feat(image): KEY-WP-0002 T01/T02/T06 — Makefile image targets, Gitea Actions workflow, README CI docs

- Makefile: add IMAGE_REGISTRY/IMAGE_REPO/IMAGE_TAG vars + image, push, image-tag targets - .gitea/workflows/image.yaml: build+push on main push and v* tags via metadata-action - README: Container Image section with pull/build/push/CI secret docs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 23:27:39 +00:00
parent 393ef3ca76
commit 7822ba0703
4 changed files with 125 additions and 4 deletions
--- a/.gitea/workflows/image.yaml
+++ b/.gitea/workflows/image.yaml
@@ -0,0 +1,51 @@
+name: Build and Publish Container Image
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "v*"
+
+env:
+  REGISTRY: 92.205.130.254:32166
+  IMAGE_NAME: netkingdom/key-cape
+
+jobs:
+  build-and-push:
+    runs-on: act_runner
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Gitea registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=sha,prefix=main-,format=short,enable={{is_default_branch}}
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
--- a/16
+++ b/16
@@ -1,4 +1,9 @@
-.PHONY: dev seed build test lint
+IMAGE_REGISTRY ?= 92.205.130.254:32166
+IMAGE_REPO     ?= netkingdom/key-cape
+IMAGE_TAG      ?= latest
+IMAGE          := $(IMAGE_REGISTRY)/$(IMAGE_REPO):$(IMAGE_TAG)
+
+.PHONY: dev seed build test lint image push image-tag

 dev:
 	docker compose -f docker-compose.dev.yml up
@@ -14,3 +19,12 @@ test:

 lint:
 	cd src && go vet ./...
+
+image:
+	docker build -t $(IMAGE) .
+
+push: image
+	docker push $(IMAGE)
+
+image-tag:
+	docker tag $(IMAGE) $(IMAGE_REGISTRY)/$(IMAGE_REPO):$(IMAGE_TAG)
--- a/README.md
+++ b/README.md
@@ -177,6 +177,62 @@ wiki/                   # Specifications
 - `wiki/KeyCapeSpecificationPack_v0.1.md` — Normative implementation spec
 - `docs/adr/ADR-0001-choose-go-for-keycape.md` — Language decision (Go vs Rust)

+## Container Image
+
+The KeyCape image is published to the Gitea OCI registry on CoulombCore.
+
+**Registry:** `92.205.130.254:32166`
+**Image:** `92.205.130.254:32166/netkingdom/key-cape`
+
+### Pull
+
+```bash
+docker pull 92.205.130.254:32166/netkingdom/key-cape:latest
+```
+
+The registry runs over plain HTTP. Configure Docker to allow it:
+
+```json
+// /etc/docker/daemon.json
+{ "insecure-registries": ["92.205.130.254:32166"] }
+```
+
+### Build and push locally
+
+```bash
+# Build with default tag (latest)
+make image
+
+# Build with a specific tag
+IMAGE_TAG=dev make image
+
+# Push to registry (requires prior docker login)
+docker login 92.205.130.254:32166
+make push
+
+# Push with a specific tag
+IMAGE_TAG=v1.0.0 make push
+```
+
+### Tags
+
+| Trigger | Tags |
+|---------|------|
+| Push to `main` | `latest`, `main-<short-sha>` |
+| Tag `v1.2.3` | `1.2.3`, `1.2`, `1`, `latest` |
+
+### CI (Gitea Actions)
+
+The workflow at `.gitea/workflows/image.yaml` builds and publishes automatically
+on every push to `main` and on semver tags (`v*`).
+
+Required Gitea Actions secrets on the `key-cape` repo:
+
+| Secret | Value |
+|--------|-------|
+| `REGISTRY_USER` | Gitea username or machine account (e.g. `ci-netkingdom`) |
+| `REGISTRY_TOKEN` | Gitea personal access token with `write:packages` scope |
+
 ## Domain

 Part of the **NetKingdom** domain. Tracked in the Custodian State Hub under
--- a/workplans/KEY-WP-0002-container-image-gitea.md
+++ b/workplans/KEY-WP-0002-container-image-gitea.md
@@ -115,7 +115,7 @@ same file.

 ```task
 id: KEY-WP-0002-T01
-status: todo
+status: done
 priority: high
 state_hub_task_id: "749472fc-edb9-4948-9ebc-58d5f38327ee"
 ```
@@ -133,7 +133,7 @@ produces a differently-tagged image.

 ```task
 id: KEY-WP-0002-T02
-status: todo
+status: done
 priority: high
 state_hub_task_id: "8ecf18cc-a3bb-4ede-a09c-fcd0d26d7f9d"
 ```
@@ -220,7 +220,7 @@ Gate: pull succeeds; image is listed in Gitea → Packages → netkingdom/key-ca

 ```task
 id: KEY-WP-0002-T06
-status: todo
+status: done
 priority: low
 state_hub_task_id: "946cd34d-94da-4fa9-a781-ed36f6c827a3"
 ```