From f9fb4ce4cd49d41f6ed7f2f478b276cac3cdade4 Mon Sep 17 00:00:00 2001
From: Fadhli Azhari
Date: Tue, 28 Apr 2026 15:06:00 +0800
Subject: [PATCH] build: add frontend-builder image and bake buf into java-builder

ci/frontend-builder (new): Node 24 + pnpm 10 + buf 1.55 + global @bufbuild/protoc-gen-es 2.4 + Playwright chromium runtime libs + ORAS. Used by KollectAI-ETL frontend CI to run TS proto codegen locally (buf.gen.yaml uses `local: protoc-gen-es`) instead of the rate-limited BSR remote-plugin path.
ci/java-builder: added the standalone buf binary so `buf lint` runs in CI without an inline curl install. Backend Java codegen stays in the Maven build (protobuf-maven-plugin), so no protoc plugins are added to this image.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 ci/frontend-builder/Dockerfile | 91 ++++++++++++++++++++++++++++++++++
 ci/frontend-builder/README.md | 72 +++++++++++++++++++++++++++
 ci/java-builder/Dockerfile | 22 +++++++-
 ci/java-builder/README.md | 15 +++++-
 4 files changed, 196 insertions(+), 4 deletions(-)
 create mode 100644 ci/frontend-builder/Dockerfile
 create mode 100644 ci/frontend-builder/README.md
diff --git a/ci/frontend-builder/Dockerfile b/ci/frontend-builder/Dockerfile
new file mode 100644
index 0000000..8faf8bd
--- /dev/null
+++ b/ci/frontend-builder/Dockerfile
@@ -0,0 +1,91 @@
+# KollectAI CI - Frontend Builder Image
+#
+# Pre-baked build environment for SvelteKit frontend CI jobs and
+# protobuf TypeScript code generation.
+# Contains: Node.js, pnpm, buf CLI, @bufbuild/protoc-gen-es plugin
+# (global so buf 'local: protoc-gen-es' resolves via PATH), Playwright
+# system deps, ORAS CLI, common build tools.
+#
+# Build:
+# docker build -t 192.168.1.72/kollect-tools/ci/frontend-builder:latest ci/frontend-builder/
+#
+# Usage in CI:
+# container:
+# image: 192.168.1.72/kollect-tools/ci/frontend-builder:latest
+
+ARG NODE_MAJOR=24
+FROM node:${NODE_MAJOR}-bookworm-slim
+
+ARG PNPM_VERSION=10.15.0
+ARG BUF_VERSION=1.55.0
+# Pin protoc-gen-es to a known-good major. Bump in lockstep with the
+# frontend's @bufbuild/protobuf runtime version in package.json.
+ARG PROTOC_GEN_ES_VERSION=2.4.0
+ARG ORAS_VERSION=1.2.2
+
+# ─────────────────────────────────────────────────────────────────────
+# System dependencies
+#
+# The Playwright system libs (libnss3 ... libasound2) are pre-installed
+# so test-e2e jobs can skip `playwright install --with-deps` and just
+# run `playwright install chromium` (browser binary still cached at
+# ~/.cache/ms-playwright in CI). Saves ~30s per E2E run.
+# ─────────────────────────────────────────────────────────────────────
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ ca-certificates \
+ curl \
+ git \
+ jq \
+ unzip \
+ # Playwright chromium runtime libs
+ libasound2 \
+ libatk1.0-0 \
+ libatk-bridge2.0-0 \
+ libcups2 \
+ libdbus-1-3 \
+ libdrm2 \
+ libgbm1 \
+ libnspr4 \
+ libnss3 \
+ libxcomposite1 \
+ libxdamage1 \
+ libxfixes3 \
+ libxkbcommon0 \
+ libxrandr2 \
+ && rm -rf /var/lib/apt/lists/*
+
+# ─────────────────────────────────────────────────────────────────────
+# pnpm via corepack (ships with Node.js)
+# ─────────────────────────────────────────────────────────────────────
+RUN corepack enable \
+ && corepack prepare "pnpm@${PNPM_VERSION}" --activate
+
+# ─────────────────────────────────────────────────────────────────────
+# buf CLI - single static binary, used for `buf lint` and `buf generate`
+# ─────────────────────────────────────────────────────────────────────
+RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" \
+ -o /usr/local/bin/buf \
+ && chmod +x /usr/local/bin/buf
+
+# ─────────────────────────────────────────────────────────────────────
+# protoc-gen-es - TypeScript codegen plugin for buf 'local:' references.
+# Installed globally so it lands on PATH; buf v2 resolves
+# `local: protoc-gen-es` via PATH lookup.
+# ─────────────────────────────────────────────────────────────────────
+RUN npm install -g "@bufbuild/protoc-gen-es@${PROTOC_GEN_ES_VERSION}"
+
+# ─────────────────────────────────────────────────────────────────────
+# ORAS CLI - for uploading artifacts (test reports, audit logs) to Harbor
+# ─────────────────────────────────────────────────────────────────────
+RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \
+ | tar -xz -C /usr/local/bin oras
+
+WORKDIR /workspace
+
+# Verify installation
+RUN node --version \
+ && pnpm --version \
+ && buf --version \
+ && protoc-gen-es --version \
+ && oras version \
+ && jq --version
diff --git a/ci/frontend-builder/README.md b/ci/frontend-builder/README.md
new file mode 100644
index 0000000..0501a94
--- /dev/null
+++ b/ci/frontend-builder/README.md
@@ -0,0 +1,72 @@ +# Frontend Builder — CI Image + +Pre-baked build environment for KollectAI-ETL frontend (SvelteKit) CI jobs and protobuf TypeScript code generation. + +## What's included + +- Node.js 24 (`node:24-bookworm-slim`) +- pnpm 10 (via corepack) +- [buf](https://buf.build) CLI — for `buf lint` and `buf generate` +- [`@bufbuild/protoc-gen-es`](https://www.npmjs.com/package/@bufbuild/protoc-gen-es) — installed globally so `buf` v2 `local: protoc-gen-es` resolves via PATH (no BSR remote-plugin calls) +- Playwright chromium runtime libraries pre-installed (`libnss3`, `libgbm1`, `libasound2`, etc.) — so `playwright install chromium` works without `--with-deps` apt fetches +- ORAS CLI — for uploading test reports / audit artifacts to Harbor +- `git`, `jq`, `curl`, `unzip` + +## Build + +```bash +docker build -t 192.168.1.72/kollect-tools/ci/frontend-builder:latest ci/frontend-builder/ +docker push 192.168.1.72/kollect-tools/ci/frontend-builder:latest +``` + +### Build args + +| Arg | Default | Description | +|-----|---------|-------------| +| `NODE_MAJOR` | `24` | Node.js major version (matches Node base image) | +| `PNPM_VERSION` | `10.15.0` | pnpm version (corepack-activated) | +| `BUF_VERSION` | `1.55.0` | buf CLI version | +| `PROTOC_GEN_ES_VERSION` | `2.4.0` | `@bufbuild/protoc-gen-es` version (bump in lockstep with frontend's `@bufbuild/protobuf` runtime) | +| `ORAS_VERSION` | `1.2.2` | ORAS CLI version | + +## Usage in CI + +```yaml +jobs: + test-unit: + runs-on: ubuntu-latest + container: + image: 192.168.1.72/kollect-tools/ci/frontend-builder:latest + steps: + - uses: actions/checkout@v6 + - run: pnpm install --frozen-lockfile + working-directory: frontend/svelte + - run: pnpm test + working-directory: frontend/svelte +``` + +For protobuf TS codegen (`buf.gen.yaml` declares `local: protoc-gen-es`): + +```yaml +- name: Generate proto TS bindings + working-directory: proto + run: buf generate +``` + +For Playwright E2E (drop `--with-deps` because system 
libs are pre-installed): + +```yaml +- name: Install Playwright browsers + working-directory: frontend/svelte + run: pnpm exec playwright install chromium +``` + +## Maintenance + +Rebuild on dependency bumps: + +- New Node major → bump `NODE_MAJOR`, push image +- pnpm bump → bump `PNPM_VERSION`, push image +- buf protocol changes → bump `BUF_VERSION` and `PROTOC_GEN_ES_VERSION`, push image + +The CI workflow's weekly schedule rebuilds the image to keep base layers patched. diff --git a/ci/java-builder/Dockerfile b/ci/java-builder/Dockerfile index 4a1bf90..2294fbb 100644 --- a/ci/java-builder/Dockerfile +++ b/ci/java-builder/Dockerfile @@ -1,7 +1,8 @@ # KollectAI CI — Java Builder Image # # Pre-baked build environment for backend + plugin CI jobs. -# Contains: Java 21, Maven 3.9.9, common dependencies, OWASP NVD database. +# Contains: Java 21, Maven 3.9.9, Node.js + pnpm, buf CLI, OWASP NVD +# database, ORAS CLI, common dependencies. # # Build: # docker build -t 192.168.1.72/kollect-tools/ci/java-builder:latest ci/java-builder/ 
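Review bot: The rewritten header comment in the ci/java-builder/Dockerfile hunk still says `Java 21, Maven 3.9.9`, while the README table added in this same patch lists `JAVA_VERSION` defaulting to `25` and `MAVEN_VERSION` to `3.9.14`, so one of the two is stale. The ARG defaults themselves are outside this hunk, so I cannot tell which side is right; either correct the numbers or drop them from the comment so it cannot drift again, e.g. `# Contains: Java (Temurin JDK), Maven, Node.js + pnpm, buf CLI, OWASP NVD` / `# database, ORAS CLI, common dependencies. Versions: see the ARG defaults below.`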
@@ -79,7 +80,24 @@ ARG ORAS_VERSION=1.2.2 RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" \ | tar -xz -C /usr/local/bin oras +# ───────────────────────────────────────────────────────────────────── +# buf CLI — single static binary used for `buf lint` in CI and pre-push +# parity. Backend Java codegen lives in the Maven build (protobuf-maven- +# plugin), not buf, so no protoc plugins are needed in this image. +# ───────────────────────────────────────────────────────────────────── +ARG BUF_VERSION=1.55.0 + +RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" \ + -o /usr/local/bin/buf \ + && chmod +x /usr/local/bin/buf + WORKDIR /workspace # Verify installation -RUN java -version && mvn -version && node --version && pnpm --version && oras version && jq --version +RUN java -version \ + && mvn -version \ + && node --version \ + && pnpm --version \ + && buf --version \ + && oras version \ + && jq --version diff --git a/ci/java-builder/README.md b/ci/java-builder/README.md index 8f7ec00..43630a4 100644 --- a/ci/java-builder/README.md +++ b/ci/java-builder/README.md @@ -9,9 +9,16 @@ Pre-baked build environment for KollectAI-ETL backend and plugin CI jobs. - Pre-cached Maven dependencies (Spring Boot, Flink, MyBatis, etc.) - Pre-installed `plugin-api` in local Maven repo - OWASP NVD database snapshot +- Node.js + pnpm (via corepack) +- [buf](https://buf.build) CLI — for `buf lint` parity with pre-push - ORAS CLI (Harbor artifact uploads) - git, jq, curl +> **Note**: Backend Java protobuf codegen lives in the Maven build via +> `protobuf-maven-plugin`, not buf — so this image deliberately omits +> protoc plugins. For TypeScript proto codegen and frontend CI jobs use +> the [`frontend-builder`](../frontend-builder/) image. + ## Build ```bash 
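Review bot: `BUF_VERSION=1.55.0` is now pinned independently in this Dockerfile and in ci/frontend-builder/Dockerfile with no cross-reference, so bumping one image silently lets `buf lint` in backend CI and frontend CI apply different rule sets, which defeats the "parity" the new comment promises. Add `# Keep in sync with ci/frontend-builder/Dockerfile (BUF_VERSION) so lint behaves the same in both images.` above the `ARG BUF_VERSION` line, or drive both from a single build arg in the workflow. The binary name `buf-Linux-x86_64` is also hard-coded while the rest of the image is parameterized, worth a comment if amd64-only is deliberate.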
@@ -23,10 +30,14 @@ docker push 192.168.1.72/kollect-tools/ci/java-builder:latest | Arg | Default | Description | |-----|---------|-------------| -| `MAVEN_VERSION` | `3.9.9` | Maven version | +| `JAVA_VERSION` | `25` | Eclipse Temurin JDK version | +| `MAVEN_VERSION` | `3.9.14` | Maven version | | `OWASP_DC_VERSION` | `12.1.1` | OWASP Dependency-Check version | -| `ETL_BRANCH` | `001-ai-etl-platform` | Branch to fetch pom.xml files from | +| `NODE_MAJOR` | `24` | Node.js major version | +| `PNPM_VERSION` | `10.15.0` | pnpm version (corepack-activated) | +| `BUF_VERSION` | `1.55.0` | buf CLI version | | `ORAS_VERSION` | `1.2.2` | ORAS CLI version | +| `NVD_API_KEY` | (empty) | Optional NVD API key — speeds up the OWASP database update during image build | ## Usage in CI