Commit dc4716c
feat: Docker image optimization + container_mode + security
* feat: add Docker image mode and JAR caching to reduce CI minutes
- New inputs use_docker_image (default true) and docker_image
- SUSHI, IG Publisher, PlantUML and validator_cli now run inside
ghcr.io/ansforge/fhir-ig-builder when use_docker_image=true
- Cache publisher.jar and validator_cli.jar via actions/cache keyed
on resolved version tag
- Legacy path preserved via use_docker_image=false (backward compat)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* add Dockerfile and build workflow for ghcr.io/ansforge/fhir-ig-builder
Colocating the Dockerfile in IG-workflows so the GITHUB_TOKEN
(scoped to ansforge) can push directly to ghcr.io/ansforge/.
Weekly cron rebuild picks up new SUSHI versions automatically.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* set use_docker_image default to false for safe rollout
Avoids breaking existing workflows during initial deployment.
Opt-in by setting use_docker_image: true.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* use fhir-package-installer to pre-load FHIR packages in Docker image
Replace manual curl/tar approach with the fhir-package-installer library
which handles correct ~/.fhir/packages/<id>#<version>/ storage, latest
version resolution, and rate limiting automatically.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* perf: cache ~/.fhir/packages + mount the directory into the Docker containers
- Add actions/cache@v4 for ~/.fhir/packages (both modes) to avoid
re-downloading FHIR packages on every run
- Mount the runner's ~/.fhir/packages into the SUSHI and Publisher containers to
eliminate the overlay filesystem overhead (+34s observed on cercle-de-soins)
- Cache key based on sushi-config.yaml with fallback fhir-packages-
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add container_mode for runs-on with container: image:
New input container_mode (default: false). When true:
- Skip setup-java, setup-node, setup-ruby, gem install jekyll/graphviz
- Skip docker pull and the docker run wrappers (SUSHI/Publisher run directly)
- Keep actions/cache for ~/.fhir/packages and publisher.jar
- Compatible with the deploy gh-pages, plantuml, validator_cli and release steps
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: force HOME=/root in container_mode to find the image's FHIR packages
GHA may set HOME to a value other than /root in a container: job,
so ~/.fhir/packages does not point to /root/.fhir/packages,
where fhir-package-installer installed the packages during the image build.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(container_mode): correct cache path and HOME for SUSHI
actions/cache is a JavaScript action that runs on the HOST, where
HOME=/home/runner. Setting HOME=/root via GITHUB_ENV (removed) was
causing it to cache to /root/.fhir/packages on the host instead of
/home/runner/.fhir/packages — breaking the volume mount bridge.
Fix:
- Dedicated cache step for container_mode uses explicit absolute path
/home/runner/.fhir/packages, matching the volume mount source.
- SUSHI in container_mode sets HOME=/root inline (process-scoped only)
so it reads from /root/.fhir/packages inside the container, which is
the volume mount target.
- Java (Publisher) naturally uses user.home=/root as the container
runs as root — no explicit fix needed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(container_mode): force HOME=/root for Publisher to fix internal Sushi
The IG Publisher spawns a Sushi subprocess that inherits HOME=/github/home
(GHA's default container HOME), causing packages to be re-downloaded to
/github/home/.fhir/packages on every run instead of using the bind-mounted
/root/.fhir/packages.
Setting HOME=/root before the java command ensures the Publisher's internal
Sushi subprocess also uses /root/.fhir/packages (the volume-mount target).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(container_mode): use /root/.fhir/packages as cache path
actions/cache runs INSIDE the container via docker exec in a container job,
not on the host runner. /home/runner/.fhir/packages does not exist inside
the container, causing the save to silently fail.
Use the absolute path /root/.fhir/packages which is where SUSHI and the
Publisher actually write packages (with HOME=/root set inline).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat(docker): add hl7.fhir.uv.extensions.r4 to pre-loaded FHIR packages
* feat(docker): add hl7.fhir.xver-extensions to pre-loaded FHIR packages
* feat(docker): add ans.fr.nos 1.3.0 and 1.5.0 to pre-loaded FHIR packages
* feat(docker): add hl7.fhir.pubpack to pre-loaded FHIR packages
* ci: add workflow_dispatch to docker build for manual triggers
* Optimizations: publisher bundled in the image, PlantUML cache, bug fixes
- Dockerfile: pre-download publisher.jar at build time (latest version)
- action.yml: in container_mode, detect /root/publisher.jar and skip the API call + download
- action.yml: cache the PlantUML JARs (plantuml.jar and plantuml-mapping.jar)
- action.yml: fix plantuml-mapping output dir bug (./plantuml → ./plantuml_mapping)
- action.yml: fix testscript-generator bug (ig_directory./igs → ig_directory=./igs)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Remove the use_docker_image mode (obsolete)
Replaced by container_mode, which is faster and simpler.
Removed: the use_docker_image and docker_image inputs, all the
docker run wrapper steps, and the Setup Java JDK for release.
All conditions simplified accordingly.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Clarify the container_mode FHIR packages cache comment
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Dockerfile: always install the latest version of SUSHI
Remove the SUSHI_VERSION ARG and the associated build-arg in build-docker.yml.
The weekly rebuild guarantees a recent version.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: fix script injection vulnerabilities (inputs via env vars)
All ${{ inputs.* }} and ${{ steps.*.outputs.* }} expressions
used in run: blocks are now passed via environment
variables (env:) to avoid shell code injection.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 520a2c7 commit dc4716c
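The three container_mode fixes in the message (cache path, HOME for SUSHI, HOME for the Publisher's internal Sushi) all hinge on one detail: in a `container:` job, both `run:` steps and JavaScript actions such as actions/cache execute inside the container, where GHA sets HOME to /github/home rather than /root. The fragment below is an added illustration written for this page, not the action's actual action.yml. The step names, the `sushi .` invocation, the `-ig ig.ini` argument and the cache key layout are assumptions reconstructed from the commit message; only the paths (/root/.fhir/packages, /root/publisher.jar) and the fallback key prefix (fhir-packages-) come from the message itself.

```yaml
# Added illustration, not the project's action.yml. Assumes the job runs with
# `container: image: ghcr.io/ansforge/fhir-ig-builder` and that the image was
# built as root, so fhir-package-installer stored packages under
# /root/.fhir/packages and publisher.jar sits at /root/publisher.jar.
steps:
  # actions/cache runs inside the job container (docker exec), so the path must
  # exist there. A host path such as /home/runner/.fhir/packages is not visible
  # in the container and the save step fails silently.
  - name: Cache FHIR packages (container_mode)
    uses: actions/cache@v4
    with:
      path: /root/.fhir/packages
      key: fhir-packages-${{ hashFiles('**/sushi-config.yaml') }}
      restore-keys: |
        fhir-packages-

  # GHA sets HOME=/github/home in container jobs. Scoping HOME=/root to the
  # process (not via GITHUB_ENV) makes SUSHI read /root/.fhir/packages; it also
  # keeps the host-side HOME untouched, which was the earlier cache-path bug.
  - name: Run SUSHI
    run: HOME=/root sushi .

  # The Publisher itself resolves user.home=/root because the container runs
  # as root, but the Sushi subprocess it spawns inherits HOME from the
  # environment, so the same inline override is needed here too.
  - name: Run IG Publisher
    run: HOME=/root java -jar /root/publisher.jar -ig ig.ini
```

A quick way to confirm the assumption in your own container job is to add a step that runs `echo "$HOME"; ls /root/.fhir/packages` before the cache step: if HOME prints /github/home and the listing is non-empty, the inline override is doing its job and the cache path matches where packages actually land.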
4 files changed
Lines changed: 304 additions & 188 deletions
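The last fix in the message (passing `${{ inputs.* }}` and `${{ steps.*.outputs.* }}` through `env:` instead of interpolating them into `run:`) is worth seeing concretely, because the runner expands those expressions textually before the shell ever sees the script. The following is an added example written for this page, not code from IG-workflows; the step bodies, the hostile input and the simplified expansion function are all constructed to mimic the runner's behaviour, and `unsafe_expressions` is an approximate static check rather than anything the action ships.

```python
import os
import re
import subprocess

# Constructed step bodies for this illustration (not the action's real action.yml).
# UNSAFE_RUN interpolates the input straight into the script; SAFE_RUN reads it
# from an environment variable that env: populates from the same expression.
UNSAFE_RUN = 'echo "Releasing tag: ${{ inputs.tag }}"\n'
SAFE_ENV = {"TAG": "${{ inputs.tag }}"}
SAFE_RUN = 'echo "Releasing tag: $TAG"\n'

EXPR = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
# Expression contexts an outside party can influence: action inputs, step outputs
# (often derived from inputs or PR data) and the triggering event payload.
UNTRUSTED = re.compile(r"^(inputs\.|steps\.[^.]+\.outputs\.|github\.event\.)")


def expand(template: str, context: dict) -> str:
    """Mimic the runner: every ${{ expr }} is replaced textually before the shell runs."""
    return EXPR.sub(lambda m: str(context.get(m.group(1), "")), template)


def run_inline(template: str, context: dict) -> str:
    """Vulnerable path: the expanded text *is* the script, so input becomes code."""
    script = expand(template, context)
    return subprocess.run(["sh", "-c", script], capture_output=True, text=True).stdout


def run_via_env(template: str, env_map: dict, context: dict) -> str:
    """Hardened path: expressions expand into env values; the script text never changes."""
    env = dict(os.environ)
    env.update({name: expand(value, context) for name, value in env_map.items()})
    return subprocess.run(["sh", "-c", template], capture_output=True, text=True, env=env).stdout


def unsafe_expressions(run_block: str) -> list:
    """Static check: untrusted-context expressions appearing inside a run: block."""
    return [m.group(1) for m in EXPR.finditer(run_block) if UNTRUSTED.match(m.group(1))]


if __name__ == "__main__":
    # Constructed hostile input: closes the quoted string and appends a command.
    hostile = {"inputs.tag": 'v1"; echo INJECTED; echo "'}
    print("inline:", repr(run_inline(UNSAFE_RUN, hostile)))
    print("env:   ", repr(run_via_env(SAFE_RUN, SAFE_ENV, hostile)))
    print("flagged:", unsafe_expressions(UNSAFE_RUN), unsafe_expressions(SAFE_RUN))
```

With the hostile tag, `run_inline` prints a second line `INJECTED` because the shell parsed the attacker's text as a command, while `run_via_env` prints the whole string as a harmless value. `unsafe_expressions` flags only the inline form; it operates on the raw text of a single `run:` block, so to audit a real action.yml you would parse the YAML and feed each step's `run` value to it.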
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
7 | 7 | | |
8 | 8 | | |
9 | 9 | | |
| 10 | + | |
10 | 11 | | |
11 | 12 | | |
12 | 13 | | |
| |||
21 | 22 | | |
22 | 23 | | |
23 | 24 | | |
24 | | - | |
25 | | - | |
26 | | - | |
27 | | - | |
28 | | - | |
29 | | - | |
30 | | - | |
31 | | - | |
32 | 25 | | |
33 | 26 | | |
34 | 27 | | |
| |||
44 | 37 | | |
45 | 38 | | |
46 | 39 | | |
47 | | - | |
48 | 40 | | |
49 | 41 | | |
50 | | - | |
51 | 42 | | |
52 | 43 | | |
53 | 44 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
3 | | - | |
4 | 3 | | |
5 | 4 | | |
6 | 5 | | |
| |||
31 | 30 | | |
32 | 31 | | |
33 | 32 | | |
34 | | - | |
35 | | - | |
| 33 | + | |
| 34 | + | |
36 | 35 | | |
37 | 36 | | |
38 | 37 | | |
| |||
56 | 55 | | |
57 | 56 | | |
58 | 57 | | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
59 | 64 | | |