Review fixes: parameterize DBAL base image, report seed errors, update pipeline docs

- DBAL Dockerfile: Add ARG BASE_REGISTRY=metabuilder so CI can override
  the FROM image path to ghcr.io/... (was hardcoded metabuilder/base-apt)
- Setup route: Return HTTP 207 + success:false when seed errors occur
  instead of always returning 200/true
- Pipeline: Update comments/diagram to reflect Gate 7 running after
  Gate 1 (not after Gate 6), add dbal + dbal-init to Trivy scan matrix

https://claude.ai/code/session_01ChKf8wbKQLBcNbBCtqCwT6
Claude
2026-03-11 21:10:20 +00:00
parent 659324c823
commit eb457faa9b
3 changed files with 20 additions and 15 deletions


@@ -71,12 +71,12 @@ permissions:
#
# Sequential Gates (fan-out/fan-in):
# Gate 1: Code Quality (DBAL schemas, typecheck, lint, security)
# Gate 2: Testing (unit with coverage, E2E, DBAL daemon)
# Gate 7: Container Build & Push to GHCR (after Gate 1, before testing)
# Gate 2: Testing (unit with coverage, E2E with prod images, DBAL daemon)
# Gate 3: Build & Package
# Gate 4: Development Assistance (PR only)
# Gate 5: Staging Deployment (main branch push)
# Gate 6: Production Deployment (release or manual with approval)
# Gate 7: Container Build & Push (push/tag/dispatch, not PRs)
# ════════════════════════════════════════════════════════════════════════════════
jobs:
@@ -1304,7 +1304,7 @@ jobs:
});
# ============================================================================
# GATE 7: Container Build & Push (push/tag/dispatch only, not PRs)
# GATE 7: Container Build & Push to GHCR (after Gate 1, before testing)
# ════════════════════════════════════════════════════════════════════════════
# Tiered base images respecting the dependency DAG:
# Tier 1 (independent): base-apt, base-node-deps, base-pip-deps
@@ -1626,6 +1626,8 @@ jobs:
- postgres-dashboard
- workflowui
- exploded-diagrams
- dbal
- dbal-init
steps:
- name: Log in to GitHub Container Registry
uses: docker/login-action@v4
@@ -1789,7 +1791,13 @@ jobs:
summary += ' 1.1 DBAL Schemas 1.2 TypeScript 1.3 Lint\n';
summary += ' 1.4 Security 1.5 File Size 1.6 Complexity 1.7 Stubs\n';
summary += ' |\n';
summary += 'Gate 2: Testing (3 steps)\n';
summary += 'Gate 7: Containers (after Gate 1)\n';
summary += ' T1: base-apt, node-deps, pip-deps\n';
summary += ' T2: conan-deps, android-sdk\n';
summary += ' T3: devcontainer\n';
summary += ' Apps: 9 images (incl. dbal, dbal-init) -> GHCR\n';
summary += ' |\n';
summary += 'Gate 2: Testing (3 steps, pulls prod images)\n';
summary += ' 2.1 Unit Tests (+ coverage) 2.2 E2E 2.3 DBAL\n';
summary += ' |\n';
summary += 'Gate 3: Build (2 steps)\n';
@@ -1800,12 +1808,6 @@ jobs:
summary += 'Gate 5: Staging (main push)\n';
summary += ' |\n';
summary += 'Gate 6: Production (release/manual)\n';
summary += ' |\n';
summary += 'Gate 7: Containers (push/tag/dispatch)\n';
summary += ' T1: base-apt, node-deps, pip-deps\n';
summary += ' T2: conan-deps, android-sdk\n';
summary += ' T3: devcontainer\n';
summary += ' Apps: 7 images -> Trivy scan -> Multi-arch manifests\n';
summary += '```\n\n';
console.log(summary);
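Review bot: The rewritten Gate 7 comments drop the trigger restriction that the old header and banner stated (`push/tag/dispatch only, not PRs`), so a reader can no longer tell from the documentation whether a pull request can reach the job that pushes to GHCR. If the job's `if:` condition is unchanged (it is outside these hunks), keep the restriction in the comment, e.g. `# Gate 7: Container Build & Push to GHCR (after Gate 1, before testing; push/tag/dispatch only, not PRs)`, and repeat it in the banner above the tier list. The summary line `Apps: 9 images (incl. dbal, dbal-init) -> GHCR` also no longer mentions the Trivy scan, although this commit adds `dbal` and `dbal-init` to the scan matrix. Stating where the scan sits relative to the push and to Gate 2 pulling those images would make it clear whether unscanned images can be consumed.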


@@ -5,7 +5,8 @@
ARG BUILD_TYPE=Release
# ── Build stage ──────────────────────────────────────────────────────────────
FROM metabuilder/base-apt:latest AS builder
ARG BASE_REGISTRY=metabuilder
FROM ${BASE_REGISTRY}/base-apt:latest AS builder
ARG BUILD_TYPE
@@ -56,7 +57,8 @@ RUN cd /dbal/build \
&& strip dbal_daemon
# ── Runtime stage ────────────────────────────────────────────────────────────
FROM metabuilder/base-apt:latest
ARG BASE_REGISTRY=metabuilder
FROM ${BASE_REGISTRY}/base-apt:latest
WORKDIR /app
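Review bot: Both `FROM ${BASE_REGISTRY}/base-apt:latest` lines still resolve the base image by the mutable `latest` tag, now from a registry chosen at build time. Two builds of the same commit can therefore get different base contents, and nothing ties the runtime stage to the base image that was built and scanned in the pipeline. Consider a second argument such as `ARG BASE_TAG=latest` used as `FROM ${BASE_REGISTRY}/base-apt:${BASE_TAG}`, with CI passing an immutable tag or digest for the image it just produced. The second `ARG BASE_REGISTRY=metabuilder` before the runtime stage looks redundant, since an ARG declared before the first FROM is already available to every later FROM line.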


@@ -95,9 +95,10 @@ export async function POST() {
console.warn(`[Seed] Complete: ${results.packages} packages, ${results.pages} pages, ${results.skipped} skipped, ${results.errors} errors`)
const status = results.errors > 0 ? 207 : 200
return NextResponse.json({
success: true,
message: 'Database seeded successfully',
success: results.errors === 0,
message: results.errors > 0 ? `Seeded with ${results.errors} error(s)` : 'Database seeded successfully',
results,
})
}, { status })
}
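Review bot: The partial-failure response still uses a 2xx code (`const status = results.errors > 0 ? 207 : 200`), so any caller, script or health check that tests only `response.ok` or the status class will treat a failed seed as success. Only clients that read `success` will see the failure. If no existing caller depends on a 2xx here, `const status = results.errors > 0 ? 500 : 200` makes the failure visible to status-only checks; otherwise add a comment on the handler stating that callers must check `success`. `POST()` begins outside the hunk and takes no request argument, so whether this seeding route is authenticated cannot be seen here and is worth confirming.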