init: Prove the concept of reproducible builds

2025-12-12 14:34:46 -08:00 · 2025-12-12 14:34:46 -08:00 · b957af3edb
commit b957af3edb
9 changed files with 2075 additions and 0 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -0,0 +1,105 @@
+stages:
+  - build
+  - test
+  - package
+
+variables:
+  # Use Docker-outside-of-Docker (DooD) by mounting the host's Docker socket
+  DOCKER_HOST: unix:///var/run/docker.sock
+  # Disable TLS as we're using the local socket
+  DOCKER_TLS_CERTDIR: ""
+
+# Build the Rust application using Nix
+build:
+  stage: build
+  image: nixos/nix:latest
+  before_script:
+    # Enable flakes and nix-command
+    - mkdir -p ~/.config/nix
+    - echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+  script:
+    # Generate Cargo.lock if it doesn't exist
+    - nix develop --command cargo generate-lockfile || true
+    # Build the Rust application
+    - nix build .#app
+    # Copy the result for artifacts
+    - mkdir -p build-output
+    - cp -rL result/* build-output/ || cp result build-output/hello-world
+  artifacts:
+    paths:
+      - build-output/
+      - Cargo.lock
+    expire_in: 1 hour
+  tags:
+    - test-ci-cd
+
+# Test the application
+test:
+  stage: test
+  image: nixos/nix:latest
+  before_script:
+    - mkdir -p ~/.config/nix
+    - echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+  script:
+    # Run the application in a Nix shell with all dependencies
+    - nix develop --command cargo test
+    # You could also run the binary here if needed
+    # - nix run .#app
+  dependencies:
+    - build
+  tags:
+    - test-ci-cd
+
+# Build Docker image using Nix and load it into Docker (DooD pattern)
+build-docker-image:
+  stage: package
+  image: nixos/nix:latest
+  services:
+    # No docker:dind service - we'll use the host's Docker daemon
+  before_script:
+    # Install Docker CLI in the Nix container
+    - nix-env -iA nixpkgs.docker
+    # Enable flakes
+    - mkdir -p ~/.config/nix
+    - echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+  script:
+    # Build the Docker image using Nix
+    - nix build .#docker
+    # Load the image into Docker daemon (running on host via socket)
+    - docker load < result
+    # Tag the image
+    - docker tag hello-world:latest hello-world:${CI_COMMIT_SHORT_SHA}
+    # Test run the container
+    - docker run --rm hello-world:latest
+    # Optional: Push to registry if configured
+    # - docker tag hello-world:latest ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHORT_SHA}
+    # - docker push ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHORT_SHA}
+  dependencies:
+    - build
+  tags:
+    - test-ci-cd
+  # This job requires a GitLab runner with Docker socket access
+  # The runner should have /var/run/docker.sock mounted
+
+# Alternative: Build using Docker directly (DooD)
+build-docker-traditional:
+  stage: package
+  image: docker:latest
+  services: []  # No dind service
+  variables:
+    DOCKER_HOST: unix:///var/run/docker.sock
+  before_script:
+    # Verify Docker access
+    - docker info
+  script:
+    # Build the Docker image
+    - docker build -t hello-world:traditional-${CI_COMMIT_SHORT_SHA} .
+    # Test run
+    - docker run --rm hello-world:traditional-${CI_COMMIT_SHORT_SHA}
+  dependencies:
+    - build
+  tags:
+    - test-ci-cd
+  only:
+    - branches
+  when: manual