devops/ci_success.png

This is a binary file and will not be displayed.

devops/ci_success.webp

This is a binary file and will not be displayed.

devops/cicd.pdf

This is a binary file and will not be displayed.

+396

devops/cicd.typ

··· 1 1 + // CI/CD Pipeline Description Template (Typst) 2 2 + // ------------------------------------------ 3 3 + // Fill in the bracketed placeholders and duplicate blocks as needed. 4 4 + 5 5 + #set page( 6 6 + margin: (top: 0.9in, bottom: 0.9in, left: 1.0in, right: 1.0in), 7 7 + ) 8 8 + #set text(font: "Libertinus Serif", size: 11pt) 9 9 + #set par(leading: 1.1em) 10 10 + #set heading(numbering: "1.") 11 11 + #set outline(indent: 1.1em) 12 12 + 13 13 + #let meta(label, value) = { 14 14 + table( 15 15 + columns: (22%, 78%), 16 16 + inset: (x: 6pt, y: 4pt), 17 17 + stroke: (paint: luma(220), thickness: 0.8pt), 18 18 + fill: luma(248), 19 19 + [*#label*], [#value], 20 20 + ) 21 21 + } 22 22 + 23 23 + #let tag(text) = { 24 24 + box( 25 25 + inset: (x: 6pt, y: 2pt), 26 26 + radius: 4pt, 27 27 + fill: luma(235), 28 28 + stroke: (paint: luma(210), thickness: 0.8pt), 29 29 + )[ `#text` ] 30 30 + } 31 31 + 32 32 + #let callout(title, body) = { 33 33 + block( 34 34 + inset: 10pt, 35 35 + radius: 6pt, 36 36 + fill: luma(248), 37 37 + stroke: (paint: luma(220), thickness: 0.8pt), 38 38 + )[ 39 39 + *#title* \ 40 40 + #body 41 41 + ] 42 42 + } 43 43 + 44 44 + #let gate(name, condition, on_fail) = { 45 45 + block[ 46 46 + \ 47 47 + == #name \ 48 48 + - *Pass condition:* #condition \ 49 49 + - *On failure:* #on_fail 50 50 + ] 51 51 + } 52 52 + 53 53 + #let stage( 54 54 + name, 55 55 + purpose: "", 56 56 + triggers: [], 57 57 + inputs: [], 58 58 + steps: [], 59 59 + outputs: [], 60 60 + runtime: "", 61 61 + runner: "", 62 62 + gates: [], 63 63 + ) = { 64 64 + heading(level: 2, name) 65 65 + 66 66 + if purpose != "" { 67 67 + [*Purpose:* #purpose] 68 68 + linebreak() 69 69 + } 70 70 + if runtime != "" { 71 71 + [*Expected runtime:* #runtime] 72 72 + linebreak() 73 73 + } 74 74 + if runner != "" { 75 75 + [*Runner/agent:* #runner] 76 76 + linebreak() 77 77 + } 78 78 + 79 79 + if triggers.len() > 0 { 80 80 + [*Triggers:*] 81 81 + for t in triggers { 82 82 + [- #t] 83 83 + } 84 84 + } 85 85 + 86 86 + if inputs.len() > 0 { 87 87 + [*Inputs:*] 88 88 + for i in inputs { 89 89 + [- #i] 90 90 + } 91 91 + } 92 92 + 93 93 + if steps.len() > 0 { 94 94 + [*Steps:*] 95 95 + for s in steps { 96 96 + [- #s] 97 97 + } 98 98 + } 99 99 + 100 100 + if outputs.len() > 0 { 101 101 + [*Outputs:*] 102 102 + for o in outputs { 103 103 + [- #o] 104 104 + } 105 105 + } 106 106 + 107 107 + if gates.len() > 0 { 108 108 + [*Quality gates:*] 109 109 + for g in gates { 110 110 + [- #g] 111 111 + } 112 112 + } 113 113 + linebreak() 114 114 + } 115 115 + 116 116 + #let env_table(rows) = { 117 117 + table( 118 118 + columns: (18%, 16%, 26%, 40%), 119 119 + inset: (x: 6pt, y: 4pt), 120 120 + stroke: (paint: luma(220), thickness: 0.8pt), 121 121 + align: (left, left, left, left), 122 122 + [*Environment*], [*Type*], [*Promotion rule*], [*Notes*], 123 123 + ..rows.flatten(), 124 124 + ) 125 125 + } 126 126 + 127 127 + #let simple_pipeline_diagram(items) = { 128 128 + let n = items.len() 129 129 + if n == 0 { return } 130 130 + let elements = () 131 131 + 132 132 + for (i, item) in items.enumerate() { 133 133 + elements.push(box( 134 134 + inset: 8pt, 135 135 + radius: 6pt, 136 136 + fill: luma(245), 137 137 + stroke: (paint: luma(210), thickness: 0.8pt), 138 138 + )[ *#item* ]) 139 139 + 140 140 + if i < n - 1 { 141 141 + elements.push(align(center + horizon)[→]) 142 142 + } 143 143 + } 144 144 + 145 145 + let box_width = 1fr 146 146 + let arrow_width = auto 147 147 + let columns = () 148 148 + 149 149 + for i in range(elements.len()) { 150 150 + if calc.even(i) { 151 151 + columns.push(box_width) 152 152 + } else { 153 153 + columns.push(arrow_width) 154 154 + } 155 155 + } 156 156 + 157 157 + grid( 158 158 + columns: