update ci/cd config

install workflow
update pw set
2026-05-21 11:05:53 +08:00 · 2026-05-20 16:38:08 +08:00 · 2026-05-20 16:18:57 +08:00 · 2026-05-19 10:19:47 +08:00 · 2026-05-19 10:03:40 +08:00 · 2026-05-19 09:37:39 +08:00
11 changed files with 11130 additions and 10 deletions
@@ -0,0 +1,180 @@
+name: build-and-push
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+env:
+  REGISTRY: repo.yneed.cn
+  REPO_PATH: wpic-dev/datahub
+
+jobs:
+  # ─────────────────────────────────────────────────────────────
+  # Pre-gate: tag must point to a commit reachable from master
+  # ─────────────────────────────────────────────────────────────
+  guard-master-only:
+    runs-on: podman
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Verify tag is on master
+        run: |
+          git fetch origin master:refs/remotes/origin/master
+          if ! git branch -r --contains "${{ gitea.sha }}" | grep -qE '(^|\s)origin/master(\s|$)'; then
+            echo "::error::Tag ${{ gitea.ref_name }} (commit ${{ gitea.sha }}) is NOT on master branch. Refusing to build."
+            exit 1
+          fi
+          echo "OK: tag ${{ gitea.ref_name }} is on master"
+
+  # ─────────────────────────────────────────────────────────────
+  # Test gates
+  # ─────────────────────────────────────────────────────────────
+  test-backend:
+    runs-on: podman
+    needs: [guard-master-only]
+    container:
+      image: docker.io/hyperf/hyperf:8.3-alpine-v3.19-swoole
+    steps:
+      - uses: actions/checkout@v4
+      - name: composer install (incl. dev for phpstan)
+        run: cd backend && composer install --no-interaction --no-progress
+      - name: PHP syntax check (parallel)
+        run: |
+          cd backend && find app config bin migrations -name '*.php' -print0 \
+            | xargs -0 -n1 -P4 php -l
+      - name: phpstan static analysis
+        run: cd backend && composer analyse
+
+  test-frontend-build:
+    runs-on: podman
+    needs: [guard-master-only]
+    container:
+      image: docker.io/library/node:24.15.0-alpine
+      env:
+        PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: '1'
+    steps:
+      - uses: actions/checkout@v4
+      - name: npm ci
+        run: cd frontend && npm ci --no-audit --no-fund
+      - name: lint (pre-existing baseline tolerated)
+        run: cd frontend && npm run lint
+        continue-on-error: true
+      - name: type-check (vue-tsc)
+        run: cd frontend && npm run type-check
+      - name: unit tests (pre-existing baseline tolerated)
+        run: cd frontend && npm run test:unit -- --run
+        continue-on-error: true
+      - name: build (vite)
+        run: cd frontend && npm run build
+      - name: upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: frontend-build
+          path: |
+            frontend/dist
+            frontend/node_modules
+
+  test-frontend-e2e:
+    runs-on: podman
+    needs: [test-frontend-build]
+    container:
+      image: mcr.microsoft.com/playwright:v1.60.0-noble
+    steps:
+      - uses: actions/checkout@v4
+      - name: download artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: frontend-build
+          path: frontend
+      - name: playwright smoke (chromium only)
+        run: cd frontend && CI=true npx playwright test --project=chromium
+
+  # ─────────────────────────────────────────────────────────────
+  # Build & push (4 images, parallel where possible)
+  # ─────────────────────────────────────────────────────────────
+  build-backend:
+    runs-on: podman
+    needs: [test-backend]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Login to Gitea Registry
+        run: |
+          echo "${{ secrets.DATAHUB_CI_CD }}" | \
+            podman login -u "${{ gitea.actor }}" --password-stdin ${{ env.REGISTRY }}
+      - name: Build
+        run: |
+          podman build --pull --layers \
+            -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/backend:${{ gitea.ref_name }} \
+            -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/backend:stable \
+            -f backend/Containerfile \
+            backend/
+      - name: Push
+        run: |
+          podman push ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/backend:${{ gitea.ref_name }}
+          podman push ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/backend:stable
+
+  build-frontend:
+    runs-on: podman
+    needs: [test-frontend-e2e]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Login to Gitea Registry
+        run: |
+          echo "${{ secrets.DATAHUB_CI_CD }}" | \
+            podman login -u "${{ gitea.actor }}" --password-stdin ${{ env.REGISTRY }}
+      - name: Build
+        run: |
+          podman build --pull --layers \
+            --ulimit nofile=65536:65536 \
+            -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/frontend:${{ gitea.ref_name }} \
