Skip to content

Commit 0f65b62

Browse files
authored
Merge pull request #839 from Yacht-sh/WY-code/wiki-refresh
Add wiki snapshot for current develop operations
2 parents 37303b5 + 5c29ed3 commit 0f65b62

7 files changed

Lines changed: 241 additions & 0 deletions

README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@ The rewrite effort is being explored in [Yacht-sh/yacht-nuxt](https://github.com
2020
The installation docs currently live at [dev.yacht.sh](https://dev.yacht.sh).
2121

2222
Repo-local documentation now lives in [`docs/`](./docs/README.md).
23+
Operational wiki pages for the current `develop` branch live in [`wiki/`](./wiki/Home.md).
2324

2425
## Demo
2526

docs/README.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,8 @@ This directory contains the repo-local documentation for the current Yacht imple
1313
- [CI/CD and Image Publishing](./ci-cd.md)
1414
- [Security Guide](./security.md)
1515

16+
The repo also keeps a lightweight operational wiki snapshot in [`../wiki/`](../wiki/Home.md) for current branch workflow, dependency compatibility, verification, and GHCR publishing notes.
17+
1618
## Scope
1719

1820
These docs describe the code that exists in this repository today, including:

wiki/Dependency-Compatibility.md

Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,50 @@
1+
# Dependency Compatibility
2+
3+
This page records the dependency decisions that currently keep `develop` working.
4+
5+
## Backend
6+
7+
Current noteworthy backend pins from [`../backend/requirements.txt`](../backend/requirements.txt):
8+
9+
- `fastapi==0.120.4`
10+
- `pydantic==1.10.22`
11+
- `aiostream==0.7.1`
12+
- `idna==3.11`
13+
- `makefun==1.16.0`
14+
- `pycparser==3.0`
15+
- `cryptography==46.0.6`
16+
17+
### Important Rule
18+
19+
`fastapi` is intentionally pinned to `0.120.4` because the current backend remains on Pydantic v1.
20+
21+
Do not bump FastAPI independently unless you are also doing the backend migration required for newer Pydantic expectations and verifying the entire API/auth stack.
22+
23+
## Frontend
24+
25+
Current noteworthy frontend versions from [`../frontend/package.json`](../frontend/package.json):
26+
27+
- `vue: ^2.7.16`
28+
- `vuetify: ^2.7.2`
29+
- `vue-chartjs: ^3.5.1`
30+
- `@mdi/font: ^7.4.47`
31+
- `sass: ^1.98.0`
32+
- `@vue/eslint-config-prettier: ^6.0.0`
33+
- `prettier: ^1.19.1`
34+
35+
### Important Rules
36+
37+
- keep `vue-chartjs` on the Vue 2 compatible line
38+
- keep `@vue/eslint-config-prettier` on the ESLint 6 compatible line
39+
- do not assume grouped frontend dependency PRs are safe to merge without verification, especially when they touch Vue, Vuetify, ESLint, or formatting tooling
40+
41+
## How To Handle Future Dependency PRs
42+
43+
1. Merge or cherry-pick the dependency PR into a topic branch off `develop`.
44+
2. Run the verification commands from the runbook.
45+
3. If the update is incompatible:
46+
- keep the merge history if desired
47+
- add a follow-up compatibility commit that restores the known-good version
48+
- document the reason here
49+
50+
This approach keeps the repo history honest while preserving a working branch.
Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
# Development And Release Flow
2+
3+
## Branch Roles
4+
5+
- `master` is the default branch and production-oriented release line.
6+
- `develop` is the integration branch for ongoing dependency, workflow, and feature work.
7+
8+
## Expected Flow
9+
10+
1. Start feature or maintenance work from `develop`.
11+
2. Push that work on a topic branch.
12+
3. Open a PR into `develop`.
13+
4. After `develop` is verified, open or update the `develop -> master` PR.
14+
15+
## Protected Branch Notes
16+
17+
- `develop` is protected.
18+
- Do not assume you can force-push rebased history back to `develop`.
19+
- If you rebase locally for cleanup, you may still need to merge the current `origin/develop` tip back in before the final push can succeed as a normal fast-forward update.
20+
21+
## PR Integration Notes
22+
23+
When merging multiple dependency PRs into `develop`:
24+
25+
- merge the PR branches into `develop`
26+
- run verification immediately after the merge set
27+
- keep the merge history if it helps preserve the audit trail for which PRs were absorbed
28+
- make one follow-up compatibility commit if the merged dependency set needs corrective pins
29+
30+
## Current Release Notes Worth Remembering
31+
32+
- the main image publish workflow now targets `linux/amd64` and `linux/arm64`
33+
- `linux/arm/v7` was removed from the main image publish path because it required unsupported dependency build work for this branch

wiki/Home.md

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
# Yacht Wiki
2+
3+
This wiki folder captures the current operational state of the `develop` branch.
4+
5+
It is intentionally practical. These pages document the branch flow, CI checks, dependency compatibility rules, and image publishing prerequisites that are easy to lose during day-to-day work.
6+
7+
## Pages
8+
9+
- [Development And Release Flow](./Development-And-Release-Flow.md)
10+
- [Verification Runbook](./Verification-Runbook.md)
11+
- [Dependency Compatibility](./Dependency-Compatibility.md)
12+
- [Image Publishing And GHCR](./Image-Publishing-And-GHCR.md)
13+
14+
## Current Snapshot
15+
16+
- default branch: `master`
17+
- integration branch: `develop`
18+
- main application image platforms: `linux/amd64`, `linux/arm64`
19+
- frontend stack: Vue 2 + Vuetify 2
20+
- backend API stack: FastAPI with Pydantic v1 compatibility preserved
21+
22+
## Why This Exists
23+
24+
Recent work on `develop` merged a large set of dependency and workflow updates. Some of those updates were compatible as-is, and some required explicit pins to keep the codebase working. The pages in this folder record those decisions so future dependency and CI work starts from the current known-good state instead of rediscovering it.

