Dockerfile.ci

# wfe-ci: Prebuilt image for running wfe CI workflows in Kubernetes.
#
# Contains:
#   - Rust stable toolchain
#   - cargo-nextest, cargo-llvm-cov
#   - sccache (configured via env vars from Vault)
#   - buildkit client (buildctl) for in-cluster buildkitd
#   - tea CLI for Gitea release management
#   - git, curl, kubectl
#
# Usage in workflows: type: kubernetes, image: src.sunbeam.pt/studio/wfe-ci:latest

FROM rust:bookworm

# System packages
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        git \
        jq \
        libssl-dev \
        pkg-config \
        protobuf-compiler \
        unzip \
        xz-utils \
    && rm -rf /var/lib/apt/lists/*

# Cargo tools
RUN cargo install --locked cargo-nextest cargo-llvm-cov sccache && \
    rm -rf /usr/local/cargo/registry

# Buildkit client (buildctl)
ARG BUILDKIT_VERSION=v0.28.0
RUN curl -fsSL "https://github.com/moby/buildkit/releases/download/${BUILDKIT_VERSION}/buildkit-${BUILDKIT_VERSION}.linux-amd64.tar.gz" \
      | tar -xz -C /usr/local --strip-components=1 bin/buildctl

# kubectl
RUN curl -fsSL "https://dl.k8s.io/release/$(curl -fsSL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
      -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl

# tea CLI for Gitea
ARG TEA_VERSION=0.11.0
RUN curl -fsSL "https://gitea.com/gitea/tea/releases/download/v${TEA_VERSION}/tea-${TEA_VERSION}-linux-amd64" \
      -o /usr/local/bin/tea && chmod +x /usr/local/bin/tea

# llvm tools (needed by cargo-llvm-cov)
RUN rustup component add llvm-tools-preview

# Sccache wrapper config — expects SCCACHE_S3_ENDPOINT, SCCACHE_BUCKET, etc. via env.
ENV RUSTC_WRAPPER=/usr/local/cargo/bin/sccache \
    CARGO_INCREMENTAL=0

WORKDIR /workspace

CMD ["bash"]
feat(wfectl): new CLI client + wfe-ci builder image wfectl is a command-line client for wfe-server with 17 subcommands covering the full workflow lifecycle: * Auth: login (OAuth2 PKCE via Ory Hydra), logout, whoami * Definitions: register (YAML → gRPC), validate (local compile), definitions list * Instances: run, get, list, cancel, suspend, resume * Events: publish * Streaming: watch (lifecycle), logs, search-logs (full-text) Key design points: * `validate` compiles YAML locally via `wfe-yaml::load_workflow_from_str` with the full executor feature set enabled — instant feedback, no server round-trip, no auth required. Uses the same compile path as the server's `register` RPC so what passes validation is guaranteed to register. * Lookup commands accept either UUID or human name; the server resolves the identifier for us. Display tables show both columns. * `run --name <N>` lets users override the auto-generated `{def_id}-{N}` instance name when they want a sticky reference. * Table and JSON output formats, shared bearer-token or cached-login auth path, direct token injection via `WFECTL_TOKEN`. * 5 new unit tests for the validate command cover happy path, unknown step type rejection, and missing file handling. Dockerfile.ci ships the prebuilt image used as the `image:` for kubernetes CI steps: rust stable, cargo-nextest, cargo-llvm-cov, sccache (configured via WFE_SCCACHE_* env), buildctl for in-cluster buildkitd, kubectl, tea for Gitea releases, and git. Published to `src.sunbeam.pt/studio/wfe-ci:latest`. 2026-04-07 19:09:26 +01:00			`# wfe-ci: Prebuilt image for running wfe CI workflows in Kubernetes.`
			`#`
			`# Contains:`
			`# - Rust stable toolchain`
			`# - cargo-nextest, cargo-llvm-cov`
			`# - sccache (configured via env vars from Vault)`
			`# - buildkit client (buildctl) for in-cluster buildkitd`
			`# - tea CLI for Gitea release management`
			`# - git, curl, kubectl`
			`#`
			`# Usage in workflows: type: kubernetes, image: src.sunbeam.pt/studio/wfe-ci:latest`

			`FROM rust:bookworm`

			`# System packages`
			`RUN apt-get update && apt-get install -y --no-install-recommends \`
			`ca-certificates \`
			`curl \`
			`git \`
			`jq \`
			`libssl-dev \`
			`pkg-config \`
			`protobuf-compiler \`
			`unzip \`
			`xz-utils \`
			`&& rm -rf /var/lib/apt/lists/*`

			`# Cargo tools`
			`RUN cargo install --locked cargo-nextest cargo-llvm-cov sccache && \`
			`rm -rf /usr/local/cargo/registry`

			`# Buildkit client (buildctl)`
			`ARG BUILDKIT_VERSION=v0.28.0`
			`RUN curl -fsSL "https://github.com/moby/buildkit/releases/download/${BUILDKIT_VERSION}/buildkit-${BUILDKIT_VERSION}.linux-amd64.tar.gz" \`
			`\| tar -xz -C /usr/local --strip-components=1 bin/buildctl`

			`# kubectl`
			`RUN curl -fsSL "https://dl.k8s.io/release/$(curl -fsSL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \`
			`-o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl`

			`# tea CLI for Gitea`
			`ARG TEA_VERSION=0.11.0`
			`RUN curl -fsSL "https://gitea.com/gitea/tea/releases/download/v${TEA_VERSION}/tea-${TEA_VERSION}-linux-amd64" \`
			`-o /usr/local/bin/tea && chmod +x /usr/local/bin/tea`

			`# llvm tools (needed by cargo-llvm-cov)`
			`RUN rustup component add llvm-tools-preview`

			`# Sccache wrapper config — expects SCCACHE_S3_ENDPOINT, SCCACHE_BUCKET, etc. via env.`
			`ENV RUSTC_WRAPPER=/usr/local/cargo/bin/sccache \`
			`CARGO_INCREMENTAL=0`

			`WORKDIR /workspace`

			`CMD ["bash"]`