columns, 159 159 + column-gutter: 8pt, 160 160 + align: center + horizon, 161 161 + ..elements 162 162 + ) 163 163 + } 164 164 + 165 165 + 166 166 + = CI/CD Pipeline: [PacketMix] 167 167 + 168 168 + #meta("Owner", "FreshlyBakedCake") 169 169 + #meta("Repository", "Patisserie (default branch: main)") 170 170 + #meta("CI/CD System", "Tangled Actions") 171 171 + 172 172 + #callout( 173 173 + "Scope", 174 174 + [ 175 175 + This document describes the CI/CD pipeline for *Patisserie/PacketMix*, including triggers, 176 176 + stages, environments, artifacts, quality gates, and operational procedures. 177 177 + ], 178 178 + ) 179 179 + 180 180 + #outline() 181 181 + 182 182 + = Overview 183 183 + 184 184 + == Goals 185 185 + - Deliver *PacketMix* safely and repeatably. 186 186 + - Enforce quality gates (tests, approvals). 187 187 + - Provide auditable deployments and fast rollback. 188 188 + 189 189 + == Non-goals 190 190 + - [e.g., Build system internals not covered] 191 191 + 192 192 + == High-level flow 193 193 + #simple_pipeline_diagram(( 194 194 + "Commit/PR", 195 195 + "Test", 196 196 + "Build", 197 197 + "Deploy", 198 198 + )) 199 199 + 200 200 + = Triggers & Branching 201 201 + 202 202 + == Trigger events 203 203 + - `push` to `[main]` 204 204 + - `pull_request` targeting `[main]` 205 205 + 206 206 + == Branching strategy 207 207 + - Primary branch: `[main]` 208 208 + - Release branch: `[release]` 209 209 + 210 210 + = Environments & Promotion 211 211 + 212 212 + #env_table(( 213 213 + ([Development], [ephemeral], [On PR], [Runs in Nixery engine]), 214 214 + ([Staging], [ephemeral], [On merge to main], [Runs in Nixery engine]), 215 215 + ([Release], [shared], [Main passes checks], [Sets code for release to machines]), 216 216 + )) 217 217 + 218 218 + == Promotion rules 219 219 + - Development → Staging: automatic on successful PR to main pipeline. 220 220 + - Staging → Production: automatic on main checks passing. 221 221 + 222 222 + = Secrets and Variables 223 223 + 224 224 + == Secrets 225 225 + - Storage: Bitwarden vault 226 226 + - Access model: Provisioned on machine run. 227 227 + 228 228 + == Key variables (examples) 229 229 + - `KEY_SSH_RELEASE`: SSH Key used for pushing to git 230 230 + - `KEY_SSH_REMOTE_BUILD`: SSH Key used for accessing the remote builder 231 231 + 232 232 + = Pipeline Stages 233 233 + 234 234 + #stage( 235 235 + "deadnix", 236 236 + purpose: "Check for dead nix expressions.", 237 237 + triggers: ("PR", "push to main"), 238 238 + inputs: ( 239 239 + "Source code", 240 240 + ), 241 241 + steps: ( 242 242 + "Check for unused nix bindings", 243 243 + ), 244 244 + outputs: (), 245 245 + runtime: "~5 seconds", 246 246 + runner: "linux-x64 via nixery container", 247 247 + gates: ( 248 248 + "No dead nix expressions.", 249 249 + ), 250 250 + ) 251 251 + 252 252 + #stage( 253 253 + "reuse", 254 254 + purpose: "Ensure all files are properly licensed", 255 255 + triggers: ("PR", "push to main"), 256 256 + inputs: ( 257 257 + "Source code", 258 258 + ), 259 259 + steps: ( 260 260 + "Check for REUSE compliance", 261 261 + ), 262 262 + outputs: (), 263 263 + runtime: "~5 seconds", 264 264 + runner: "linux-x64 via nixery container", 265 265 + gates: ( 266 266 + "All files are properly licensed.", 267 267 + ), 268 268 + ) 269 269 + 270 270 + #stage( 271 271 + "packetmix-npins-duplicate-check", 272 272 + purpose: "Catch duplicate npins keys.", 273 273 + triggers: ("PR", "push to main"), 274 274 + inputs: ( 275 275 + "Source code", 276 276 + ), 277 277 + steps: ( 278 278 + "Check for duplicate npins keys", 279 279 + ), 280 280 + outputs: (), 281 281 + runtime: "~5 seconds", 282 282 + runner: "linux-x64 via nixery container", 283 283 + gates: ( 284 284 + "No duplicate keys.", 285 285 + ), 286 286 + ) 287 287 + 288 288 + #stage( 289 289 + "packetmix-treefmt", 290 290 + purpose: "Check formatting of changed files.", 291 291 + triggers: ("PR", "push to main"), 292 292 + inputs: ("Source