+            -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/frontend:stable \
+            -f frontend/Containerfile \
+            frontend/
+      - name: Push
+        run: |
+          podman push ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/frontend:${{ gitea.ref_name }}
+          podman push ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/frontend:stable
+
+  build-timescaledb2:
+    runs-on: podman
+    needs: [guard-master-only]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Login to Gitea Registry
+        run: |
+          echo "${{ secrets.DATAHUB_CI_CD }}" | \
+            podman login -u "${{ gitea.actor }}" --password-stdin ${{ env.REGISTRY }}
+      - name: Build
+        run: |
+          podman build --pull --layers \
+            -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/timescaledb2:${{ gitea.ref_name }} \
+            -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/timescaledb2:stable \
+            -f timescaledb2/Containerfile \
+            timescaledb2/
+      - name: Push
+        run: |
+          podman push ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/timescaledb2:${{ gitea.ref_name }}
+          podman push ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/timescaledb2:stable
+
+  build-rabbitmq3:
+    runs-on: podman
+    needs: [guard-master-only]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Login to Gitea Registry
+        run: |
+          echo "${{ secrets.DATAHUB_CI_CD }}" | \
+            podman login -u "${{ gitea.actor }}" --password-stdin ${{ env.REGISTRY }}
+      - name: Build
+        run: |
+          podman build --pull --layers \
+            -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/rabbitmq3:${{ gitea.ref_name }} \
+            -t ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/rabbitmq3:stable \
+            -f rabbitmq3/Containerfile \
+            rabbitmq3/
+      - name: Push
+        run: |
+          podman push ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/rabbitmq3:${{ gitea.ref_name }}
+          podman push ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/rabbitmq3:stable
@@ -0,0 +1,65 @@
+name: rollback
+
+on:
+  workflow_dispatch:
+    inputs:
+      target_tag:
+        description: 'Target release tag to rollback to (e.g. v1.2.3)'
+        required: true
+      component:
+        description: 'Component (backend / frontend / timescaledb2 / rabbitmq3 / all)'
+        required: true
+        default: 'all'
+
+env:
+  REGISTRY: repo.yneed.cn
+  REPO_PATH: wpic-dev/datahub
+
+jobs:
+  retag:
+    runs-on: podman
+    steps:
+      - name: Validate target_tag format
+        run: |
+          if [[ ! "${{ inputs.target_tag }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$ ]]; then
+            echo "::error::target_tag must match semver pattern v<MAJOR>.<MINOR>.<PATCH>[-suffix]"
+            exit 1
+          fi
+
+      - name: Validate component
+        run: |
+          case "${{ inputs.component }}" in
+            backend|frontend|timescaledb2|rabbitmq3|all) ;;
+            *)
+              echo "::error::component must be one of: backend / frontend / timescaledb2 / rabbitmq3 / all"
+              exit 1
+              ;;
+          esac
+
+      - name: Login to Gitea Registry
+        run: |
+          echo "${{ secrets.DATAHUB_CI_CD }}" | \
+            podman login -u "${{ gitea.actor }}" --password-stdin ${{ env.REGISTRY }}
+
+      - name: Re-tag stable to target release
+        run: |
+          set -euo pipefail
+          components_to_rollback=""
+          if [[ "${{ inputs.component }}" == "all" ]]; then
+            components_to_rollback="backend frontend timescaledb2 rabbitmq3"
+          else
+            components_to_rollback="${{ inputs.component }}"
+          fi
+
+          for img in $components_to_rollback; do
+            echo "=== Rolling back $img to ${{ inputs.target_tag }} ==="
+            podman pull ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/$img:${{ inputs.target_tag }}
+            podman tag  ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/$img:${{ inputs.target_tag }} \
+                        ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/$img:stable
+            podman push ${{ env.REGISTRY }}/${{ env.REPO_PATH }}/$img:stable
+            echo "✓ $img:stable now points to ${{ inputs.target_tag }}"
+          done
+
+          echo
+          echo "Rollback complete. wpic-virt podman-auto-update.timer will pull the new"
+          echo ":stable digest within ~5 minutes and restart affected containers."
@@ -24,9 +24,6 @@ frontend/coverage/
 frontend/*.local
 frontend/.eslintcache
 frontend/*.tsbuildinfo
-frontend/package-lock.json
-frontend/pnpm-lock.yaml
-frontend/yarn.lock

