danieldaum.net / spindle-docker
configuration for self hosting a spindle in docker
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

feat: claude called me gay

daniel daum 4b435ac6 08573fea

+116 -1
+27
CHANGELOG.md
··· 1 + # Changelog 2 + 3 + All notable changes to this project will be documented in this file. 4 + 5 + The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), 6 + and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 7 + 8 + ## [Unreleased] 9 + 10 + ## [0.1.0] - 2026-04-02 11 + 12 + Initial release of the spindle-docker stack. 13 + 14 + ### Added 15 + - Docker Compose stack with OpenBao (vault), OpenBao proxy (AppRole sidecar), and Spindle (CI runner) 16 + - One-time vault bootstrap script (`init-openbao.sh`) with interactive AppRole Secret ID TTL prompt 17 + - `.env`-based configuration with documented variables and defaults; Compose loads it automatically 18 + - All images pinned to versioned SHA256 digests (OpenBao `2.5.2`, Go `1.23.12-alpine3.22`, Alpine `3.23.3`) 19 + - Spindle source pinned to `v1.13.0-alpha` with commit SHA verification at build time (`go mod verify` included) 20 + - OpenBao port bound to `127.0.0.1` only — not reachable from the network 21 + - `IPC_LOCK` capability on both OpenBao and OpenBao proxy to prevent secrets from swapping to disk 22 + - AppRole token file permissions hardened to `0600` 23 + - Pinned versions table in README 24 + - Early development warning in README 25 + 26 + [Unreleased]: https://tangled.org/daniel.gay/spindle-docker/compare/v0.1.0...HEAD 27 + [0.1.0]: https://tangled.org/daniel.gay/spindle-docker/releases/tag/v0.1.0
+14 -1
README.md
··· 98 98 - **openbao-proxy** — AppRole sidecar; auto-authenticates and exposes a token-authenticated proxy to spindle 99 99 - **spindle** — the CI runner; starts only after the proxy is healthy 100 100 101 + ## Pinned versions 102 + 103 + All images and source are pinned to specific versions and verified by digest or commit SHA to prevent unexpected changes on rebuild. 104 + 105 + | Component | Version | Where | 106 + |-----------|---------|--------| 107 + | OpenBao | `2.5.2` | `docker-compose.yml` | 108 + | Go (builder) | `1.23.12-alpine3.22` | `Dockerfile` | 109 + | Alpine (runtime) | `3.23.3` | `Dockerfile` | 110 + | Spindle source | `v1.13.0-alpha` (`3572988`) | `Dockerfile` | 111 + 112 + To upgrade any component, update the tag/version and its corresponding `@sha256:...` digest (or commit SHA for Spindle). All versions are currently alpha — there are no stable Spindle releases yet. 113 + 101 114 ## Notes 102 115 103 - - Port 8200 is exposed for local CLI access. Remove that port mapping in production. 116 + - Port 8200 is exposed for local CLI access only (`127.0.0.1`). Remove that port mapping entirely if you don't need it. 104 117 - TLS is disabled on both listeners. Put nginx or Caddy in front for production traffic. 105 118 - Spindle mounts the Docker socket, so pipeline containers run on the **host** daemon.
+75
RELEASING.md
··· 1 + # Releasing 2 + 3 + How to cut a new release and tag it on tangled.org. 4 + 5 + ## Before you release 6 + 7 + 1. **Update `CHANGELOG.md`** — move everything under `[Unreleased]` into a new versioned section: 8 + 9 + ```markdown 10 + ## [0.2.0] - YYYY-MM-DD 11 + ``` 12 + 13 + Update the comparison links at the bottom of the file. 14 + 15 + 2. **Commit the changelog:** 16 + 17 + ``` 18 + jj commit -m "chore: release v0.2.0" 19 + ``` 20 + 21 + 3. **Push to main:** 22 + 23 + ``` 24 + jj git push 25 + ``` 26 + 27 + ## Tagging 28 + 29 + jj only creates lightweight tags. For release notes to appear on tangled.org, use an **annotated** git tag instead: 30 + 31 + ```bash 32 + git tag -a v0.2.0 -m "Release v0.2.0 33 + 34 + <paste the changelog entry here>" 35 + ``` 36 + 37 + Then push the tag: 38 + 39 + ```bash 40 + jj git push --tag v0.2.0 41 + ``` 42 + 43 + The tag will appear on tangled.org under your repository's tags/releases page. 44 + 45 + ## Versioning 46 + 47 + This project uses [Semantic Versioning](https://semver.org/): 48 + 49 + - **Patch** (`0.1.x`) — bug fixes, dependency updates, documentation 50 + - **Minor** (`0.x.0`) — new features, config changes that are backwards compatible 51 + - **Major** (`x.0.0`) — breaking changes (e.g. incompatible config format, changed volume layout) 52 + 53 + ## Updating pinned versions 54 + 55 + When upgrading a dependency, update both the tag/version **and** the digest in the relevant file: 56 + 57 + | Dependency | File | What to update | 58 + |------------|------|----------------| 59 + | OpenBao | `docker-compose.yml` | image tag + `@sha256:...` | 60 + | Go builder | `Dockerfile` | `FROM golang:X.Y.Z-alpineA.B@sha256:...` | 61 + | Alpine runtime | `Dockerfile` | `FROM alpine:X.Y.Z@sha256:...` | 62 + | Spindle source | `Dockerfile` | `--branch vX.Y.Z` + commit SHA in the verify step | 63 + 64 + To find a new SHA256 digest: 65 + 66 + ```bash 67 + # Docker Hub images 68 + curl -s "https://hub.docker.com/v2/repositories/library/alpine/tags/3.23.3" | python3 -c "import sys,json; print(json.load(sys.stdin)['digest'])" 69 + 70 + # Quay.io images 71 + curl -s "https://quay.io/api/v1/repository/openbao/openbao/tag/?specificTag=2.5.2" | python3 -c "import sys,json; [print(t['manifest_digest']) for t in json.load(sys.stdin)['tags']]" 72 + 73 + # Spindle commit SHA 74 + git ls-remote https://tangled.org/tangled.org/core refs/tags/vX.Y.Z-alpha 75 + ```