wiki/Image-Publishing-And-GHCR.md

Lines changed: 62 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,62 @@
1+
# Image Publishing And GHCR
2+
3+
## Current Workflow
4+
5+
The image publish workflow is defined in [`../.github/workflows/build.yml`](../.github/workflows/build.yml).
6+
7+
Main points:
8+
9+
- runs on pushes to `master` and `develop`
10+
- verifies frontend, backend, and agent before publishing
11+
- publishes the main Yacht image for:
12+
- `linux/amd64`
13+
- `linux/arm64`
14+
- publishes the agent image separately
15+
16+
## Current Tag Behavior
17+
18+
On `master`:
19+
20+
- main image channel tag: `latest`
21+
- version tag: UTC timestamp
22+
23+
On `develop`:
24+
25+
- main image channel tag: `dev-latest`
26+
- version tag: `dev-<timestamp>`
27+
28+
## GHCR Login Behavior
29+
30+
The workflow logs into GHCR with:
31+
32+
- `GHCR_USERNAME` / `GHCR_TOKEN` if they are configured
33+
- otherwise `github.actor` / `GITHUB_TOKEN`
34+
35+
## Known GHCR Failure Mode
36+
37+
If the build succeeds but push fails with a blob `HEAD` request returning `403 Forbidden`, the problem is usually package permission scope, not Docker build content.
38+
39+
Typical causes:
40+
41+
- the existing `ghcr.io/yacht-sh/yacht` package is not linked to the `Yacht-sh/Yacht` repository
42+
- the repository has not been granted package access
43+
- the fallback `GITHUB_TOKEN` does not have the effective package permissions needed for that existing package namespace
44+
- a PAT is being used without the required `read:packages` and `write:packages` scopes
45+
46+
## What To Check In GitHub
47+
48+
1. Open the `ghcr.io/yacht-sh/yacht` package settings.
49+
2. Ensure the `Yacht-sh/Yacht` repository has access to the package.
50+
3. If using a PAT, ensure it has:
51+
- `read:packages`
52+
- `write:packages`
53+
4. If the org uses SSO, authorize the token for the org.
54+
55+
## Platform Notes
56+
57+
The main image publish path no longer targets `linux/arm/v7`.
58+
59+
Reason:
60+
61+
- that path required unsupported dependency build work for the current branch
62+
- `linux/amd64` and `linux/arm64` are the current maintained publish targets

wiki/Verification-Runbook.md

Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
# Verification Runbook
2+
3+
This page records the checks that match the current repository workflows and the local commands that were used to verify the current `develop` branch.
4+
5+
## CI Workflow Summary
6+
7+
The main build workflow is [`../.github/workflows/build.yml`](../.github/workflows/build.yml).
8+
9+
It currently runs:
10+
11+
- frontend install, lint, audit, and production build
12+
- backend dependency install, `pip check`, `compileall`, Bandit, and `pip-audit`
13+
- agent dependency install, `compileall`, Bandit, and `pip-audit`
14+
- image publishing after verification succeeds
15+
16+
## Frontend Local Verification
17+
18+
Use Docker to avoid host Node drift:
19+
20+
```bash
21+
docker run --rm -v "$PWD/frontend:/app" -w /app node:20-bookworm-slim \
22+
bash -lc 'npm ci --legacy-peer-deps --no-audit --no-fund && npm run lint && npm run build'
23+
```
24+
25+
Expected result:
26+
27+
- `npm run lint` may emit warnings
28+
- the command should still exit successfully
29+
- `npm run build` should complete and produce `frontend/dist`
30+
31+
## Backend Local Verification
32+
33+
Fast local checks:
34+
35+
```bash
36+
python3 -m compileall backend
37+
bandit -q -r backend/api
38+
```
39+
40+
Containerized dependency audit with native build packages:
41+
42+
```bash
43+
docker run --rm -v "$PWD/backend:/app" -w /app python:3.11-slim \
44+
bash -lc 'apt-get update >/tmp/apt.log && \
45+
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
46+
build-essential pkg-config libffi-dev libssl-dev libpq-dev \
47+
default-libmysqlclient-dev libjpeg-dev zlib1g-dev libyaml-dev >/tmp/apt-install.log && \
48+
python -m pip install --no-cache-dir pip-audit >/tmp/pip-audit-install.log && \
49+
pip-audit -r requirements.txt --progress-spinner=off'
50+
```
51+
52+
Expected result:
53+
54+
- `No known vulnerabilities found`
55+
56+
## Agent Local Verification
57+
58+
The CI workflow verifies the agent separately. Follow the same pattern as the backend:
59+
60+
- install `agent/requirements.txt`
61+
- run `python -m compileall agent`
62+
- run `bandit -q -r agent`
63+
- run `pip-audit -r agent/requirements.txt --progress-spinner=off`
64+
65+
## When Verification Fails
66+
67+
- fix the dependency or workflow problem first
68+
- do not document a change as current behavior until the branch verifies cleanly
69+
- if a dependency bump is incompatible with the current codebase, pin it back to the last known-good version and document why in the compatibility page

0 commit comments

Comments
 (0)