Document tier-2 key-cape Forgejo image pilot (T10 complete)

Adds archive-checkout image workflow evidence and k3s pull verification;
tiers 0-2 satisfied before state-hub cutover.
codex
2026-07-04 10:26:28 +02:00
parent 1745c37f2c
commit 5d3270e564
2 changed files with 38 additions and 8 deletions

@@ -1,7 +1,13 @@
# Forgejo Repo Migration Pilot — glas-harness
# Forgejo Repo Migration Pilots (tier 12)
Date: 2026-07-03 (tier 1), 2026-07-04 (tier 2)
Workplan: `CUST-WP-0054-T04`, `RAIL-HO-WP-0005-T10`
Pilots: `glas-harness` (tier 1), `key-cape` (tier 2)
---
## Tier 1 — glas-harness
Date: 2026-07-03
Workplan: `CUST-WP-0054-T04`, `RAIL-HO-WP-0005-T10` (tier 1)
Pilot repo: `coulomb/glas-harness` (non-production tooling; safe routing drill)
## Why this repo
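Review bot: `Date:` and `Workplan:` now appear twice in the header, once at document level and again under the new Tier 1 heading, and the retained `## Why this repo` sits at the same level as that tier heading, so it reads as a document-wide section rather than part of tier 1. Consider keeping the metadata in one place (top of the doc or per tier) and demoting the tier 1 subsections to `###` so the tier 2 section added later in the file is clearly a sibling.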
@@ -94,12 +100,35 @@ git push "https://<user>:<token>@forgejo.coulomb.social/coulomb/<repo>.git" main
7. Leave Gitea repo read-only; do not delete (safety contract).
8. Record results in this doc or a per-repo row in the migration inventory.
## Tier 2 — key-cape (2026-07-04)
Pilot repo: `coulomb/key-cape` — non-production identity tooling with a real
multi-stage `Dockerfile` (Go build + distroless).
| Step | Result | Notes |
| --- | --- | --- |
| Mirror git to Forgejo | **pass** | `main` mirrored; `origin=forgejo-remote` |
| Port `.gitea/workflows/image.yaml``.forgejo/workflows/image.yaml` | **pass** | Archive checkout + static docker-cli; no `actions/checkout` |
| Build and push on `container-build` | **pass** | `build-and-push` workflow `success` @ `ec706da` |
| k3s pull on railiance01 | **pass** | `sudo crictl pull forgejo.coulomb.social/coulomb/key-cape:latest` |
Workflow pattern (tier 2+):
```yaml
# Checkout: repo archive (no git binary required on non-root runner)
wget -qO /tmp/repo.tar.gz "https://forgejo.coulomb.social/${GITHUB_REPOSITORY}/archive/${GITHUB_SHA}.tar.gz"
tar xzf /tmp/repo.tar.gz -C buildctx --strip-components=1
# Build: static docker-cli + DOCKER_HOST=tcp://127.0.0.1:2375
```
Image: `forgejo.coulomb.social/coulomb/key-cape:latest`
## Not ready for state-hub yet
Before `state-hub`, the pilot still needs:
Before `state-hub`, the ladder still needs:
- [ ] Operator/user SSH identity on Forgejo (not only `forgejo_admin`)
- [ ] Reusable workflow template with `hub-core` build context and `git clone` checkout pattern
- [ ] Reusable workflow template with `hub-core` build context (multi-repo checkout)
- [ ] State Hub `remote_url` + sweep checkout path update playbook
- [ ] Gitea read-only mirror or push-disable policy for repos after cutover
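Review bot: The workflow pattern builds against `DOCKER_HOST=tcp://127.0.0.1:2375`, which is the Docker API without TLS or authentication, and the section does not say what restricts access to that listener on the runner. Anything that can reach the port controls the daemon, so please document how it is scoped (for example a per-job daemon reachable only from the job's own network namespace) or link the runner substrate doc if it is covered there. Two smaller points in the same section: the k3s pull row and the `Image:` line use `:latest` while the build row is pinned to `ec706da`, so recording the pulled digest or a commit tag would tie the evidence together; and the fence is tagged `yaml` but holds shell commands, with `tar xzf ... -C buildctx` assuming the directory already exists.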
@@ -108,4 +137,5 @@ Before `state-hub`, the pilot still needs:
- `docs/forgejo-production-decisions.md`
- `railiance-forge/docs/forgejo-actions-runner-substrate.md`
- `railiance-apps/docs/forgejo-on-railiance01.md`
- Forgejo repo: https://forgejo.coulomb.social/coulomb/glas-harness
- Tier 1: https://forgejo.coulomb.social/coulomb/glas-harness
- Tier 2: https://forgejo.coulomb.social/coulomb/key-cape

@@ -172,8 +172,8 @@ state_hub_task_id: "79b9ee4d-f792-434c-a2ea-2fe216a948ca"
Execute/absorb `RAIL-HO-WP-0005`: Forgejo production on railiance01 becomes
the canonical remote for all repos; coulombcore Gitea becomes a read-only
mirror until decommission. Staged migration ladder (T10): tier 01 done;
tier 2 image pilot next; tier 3 production repos gated on T09 backup +
mirror until decommission. Staged migration ladder (T10): tiers 02 done (`forgejo-actions-probe`,
`glas-harness`, `key-cape`); tier 3 production repos gated on T09 backup +
`state-hub` approval. Stand up Actions runners so container images build and
push in CI from tags — the workstation stops being the build/publish host.
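Review bot: The updated ladder sentence names `forgejo-actions-probe` as a completed tier, but the pilot doc changed in this commit lists only `glas-harness` (tier 1) and `key-cape` (tier 2) under `Pilots:`, so the tier 0 result has no evidence linked from here. Please add a pointer to where the probe run is recorded. It would also help to reference the open checklist under "Not ready for state-hub yet" next to the tier 3 gate, since the text mentions only T09 backup and `state-hub` approval while that checklist still has four unchecked items.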