ci: add Docker image pull validation job (Phase 2)

.gitea/workflows/ci.yml

@@ -52,3 +52,39 @@ jobs:
             echo "==> $f"
             nomad job validate "$f"
           done
+
+  image-pull:
+    name: Docker image pull validation
+    runs-on: ubuntu-latest
+    # Only run on PRs that touch nomad job specs
+    if: github.event_name == 'pull_request'
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Pull changed images
+        run: |
+          git fetch origin ${{ github.base_ref }}
+          IMAGES=$(git diff origin/${{ github.base_ref }}...HEAD -- '*.nomad.hcl' \
+            | grep '^+\s*image\s*=' \
+            | grep -oP '"[^"]+:[^"]+"' \
+            | tr -d '"' \
+            | sort -u)
+
+          if [ -z "$IMAGES" ]; then
+            echo "No image changes detected, skipping pull."
+            exit 0
+          fi
+
+          FAILED=0
+          while IFS= read -r image; do
+            echo "==> Pulling $image"
+            if ! docker pull "$image"; then
+              echo "ERROR: Failed to pull $image"
+              FAILED=1
+            fi
+          done <<< "$IMAGES"
+
+          exit $FAILED

cicd-plan.md

@@ -296,7 +296,7 @@ exit 1
 - [x] **Phase 1a**: Create `act-runner.nomad.hcl` + Terraform wrapper, register runner token in Gitea, get a hello-world workflow green
 - [x] **Phase 1b**: Add `terraform fmt` + `terraform validate -backend=false` workflow — no secrets needed
 - [x] **Phase 1c**: Add Nomad validate step — add `NOMAD_ADDR` + read-only `NOMAD_TOKEN` to Gitea secrets
-- [ ] **Phase 2**: Add image pull validation step to the workflow
+- [x] **Phase 2**: Add image pull validation step to the workflow
 - [ ] **Phase 3a**: Add `update` stanzas to ntfy and glance (simplest, no volume conflict)
 - [ ] **Phase 3b**: Add rolling `update` stanzas to remaining service jobs (jellyfin, sonarr, etc.)
 - [ ] **Phase 3c**: Add health checks to openreader and unifi before adding update stanzas