update ci/cd config

.gitea/workflows/build-and-push.yml

@@ -6,7 +6,7 @@ on:
       - 'v*'
 
 env:
-  REGISTRY: 192.168.30.181:3000
+  REGISTRY: repo.yneed.cn
   REPO_PATH: wpic-dev/datahub
 
 jobs:
@@ -51,7 +51,7 @@ jobs:
     runs-on: podman
     needs: [guard-master-only]
     container:
-      image: docker.io/library/node:22-alpine
+      image: docker.io/library/node:24.15.0-alpine
       env:
         PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1'
     steps:
@@ -108,7 +108,7 @@ jobs:
           podman build --pull --layers \
             -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/backend:${{ gitea.ref_name }} \
             -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/backend:stable \
-            -f backend/Dockerfile \
+            -f backend/Containerfile \
             backend/
       - name: Push
         run: |
@@ -130,7 +130,7 @@ jobs:
             --ulimit nofile=65536:65536 \
             -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/frontend:${{ gitea.ref_name }} \
             -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/frontend:stable \
-            -f frontend/Dockerfile \
+            -f frontend/Containerfile \
             frontend/
       - name: Push
         run: |
@@ -151,8 +151,8 @@ jobs:
           podman build --pull --layers \
             -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/timescaledb2:${{ gitea.ref_name }} \
             -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/timescaledb2:stable \
-            -f docs/tmp/deploy-ref/ci-cd/03-timescaledb-image/Containerfile \
+            -f timescaledb2/Containerfile \
-            docs/tmp/deploy-ref/ci-cd/03-timescaledb-image/
+            timescaledb2/
       - name: Push
         run: |
           podman push ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/timescaledb2:${{ gitea.ref_name }}
@@ -172,8 +172,8 @@ jobs:
           podman build --pull --layers \
             -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/rabbitmq3:${{ gitea.ref_name }} \
             -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/rabbitmq3:stable \
-            -f docs/tmp/deploy-ref/ci-cd/04-rabbitmq-image/Containerfile \
+            -f rabbitmq3/Containerfile \
-            docs/tmp/deploy-ref/ci-cd/04-rabbitmq-image/
+            rabbitmq3/
       - name: Push
         run: |
           podman push ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/rabbitmq3:${{ gitea.ref_name }}

.gitea/workflows/rollback.yml

@@ -12,7 +12,7 @@ on:
         default: 'all'
 
 env:
-  REGISTRY: 192.168.30.181:3000
+  REGISTRY: repo.yneed.cn
   REPO_PATH: wpic-dev/datahub
 
 jobs:

backend/Containerfile

@@ -2,8 +2,8 @@ FROM docker.io/hyperf/hyperf:8.3-alpine-v3.19-swoole
 
 LABEL org.opencontainers.image.title="datahub-backend" \
       org.opencontainers.image.vendor="WPIC" \
-      org.opencontainers.image.licenses="MIT" \
+      org.opencontainers.image.licenses="LicenseRef-WPIC-Proprietary" \
-      org.opencontainers.image.source="https://192.168.30.181:3000/wpic-dev/datahub"
+      org.opencontainers.image.source="https://repo.yneed.cn/wpic-dev/datahub"
 
 ARG TIMEZONE=Asia/Shanghai
 ENV TIMEZONE=${TIMEZONE} \

frontend/Containerfile

@@ -1,7 +1,7 @@
 # ============================================================
 # Stage 1: builder
 # ============================================================
-FROM docker.io/library/node:22-alpine AS builder
+FROM docker.io/library/node:24.15.0-alpine AS builder
 
 WORKDIR /app
 
@@ -22,8 +22,8 @@ FROM docker.io/library/nginx:1.27-alpine
 
 LABEL org.opencontainers.image.title="datahub-frontend" \
       org.opencontainers.image.vendor="WPIC" \
-      org.opencontainers.image.licenses="MIT" \
+      org.opencontainers.image.licenses="LicenseRef-WPIC-Proprietary" \
-      org.opencontainers.image.source="https://192.168.30.181:3000/wpic-dev/datahub"
+      org.opencontainers.image.source="https://repo.yneed.cn/wpic-dev/datahub"
 
 ARG TIMEZONE=Asia/Shanghai
 ENV TIMEZONE=${TIMEZONE}

rabbitmq3/Containerfile

@@ -0,0 +1,16 @@
+FROM docker.io/library/rabbitmq:3.13.7-management
+
+LABEL org.opencontainers.image.title="datahub-rabbitmq3" \
+      org.opencontainers.image.vendor="WPIC" \
+      org.opencontainers.image.licenses="LicenseRef-WPIC-Proprietary" \
+      org.opencontainers.image.source="https://repo.yneed.cn/wpic-dev/datahub"
+
+ARG TIMEZONE=Asia/Shanghai
+ENV TZ=${TIMEZONE}
+
+# management plugin is pre-enabled in `-management-alpine` upstream tag.
+# topology (vhost / users / exchanges / queues / bindings) is NOT baked into
+# the image; it's loaded at runtime from a host-mounted definitions.json
+# (rendered from SSOT credentials.yml by Round 06 ops scripts) per cicd §A/§B.
+
+EXPOSE 5672 15672

timescaledb2/Containerfile

@@ -0,0 +1,14 @@
+FROM docker.io/timescale/timescaledb:2.27.1-pg16
+
+LABEL org.opencontainers.image.title="datahub-timescaledb2" \
+      org.opencontainers.image.vendor="WPIC" \
+      org.opencontainers.image.licenses="LicenseRef-WPIC-Proprietary" \
+      org.opencontainers.image.source="https://repo.yneed.cn/wpic-dev/datahub"
+
+ARG TIMEZONE=Asia/Shanghai
+ENV TZ=${TIMEZONE} \
+    LANG=en_US.utf8
+
+COPY initdb/ /docker-entrypoint-initdb.d/
+
+EXPOSE 5432

timescaledb2/initdb/01-create-extensions.sql

@@ -0,0 +1,19 @@
+-- Triggered on first start only (when $PGDATA is empty).
+-- Enables TimescaleDB extension in the datahub database.
+--
+-- Three-layer defense for extension activation:
+--   1. Upstream timescale image: /docker-entrypoint-initdb.d/000_install_timescaledb.sh
+--      already runs CREATE EXTENSION in $POSTGRES_DB; this file is defensive backup.
+--   2. This script: explicit \connect datahub then CREATE EXTENSION.
+--   3. backend/migrations/2026_05_07_100000_enable_timescaledb_extension.php
+--      runs CREATE EXTENSION IF NOT EXISTS on application boot.
+--
+-- All three layers are idempotent (IF NOT EXISTS), zero runtime cost.
+
+\connect datahub
+
+CREATE EXTENSION IF NOT EXISTS timescaledb;
+
+-- Future extensions can be added here, e.g.:
+-- CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
+-- CREATE EXTENSION IF NOT EXISTS pg_trgm;