Skip to content

Commit d3cce03

Browse files
authored
Merge pull request #1193 from Lind-Project/docs/pipeline-document
docs: add pipeline documentation
2 parents eec8869 + 6a09d6c commit d3cce03

3 files changed

Lines changed: 129 additions & 0 deletions

File tree

Lines changed: 90 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,90 @@
1+
# lind-wasm
2+
3+
Its pipeline covers both code validation on pull requests and Docker image builds.
4+
5+
## Overview
6+
7+
This repository uses both GHA and GCP. GHA validates code on every pull request,
8+
while GCP handles the scheduled Docker image build that publishes the development image to Docker Hub.
9+
10+
| Platform | Role |
11+
| --- | --- |
12+
| GitHub Actions | Runs lint, end-to-end tests, and security scans on pull requests targeting `main`; publishes the release image |
13+
| Google Cloud Platform | Builds and publishes `securesystemslab/lind-wasm-dev` to Docker Hub on a daily schedule |
14+
15+
## GitHub Actions
16+
17+
Workflow files are located under `.github/workflows/` in the repository.
18+
19+
### Workflows
20+
21+
- **`lint.yml`** — Runs `cargo fmt --check` and `cargo clippy` for code formatting
22+
and static analysis.
23+
24+
- **`e2e.yml`** — Builds and runs the full test suite inside a container. Uploads
25+
HTML and JSON test reports as artifacts and posts a summary comment to the PR.
26+
27+
- [Testing](../testing.md) for details on test.
28+
- [End-to-End Testing](../e2e-testing.md) for details on e2e structure.
29+
30+
- **`zizmor.yml`** — Scans GHA workflow files for security vulnerabilities such as
31+
script injection and overly broad permissions.
32+
33+
- **`docs.yml`** — Builds and deploys the project documentation site to GitHub Pages.
34+
35+
- **`pr-cache-cleanup.yml`** — Removes the GHA build cache associated with a closed
36+
PR to keep storage usage under control.
37+
38+
- **`release.yml`** — Builds and pushes the `release` stage as `securesystemslab/lind-wasm` to Docker Hub.
39+
40+
### Workflow Triggers
41+
42+
| Event | Workflows Triggered |
43+
| --- | --- |
44+
| PR opened or updated (non-draft, targeting `main`) | `lint.yml`, `e2e.yml`, `zizmor.yml` |
45+
| Push to `main` | `lint.yml`, `docs.yml`, `release.yml` |
46+
| PR closed | `pr-cache-cleanup.yml` |
47+
48+
49+
## GCP Cloud Build
50+
51+
Build configuration files are located under `scripts/` in the repository.
52+
53+
### Workflows
54+
55+
**`dev-build`** — Cloning the `main` branch at the time of execution. Builds `Docker/Dockerfile.dev` and publishes the resulting image to Docker Hub as `securesystemslab/lind-wasm-dev`.
56+
57+
## Docker Images
58+
59+
The `lind-wasm` pipeline publishes two Docker images to Docker Hub.
60+
61+
### `securesystemslab/lind-wasm-dev`
62+
63+
The development image containing the full Lind toolchain for building and running WASM applications. Used as the base image for `lind-wasm-apps` and `lind-wasm-example-grates`.
64+
65+
| Property | Detail |
66+
| --- | --- |
67+
| Source | `Docker/Dockerfile.dev` |
68+
| Published by | GCP `dev-build` (daily) |
69+
| Tags | `latest` — most recent build; `sha-<commit>` — immutable snapshot for rollback |
70+
| Update frequency | Daily at 08:00 America/New_York |
71+
72+
### `securesystemslab/lind-wasm`
73+
74+
| Property | Detail |
75+
| --- | --- |
76+
| Source | `Docker/Dockerfile.e2e` (`release` stage) |
77+
| Published by | GHA `release.yml` (on push to `main`) |
78+
| Tags | `latest` — most recent build; `sha-<commit>` — immutable snapshot for rollback |
79+
| Version tags | `vX.Y.Z` — manually applied after a corresponding GitHub Release is created (e.g. `v0.1.0`) |
80+
| Update frequency | On every push to `main` |
81+
82+
### Pulling the Images
83+
84+
```bash
85+
# Latest development image
86+
docker pull securesystemslab/lind-wasm-dev:latest
87+
88+
# Latest release image
89+
docker pull securesystemslab/lind-wasm:latest
90+
```
Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
# Pipelines
2+
3+
We use two CI/CD platforms across three repositories. This section documents the
4+
pipeline setup for each repository.
5+
6+
## Platforms
7+
8+
Pipelines run on **GitHub Actions (GHA)** and **Google Cloud Platform (GCP)**.
9+
10+
GitHub Actions handles code validation on every pull request — lint checks,
11+
end-to-end tests, and security scans.
12+
13+
GCP is used for large-scale builds and tests that exceed GHA's resource
14+
limits.
15+
16+
17+
18+
## Image Dependencies
19+
20+
The Lind project consists of three repositories with a clear dependency chain.
21+
`lind-wasm` is the core runtime; the other two repositories build on top of it.
22+
23+
```
24+
lind-wasm
25+
26+
│ produces
27+
28+
securesystemslab/lind-wasm-dev
29+
30+
├──────────────────────────────┐
31+
│ │
32+
▼ ▼
33+
lind-wasm-apps lind-wasm-example-grates
34+
```
35+
36+
`lind-wasm-apps` and `lind-wasm-example-grates` both pull the `lind-wasm-dev` image as their base.

mkdocs.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,9 @@ nav:
3636
- Security policy: contribute/security.md
3737
- Docker Hub release workflow: contribute/docker-release-workflow.md
3838
- End-to-End Testing: contribute/e2e-testing.md
39+
- Pipelines:
40+
- Overview: contribute/pipelines/overview.md
41+
- lind-wasm: contribute/pipelines/lind-wasm.md
3942
- Community:
4043
- community/index.md
4144
- Team: community/team.md

0 commit comments

Comments
 (0)