-$BRANCH_SLUG"
           fi
-          for PKG in cameleer-server cameleer-server-ui; do
+          for PKG in cameleer-server cameleer-server-ui cameleer-runtime-loader; do
             curl -sf -H "$AUTH" "$API/packages/cameleer/container/$PKG" | \
               jq -r '.[] | "\(.id) \(.version)"' | \
               while read id version; do
@@ -399,7 +433,7 @@ jobs:
         run: |
           API="https://gitea.siegeln.net/api/v1"
           AUTH="Authorization: token ${REGISTRY_TOKEN}"
-          for PKG in cameleer-server cameleer-server-ui; do
+          for PKG in cameleer-server cameleer-server-ui cameleer-runtime-loader; do
             # Delete branch-specific tag
             curl -sf -X DELETE -H "$AUTH" "$API/packages/cameleer/container/$PKG/branch-${BRANCH_SLUG}" || true
           done

cameleer-runtime-loader/README.md

@@ -6,6 +6,10 @@ main runtime container starts. Pairs with `DockerRuntimeOrchestrator` /
 
 ## Build
 
+CI (`.gitea/workflows/ci.yml`, `docker` job) builds and pushes this image
+automatically on pushes that change anything under `cameleer-runtime-loader/`.
+Manual build for local testing:
+
     docker build -t gitea.siegeln.net/cameleer/cameleer-runtime-loader:<tag> .
     docker push gitea.siegeln.net/cameleer/cameleer-runtime-loader:<tag>