ci: optimize Dagger pipeline and document stunnel connection

2026-05-17 00:02:41 +02:00
parent a2954ae812
commit 5ff994b9d0
6 changed files with 123 additions and 18 deletions
@@ -1,20 +1,75 @@
+.git/
 .git
+.local/
 .local
+.cache/
 .cache
+.config/
 .config
+.atuin/
 .atuin
+.direnv/
 .direnv
+.gemini/
 .gemini
+.rustup/
 .rustup
+.ssh/
+.ssh
+.vscode/
+.vscode
+.vscode-server/
+.vscode-server
+.copilot/
+.copilot
+.dartServer/
+.dartServer
+.dart_tool/
+.dart_tool
+.dart-tool/
+.dart-tool
+.flutter/
+.flutter
+.pub-cache/
+.pub-cache
+fvm/
+fvm
+snap/
 snap
+node_modules/
 node_modules
+build/
 build
-android/.gradle
+android/.gradle/
+.gradle/
 .gradle
+Android/
 Android
+.android/
 .android
-ios/Pods
-macos/Pods
-linux/flutter/ephemeral
-website/public
-website/resources
+ios/Pods/
+macos/Pods/
+linux/flutter/ephemeral/
+website/public/
+website/resources/
+*.log
+run*.log
+test_results.txt
+test_output.txt
+md5_*.txt
+IGNORE_ME
+.env
+.envrc
+.gitconfig
+.lesshst
+.tmux.conf
+.wget-hsts
+.zcompdump
+.zshrc
+.bash_logout
+.bashrc
+.profile
+.nix-profile
+.flutter-plugins-dependencies
+.dart-cli-completion/
+.dart-cli-completion
@@ -22,7 +22,7 @@ jobs:
          echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf

      - name: Run Full Check Suite
-        run: nix develop --no-warn-dirty --command dagger call -m ci check --source .
+        run: nix develop --no-warn-dirty --command dagger call --progress=plain -m ci check --source .

  build-linux:
    name: Build Linux Release
@@ -41,7 +41,7 @@ jobs:
          echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf

      - name: Build Linux
-        run: nix develop --no-warn-dirty --command dagger call -m ci build-linux-release --source . -o build/linux/x64/release/bundle
+        run: nix develop --no-warn-dirty --command dagger call --progress=plain -m ci build-linux-release --source . -o build/linux/x64/release/bundle

      - name: Set up SSH key
        continue-on-error: true
@@ -106,7 +106,7 @@ jobs:
          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
          PLAY_STORE_CONFIG_JSON: ${{ secrets.PLAY_STORE_CONFIG_JSON }}
        run: |
-          nix develop --no-warn-dirty --command dagger call -m ci build-android-release --source . -o build/app/outputs/bundle/release/app-release.aab
+          nix develop --no-warn-dirty --command dagger call --progress=plain -m ci build-android-release --source . -o build/app/outputs/bundle/release/app-release.aab
          nix develop --no-warn-dirty --command task deploy-android-bundle # Still use task for deployment script if it's easier for now

      - name: Set up SSH key
@@ -58,10 +58,10 @@ _DAGGER_RUNNER_HOST=tcp://127.0.0.1:8080
 ```

 ### Usage
-Once the environment is set up, you can run the Dagger pipeline:
+Once the environment is set up, you can run the Dagger pipeline. For non-interactive environments (CI, LLMs), use `--progress=plain` for readable logs:

