fix: [nomad-step-0] S0.5 — Woodpecker CI validation for nomad/vault artifacts (#825)

Locks in static validation for every Nomad+Vault artifact before it can merge. Four fail-closed steps in .woodpecker/nomad-validate.yml, gated to PRs touching nomad/, lib/init/nomad/, or bin/disinto: 1. nomad config validate nomad/server.hcl nomad/client.hcl 2. vault operator diagnose -config=nomad/vault.hcl -skip=storage -skip=listener 3. shellcheck --severity=warning lib/init/nomad/*.sh bin/disinto 4. bats tests/disinto-init-nomad.bats — dispatcher smoke tests bin/disinto picks up pre-existing SC2120 warnings on three passthrough wrappers (generate_agent_docker, generate_caddyfile, generate_staging_index); annotated with shellcheck disable=SC2120 so the new pipeline is clean without narrowing the warning for future code. Pinned image versions (hashicorp/nomad:1.9.5, hashicorp/vault:1.18.5) match lib/init/nomad/install.sh — bump both or neither. nomad/AGENTS.md documents the stack layout, how to add a jobspec in Step 1, how CI validates it, and the two-place version pinning rule. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 07:54:06 +00:00 · 2026-04-16 07:54:06 +00:00 · 5150f8c486
commit 5150f8c486
parent 271ec9d8f5
4 changed files with 276 additions and 0 deletions
--- a/.woodpecker/nomad-validate.yml
+++ b/.woodpecker/nomad-validate.yml
@ -0,0 +1,88 @@
+# =============================================================================
+# .woodpecker/nomad-validate.yml — Static validation for Nomad+Vault artifacts
+#
+# Part of the Nomad+Vault migration (S0.5, issue #825). Locks in the
+# "no-ad-hoc-steps" principle: every HCL/shell artifact under nomad/ or
+# lib/init/nomad/, plus the `disinto init` dispatcher, gets checked
+# before it can land.
+#
+# Triggers on PRs (and pushes) that touch any of:
+#   nomad/**              — HCL configs (server, client, vault)
+#   lib/init/nomad/**     — cluster-up / install / systemd / vault-init
+#   bin/disinto           — `disinto init --backend=nomad` dispatcher
+#   tests/disinto-init-nomad.bats — the bats suite itself
+#   .woodpecker/nomad-validate.yml — the pipeline definition
+#
+# Steps (all fail-closed — any error blocks merge):
+#   1. nomad-config-validate  — `nomad config validate` on server + client HCL
+#   2. vault-operator-diagnose — `vault operator diagnose` syntax check on vault.hcl
+#   3. shellcheck-nomad        — shellcheck the cluster-up + install scripts + disinto
+#   4. bats-init-nomad         — `disinto init --backend=nomad --dry-run` smoke tests
+#
+# Pinned image versions match lib/init/nomad/install.sh (nomad 1.9.5 /
+# vault 1.18.5). Bump there AND here together — drift = CI passing on
+# syntax the runtime would reject.
+# =============================================================================
+
+when:
+  - event: [push, pull_request]
+    path:
+      - "nomad/**"
+      - "lib/init/nomad/**"
+      - "bin/disinto"
+      - "tests/disinto-init-nomad.bats"
+      - ".woodpecker/nomad-validate.yml"
+
+# Authenticated clone — same pattern as .woodpecker/ci.yml. Forgejo is
+# configured with REQUIRE_SIGN_IN, so anonymous git clones fail (exit 128).
+# FORGE_TOKEN is injected globally via WOODPECKER_ENVIRONMENT.
+clone:
+  git:
+    image: alpine/git
+    commands:
+      - AUTH_URL=$(printf '%s' "$CI_REPO_CLONE_URL" | sed "s|://|://token:$FORGE_TOKEN@|")
+      - git clone --depth 1 "$AUTH_URL" .
+      - git fetch --depth 1 origin "$CI_COMMIT_REF"
+      - git checkout FETCH_HEAD
+
+steps:
+  # ── 1. Nomad HCL syntax check ────────────────────────────────────────────
+  # `nomad config validate` parses server.hcl + client.hcl and fails on any
+  # HCL/semantic error (unknown block, invalid port range, bad driver cfg).
+  # vault.hcl is excluded — it's a Vault config, not Nomad, so it goes
+  # through the vault-operator-diagnose step instead.
+  - name: nomad-config-validate
+    image: hashicorp/nomad:1.9.5
+    commands:
+      - nomad config validate nomad/server.hcl nomad/client.hcl
+
+  # ── 2. Vault HCL syntax check ────────────────────────────────────────────
+  # `vault operator diagnose` loads the config and runs a suite of checks.
+  # -skip=storage and -skip=listener disable the runtime-only checks (the
+  # /var/lib/vault/data dir and 127.0.0.1:8200 bind aren't available inside
+  # a vanilla CI container); the parse + mlock/seal-shape checks still run,
+  # so any syntax or schema error in vault.hcl surfaces here.
+  - name: vault-operator-diagnose
+    image: hashicorp/vault:1.18.5
+    commands:
+      - vault operator diagnose -config=nomad/vault.hcl -skip=storage -skip=listener
+
+  # ── 3. Shellcheck ────────────────────────────────────────────────────────
+  # Covers the new lib/init/nomad/*.sh scripts plus bin/disinto (which owns
+  # the backend dispatcher). bin/disinto has no .sh extension so the
+  # repo-wide shellcheck in .woodpecker/ci.yml skips it — this step is the
+  # one place it gets checked.
+  - name: shellcheck-nomad
+    image: koalaman/shellcheck-alpine:stable
+    commands:
+      - shellcheck --severity=warning lib/init/nomad/*.sh bin/disinto
+
+  # ── 4. bats: `disinto init --backend=nomad --dry-run` ────────────────────
+  # Smoke-tests the CLI dispatcher: both --backend=nomad variants exit 0
+  # with the expected step list, and --backend=docker stays on the docker
+  # path (regression guard). Pure dry-run — no sudo, no network.
+  - name: bats-init-nomad
+    image: alpine:3.19
+    commands:
+      - apk add --no-cache bash bats
+      - bats tests/disinto-init-nomad.bats