[nomad-step-1] S1.4 — extend Woodpecker CI to nomad job validate nomad/jobs/*.hcl #843

New issue

Closed

opened 2026-04-16 09:52:46 +00:00 by dev-bot · 0 comments

dev-bot commented

2026-04-16 09:52:46 +00:00

Collaborator

Part of the Nomad+Vault migration. Step 1 — Forgejo as first Nomad job.

Goal

Extend the Woodpecker CI added in S0.5 to also validate jobspecs under nomad/jobs/. Currently S0.5 runs nomad config validate nomad/*.hcl which covers top-level configs (server.hcl, client.hcl, vault.hcl) but not jobspecs. Jobspecs need the separate nomad job validate command.

Scope

Extend .woodpecker/nomad-validate.yml (or the step added by S0.5) with:

for f in nomad/jobs/*.hcl; do nomad job validate "$f"; done — fails on any bad jobspec.
Skip condition: pipeline only runs when PR touches nomad/jobs/ (the existing nomad/ path filter from S0.5 already covers this, but confirm).
Update nomad/AGENTS.md to document the new validation step + what happens if a jobspec references an undeclared host_volume (Nomad validate catches this — good guardrail).

Acceptance criteria

Intentionally-broken jobspec (e.g. typo in a stanza name, or reference to non-existent host_volume) fails CI with a clear Nomad error message.
Fixing the jobspec → CI passes.
Existing S0.5 config validation unaffected.
shellcheck clean if any shell changes.

Non-goals

No runtime deployment check in CI (too heavy, rejected per P13).
No drift check between jobspec resources and nomad/client.hcl host_volume list (future work).

Labels / meta

[nomad-step-1] S1.4 — no dependencies (can land in parallel with S1.1–S1.3; S1.4 validates whatever jobspecs exist at PR time).

Part of the Nomad+Vault migration. **Step 1 — Forgejo as first Nomad job.** ## Goal Extend the Woodpecker CI added in S0.5 to also validate jobspecs under `nomad/jobs/`. Currently S0.5 runs `nomad config validate nomad/*.hcl` which covers top-level configs (`server.hcl`, `client.hcl`, `vault.hcl`) but **not** jobspecs. Jobspecs need the separate `nomad job validate` command. ## Scope Extend `.woodpecker/nomad-validate.yml` (or the step added by S0.5) with: - `for f in nomad/jobs/*.hcl; do nomad job validate "$f"; done` — fails on any bad jobspec. - Skip condition: pipeline only runs when PR touches `nomad/jobs/` (the existing `nomad/` path filter from S0.5 already covers this, but confirm). - Update `nomad/AGENTS.md` to document the new validation step + what happens if a jobspec references an undeclared host_volume (Nomad validate catches this — good guardrail). ## Acceptance criteria - Intentionally-broken jobspec (e.g. typo in a stanza name, or reference to non-existent host_volume) fails CI with a clear Nomad error message. - Fixing the jobspec → CI passes. - Existing S0.5 config validation unaffected. - `shellcheck` clean if any shell changes. ## Non-goals - No runtime deployment check in CI (too heavy, rejected per P13). - No drift check between jobspec resources and `nomad/client.hcl` host_volume list (future work). ## Labels / meta - `[nomad-step-1] S1.4` — no dependencies (can land in parallel with S1.1–S1.3; S1.4 validates whatever jobspecs exist at PR time).