diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 97fe3d0..b158eb8 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -52,3 +52,39 @@ jobs:
 echo "==> $f"
 nomad job validate "$f"
 done
+
+image-pull:
+name: Docker image pull validation
+runs-on: ubuntu-latest
+# Only run on PRs that touch nomad job specs
+if: github.event_name == 'pull_request'
+
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: 0
+
+- name: Pull changed images
+run: |
+git fetch origin ${{ github.base_ref }}
+IMAGES=$(git diff origin/${{ github.base_ref }}...HEAD -- '*.nomad.hcl' \
+| grep '^+\s*image\s*=' \
+| grep -oP '"[^"]+:[^"]+"' \
+| tr -d '"' \
+| sort -u)
+
+if [ -z "$IMAGES" ]; then
+echo "No image changes detected, skipping pull."
+exit 0
+fi
+
+FAILED=0
+while IFS= read -r image; do
+echo "==> Pulling $image"
+if ! docker pull "$image"; then
+echo "ERROR: Failed to pull $image"
+FAILED=1
+fi
+done <<< "$IMAGES"
+
+exit $FAILED
diff --git a/cicd-plan.md b/cicd-plan.md
index 059d15f..98416b2 100644
--- a/cicd-plan.md
+++ b/cicd-plan.md
@@ -296,7 +296,7 @@ exit 1
 - [x] **Phase 1a**: Create `act-runner.nomad.hcl` + Terraform wrapper, register runner token in Gitea, get a hello-world workflow green
 - [x] **Phase 1b**: Add `terraform fmt` + `terraform validate -backend=false` workflow — no secrets needed
 - [x] **Phase 1c**: Add Nomad validate step — add `NOMAD_ADDR` + read-only `NOMAD_TOKEN` to Gitea secrets
-- [ ] **Phase 2**: Add image pull validation step to the workflow
+- [x] **Phase 2**: Add image pull validation step to the workflow
 - [ ] **Phase 3a**: Add `update` stanzas to ntfy and glance (simplest, no volume conflict)
 - [ ] **Phase 3b**: Add rolling `update` stanzas to remaining service jobs (jellyfin, sonarr, etc.)
 - [ ] **Phase 3c**: Add health checks to openreader and unifi before adding update stanzas
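Review bot: `${{ github.base_ref }}` is expanded into the text of the `run:` script on the `git fetch` and `git diff` lines, so the branch name becomes shell source rather than data; the usual hardening is to pass it through `env:` and reference it as a quoted shell variable, as in the excerpt below. The value is the PR's base branch, so it is only as trusted as whoever can create branches in this repository, but the `env:` form costs nothing and keeps `${{ }}` interpolation out of the script body. Separately, `docker pull` downloads every layer of every changed image onto the runner and nothing in the step removes them afterwards; if the intent is only to confirm the reference resolves, `docker manifest inspect "$image" >/dev/null` does that without storing layers, otherwise add a `docker image rm "$image"` after a successful pull. The comment `# Only run on PRs that touch nomad job specs` promises more than the `if:` beneath it, which checks only the event name; the path filter presumably lives in the workflow's `on:` block outside this hunk, so either confirm it is there or reword the comment to `# Only run on pull requests`. The `jobs:` mapping this new job joins starts outside the hunk.
```yaml
      - name: Pull changed images
        env:
          BASE_REF: ${{ github.base_ref }}
        run: |
          git fetch origin "$BASE_REF"
          IMAGES=$(git diff "origin/$BASE_REF...HEAD" -- '*.nomad.hcl' \
          # … unchanged: grep/tr/sort pipeline, empty check and pull loop …
```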