code", "KEY_SSH_REMOTE_BUILD secret"), 293 293 + steps: ( 294 294 + "Get remote builds ssh key.", 295 295 + "Add base system files.", 296 296 + "Ensure files are formatted.", 297 297 + ), 298 298 + outputs: (), 299 299 + runtime: "~30 seconds", 300 300 + runner: "linux-x64 via nixery container", 301 301 + gates: ("All files are formatted.",), 302 302 + ) 303 303 + 304 304 + #stage( 305 305 + "packetmix-build", 306 306 + purpose: "Build the project.", 307 307 + triggers: ("PR", "push to main"), 308 308 + inputs: ("Source code", "KEY_SSH_REMOTE_BUILD secret"), 309 309 + steps: ( 310 310 + "Get remote builds SSH key.", 311 311 + "Add base system files.", 312 312 + "Evaluate all systems", 313 313 + "Build all systems" 314 314 + ), 315 315 + outputs: ("Build artifacts",), 316 316 + runtime: "~1 hour", 317 317 + runner: "linux-x64 via nixery container", 318 318 + gates: ( 319 319 + "All systems evaluate successfully.", 320 320 + "All builds succeed.", 321 321 + ), 322 322 + ) 323 323 + 324 324 + #stage( 325 325 + "packetmix-release", 326 326 + purpose: "Release to systems.", 327 327 + triggers: ("push to main",), 328 328 + inputs: ("Source code", "KEY_SSH_REMOTE_BUILD secret", "KEY_SSH_REMOTE_RELEASE secret"), 329 329 + steps: ( 330 330 + "Get remote builds SSH key.", 331 331 + "Get release push SSH key.", 332 332 + "Add base system files.", 333 333 + "Evaluate all systems.", 334 334 + "Build all systems.", 335 335 + "Push to release", 336 336 + ), 337 337 + outputs: ("Build artifacts",), 338 338 + runtime: "~1 hour", 339 339 + runner: "linux-x64 via nixery container", 340 340 + gates: ( 341 341 + "All systems evaluate successfully.", 342 342 + "All builds succeed.", 343 343 + "Push to release succeeds.", 344 344 + ), 345 345 + ) 346 346 + 347 347 + #stage( 348 348 + "github", 349 349 + purpose: "Mirror to github.", 350 350 + triggers: ("push to release",), 351 351 + inputs: ("Source code", "KEY_SSH_GITHUB secret", "KEY_SSH_GITHUB_PACKETMIX secret", "KEY_SSH_GITHUB_SPRINKLES secret"), 352 352 + steps: ( 353 353 + "Write github SSH Key.", 354 354 + "Add base system files.", 355 355 + "Push * to GitHub.", 356 356 + "Write packetmix github SSH Key.", 357 357 + "Push packetmix to GitHub.", 358 358 + "Write sprinkles github SSH Key.", 359 359 + "Push sprinkles to GitHub." 360 360 + ), 361 361 + outputs: (), 362 362 + runtime: "~1 minute", 363 363 + runner: "linux-x64 via nixery container", 364 364 + gates: ("All pushes to github succeed",) 365 365 + ) 366 366 + 367 367 + = Quality Gates (Centralized) 368 368 + 369 369 + #gate( 370 370 + "Required checks on PR", 371 371 + [All checks succeed (see @ci_pass), Human review approved (if required).], 372 372 + "Block merge; require fix or approved exception.", 373 373 + ) 374 374 + 375 375 + = Rollback & Recovery 376 376 + 377 377 + == Rollback strategy 378 378 + - Primary: Force push release branch to last known good image. 379 379 + 380 380 + == When to rollback 381 381 + - Any system fails to start or crash loops. 382 382 + 383 383 + = Appendix 384 384 + 385 385 + == Reference links 386 386 + - #link("https://tangled.org/freshlybakedca.ke/patisserie/")[FreshlyBakedCake/Patisserie Repo] 387 387 + 388 388 + == Images 389 389 + #figure( 390 390 + image("ci_success.png"), 391 391 + caption: "CI Pipeline Success." 392 392 + ) <ci_pass> 393 393 + #figure( 394 394 + image("deploy_success.png", width: 125%), 395 395 + caption: "Deploy to machine successful." 396 396 + ) <deploys>

devops/deploy_success.png

This is a binary file and will not be displayed.

devops/deploy_success.webp

This is a binary file and will not be displayed.

+14

nilla.nix

··· 181 181 ]; 182 182 }; 183 183 }; 184 184 + shells.cicd = { 185 185 + systems = ["x86_64-linux"]; 186 186 + shell = 187 187 + { 188 188 + mkShell, 189 189 + pkgs 190 190 + }: 191 191 + mkShell { 192 192 + packages = [ 193 193 + pkgs.typst 194 194 + pkgs.tinymist 195 195 + ]; 196 196 + }; 197 197 + }; 184 198 }; 185 199 } 186 200 )