Spec: phpboyscout/cicd v0.14.0 — components use dev-tools
- Repository: gitlab.com/phpboyscout/cicd
- Released as: `v0.14.0` (minor — image-default + behaviour change).
- Depends on: `phpboyscout/images/dev-tools:v0.1.0` (published).
- Driver: the go-/rust- components install their toolchain tools at
job runtime today — a network fetch + compile on nearly every
pipeline job. `dev-tools` bakes them; this spec rewires the components to use it and deletes the installs.
Decisions
D1 — Image defaults → dev-tools:v0.1.0
Change the image-input defaults (consumers can still override):
| Component | input | old default | new default |
|---|---|---|---|
| go-lint | image | golangci/golangci-lint:v2.12.2 | …/dev-tools:v0.1.0 |
| go-test | image | golang:1.26.4-bookworm | …/dev-tools:v0.1.0 |
| go-security | govulncheck_image | golang:1.26.4-bookworm | …/dev-tools:v0.1.0 |
| goreleaser | image | goreleaser/goreleaser:v2.16.0 | …/dev-tools:v0.1.0 |
| rust-lint | image | rust:1.83-bookworm | …/dev-tools:v0.1.0 |
| rust-test | image | rust:1.83-bookworm | …/dev-tools:v0.1.0 |
| rust-security | rust_image | rust:1.83-bookworm | …/dev-tools:v0.1.0 |
| rust-docs | image | rust:1.83-bookworm | …/dev-tools:v0.1.0 |
(… = registry.gitlab.com/phpboyscout/images.) Pinned exact; Renovate
bumps as new dev-tools tags ship.
D2 — Delete the runtime tool installs
Remove the expensive installs the image now bakes:
- go-security govulncheck: drop `go install golang.org/x/vuln/cmd/govulncheck@latest`; the script calls `govulncheck` directly (now on PATH at `/usr/local/go-bin`).
- rust-test test-linux / test-integration / coverage: drop `cargo install cargo-binstall` + `cargo binstall cargo-nextest` (+ `cargo binstall cargo-llvm-cov` in coverage). Scripts call `cargo nextest` / `cargo llvm-cov` directly.
- rust-security cargo-deny / cargo-audit: drop the binstall bootstrap; call `cargo deny` / `cargo audit` directly.
D3 — What stays (deliberately)
- `rustup component add clippy|rustfmt|llvm-tools-preview` stays. dev-tools bakes these for its toolchain (1.83), but a consumer's `rust-toolchain.toml` (e.g. rust-tool-base pins 1.96.0) makes rustup install a different toolchain at runtime, which then needs its own components. `rustup component add` is a fast, local no-op when already present and a correctness safeguard when the toolchain is overridden. (The cargo binary tools — nextest, deny, etc. — are toolchain-independent, so baking them works regardless.)
- Cross-OS jobs untouched. `rust-test` `test-macos` / `test-windows` run on saas-macos / saas-windows runners and bootstrap rust + tools there; dev-tools is a linux image, so these keep their existing install logic.
- Security scanners untouched. `trivy`, `gitleaks`, `osv-scanner`, `analyze` (semgrep) run from their own pinned upstream images — not a runtime install, so not baked into dev-tools.
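
A regression check for D2 and D3, as an added example that is not part of the cicd project's own code: it flags job-script lines that still fetch or build tools at runtime and ignores the `rustup component add` lines D3 keeps. The function names and both sample scripts are constructed.

```shell
# Added example, not from the phpboyscout/cicd repository.
# Function names and the two sample scripts are constructed for illustration.

# Extended regex for the install commands D2 removes. The leading group keeps
# "go install" from matching inside "cargo install".
D2_INSTALLS='(^|[[:space:];&|])go install [^[:space:]]+@|cargo install cargo-binstall|cargo binstall [^[:space:]]'

# Read a job script on stdin; print "lineno:text" for each non-comment line
# that still performs a D2 install. `rustup component add` (D3) never matches.
find_runtime_installs() {
  grep -nE "$D2_INSTALLS" | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# Number of offending lines on stdin; 0 means the script complies with D2.
count_runtime_installs() {
  find_runtime_installs | grep -c . || true
}

# Constructed sample: a job script with the pre-v0.14.0 style installs.
sample_before() {
  cat <<'EOF'
# fetch and build the tools on every job
go install golang.org/x/vuln/cmd/govulncheck@latest
cargo install cargo-binstall
cargo binstall cargo-nextest
rustup component add clippy
govulncheck ./...
EOF
}

# Constructed sample: the same job after D2, keeping the D3 rustup line.
sample_after() {
  cat <<'EOF'
# tools come from dev-tools; no cargo binstall here
rustup component add clippy
govulncheck ./...
cargo nextest run
EOF
}

printf 'before: %s runtime install(s)\n' "$(sample_before | count_runtime_installs)"
printf 'after:  %s runtime install(s)\n' "$(sample_after | count_runtime_installs)"
```

Piping a component's rendered `script:` lines through `count_runtime_installs` in a self-test catches a reintroduced `@latest` fetch before it ships.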
D4 — Vestigial version inputs
rust-security `cargo_deny_version` / `cargo_audit_version` and
rust-test `binstall_version` no longer drive anything (the image pins
those versions). Keep the inputs (ignored) for non-breaking compatibility
and document them as deprecated — the dev-tools image now owns those
versions. Revisit removal in a later major.
D5 — Consumer follow-ups (separate MRs)
- `go-tool-base` / `keyrx`: drop now-redundant `image` / `govulncheck_image` / `gotoolchain` overrides → pick up dev-tools.
- `rust-tool-base`: drop the `apt-get install libdbus-1-dev pkg-config` from its `extra_before_script` (dev-tools bakes them); keep the `/etc/machine-id` seeding.
- All Go/Rust consumers re-pin to cicd v0.14.0 (Renovate).
D6 — Goreleaser note
With goreleaser on dev-tools, goreleaser uses the image's Go 1.26.4,
so `GOTOOLCHAIN`/`gotoolchain` becomes a non-issue for the common case
(the v0.11.3 `auto` default still applies and is harmless).
D7 — Versioning
Image-default + script change → `feat(cicd):` → v0.14.0 (minor).
Self-tests for the go-/rust- components now pull dev-tools (≈3 GB,
cached on the runner via `pull_policy: if-not-present`).