 # 前端日志文件
 frontend/logs/
@@ -2,8 +2,8 @@ FROM docker.io/hyperf/hyperf:8.3-alpine-v3.19-swoole

 LABEL org.opencontainers.image.title="datahub-backend" \
      org.opencontainers.image.vendor="WPIC" \
-      org.opencontainers.image.licenses="MIT" \
-      org.opencontainers.image.source="https://192.168.30.181:3000/wpic-dev/datahub"
+      org.opencontainers.image.licenses="LicenseRef-WPIC-Proprietary" \
+      org.opencontainers.image.source="https://repo.yneed.cn/wpic-dev/datahub"

 ARG TIMEZONE=Asia/Shanghai
 ENV TIMEZONE=${TIMEZONE} \
@@ -1,7 +1,7 @@
 # ============================================================
 # Stage 1: builder
 # ============================================================
-FROM docker.io/library/node:22-alpine AS builder
+FROM docker.io/library/node:24.15.0-alpine AS builder

 WORKDIR /app

@@ -22,8 +22,8 @@ FROM docker.io/library/nginx:1.27-alpine

 LABEL org.opencontainers.image.title="datahub-frontend" \
      org.opencontainers.image.vendor="WPIC" \
-      org.opencontainers.image.licenses="MIT" \
-      org.opencontainers.image.source="https://192.168.30.181:3000/wpic-dev/datahub"
+      org.opencontainers.image.licenses="LicenseRef-WPIC-Proprietary" \
+      org.opencontainers.image.source="https://repo.yneed.cn/wpic-dev/datahub"

 ARG TIMEZONE=Asia/Shanghai
 ENV TIMEZONE=${TIMEZONE}
@@ -18,7 +18,7 @@
    "format": "prettier --write src/"
  },
  "dependencies": {
-    "@antv/g2plot": "^2.4.35",
+    "@antv/g2plot": "^2.3.32",
    "@tailwindcss/vite": "^4.1.16",
    "ant-design-vue": "^4.2.6",
    "dayjs": "^1.11.20",
@@ -28,7 +28,7 @@
    "vue-router": "^4.6.3"
  },
  "devDependencies": {
-    "@playwright/test": "~1.50.0",
+    "@playwright/test": "^1.60.0",
    "@tsconfig/node22": "^22.0.2",
    "@types/jsdom": "^27.0.0",
    "@types/node": "^22.18.11",
@@ -101,6 +101,12 @@ export default defineConfig({
    /**
     * Use the dev server by default for faster feedback loop.
     * Use the preview server on CI for more realistic testing.
+     *
+     * CI mode assumes `dist/` is already built by an upstream node container
+     * (Step 1 of the two-step e2e flow); preview only serves dist here, never
+     * builds. See docs/tmp/deploy-ref/ci-cd/02-frontend-image/design.md §7.0.1
+     * for the two-container workflow contract.
+     *
     * Playwright will re-use the local server if there is already a dev-server running.
     */
    command: process.env.CI ? 'npm run preview' : 'npm run dev',
@@ -0,0 +1,16 @@
+FROM docker.io/library/rabbitmq:3.13.7-management
+
+LABEL org.opencontainers.image.title="datahub-rabbitmq3" \
+      org.opencontainers.image.vendor="WPIC" \
+      org.opencontainers.image.licenses="LicenseRef-WPIC-Proprietary" \
+      org.opencontainers.image.source="https://repo.yneed.cn/wpic-dev/datahub"
+
+ARG TIMEZONE=Asia/Shanghai
+ENV TZ=${TIMEZONE}
+
+# management plugin is pre-enabled in `-management-alpine` upstream tag.
+# topology (vhost / users / exchanges / queues / bindings) is NOT baked into
+# the image; it's loaded at runtime from a host-mounted definitions.json
+# (rendered from SSOT credentials.yml by Round 06 ops scripts) per cicd §A/§B.
+
+EXPOSE 5672 15672
@@ -0,0 +1,14 @@
+FROM docker.io/timescale/timescaledb:2.27.1-pg16
+
+LABEL org.opencontainers.image.title="datahub-timescaledb2" \
+      org.opencontainers.image.vendor="WPIC" \
+      org.opencontainers.image.licenses="LicenseRef-WPIC-Proprietary" \
+      org.opencontainers.image.source="https://repo.yneed.cn/wpic-dev/datahub"
+
+ARG TIMEZONE=Asia/Shanghai
+ENV TZ=${TIMEZONE} \
+    LANG=en_US.utf8
+
+COPY initdb/ /docker-entrypoint-initdb.d/
+
+EXPOSE 5432
@@ -0,0 +1,19 @@
+-- Triggered on first start only (when $PGDATA is empty).
+-- Enables TimescaleDB extension in the datahub database.
+--
+-- Three-layer defense for extension activation:
+--   1. Upstream timescale image: /docker-entrypoint-initdb.d/000_install_timescaledb.sh
+--      already runs CREATE EXTENSION in $POSTGRES_DB; this file is defensive backup.
+--   2. This script: explicit \connect datahub then CREATE EXTENSION.
+--   3. backend/migrations/2026_05_07_100000_enable_timescaledb_extension.php
+--      runs CREATE EXTENSION IF NOT EXISTS on application boot.
+--
+-- All three layers are idempotent (IF NOT EXISTS), zero runtime cost.
+
+\connect datahub
+
+CREATE EXTENSION IF NOT EXISTS timescaledb;
+
+-- Future extensions can be added here, e.g.:
+-- CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
+-- CREATE EXTENSION IF NOT EXISTS pg_trgm;
Author	SHA1	Message	Date
nz	ef7d3a5351	update ci/cd config	2026-05-21 11:05:53 +08:00
nz	008fb370d5	install workflow	2026-05-20 16:38:08 +08:00
nz	444907aac4	update pw set	2026-05-20 16:18:57 +08:00
nz	aa63d3db1c	update playwright	2026-05-19 10:19:47 +08:00
nz	418c04980f	update lock	2026-05-19 10:03:40 +08:00
nz	9107cf4651	upgrade playwright test deps to 1.60	2026-05-19 09:37:39 +08:00