From 659324c823581e1abcd1e6086814be186274cbe9 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Wed, 11 Mar 2026 21:03:24 +0000
Subject: [PATCH] fix(ci): build all container images to GHCR before E2E tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Move Gate 7 container builds (base images T1→T2→T3 + app images) to
run right after Gate 1 instead of after Gate 3. Gate 2 (E2E) now
depends on container-build-apps completing, so the smoke stack pulls
prod images from GHCR — no special E2E images, same images used
everywhere.

- container-base-tier1 needs gate-1-complete (was gate-3-complete)
- container-build-apps runs on all events including PRs
- All images push: true unconditionally (E2E needs them in GHCR)
- E2E just logs into GHCR, smoke compose pulls via image: directives
- Added dbal + dbal-init to Gate 7 app matrix

https://claude.ai/code/session_01ChKf8wbKQLBcNbBCtqCwT6
---
 .github/workflows/gated-pipeline.yml | 33 +++++++++++++++++++---------
 deployment/docker-compose.smoke.yml  |  1 +
 2 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/gated-pipeline.yml b/.github/workflows/gated-pipeline.yml
index 7be65a4fb..7e16eb6f0 100644
--- a/.github/workflows/gated-pipeline.yml
+++ b/.github/workflows/gated-pipeline.yml
@@ -654,13 +654,13 @@ jobs:
           path: gate-artifacts/
 
   # ============================================================================
-  # GATE 2: Testing Gates
+  # GATE 2: Testing Gates (runs after container images are published to GHCR)
   # ============================================================================
 
   gate-2-start:
     name: "Gate 2: Testing - Starting"
     runs-on: ubuntu-latest
-    needs: gate-1-complete
+    needs: [gate-1-complete, container-build-apps]
     steps:
       - name: Gate 2 checkpoint
         run: |
@@ -759,6 +759,13 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v6
 
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v4
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Setup npm with Nexus
         uses: ./.github/actions/setup-npm
         with:
@@ -777,7 +784,7 @@ jobs:
           else
             echo "::warning::No playwright.config.ts found — E2E tests not configured"
           fi
-        timeout-minutes: 10
+        timeout-minutes: 15
 
       - name: Upload test results
         if: always()
@@ -1311,8 +1318,8 @@ jobs:
   container-base-tier1:
     name: "Gate 7 T1: ${{ matrix.image }}"
     runs-on: ubuntu-latest
-    needs: gate-3-complete
-    if: github.event_name != 'pull_request' && github.event_name != 'issues' && github.event_name != 'issue_comment'
+    needs: gate-1-complete
+    if: github.event_name != 'issues' && github.event_name != 'issue_comment'
     strategy:
       fail-fast: false
       matrix:
@@ -1363,7 +1370,7 @@ jobs:
           context: .
           file: ${{ matrix.dockerfile }}
           platforms: ${{ matrix.platforms }}
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha,scope=${{ matrix.image }}
@@ -1431,7 +1438,7 @@ jobs:
           context: .
           file: ${{ matrix.dockerfile }}
           platforms: ${{ matrix.platforms }}
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha,scope=${{ matrix.image }}
@@ -1490,7 +1497,7 @@ jobs:
           context: .
           file: ./deployment/base-images/Dockerfile.devcontainer
           platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha,scope=devcontainer
@@ -1512,7 +1519,7 @@ jobs:
     name: "Gate 7 App: ${{ matrix.image }}"
     runs-on: ubuntu-latest
     needs: [container-base-tier1]
-    if: github.event_name != 'pull_request' && github.event_name != 'issues' && github.event_name != 'issue_comment' && !failure()
+    if: github.event_name != 'issues' && github.event_name != 'issue_comment' && !failure()
     strategy:
       fail-fast: false
       matrix:
@@ -1538,6 +1545,12 @@ jobs:
           - image: exploded-diagrams
             context: .
             dockerfile: ./frontends/exploded-diagrams/Dockerfile
+          - image: dbal
+            context: ./dbal
+            dockerfile: ./dbal/production/build-config/Dockerfile
+          - image: dbal-init
+            context: .
+            dockerfile: ./deployment/config/dbal/Dockerfile.init
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
@@ -1571,7 +1584,7 @@ jobs:
         with:
           context: ${{ matrix.context }}
           file: ${{ matrix.dockerfile }}
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha,scope=${{ matrix.image }}
diff --git a/deployment/docker-compose.smoke.yml b/deployment/docker-compose.smoke.yml
index 4c3a86eda..4b3bfe058 100644
--- a/deployment/docker-compose.smoke.yml
+++ b/deployment/docker-compose.smoke.yml
@@ -52,6 +52,7 @@ services:
       - smoke
 
   dbal-init:
+    image: ${DBAL_INIT_IMAGE:-ghcr.io/johndoe6345789/metabuilder/dbal-init:latest}
     build:
       context: ..
       dockerfile: deployment/config/dbal/Dockerfile.init