From 99a80783d35559041841626e6844edf394f26ab6 Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 15 May 2026 11:29:01 +0000 Subject: [PATCH 1/2] fix(container-stack): repair clean-build breakages + add podman smoke CI Resolves the maintenance pass tracked in stapeln#17. - vordr/.gitignore: stop ignoring Cargo.lock. The binary crate's lockfile must stay tracked (Containerfile builds with `cargo build --locked`); the ignore rule was the root cause of the "Cargo.lock not committed" clean-build failure. - cerro-torre/Containerfile: drop `COPY config/ config/`. config/ is Alire-generated and gitignored, so it is absent on a fresh clone and the COPY broke the build; `alr build` regenerates it. - Add .github/workflows/container-stack-smoke.yml: matrix `podman build` of every container-stack Containerfile so the whole class of early build-step regressions is gated on every push. cerro-torre's full Ada build depends on the un-vendored upstream `proven` library and is built non-blocking until that is available. https://claude.ai/code/session_014cznZXkqptPSoZDFhp7bhc --- .github/workflows/container-stack-smoke.yml | 55 +++++++++++++++++++++ container-stack/cerro-torre/Containerfile | 5 +- container-stack/vordr/.gitignore | 4 +- 3 files changed, 62 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/container-stack-smoke.yml diff --git a/.github/workflows/container-stack-smoke.yml b/.github/workflows/container-stack-smoke.yml new file mode 100644 index 0000000..7d18b9c --- /dev/null +++ b/.github/workflows/container-stack-smoke.yml 
@@ -0,0 +1,55 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Smoke-builds every container-stack/ Containerfile with `podman build`.
+#
+# Rationale (stapeln#17): the container-stack/ subdirectories are advertised
+# as the canonical Containerfiles for each component, yet four of five shipped
+# a Containerfile that failed on a clean build (stale Alire URL, uncommitted
+# Cargo.lock, npm/rescript-vs-Deno layout mismatch, un-parseable Deno install
+# script). Every one of those bugs lives in an early build step, so a real
+# `podman build` on each Containerfile is the durable guard that keeps the
+# whole class from regressing.
+name: container-stack smoke build
+on:
+ push:
+ paths:
+ - 'container-stack/**'
+ - '.github/workflows/container-stack-smoke.yml'
+ pull_request:
+ paths:
+ - 'container-stack/**'
+ - '.github/workflows/container-stack-smoke.yml'
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ name: podman build (${{ matrix.component }})
+ runs-on: ubuntu-latest
+ timeout-minutes: 45
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - component: vordr
+ - component: svalinn
+ - component: rokur
+ - component: selur
+ # cerro-torre's full `alr build` depends on the upstream `proven`
+ # Ada library, which is not vendored into this snapshot and is
+ # tracked separately from stapeln#17. The Containerfile is still
+ # built every run so the Alire-download step (stapeln#13) and the
+ # rest of the early steps stay exercised and visible in the log;
+ # the deeper Ada link is non-blocking until `proven` is available.
+ - component: cerro-torre
+ continue-on-error: true
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+ - name: podman version
+ run: podman version
+
+ - name: podman build ${{ matrix.component }}
+ continue-on-error: ${{ matrix.continue-on-error == true }}
+ working-directory: container-stack/${{ matrix.component }}
+ run: podman build -f Containerfile -t "stapeln-smoke/${{ matrix.component }}:ci" .
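Review bot: The `actions/checkout` step in the new workflow keeps its default of persisting the job token for later git commands, and the step after it builds Containerfiles that a pull request can change. The top-level `permissions: contents: read` already keeps that token read-only, so this is hardening rather than an open hole, but it costs two lines: add `with:` and `persist-credentials: false` under the checkout step. Separately, the step-level `continue-on-error` for cerro-torre hides any failure of that build, including the early Alire-download step the matrix comment wants kept visible, so that component is logged but not actually gated.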
diff --git a/container-stack/cerro-torre/Containerfile b/container-stack/cerro-torre/Containerfile index b8e750f..a78a54b 100644 --- a/container-stack/cerro-torre/Containerfile +++ b/container-stack/cerro-torre/Containerfile @@ -48,8 +48,11 @@ ENV PATH="/root/.cargo/bin:${PATH}" WORKDIR /build COPY alire.toml cerro_torre.gpr ./ COPY src/ src/ -COPY config/ config/ +# config/ is intentionally NOT copied: Alire generates +# config/cerro_torre_config.gpr (referenced by cerro_torre.gpr) during +# `alr build`. The directory is gitignored and absent on a clean checkout, +# so `COPY config/ config/` broke builds from a fresh clone (stapeln#17). RUN alr build # Build the Rust signing utility diff --git a/container-stack/vordr/.gitignore b/container-stack/vordr/.gitignore index f5fa316..21c10e9 100644 --- a/container-stack/vordr/.gitignore +++ b/container-stack/vordr/.gitignore @@ -12,7 +12,9 @@ build/ build/ # Rust -Cargo.lock +# Cargo.lock is intentionally tracked: vordr ships a binary crate and the +# Containerfile builds with `cargo build --locked`. Ignoring it caused the +# clean-build failure tracked in stapeln#17. debug/ *.rlib *.rmeta From 00c65d7bc0efc82b5ef4e980b14827921131da92 Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 15 May 2026 11:30:38 +0000 Subject: [PATCH 2/2] ci(container-stack): install podman on the runner GitHub's ubuntu-latest image no longer ships podman preinstalled, so the smoke jobs failed in ~14s at the `podman version` step. Install podman via apt before building. https://claude.ai/code/session_014cznZXkqptPSoZDFhp7bhc --- .github/workflows/container-stack-smoke.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/container-stack-smoke.yml b/.github/workflows/container-stack-smoke.yml index 7d18b9c..d61db72 100644 --- a/.github/workflows/container-stack-smoke.yml +++ b/.github/workflows/container-stack-smoke.yml 
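Review bot: Dropping the `Cargo.lock` rule from container-stack/vordr/.gitignore only stops git from ignoring the file; the diffstat for this patch lists three files and none of them is a Cargo.lock, so unless the lockfile was already force-added it is still absent from a fresh clone. The commit message says the Containerfile builds with `cargo build --locked`, which refuses to proceed without an up-to-date lockfile, so the vordr smoke job would presumably keep failing until `container-stack/vordr/Cargo.lock` is committed alongside this change. Committing it is also what gives the image build its pinned dependency versions, which is the purpose of `--locked`. It is worth confirming that no repository-level ignore file carries a second `Cargo.lock` rule that would still hide it.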
@@ -46,6 +46,14 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + # podman is no longer preinstalled on GitHub's ubuntu-latest runner + # image, so install it explicitly (the smoke build is podman-based + # per stapeln#17's recommendation). + - name: Install podman + run: | + sudo apt-get update + sudo apt-get install -y --no-install-recommends podman + - name: podman version run: podman version
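Review bot: `--no-install-recommends` in the new Install podman step skips the packages podman only recommends, and on Debian/Ubuntu those usually include the rootless helpers (`uidmap` for newuidmap/newgidmap and a user-mode network helper such as `slirp4netns`). The build step, which sits outside this hunk, runs `podman build` without sudo, so if the runner image does not already ship those helpers the build can fail on user-namespace setup or on the first RUN that needs the network. Either drop the flag or name the helpers, e.g. `sudo apt-get install -y --no-install-recommends podman uidmap slirp4netns`. Pinning `runs-on` to a fixed image label instead of `ubuntu-latest` would also keep this kind of runner-image drift from recurring unnoticed.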