edf3c9824e
feat: workspaces — collaborative repo namespaces Backend - internal/models/workspace.go — Workspace (handle, displayName, description, createdBy) + WorkspaceMember (workspaceId, userId, username, role: owner/admin/member) - internal/models/repo.go — added nullable workspace_id column; existing user repos unaffected - internal/models/migrations/011_workspaces.go — syncs both tables + adds column to repository - internal/api/handlers/workspace.go — ListWorkspaces, CreateWorkspace, GetWorkspace, UpdateWorkspace, DeleteWorkspace (blocks if repos remain), ListRepos, ListMembers, AddMember, UpdateMember, RemoveMember - internal/api/handlers/repos.go — lookupRepo resolves workspace handles; Create accepts workspace field; List includes workspace member repos; withOwnerName uses workspace handle for workspace-owned repos - internal/api/handlers/dashboard.go — recentRuns + repo list include workspace repos the user is a member of - internal/api/router.go — /workspaces, /workspaces/:handle/* routes Workspace rules enforced: - Handle globally unique across usernames + workspace handles (409 on collision) - Creator auto-assigned owner role - Delete blocked if repos exist - Last owner cannot be demoted/removed --- feat: secret management hierarchy (Global → Workspace → Repo → Env) Backend - internal/models/secret.go — Secret struct + EncryptSecret/DecryptSecret with AES-256-GCM (key = SHA-256 of SESSION_SECRET); values never serialised to JSON - internal/models/migrations/012_secrets.go — syncs secret table - internal/api/handlers/secret.go — List/Upsert/Delete for all four scopes; ResolveSecretsForRun builds merged env map for CI - internal/domain/ci/executor.go — JobContext.Secrets field; secrets injected as --env KEY=VALUE into docker run; buildJobContext calls resolveSecrets(Global < Workspace < Repo < Env) - internal/domain/ci/runner_manager.go — passes cfg.SessionSecret to buildJobContext - internal/api/router.go — /repos/:owner/:repo/secrets, 
/environments/:envName/secrets, /workspaces/:handle/secrets, /admin/secrets --- feat: workspace + secret management UI Frontend - types/api.ts — Workspace, WorkspaceWithMeta, WorkspaceMember, SecretListItem types - api/queries/workspaces.ts — full CRUD hooks + WorkspaceRepo type - api/queries/secrets.ts — repo/env/workspace secret hooks - pages/WorkspacesPage.tsx — list + create modal - pages/WorkspacePage.tsx — workspace dashboard with repo list - pages/WorkspaceSettingsPage.tsx — general settings, members CRUD, workspace secrets, danger zone - pages/RepoSecretsPage.tsx — repo secrets + per-environment secret sections with priority hierarchy callout - pages/CreateRepoPage.tsx — ?workspace= query param pre-fills owner selector; only admin/owner workspaces shown - components/layout/Sidebar.tsx — "Workspaces" global nav item + workspace quick-links; "Secrets" in RepoSubNav; new SecretsIcon, WorkspaceIcon - App.tsx — routes for /workspaces, /workspaces/:handle, /workspaces/:handle/settings, /repos/:owner/:repo/secrets
package ci
import (
"context"
"encoding/json"
"log"
"xorm.io/xorm"
"github.com/forgeo/forgebucket/internal/config"
"github.com/forgeo/forgebucket/internal/events"
)
// RunnerManager subscribes to job.queued events and dispatches them to the
// local Docker executor. A semaphore limits concurrent executions.
//
// Construct it with NewRunnerManager; the zero value has a nil semaphore and
// must not be used.
type RunnerManager struct {
	// db is handed to buildJobContext and ExecuteJob for job/secret lookups.
	db *xorm.Engine
	// bus delivers job.queued events (Subscribe in Start) and is also passed
	// through to ExecuteJob.
	bus events.EventBus
	// cfg supplies ArtifactRoot (workspace directory) and SessionSecret, which
	// buildJobContext uses to resolve the job's secrets (per the commit message,
	// the secret encryption key is derived from it — treat cfg as sensitive).
	cfg *config.Config
	// sem is a counting semaphore: its capacity is the maximum number of
	// concurrently executing jobs; len(sem) is the number currently running.
	sem chan struct{}
}
// NewRunnerManager wires a RunnerManager to the database, event bus and
// configuration and sizes its concurrency semaphore.
//
// maxConcurrent bounds the number of jobs executing at once; a value of zero
// or less selects the default of 4. The returned manager does nothing until
// Start is called.
func NewRunnerManager(db *xorm.Engine, bus events.EventBus, cfg *config.Config, maxConcurrent int) *RunnerManager {
	const defaultMaxConcurrent = 4

	limit := maxConcurrent
	if limit <= 0 {
		limit = defaultMaxConcurrent
	}

	rm := &RunnerManager{db: db, bus: bus, cfg: cfg}
	rm.sem = make(chan struct{}, limit)
	return rm
}
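// Start subscribes to job.queued and dispatches executions until ctx is cancelled.
//
// Each event is decoded, turned into a JobContext by buildJobContext (which is
// given cfg.SessionSecret so the job's secrets are resolved into the context),
// and then run on its own goroutine once a semaphore slot is free. The
// subscription callback blocks while waiting for a slot, so bus delivery is
// back-pressured when the runner is at capacity.
//
// On cancellation Start first unsubscribes, so no further job.queued events
// are dispatched, and then waits for every in-flight job to release its slot
// before returning. If Docker is unavailable or the subscription fails, Start
// logs the reason and simply blocks until ctx is done.
func (m *RunnerManager) Start(ctx context.Context) {
	if !IsDockerAvailable() {
		log.Printf("runner: Docker not available — CI execution disabled")
		<-ctx.Done()
		return
	}
	log.Printf("runner: started (max concurrent jobs: %d)", cap(m.sem))

	wsDir := workspaceDir(m.cfg.ArtifactRoot)

	unsub, err := m.bus.Subscribe(events.SubjectJobQueued, func(_ string, data []byte) {
		// An event delivered after cancellation is dropped instead of being
		// started against an already-cancelled ctx.
		if ctx.Err() != nil {
			return
		}

		var evt events.JobEvent
		if err := json.Unmarshal(data, &evt); err != nil {
			log.Printf("runner: bad job.queued payload: %v", err)
			return
		}

		// jc carries the job's resolved secrets from this point on, including
		// while the callback waits for a slot below; it must not be logged.
		jc, ok := buildJobContext(m.db, evt.JobID, m.cfg.SessionSecret)
		if !ok {
			log.Printf("runner: could not build job context for job %d", evt.JobID)
			return
		}

		// Acquire a semaphore slot — blocks if at capacity. select picks
		// pseudo-randomly among ready cases, so when ctx is done and a slot is
		// free the send may still win; re-check ctx after acquiring rather than
		// launch a job that would only be cancelled immediately.
		select {
		case m.sem <- struct{}{}:
		case <-ctx.Done():
			return
		}
		if ctx.Err() != nil {
			<-m.sem
			return
		}

		go func() {
			// Release the slot whatever ExecuteJob does; the drain loop at the
			// end of Start depends on every acquired slot being returned.
			defer func() { <-m.sem }()
			// Sanitize the Docker image name before execution.
			jc.Job.Image = sanitizeImage(jc.Job.Image)
			ExecuteJob(ctx, m.db, m.bus, jc, wsDir)
		}()
	})
	if err != nil {
		log.Printf("runner: subscribe job.queued: %v", err)
		<-ctx.Done()
		return
	}

	<-ctx.Done()

	// Stop accepting new work before draining; with unsub deferred to the end
	// of Start, events arriving during the drain could still claim a slot.
	// Whether unsub also waits for callbacks already in progress depends on the
	// bus implementation, which is not visible here.
	unsub()

	log.Printf("runner: stopping — draining %d active jobs", len(m.sem))
	// Wait for all running jobs to finish by filling the semaphore: each send
	// succeeds only once a job's deferred release frees a slot, so after cap()
	// sends no job goroutine is still executing.
	for i := 0; i < cap(m.sem); i++ {
		m.sem <- struct{}{}
	}
}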