akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 6 Packages Projects Releases Wiki Activity
Files
fa7b4134307a2f869ebaf1fffbd23bf42a5b1e4a
Charon/docs/plans/ci_artifact_handover.md
GitHub Actions aa6db54795 chore(ci): use build artifact for integration tests 
Update CI pipeline to pass the built Docker image to integration tests as a file artifact instead of pulling from a registry.

Adds explicit list of integration tests to build-image job outputs logic
Adds step to export charon:local image to tarball in linux/amd64 architecture
Updates integration jobs to download and load the image artifact
Resolves "invalid reference format" errors when registry tags are missing or invalid
Enables integration testing on PRs that do not push to registry
2026-02-09 02:49:34 +00:00

5.1 KiB
Raw Blame History

title, status, scope
title status scope
CI Docker Image Artifact Handover draft ci/integration, docker/build

1. Introduction

This plan updates the CI pipeline to pass the Docker image between jobs as a build artifact instead of pulling from a registry. The goal is to eliminate the integration-stage "invalid reference format" error by loading a known-good local image tag (charon:local) in each integration job.

Objectives:

  • Export a Docker image tarball from the build stage, tagged charon:local.
  • Upload the tarball as a CI artifact and consume it in integration jobs.
  • Remove Docker Hub login and image pull steps from integration jobs.
  • Ensure the export step reuses build cache to avoid double build time.

2. Research Findings

  • The integration jobs in .github/workflows/ci-pipeline.yml currently log into Docker Hub and run docker pull using needs.build-image.outputs.image_ref_dockerhub.
  • The reported "invalid reference format" error is consistent with an empty or malformed image reference at the pull step.
  • The build job already uses docker/build-push-action for the main build/push step but does not export a local image tarball artifact.

3. Technical Specifications

3.1 Build Image Job: Export Artifact

Location: .github/workflows/ci-pipeline.yml job build-image.

Add a dedicated export step after the main build step:

  • Use docker/build-push-action with:
    • platforms: linux/amd64
    • outputs: type=docker,dest=/tmp/charon.tar
    • tags: charon:local
  • Ensure cache reuse to avoid a full rebuild:
    • Main build step: add cache-to: type=gha,mode=max
    • Export step: add cache-from: type=gha

Update the run_integration output in build-image:

  • Set run_integration to true when the artifact build succeeds.
  • Do not depend on steps.image-policy.outputs.push == true for integration gating.

Add an artifact upload step:

  • Use actions/upload-artifact.
  • name: docker-image
  • path: /tmp/charon.tar
  • retention-days: 1

3.2 Integration Jobs: Consume Artifact

Jobs:

  • integration-cerberus
  • integration-crowdsec
  • integration-waf
  • integration-ratelimit

Required changes:

  • Remove steps:
    • "Log in to Docker Hub"
    • "Pull shared image"
  • Add steps:
    • Download artifact via actions/download-artifact with name: docker-image and path: /tmp.
    • Load image via docker load --input /tmp/charon.tar.
    • Verify image availability with docker image inspect charon:local.

3.3 Image Tag Validation

  • Ensure the export step sets tags: charon:local so integration tests continue to use the existing charon:local tag without changes to test scripts.

4. Implementation Plan

Phase 1: CI Build Artifact Export

  1. Update build-image job to add cache settings to the existing docker/build-push-action step.
  2. Add a new export step using docker/build-push-action with platforms: linux/amd64, outputs: type=docker,dest=/tmp/charon.tar, and tags: charon:local.
  3. Upload /tmp/charon.tar as docker-image artifact.
  4. Update run_integration output to depend on artifact build success only.

Phase 2: Integration Job Artifact Handover

  1. Remove Docker Hub login and pull steps from each integration job.
  2. Add actions/download-artifact for docker-image.
  3. Add a docker load step and verify charon:local.

Phase 3: Validation

  1. Confirm integration jobs no longer call docker pull.
  2. Confirm docker image inspect charon:local succeeds before each integration test script.
  3. Confirm build logs show cache reuse for the export step.

5. Acceptance Criteria (EARS)

  • WHEN the build-image job completes, THE SYSTEM SHALL export a Docker tarball at /tmp/charon.tar tagged charon:local.
  • WHEN the build-image job completes, THE SYSTEM SHALL upload the tarball as an artifact named docker-image.
  • WHEN an integration job starts, THE SYSTEM SHALL download the docker-image artifact and load it with docker load.
  • WHEN the image is loaded in an integration job, THE SYSTEM SHALL verify charon:local exists before running integration scripts.
  • WHEN integration jobs run, THE SYSTEM SHALL NOT log into Docker Hub or pull from the registry.
  • WHEN the export step runs, THE SYSTEM SHALL reuse the build cache from the main build step to avoid a full rebuild.
  • WHEN the artifact build step succeeds, THE SYSTEM SHALL set run_integration to true regardless of registry push settings.

6. Risks and Mitigations

  • Risk: Export step rebuilds the image, increasing CI time. Mitigation: Use cache-to on the main build step and cache-from on the export step to reuse the Buildx cache.

  • Risk: Artifact download or load fails due to path issues. Mitigation: Use consistent /tmp/charon.tar path and add docker image inspect charon:local to fail fast.

7. Confidence Score

Confidence: 86 percent

Rationale: The workflow changes are limited to CI steps and standard Docker Buildx artifact handoff. The only uncertainty is whether the integration gate should also be adjusted to align with artifact-based handoff, which can be validated after implementation.

Reference in New Issue View Git Blame Copy Permalink