Skip to content

feat(release): self-contained image and release CI (GHCR image, Helm chart)#20

Merged
Bugs5382 merged 6 commits into
mainfrom
feat/19-release-ci
Jul 14, 2026
Merged

feat(release): self-contained image and release CI (GHCR image, Helm chart)#20
Bugs5382 merged 6 commits into
mainfrom
feat/19-release-ci

Conversation

@Bugs5382

Copy link
Copy Markdown
Contributor

What and why

Slice B of productionize. Ships the Fleet Manager as consumable artifacts anyone can run on their own infrastructure.

  • internal/webuigo:embed the web dist/ and serve the SPA on the same mux as the Connect API (the API path wins by longest-prefix; a directory path or unknown route falls back to index.html, no directory listings). Mounted at / in cmd/manager, so it sits behind the same client-cert-mTLS listener (Slice A) — no unauthenticated hole.
  • Dockerfile — multi-stage BuildKit build: build the web bundle (Node) → embed → static distroless nonroot image. Verified with a real build.
  • .github/workflows/job-release-image.yaml — on a v* tag, build+push the image (buildx → ghcr.io/cryptos-pki/manager) and package+push the Helm chart (oci://ghcr.io/cryptos-pki/charts).
  • chart/fleet-manager — Helm chart; bring-your-own server cert + operator CA + node inventory; authBypass defaults false; required guards on the trust material when not bypassing.
  • README — Deploying (docker/helm) + the release/changelog flow.

The image and chart assume no particular deploy environment — adopters bring their own registry, trust material, and orchestrator. Builds on Slice A (#18, merged).

Closes #19

Verification

  • Lint clean (gofmt / go vet / golangci-lint 0)
  • Tests pass (webui serve + SPA fallback; whole suite green)
  • docker build succeeds (distroless image ~6.8 MB content)
  • helm lint clean; renders verified for authBypass true (no TLS volumes) and false (TLS + operator-CA volumes)
  • actionlint clean on the release workflow
  • License headers (task license 0 changed)

How this was verified

Whole-branch review confirmed: the Connect API path still wins over the SPA mount (proven by a real mux test), no unauthenticated path is introduced, the Dockerfile bakes no secrets and embeds the real bundle before go build, the workflow triggers only on tags with no run: injection risk, and the chart renders correctly in both auth modes. The node ISO ships separately from cryptos.

@Bugs5382 Bugs5382 self-assigned this Jul 14, 2026
@github-actions github-actions Bot added the enhancement New feature (feat). Minor version bump. label Jul 14, 2026
@Bugs5382
Bugs5382 merged commit 3e7234f into main Jul 14, 2026
12 checks passed
@Bugs5382
Bugs5382 deleted the feat/19-release-ci branch July 14, 2026 13:41
@Bugs5382 Bugs5382 added this to the v1.0.0 milestone Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature (feat). Minor version bump.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(release): self-contained image + release CI (GHCR image, Helm chart)

1 participant