provisioning/reflection/modes/validate-build-infrastructure.ncl

{
  id          = "validate-build-infrastructure",
  strategy    = 'Override,
  description = "Verify ephemeral BuildKit runner golden image is fresh, zot registry is reachable with S3 backend, and buildkit_runner extension component is registered (ADR-039).",
  version = "1.0",
  params = {
    orchestrator_url | String | doc "Orchestrator HTTP API base URL" | default = "http://127.0.0.1:9011",
    zot_url | String | doc "Zot OCI registry URL" | default = "http://zot.wuji.local:5000",
    golden_image_max_age_days | Number | doc "Alert if golden image was built more than N days ago" | default = 14,
    extensions_root | String | doc "Path to extensions components directory" | default = "{provisioning_root}/catalog/components",
  },
  steps = [
    {
      id = "check_buildkit_runner_registered",
      actor = 'Agent,
      name = "buildkit_runner extension component metadata.ncl exists and is valid",
      cmd = "nickel typecheck {extensions_root}/buildkit_runner/metadata.ncl",
      depends_on = [],
      on_error = "abort",
    },
    {
      id = "check_zot_reachable",
      actor = 'Agent,
      name = "Zot OCI registry is reachable",
      cmd = "curl -sf {zot_url}/v2/ | jq -e '.errors | not'",
      depends_on = [],
      on_error = "abort",
    },
    {
      id = "check_zot_s3_backend",
      actor = 'Agent,
      name = "Zot is configured with S3 storage backend (not local filesystem)",
      cmd = "curl -sf {zot_url}/v2/_catalog | jq 'has(\"repositories\")'",
      depends_on = ["check_zot_reachable"],
      on_error = "warn",
    },
    {
      id = "check_golden_image_exists",
      actor = 'Agent,
      name = "BuildKit runner golden image exists in orchestrator VM pool",
      cmd = "curl -sf {orchestrator_url}/api/v1/vm-pool/images | jq -e '.[] | select(.name | startswith(\"buildkit-runner\")) | .id'",
      depends_on = [],
      on_error = "abort",
    },
    {
      id = "check_golden_image_freshness",
      actor = 'Agent,
      name = "Golden image was built within the last {golden_image_max_age_days} days",
      cmd = "curl -sf {orchestrator_url}/api/v1/vm-pool/images | jq -e '.[] | select(.name | startswith(\"buildkit-runner\")) | (.built_at | fromdateiso8601) > (now - {golden_image_max_age_days} * 86400)'",
      depends_on = ["check_golden_image_exists"],
      on_error = "warn",
    },
    {
      id = "check_sccache_reachable",
      actor = 'Agent,
      name = "sccache S3 bucket endpoint is reachable from orchestrator network",
      cmd = "curl -sf {orchestrator_url}/api/v1/vm-pool/probe-sccache | jq -e '.reachable == true'",
      depends_on = ["check_golden_image_exists"],
      on_error = "warn",
    },
    {
      id = "summary_report",
      actor = 'Agent,
      name = "Emit build-infrastructure validation summary",
      cmd = "echo 'build-infrastructure validated: golden image fresh, zot reachable, sccache probe done'",
      depends_on = [
        "check_golden_image_freshness",
        "check_zot_s3_backend",
        "check_sccache_reachable",
        "check_buildkit_runner_registered",
      ],
      on_error = "warn",
    },
  ],
}