Changes:
- Use pdftract-test-glibc:1.78 image (has aws/b2 CLI preinstalled)
- Use b2-readonly secret instead of armor-secrets
- Update env var names to ARMOR_ACCESS_KEY_ID/ARMOR_SECRET_ACCESS_KEY
- Remove apt-get install step (tools already in image)
The cer-diff tool was already implemented in a previous commit.
This commit fixes the image and secret references per the bead spec.
References pdftract-2t9 acceptance criteria:
- regression-corpus step runs on every PR (✓ already in workflow)
- Uses pdftract-test-glibc:1.78 image (✓ fixed)
- Uses b2-readonly secret (✓ fixed)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Implement the per-target build steps inside pdftract-ci for all five
release target triples. Each target produces a stripped release binary
uploaded as an Argo artifact (named pdftract-<triple>).
Changes:
- Added workspace volumeClaimTemplate (10Gi) to share cloned repo
- Implemented build-matrix DAG with 5 target build tasks
- Added continueOn: failed to each build task for fault tolerance
- Implemented build-target template using ghcr.io/cross-rs images
- Configured cargo-cache volume mount with CARGO_HOME and TARGET_DIR
- Added SOURCE_DATE_EPOCH and --locked flag for reproducible builds
- Added binary stripping and artifact upload (pdftract-<target>{.exe})
Targets:
- x86_64-unknown-linux-musl
- aarch64-unknown-linux-musl
- x86_64-apple-darwin
- aarch64-apple-darwin
- x86_64-pc-windows-gnu
Acceptance criteria:
- PASS: All five build steps in build-matrix DAG
- PASS: Binaries upload as artifacts with correct pattern
- WARN: Build time <= 8 min (cannot verify without running pipeline)
- WARN: Stripped binary <= 4 MB (cannot verify without running pipeline)
- PASS: Failure isolation with continueOn: failed
Verification note: notes/pdftract-1bn.md
Refs: pdftract-1bn, Phase 0 lines 1001-1009, ADR-009
Implement the build-matrix DAG template in pdftract-ci WorkflowTemplate
with cross-compilation for all five release target triples using
ghcr.io/cross-rs Docker images.
Targets:
- x86_64-unknown-linux-musl
- aarch64-unknown-linux-musl
- x86_64-apple-darwin
- aarch64-apple-darwin
- x86_64-pc-windows-gnu
Each target:
- Builds in parallel via DAG task with continueOn.failed=true
- Uses target-specific cross Docker image
- Mounts shared cargo-cache PVC
- Builds with --features default,serve,decrypt
- Strips binary using target-appropriate strip command
- Uploads artifact as pdftract-{target}{.exe}
Acceptance criteria:
- PASS: All five build steps in build-matrix DAG
- PASS: All five binaries upload as artifacts
- PASS: Failure isolation with continueOn
- WARN: Build time <= 8 min (runtime verification required)
- WARN: Binary size <= 4 MB (runtime verification required)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>