chore: adopt NiceGuyIT governance build/CI standards #3

Merged

David merged 1 commit from chore/governance-conformance into main

2026-05-25 01:32:04 +02:00

David commented

2026-05-25 01:28:33 +02:00

Owner

Brings the fork up to par with the a8n-run/governance CHECKLIST.md, using monkey (same org, public Rust CLI shipping a binary) as the blueprint.

What this adds

oci-build/Dockerfile - org-standard multi-stage glibc build (rust-builder-glibc builder, scratch binary export, debian:trixie-slim runtime). Copies build.rs + localization/ before the dependency-prime build because build.rs validates every messages.ftl at compile time.
oci-build/Dockerfile.windows - mingw cross-compile (x86_64-pc-windows-gnu) for the Windows binary.
oci-build/get-tags.nu - shared tag computation, copied from the governance template.
.forgejo/workflows/: check.yml (fmt + clippy + build + tests), build-binary.yml (Linux x86_64 to Generic Packages), build-binary-windows.yml (Windows x86_64), create-release.yml (tag + release on release/* merge).
justfile - the monkey recipe set (hooks, dev, checks, build, release), glibc dev image, fj/forgejo-cli names.
.dockerignore, CLAUDE.md (project doc).
Removes the superseded root Dockerfile.

Decisions

glibc, not musl: fj dynamically links OpenSSL and uses git2/ssh2, and glibc matches upstream's "Linux GNU" release promise.
Binary deliverable, not a service image: per BUILD.md's decision tree, CI publishes the binary to the Generic Packages registry; the runtime image stage stays a local convenience (just build-docker) and is never pushed.
Targets: Linux x86_64 + Windows x86_64. aarch64 deferred (no org builder image exists for it yet).
Does NOT add compose*.yml, .env.example, .devcontainer/, ports/HOST_IP - SaaS-only items that do not apply to a CLI (monkey omits them too).

Validation

Locally confirmed: the glibc builder compiles forgejo-cli v0.5.0 with --locked, the full image runs fj version (v0.5.0) as non-root appuser, get-tags.nu runs, all four workflows are valid YAML, and cargo fmt --check is clean. The Windows OpenSSL/libgit2 cross-compile is left for the first CI run to confirm; if openssl-sys cannot find a cross OpenSSL, the fix is its vendored feature.

🤖 Generated with Claude Code

Brings the fork up to par with the `a8n-run/governance` `CHECKLIST.md`, using `monkey` (same org, public Rust CLI shipping a binary) as the blueprint. ## What this adds - `oci-build/Dockerfile` - org-standard multi-stage glibc build (`rust-builder-glibc` builder, `scratch` binary export, `debian:trixie-slim` runtime). Copies `build.rs` + `localization/` before the dependency-prime build because `build.rs` validates every `messages.ftl` at compile time. - `oci-build/Dockerfile.windows` - mingw cross-compile (`x86_64-pc-windows-gnu`) for the Windows binary. - `oci-build/get-tags.nu` - shared tag computation, copied from the governance template. - `.forgejo/workflows/`: `check.yml` (fmt + clippy + build + tests), `build-binary.yml` (Linux x86_64 to Generic Packages), `build-binary-windows.yml` (Windows x86_64), `create-release.yml` (tag + release on `release/*` merge). - `justfile` - the monkey recipe set (hooks, dev, checks, build, release), glibc dev image, `fj`/`forgejo-cli` names. - `.dockerignore`, `CLAUDE.md` (project doc). - Removes the superseded root `Dockerfile`. ## Decisions - **glibc, not musl**: `fj` dynamically links OpenSSL and uses `git2`/`ssh2`, and glibc matches upstream's "Linux GNU" release promise. - **Binary deliverable, not a service image**: per BUILD.md's decision tree, CI publishes the binary to the Generic Packages registry; the runtime image stage stays a local convenience (`just build-docker`) and is never pushed. - **Targets**: Linux x86_64 + Windows x86_64. aarch64 deferred (no org builder image exists for it yet). - Does NOT add `compose*.yml`, `.env.example`, `.devcontainer/`, ports/HOST_IP - SaaS-only items that do not apply to a CLI (monkey omits them too). ## Validation Locally confirmed: the glibc builder compiles `forgejo-cli v0.5.0` with `--locked`, the full image runs `fj version` (`v0.5.0`) as non-root `appuser`, `get-tags.nu` runs, all four workflows are valid YAML, and `cargo fmt --check` is clean. The Windows OpenSSL/libgit2 cross-compile is left for the first CI run to confirm; if `openssl-sys` cannot find a cross OpenSSL, the fix is its `vendored` feature. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

David added 1 commit

2026-05-25 01:28:33 +02:00

chore: adopt NiceGuyIT governance build/CI standards

Check / fmt + clippy + build + tests (pull_request) Failing after 20s

Details

Create release / Create release from merged PR (pull_request) Has been skipped

Details

266b53d716

Brings the fork up to par with the a8n-run/governance CHECKLIST.md, using monkey (same org, public Rust CLI shipping a binary) as the blueprint. Adds the org-standard oci-build multi-stage Dockerfile, Forgejo Actions workflows, justfile recipe set, .dockerignore, and a project CLAUDE.md; removes the superseded root Dockerfile.

The build is glibc-based (debian:trixie-slim runtime on rust-builder-glibc) because fj dynamically links OpenSSL and uses git2/ssh2, and because that matches upstream's "Linux GNU" release promise. The Dockerfile copies build.rs and localization/ before the dependency-prime build since build.rs validates every messages.ftl at compile time.

fj is a binary deliverable, not a service container, so CI publishes the binary to the Generic Packages registry (Linux x86_64 via oci-build/Dockerfile, Windows x86_64 cross-compiled via oci-build/Dockerfile.windows) and never pushes the runtime image; that stage stays a local convenience for just build-docker.

Validated locally: the glibc builder compiles forgejo-cli v0.5.0 with --locked, the full image runs fj version (v0.5.0) as non-root appuser, get-tags.nu runs, all four workflows are valid YAML, and cargo fmt --check is clean. The Windows OpenSSL/libgit2 cross-compile is left for the first CI run to confirm.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>