From 98fe46b07e85b9f7c4e0b476d55d79b93a354bee Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 11 May 2026 05:06:04 +0200
Subject: [PATCH] fix(containers): switch VeriSimDB to pre-built GHCR image
 (#27)

Both compose files were broken on fresh clone because VeriSimDB was
referenced as a local build context (../../nextgen-databases/verisimdb)
that is never present in a burble checkout. Replace the build stanza
with a pull from ghcr.io/hyperpolymath/verisimdb:latest in both
compose.toml and selur-compose.toml.

Add publish-verisimdb.yml to build and push the image from
hyperpolymath/nextgen-databases on a weekly schedule and on manual
dispatch, so the registry image stays fresh without requiring end-users
to have the VeriSimDB source.

Closes #27

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/publish-verisimdb.yml | 72 +++++++++++++++++++++++++
 containers/compose.toml                 |  2 +-
 containers/selur-compose.toml           |  2 +-
 3 files changed, 74 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/publish-verisimdb.yml

diff --git a/.github/workflows/publish-verisimdb.yml b/.github/workflows/publish-verisimdb.yml
new file mode 100644
index 0000000..d598ee7
--- /dev/null
+++ b/.github/workflows/publish-verisimdb.yml
@@ -0,0 +1,72 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
+#
+# Publish VeriSimDB container image to GHCR.
+#
+# Triggered manually or on a weekly schedule.
+# Builds from hyperpolymath/nextgen-databases (verisimdb/ subdirectory).
+# Pushes to ghcr.io/hyperpolymath/verisimdb.
+#
+# If nextgen-databases is private, set NEXTGEN_DATABASES_TOKEN secret to a
+# PAT with repo read access.
+name: Publish VeriSimDB Image
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Image tag to publish (default: latest)'
+        required: false
+        default: latest
+  schedule:
+    - cron: '0 4 * * 1'  # weekly, Monday 04:00 UTC
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  publish:
+    name: Build and Push VeriSimDB
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout nextgen-databases
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          repository: hyperpolymath/nextgen-databases
+          path: nextgen-databases
+          token: ${{ secrets.NEXTGEN_DATABASES_TOKEN || secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
+
+      - name: Log in to GHCR
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract image metadata
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          images: ghcr.io/hyperpolymath/verisimdb
+          tags: |
+            type=raw,value=${{ inputs.tag || 'latest' }}
+            type=sha,prefix=sha-
+
+      - name: Build and push
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        with:
+          context: nextgen-databases/verisimdb
+          file: nextgen-databases/verisimdb/Containerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/containers/compose.toml b/containers/compose.toml
index b9a126e..990a2ad 100644
--- a/containers/compose.toml
+++ b/containers/compose.toml
@@ -18,7 +18,7 @@
 name = "burble"
 
 [services.verisimdb]
-build = { context = "../../nextgen-databases/verisimdb", dockerfile = "Containerfile" }
+image = "ghcr.io/hyperpolymath/verisimdb:latest"
 restart = "unless-stopped"
 networks = ["burble-net"]
 healthcheck = { test = "wget -q --spider http://localhost:8080/health || exit 1", interval = "30s", timeout = "5s", retries = 3 }
diff --git a/containers/selur-compose.toml b/containers/selur-compose.toml
index 52c81a9..fd1672a 100644
--- a/containers/selur-compose.toml
+++ b/containers/selur-compose.toml
@@ -29,7 +29,7 @@ name = "burble"
 # VeriSimDB — Persistent store (internal network only, not exposed)
 # =============================================================================
 [services.verisimdb]
-build = { context = "../../nextgen-databases/verisimdb", dockerfile = "Containerfile" }
+image = "ghcr.io/hyperpolymath/verisimdb:latest"
 restart = "unless-stopped"
 networks = ["burble-internal"]
 healthcheck = { test = "wget -q --spider http://localhost:8080/health || exit 1", interval = "30s", timeout = "5s", retries = 3 }