242ef1f0af
- Maven: enable useIncrementalCompilation; Surefire forkCount=1C + reuseForks=true so unit-test JVMs are reused per CPU core instead of spawning per class (205 tests pass under the new strategy). - Testcontainers: opt-in reuse via .withReuse(true) on Postgres + ClickHouse base; per-developer enable via ~/.testcontainers.properties. - UI: drop redundant `tsc --noEmit` from `npm run build` (Vite already type-checks); split into a dedicated `npm run typecheck` script. - CI: cache ~/.npm and ui/node_modules/.vite alongside Maven; npm ci with --prefer-offline --no-audit --fund=false; paths-ignore for docs-only, .planning/ and .claude/ changes so doc-only pushes skip the pipeline. - Docs: CLAUDE.md + .claude/rules/cicd.md updated with the new build knobs and the Testcontainers reuse opt-in. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2.8 KiB
2.8 KiB
paths
| paths | ||||
|---|---|---|---|---|
|
CI/CD & Deployment
- CI workflow:
.gitea/workflows/ci.yml— build -> docker -> deploy on push to main or feature branches.paths-ignoreskips the whole pipeline for docs-only /.planning//.claude//*.mdchanges (push and PR triggers). - Build step skips integration tests (
-DskipITs) — Testcontainers needs Docker daemon - Build caches (parallel
actions/cache@v4steps in thebuildjob):~/.m2/repository(key on allpom.xml),~/.npm(key onui/package-lock.json),ui/node_modules/.vite(key onui/package-lock.json+ui/vite.config.ts). UI install usesnpm ci --prefer-offline --no-audit --fund=falseso the npm cache is the primary source. - Maven build performance (set in
pom.xmlandcameleer-server-app/pom.xml):useIncrementalCompilation=trueon the compiler plugin; Surefire usesforkCount=1C+reuseForks=true(one JVM per CPU core, reused across test classes); Failsafe keepsforkCount=1+reuseForks=true. Unit tests must not rely on per-class JVM isolation. - UI build script (
ui/package.json):buildisvite buildonly — the type-check pass was split out intonpm run typecheck(run separately when you want a fulltsc --noEmitsweep). - Docker: multi-stage build (
Dockerfile),$BUILDPLATFORMfor native Maven on ARM64 runner, amd64 runtime.docker-entrypoint.shimports/certs/ca.peminto JVM truststore before starting the app (supports custom CAs for OIDC discovery withoutCAMELEER_SERVER_SECURITY_OIDCTLSSKIPVERIFY). REGISTRY_TOKENbuild arg required forcameleer-commondependency resolution- Registry:
gitea.siegeln.net/cameleer/cameleer-server(container images) - K8s manifests in
deploy/— Kustomize base + overlays (main/feature), shared infra (PostgreSQL, ClickHouse, Logto) as top-level manifests - Deployment target: k3s at 192.168.50.86, namespace
cameleer(main),cam-<slug>(feature branches) - Feature branches: isolated namespace, PG schema; Traefik Ingress at
<slug>-api.cameleer.siegeln.net - Secrets managed in CI deploy step (idempotent
--dry-run=client | kubectl apply):cameleer-auth,cameleer-postgres-credentials,cameleer-clickhouse-credentials - K8s probes: server uses
/api/v1/health, PostgreSQL usespg_isready -U "$POSTGRES_USER"(env var, not hardcoded) - K8s security: server and database pods run with
securityContext.runAsNonRoot. UI (nginx) runs without securityContext (needs root for entrypoint setup). - Docker: server Dockerfile has no default credentials — all DB config comes from env vars at runtime
- Docker build uses buildx registry cache +
--provenance=falsefor Gitea compatibility - CI: branch slug sanitization extracted to
.gitea/sanitize-branch.sh, sourced by docker and deploy-feature jobs