feat: add Dockerfile and Woodpecker CI pipeline #7

Merged
forgejo_admin merged 2 commits from 6-add-dockerfile-and-woodpecker-ci-pipeline into main 2026-03-22 08:36:36 +00:00

Summary

Adds container build and CI pipeline for minio-api. Multi-stage Dockerfile keeps the runtime image slim (no git, no build tools). Woodpecker pipeline lints, tests, and builds/pushes to Harbor on merge to main.

Changes

  • Dockerfile -- Multi-stage build on python:3.12-slim. Builder stage installs git (needed for git+https:// minio-sdk dependency) and runs pip install --extra-index-url pointing at Forgejo PyPI. Runtime stage copies only site-packages and source, runs uvicorn on port 8000.
  • .woodpecker.yaml -- Clone override (cluster-internal Forgejo URL), test step (ruff check + ruff format --check + pytest unit tests), build-and-push step (kaniko to harbor.tail5b443a.ts.net/minio-api/api:{sha}). Build only runs on push to main.
  • .dockerignore -- Excludes .venv, tests, docs, cache dirs from build context.

Test Plan

  • Woodpecker CI pipeline passes (lint + unit tests) on this PR
  • docker build . succeeds locally
  • docker run with env vars starts uvicorn, /health returns 200
  • On merge to main, image pushed to harbor.tail5b443a.ts.net/minio-api/api
  • Existing 63 unit tests still pass (auth, permissions, auth_middleware)

Review Checklist

  • No unrelated changes
  • Ruff lint and format pass
  • Unit tests pass locally (63/63)
  • Follows existing CI patterns (basketball-api, mcd-tracker-api)
  • Health check endpoint already exists at /health
  • Harbor project minio-api may need to be created before first push to main

Related

  • Plan: plan-minio-mobile (traceability)
  • Forgejo issue: #6

Closes #6

Multi-stage Dockerfile (python:3.12-slim) with minio-sdk installed from
Forgejo PyPI via --extra-index-url. Woodpecker pipeline runs ruff lint,
ruff format check, and unit tests (auth/permissions) on push and PR,
then builds and pushes to Harbor on merge to main.

Closes #6

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Acceptance criteria requires both tags. The kaniko plugin supports
comma-separated tags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Author
Owner

PR #7 Review

DOMAIN REVIEW

Tech stack: Python 3.12 / FastAPI / Dockerfile (multi-stage) / Woodpecker CI / Kaniko / Harbor

Dockerfile (Dockerfile, 26 lines)

  • Multi-stage build: base -> builder -> runtime. Correct pattern matching basketball-api.
  • Builder stage installs git (needed because pyproject.toml declares minio-sdk @ git+https://...), then uses --extra-index-url pointing at Forgejo PyPI. Both paths are covered -- if the package is on the PyPI index it resolves there, otherwise falls back to the git reference. This is sound.
  • Runtime stage copies only site-packages, /usr/local/bin, and src/. No build tools, no git, no .venv in the final image. Clean.
  • BUILD_SHA ARG piped to ENV -- matches basketball-api pattern.
  • PYTHONPATH=/app/src, EXPOSE 8000, uvicorn binding to 0.0.0.0:8000 -- all correct.
  • No hardcoded credentials. No secrets.

Woodpecker CI (.woodpecker.yaml, 43 lines)

  • Clone override uses http://forgejo-http.forgejo.svc.cluster.local:80/${CI_REPO}.git -- matches basketball-api pattern and the platform fix in commit 763af17.
  • Test step: installs git, creates venv, installs .[dev] with --extra-index-url, runs ruff check, ruff format --check, then pytest on the 3 unit test files (63 tests). Integration tests (test_buckets, test_objects, test_presign, test_multipart) are correctly excluded since CI has no MinIO service container.
  • Build step: kaniko pushes to harbor.tail5b443a.ts.net/minio-api/api with tags ${CI_COMMIT_SHA},latest. Credentials from harbor_username/harbor_password secrets. Build only on push to main. Correct.
  • Event triggers: push to main + pull_request. Matches other repos.

.dockerignore (11 entries)

  • Excludes .venv/, __pycache__/, *.pyc, .pytest_cache/, .ruff_cache/, .git/, .gitignore, .claude/, tests/, README.md, CLAUDE.md. Comprehensive and correct.

Health endpoint: Confirmed at /health in src/minio_api/main.py:52-55, returns {"status": "ok"}.

BLOCKERS

None.

  • No new functionality requiring new tests (this PR adds only build/CI infrastructure, no application code changes).
  • No unvalidated user input introduced.
  • No secrets or credentials in code -- Harbor creds come from from_secret.
  • No DRY violations in auth/security paths.

NITS

  1. latest tag divergence: The tags field uses "${CI_COMMIT_SHA},latest" but basketball-api and mcd-tracker-api only tag with ${CI_COMMIT_SHA}. Adding latest is not wrong (it is common practice), but it diverges from the established platform pattern. Consider aligning for consistency, or accept the divergence as intentional for minio-api's deployment model.

  2. Missing clone override in mcd-tracker-api: This is not a minio-api issue, but noting that mcd-tracker-api lacks the clone override while basketball-api and minio-api both have it. Discovered scope for mcd-tracker-api.

  3. Test count mismatch in PR body: PR body says "63 unit tests" but the actual count across the 3 unit test files is 63 functions. The conftest has 1 test_ function too (likely a false positive in my grep -- test_bucket_name is a fixture, not a test). Accurate enough, no action needed.

  4. Harbor project pre-creation: PR checklist correctly notes Harbor project minio-api may need to be created before first push to main. This should be verified before merge to avoid the first CI build failing on push.

SOP COMPLIANCE

  • Branch named after issue: 6-add-dockerfile-and-woodpecker-ci-pipeline references issue #6
  • PR body follows template: Summary, Changes, Test Plan, Review Checklist, Related sections present
  • Related references plan slug: plan-minio-mobile referenced
  • No secrets committed: Harbor creds use from_secret, no plaintext credentials anywhere
  • No unnecessary file changes: 3 files added (Dockerfile, .woodpecker.yaml, .dockerignore), all directly scoped to the issue
  • Commit messages are descriptive: feat: add Dockerfile and Woodpecker CI pipeline

PROCESS OBSERVATIONS

  • Deployment frequency: This PR enables CI/CD for minio-api, directly enabling automated builds and future deployment. Positive DORA impact.
  • Change failure risk: Low. Infrastructure-only change with no application code modifications. Existing 63 unit tests are wired into CI. Integration tests are correctly excluded (no MinIO service container in CI).
  • Pattern compliance: Follows established basketball-api Dockerfile and CI patterns closely. The latest tag is the only divergence.
  • Prerequisite: Harbor project minio-api must exist before merging, or the first build-and-push step will fail.

VERDICT: APPROVED

forgejo_admin deleted branch 6-add-dockerfile-and-woodpecker-ci-pipeline 2026-03-22 08:36:36 +00:00
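
An illustrative Dockerfile for the base -> builder -> runtime layout the review describes, added here as an example; it is not the Dockerfile from this PR. FORGEJO_PYPI_URL and the minio_api.main:app entry point are assumptions, since the page shows neither the index URL nor the application object name.

```dockerfile
# Illustrative sketch only; not the file merged in this PR.
FROM python:3.12-slim AS base
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

# ---- builder: has git and pip's build machinery, never shipped ----
FROM base AS builder
# git is needed only to resolve the git+https:// minio-sdk dependency.
RUN apt-get update \
 && apt-get install -y --no-install-recommends git \
 && rm -rf /var/lib/apt/lists/*
WORKDIR /build
COPY pyproject.toml ./
COPY src/ ./src/
# Placeholder build argument (assumption): URL of the Forgejo PyPI index.
ARG FORGEJO_PYPI_URL
RUN pip install --no-cache-dir --extra-index-url "${FORGEJO_PYPI_URL}" .

# ---- runtime: starts again from base, so git and apt state are absent ----
FROM base AS runtime
# Only installed packages and console scripts cross the stage boundary.
COPY --from=builder /usr/local/lib/python3.12/site-packages \
                    /usr/local/lib/python3.12/site-packages
COPY --from=builder /usr/local/bin /usr/local/bin
WORKDIR /app
COPY src/ ./src/
# The commit SHA is passed at build time and exposed to the running process.
ARG BUILD_SHA=unknown
ENV BUILD_SHA=${BUILD_SHA} \
    PYTHONPATH=/app/src
EXPOSE 8000
# Entry point name "app" is an assumption; the page only names src/minio_api/main.py.
CMD ["uvicorn", "minio_api.main:app", "--host", "0.0.0.0", "--port", "8000"]
```

Because the runtime stage starts from base rather than from builder, anything installed or written only in the builder stage (git, apt lists, pip build artifacts outside the copied paths) cannot reach the pushed image.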