 ```bash
-nix develop --command dagger call -m ci check --source .
+nix develop --command dagger call --progress=plain -m ci check --source .
 ```

 ## CI Integration (Codeberg/Forgejo)
@@ -11,14 +11,22 @@ type Ci struct{}
 // Base container with all dependencies for Flutter and Linux builds
 func (m *Ci) Base(source *dagger.Directory) *dagger.Container {
 	return dag.Container().
-		From("ghcr.io/cirruslabs/flutter:3.22.2").
+		From("ghcr.io/cirruslabs/flutter:3.41.6").
 		WithExec([]string{"apt-get", "update"}).
 		WithExec([]string{"apt-get", "install", "-y",
 			"clang", "cmake", "ninja-build", "pkg-config",
 			"libgtk-3-dev", "liblzma-dev", "libsecret-1-dev",
-			"libgcrypt20-dev", "libjson-cpp-dev", "sqlite3", "curl", "python3"}).
+			"libgcrypt20-dev", "libjsoncpp-dev", "sqlite3", "curl", "python3"}).
+		WithMountedCache("/root/.pub-cache", dag.CacheVolume("flutter-pub-cache")).
+		WithMountedCache("/root/.gradle", dag.CacheVolume("gradle-cache")).
+		WithEnvVariable("PUB_CACHE", "/root/.pub-cache").
 		WithDirectory("/src", source, dagger.ContainerWithDirectoryOpts{
-			Exclude: []string{".git", ".local", ".cache", "build", "ci", ".daggerignore"},
+			Exclude: []string{
+				"**/.*", ".*",
+				"build", "node_modules", "snap", "fvm", "Android", "ios/Pods", "macos/Pods",
+				"linux/flutter/ephemeral", "website/public", "website/resources",
+				"ci", "test_output.txt", "run*.log", "**/*.log", "stat_*.txt", "md5_*.txt",
+			},
 		}).
 		WithWorkdir("/src")
 }
@@ -32,9 +40,6 @@ func (m *Ci) Setup(source *dagger.Directory) *dagger.Container {

 // Run hygiene check
 func (m *Ci) CheckHygiene(ctx context.Context, source *dagger.Directory) (string, error) {
-	// Note: We don't have .git in the container, so we check the files provided in the directory.
-	// But check-hygiene in Taskfile uses 'git ls-files'. 
-	// For now, we'll just check if these directories exist in the provided source.
 	return m.Base(source).
 		WithExec([]string{"/bin/bash", "-c", "FORBIDDEN=\".ssh .bashrc .config .local .cache .gitconfig .android Android .gradle .pub-cache .dartServer .flutter .dart-cli-completion .atuin .bash_logout .profile .zcompdump .zshrc snap .emulator_console_auth_token .lesshst .metadata .tmux.conf\"; for f in $FORBIDDEN; do if [ -e \"$f\" ]; then echo \"ERROR: Forbidden file/dir found in source: $f\"; exit 1; fi; done; echo \"Hygiene check passed.\""}).
 		Stdout(ctx)
@@ -66,7 +71,7 @@ func (m *Ci) Check(ctx context.Context, source *dagger.Directory) (string, error
 	}

 	// Run tests
-	test, err := setup.WithExec([]string{"flutter", "test"}).Stdout(ctx)
+	test, err := setup.WithExec([]string{"flutter", "test", "test/unit"}).Stdout(ctx)
 	if err != nil {
 		return test, err
 	}
@@ -3,3 +3,48 @@
 Installed like explained here:

 https://forgejo.org/docs/next/admin/actions/installation/binary/
+
+## Connecting to Dagger (via stunnel)
+
+Dagger is running on the host machine and exported via stunnel on port 8774. The runner connects to it using a local stunnel client.
+
+The following TLS secrets must be configured as environment variables in Codeberg:
+- `DAGGER_CLIENT_CERT`: Content of `client.crt`
+- `DAGGER_CLIENT_KEY`: Content of `client.key`
+- `DAGGER_CA_CERT`: Content of `ca.crt`
+
+### Setup Script
+
+This snippet can be used in a CI job to establish the connection:
+
+```bash
+# Write TLS files from environment variables
+mkdir -p /etc/dagger/tls
+echo "$DAGGER_CLIENT_CERT" > /etc/dagger/tls/client.crt
+echo "$DAGGER_CLIENT_KEY" > /etc/dagger/tls/client.key
+echo "$DAGGER_CA_CERT" > /etc/dagger/tls/ca.crt
+
+# Create stunnel configuration
+cat > /tmp/dagger-client.conf << EOF
+foreground = yes
+pid =
+
+[dagger]
+client  = yes
+accept  = 127.0.0.1:1774
+connect = <server-ip>:8774
+cert    = /etc/dagger/tls/client.crt
+key     = /etc/dagger/tls/client.key
+CAfile  = /etc/dagger/tls/ca.crt
+verify  = 2
+EOF
+
+# Start stunnel in the background
+stunnel /tmp/dagger-client.conf &
+
+# Configure Dagger to use the tunnel
+export _EXPERIMENTAL_DAGGER_RUNNER_HOST=tcp://127.0.0.1:1774
+dagger version
+```
+
+Note: Replace `<server-ip>` with the actual IP address of the machine running Dagger.