From 64137dcfb73ecc8e39578bf61ef5ee086c27a1b5 Mon Sep 17 00:00:00 2001
From: Earl Warren
Date: Wed, 23 Aug 2023 21:57:06 +0200
Subject: [PATCH 1/3] general purpose rootless container
---
 Dockerfile | 35 ++++++++++++++++++++++++++++-------
 Dockerfile.rootless | 24 ------------------------
 2 files changed, 28 insertions(+), 31 deletions(-)
 delete mode 100644 Dockerfile.rootless
diff --git a/Dockerfile b/Dockerfile
index bd931fa..ce36d7a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,16 +1,37 @@
-FROM golang:1.21-alpine3.18 as builder
+FROM --platform=$BUILDPLATFORM tonistiigi/xx AS xx
+
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.21-alpine3.18 as build-env
+
+#
+# Transparently cross compile for the target platform
+#
+COPY --from=xx / /
+ARG TARGETPLATFORM
+RUN apk --no-cache add clang lld
+RUN xx-apk --no-cache add gcc musl-dev
+RUN xx-go --wrap
+
 # Do not remove `git` here, it is required for getting runner version when executing `make build`
-RUN apk add --no-cache make git
+RUN apk add --no-cache build-base git
 
 COPY . /srv
 WORKDIR /srv
 
 RUN make clean && make build
 
-FROM alpine:3.18
-RUN apk add --no-cache git bash tini
+FROM docker.io/library/alpine:3.18
+LABEL maintainer="contact@forgejo.org"
 
-COPY --from=builder /srv/forgejo-runner /bin/forgejo-runner
-COPY scripts/run.sh /opt/act/run.sh
+RUN apk add --no-cache git bash
 
-ENTRYPOINT ["/sbin/tini","--","/opt/act/run.sh"]
+COPY --from=build-env /srv/forgejo-runner /bin/forgejo-runner
+
+ENV HOME=/data
+
+USER 1000:1000
+
+WORKDIR /data
+
+VOLUME ["/data"]
+
+CMD ["/bin/forgejo-runner"]
diff --git a/Dockerfile.rootless b/Dockerfile.rootless
deleted file mode 100644
index a2cb0cf..0000000
--- a/Dockerfile.rootless
+++ /dev/null
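Review bot: `WORKDIR /data` follows `USER 1000:1000` and nothing in the final stage creates `/data` owned by that UID, so depending on the builder the directory is created root-owned and anything the runner (whose `HOME` is `/data`) tries to write under its home — presumably its registration/config state — will fail with EACCES; the deleted Dockerfile.rootless handled this explicitly with `mkdir /data && chown rootless:rootless /data`. Add `RUN mkdir -p /data && chown 1000:1000 /data` before the `USER` line so the ownership is baked into the image rather than left to the runtime, and keep `VOLUME ["/data"]` after it. Separately, `FROM --platform=$BUILDPLATFORM tonistiigi/xx AS xx` pulls an unpinned third-party Docker Hub image whose contents are copied wholesale into the build stage with `COPY --from=xx / /`; pin it to a tag or, better, a `@sha256:` digest, since every binary compiled here inherits its trust.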
@@ -1,24 +0,0 @@ -FROM golang:1.21-alpine3.18 as builder -# Do not remove `git` here, it is required for getting runner version when executing `make build` -RUN apk add --no-cache make git - -COPY . /opt/src/forgejo-runner -WORKDIR /opt/src/forgejo-runner - -RUN make clean && make build - -FROM docker:dind-rootless -USER root -RUN apk add --no-cache \ - git bash supervisor - -COPY --from=builder /opt/src/forgejo-runner/forgejo-runner /usr/local/bin/forgejo-runner -COPY /scripts/supervisord.conf /etc/supervisord.conf -COPY /scripts/run.sh /opt/act/run.sh -COPY /scripts/rootless.sh /opt/act/rootless.sh - -RUN mkdir /data \ - && chown rootless:rootless /data - -USER rootless -ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"] From fd6764ac8ef56b3fb88207f142db5086f1ec1c83 Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Fri, 25 Aug 2023 14:25:36 +0200 Subject: [PATCH 2/3] rework the build & publish process to mimic Forgejo --- ...tion.yml => build-release-integration.yml} | 50 ++++-- .forgejo/workflows/build-release.yml | 168 +++++++----------- .forgejo/workflows/publish-binary.yml | 40 ----- .../workflows/publish-container-image.yml | 43 ----- .forgejo/workflows/publish-release.yml | 47 +++++ 5 files changed, 152 insertions(+), 196 deletions(-) rename .forgejo/workflows/{integration.yml => build-release-integration.yml} (50%) delete mode 100644 .forgejo/workflows/publish-binary.yml delete mode 100644 .forgejo/workflows/publish-container-image.yml create mode 100644 .forgejo/workflows/publish-release.yml diff --git a/.forgejo/workflows/integration.yml b/.forgejo/workflows/build-release-integration.yml similarity index 50% rename from .forgejo/workflows/integration.yml rename to .forgejo/workflows/build-release-integration.yml index 895a4dc..94c74f8 100644 --- a/.forgejo/workflows/integration.yml +++ b/.forgejo/workflows/build-release-integration.yml 
@@ -5,13 +5,13 @@ on: paths: - go.mod - Dockerfile - - .forgejo/workflows/release.yml - - .forgejo/workflows/integration.yml + - .forgejo/workflows/build-release.yml + - .forgejo/workflows/build-release-integration.yml jobs: release-simulation: runs-on: self-hosted - if: github.repository_owner != 'forgejo-integration' && github.repository_owner != 'forgejo-experimental' && github.repository_owner != 'forgejo-release' + if: github.repository_owner != 'forgejo-integration' && github.repository_owner != 'forgejo-release' steps: - uses: actions/checkout@v3 @@ -23,10 +23,18 @@ jobs: image-version: 1.19 lxc-ip-prefix: 10.0.9 - - name: publish the runner release + - name: publish run: | set -x + version=1.2.3 + cat > /etc/docker/daemon.json < forgejo-runner - chmod +x forgejo-runner - ./forgejo-runner --version | grep 1.2.3 - curl -L -sS $url/root/runner/releases/download/v1.2.3/forgejo-runner-amd64.sha256 > forgejo-runner.one - shasum -a 256 < forgejo-runner | cut -f1 -d ' ' > forgejo-runner.two - diff forgejo-runner.one forgejo-runner.two + #cat $FORGEJO_RUNNER_LOGS + + # + # Minimal sanity checks. e2e test is for the setup-forgejo action + # + for arch in amd64 arm64 ; do + binary=forgejo-runner-$version-linux-$arch + for suffix in '' '.xz' ; do + curl --fail -L -sS $url/root/runner/releases/download/v$version/$binary$suffix > $binary$suffix + if test "$suffix" = .xz ; then + unxz --keep $binary$suffix + fi + chmod +x $binary + ./$binary --version | grep $version + curl --fail -L -sS $url/root/runner/releases/download/v$version/$binary$suffix.sha256 > $binary$suffix.sha256 + shasum -a 256 --check $binary$suffix.sha256 + rm $binary$suffix + done + done + + docker pull ${{ steps.forgejo.outputs.host-port }}/root/runner:$version diff --git a/.forgejo/workflows/build-release.yml b/.forgejo/workflows/build-release.yml index 874f733..c09049f 100644 --- a/.forgejo/workflows/build-release.yml +++ b/.forgejo/workflows/build-release.yml 
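Review bot: The new sanity check ends with `docker pull ${{ steps.forgejo.outputs.host-port }}/root/runner:$version`, which only proves the image exists in the registry; now that the image switches to `USER 1000:1000` with `CMD ["/bin/forgejo-runner"]`, nothing here verifies that the container actually starts as that user. Follow the pull with a smoke run, e.g. `docker run --rm ${{ steps.forgejo.outputs.host-port }}/root/runner:$version --version | grep $version`, mirroring what the loop above already does for the bare binaries. Note also that each binary and its `.sha256` file are fetched from the same release, so `shasum -a 256 --check` detects transfer corruption but not a tampered release; that is acceptable for an integration test but worth a comment such as `# checksums come from the same release: integrity only, not authenticity`.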
@@ -1,6 +1,16 @@ +# SPDX-License-Identifier: MIT +# +# https://code.forgejo.org/forgejo/runner +# +# Build the runner binaries and OCI images +# +# ROLE: forgejo-integration +# DOER: release-team +# TOKEN: +# name: Build release -on: +on: push: tags: 'v*' 
@@ -8,126 +18,86 @@ jobs: release: runs-on: self-hosted # root is used for testing, allow it - if: github.repository_owner == 'forgejo-integration' || github.repository_owner == 'root' + if: secrets.ROLE == 'forgejo-integration' || github.repository_owner == 'root' steps: - uses: actions/checkout@v3 - - id: verbose + - name: Increase the verbosity when there are no secrets + id: verbose run: | - # if there are no secrets, be verbose if test -z "${{ secrets.TOKEN }}"; then value=true else value=false fi echo "value=$value" >> "$GITHUB_OUTPUT" - echo "shell=set -x" >> "$GITHUB_OUTPUT" - - - id: registry + + - name: Sanitize the name of the repository + id: repository run: | - ${{ steps.verbose.outputs.shell }} + repository="${{ github.repository }}" + echo "value=${repository##*/}" >> "$GITHUB_OUTPUT" + + - name: create test TOKEN + id: token + if: ${{ secrets.TOKEN == '' }} + run: | + apt-get -qq install -y jq url="${{ env.GITHUB_SERVER_URL }}" hostport=${url##http*://} hostport=${hostport%%/} - echo "host-port=${hostport}" >> "$GITHUB_OUTPUT" - if ! 
[[ $url =~ ^http:// ]] ; then - exit 0 - fi + doer=root + api=http://$doer:admin1234@$hostport/api/v1/users/$doer/tokens + curl -sS -X DELETE $api/release + token=$(curl -sS -X POST -H 'Content-Type: application/json' --data-raw '{"name": "release", "scopes": ["all"]}' $api | jq --raw-output .sha1) + echo "value=${token}" >> "$GITHUB_OUTPUT" + + - name: version from ref_name + id: tag-version + run: | + version="${{ github.ref_name }}" + version=${version##*v} + echo "value=$version" >> "$GITHUB_OUTPUT" + + - name: release notes + id: release-notes + run: | + anchor=${{ steps.tag-version.outputs.value }} + anchor=${anchor//./-} cat >> "$GITHUB_OUTPUT" <> "$GITHUB_OUTPUT" - echo "doer=${doer}" >> "$GITHUB_OUTPUT" - - name: allow docker pull/push to forgejo - if: ${{ steps.registry.outputs.insecure }} - run: |- - mkdir /etc/docker - cat > /etc/docker/daemon.json < ~/.docker/config.json - env: - CI_REGISTRY: "${{ env.GITHUB_SERVER_URL }}${{ env.GITHUB_REPOSITORY_OWNER }}" - - - id: build - run: | - ${{ steps.verbose.outputs.shell }} - tag="${{ github.ref_name }}" - tag=${tag##*v} - echo "tag=$tag" >> "$GITHUB_OUTPUT" - echo "image=${{ steps.registry.outputs.host-port }}/${{ github.repository }}:${tag}" >> "$GITHUB_OUTPUT" - - - uses: https://github.com/docker/build-push-action@v4 - # workaround until https://github.com/docker/build-push-action/commit/d8823bfaed2a82c6f5d4799a2f8e86173c461aba is in @v4 or @v5 is released - env: - ACTIONS_RUNTIME_TOKEN: '' - with: - context: . 
- push: true - platforms: linux/amd64,linux/arm64 - tags: ${{ steps.build.outputs.image }} - - - run: | - ${{ steps.verbose.outputs.shell }} - mkdir -p release - for arch in amd64 arm64; do - docker create --platform linux/$arch --name runner ${{ steps.build.outputs.image }} - docker cp runner:/bin/forgejo-runner release/forgejo-runner-$arch - shasum -a 256 < release/forgejo-runner-$arch | cut -f1 -d ' ' > release/forgejo-runner-$arch.sha256 - docker rm runner - done - - - name: publish release (when TOKEN secret is NOT set) + - name: build without TOKEN if: ${{ secrets.TOKEN == '' }} - uses: https://code.forgejo.org/actions/forgejo-release@v1 + uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v1 with: - direction: upload - release-dir: release - release-notes: "RELEASE-NOTES#${{ steps.build.outputs.tag }}" - token: ${{ steps.secrets.outputs.token }} + forgejo: "${{ env.GITHUB_SERVER_URL }}" + owner: "${{ env.GITHUB_REPOSITORY_OWNER }}" + repository: "${{ steps.repository.outputs.value }}" + doer: root + tag-version: "${{ steps.tag-version.outputs.value }}" + token: ${{ steps.token.outputs.value }} + platforms: linux/amd64,linux/arm64 + release-notes: "${{ steps.release-notes.outputs.value }}" + binary-name: forgejo-runner + binary-path: /bin/forgejo-runner verbose: ${{ steps.verbose.outputs.value }} - - name: publish release (when TOKEN secret is set) + - name: build with TOKEN if: ${{ secrets.TOKEN != '' }} - uses: https://code.forgejo.org/actions/forgejo-release@v1 + uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v1 with: - direction: upload - release-dir: release - release-notes: "RELEASE-NOTES#${{ steps.build.outputs.tag }}" - token: ${{ secrets.TOKEN }} + forgejo: "${{ env.GITHUB_SERVER_URL }}" + owner: "${{ env.GITHUB_REPOSITORY_OWNER }}" + repository: "${{ steps.repository.outputs.value }}" + doer: "${{ secrets.DOER }}" + tag-version: "${{ steps.tag-version.outputs.value }}" + token: "${{ secrets.TOKEN }}" + platforms: 
linux/amd64,linux/arm64 + release-notes: "${{ steps.release-notes.outputs.value }}" + binary-name: forgejo-runner + binary-path: /bin/forgejo-runner verbose: ${{ steps.verbose.outputs.value }} diff --git a/.forgejo/workflows/publish-binary.yml b/.forgejo/workflows/publish-binary.yml deleted file mode 100644 index 68519d4..0000000 --- a/.forgejo/workflows/publish-binary.yml +++ /dev/null @@ -1,40 +0,0 @@ -name: Publish release - -on: - push: - tags: 'v*' - -jobs: - release: - runs-on: self-hosted - if: github.repository_owner == 'forgejo-release' && secrets.TOKEN != '' - steps: - - - name: install the certificate authority - run: | - apt-get install -qq -y wget - wget --no-check-certificate -O /usr/local/share/ca-certificates/enough.crt https://forgejo.octopuce.forgejo.org/forgejo/enough/raw/branch/main/certs/2023-05-13/ca.crt - update-ca-certificates --fresh - - - uses: actions/checkout@v3 - - - name: download release - uses: https://code.forgejo.org/actions/forgejo-release@v1 - with: - url: https://code.forgejo.org - repo: forgejo-integration/runner - direction: download - release-dir: release - download-retry: 60 - token: ${{ secrets.TOKEN }} - - - name: upload release - uses: https://code.forgejo.org/actions/forgejo-release@v1 - with: - url: https://code.forgejo.org - repo: forgejo/runner - direction: upload - release-dir: release - release-notes: "RELEASE-NOTES" - token: ${{ secrets.TOKEN }} - gpg-private-key: ${{ secrets.GPG }} diff --git a/.forgejo/workflows/publish-container-image.yml b/.forgejo/workflows/publish-container-image.yml deleted file mode 100644 index f556ab2..0000000 --- a/.forgejo/workflows/publish-container-image.yml +++ /dev/null 
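Review bot: In the `version from ref_name` step, `version=${version##*v}` strips the longest prefix ending in `v`, so a tag with a second `v` later in it is mangled — `v3.0.0-dev`, if such tags are ever pushed, yields an empty version, and the same value feeds the `release-notes` anchor and the `tag-version` input of the publish action; use `version=${version#v}` to drop only the leading `v`. In the `create test TOKEN` step the token is minted with `"scopes": ["all"]` and written to `$GITHUB_OUTPUT`, where it is not masked the way a secret is, then passed as `token` to an action that runs with `verbose: true` in exactly this no-secret case; narrow the scopes to what the publish action needs and emit `echo "::add-mask::$token"` before writing the output, if the runner honours masking. The hard-coded `admin1234` basic-auth over plain `http://` is tolerable only because this path runs when `secrets.TOKEN` is empty against a throwaway instance, which the step should say in a comment, e.g. `# test-only: the local Forgejo is ephemeral and its admin password is fixed`.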
@@ -1,43 +0,0 @@ -# SPDX-License-Identifier: MIT -name: copy container images from integration to the destination organization - -on: - push: - tags: 'v*' - -jobs: - builder: - runs-on: self-hosted - if: github.repository_owner == 'forgejo-release' && secrets.TOKEN != '' - steps: - - - name: apt-get install docker.io - run: | - DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qq -y docker.io - - - name: login code.forgejo.org - uses: https://github.com/docker/login-action@v2 - with: - registry: code.forgejo.org - username: ${{ secrets.DOER }} - password: ${{ secrets.TOKEN }} - - - id: tag - run: | - tag="${{ github.ref_name }}" - tag=${tag##*v} - echo "tag=$tag" >> "$GITHUB_OUTPUT" - - - uses: https://code.forgejo.org/forgejo/forgejo-container-image@v1 - env: - VERIFY: 'false' - with: - url: https://code.forgejo.org - destination-owner: forgejo - owner: forgejo-integration - suffixes: ' ' - project: runner - tag: ${{ steps.tag.outputs.tag }} - doer: ${{ secrets.DOER }} - token: ${{ secrets.TOKEN }} - verbose: true diff --git a/.forgejo/workflows/publish-release.yml b/.forgejo/workflows/publish-release.yml new file mode 100644 index 0000000..1cb353d --- /dev/null +++ b/.forgejo/workflows/publish-release.yml 
@@ -0,0 +1,47 @@ +# SPDX-License-Identifier: MIT +# +# https://forgejo.octopuce.forgejo.org/forgejo-release/runner +# +# Copies & sign a release from code.forgejo.org/forgejo-integration/runner to code.forgejo.org/forgejo/runner +# +# ROLE: forgejo-release +# FORGEJO: https://code.forgejo.org +# FROM_OWNER: forgejo-integration +# TO_OWNER: forgejo +# DOER: release-team +# TOKEN: +# GPG_PRIVATE_KEY: +# GPG_PASSPHRASE: +# +name: pubish + +on: + push: + tags: 'v*' + +jobs: + publish: + runs-on: self-hosted + if: secrets.DOER != '' && secrets.FORGEJO != '' && secrets.TO_OWNER != '' && secrets.FROM_OWNER != '' && secrets.TOKEN != '' + steps: + - name: install the certificate authority + if: secrets.ROLE == 'forgejo-release' + run: | + apt-get install -qq -y wget + wget --no-check-certificate -O /usr/local/share/ca-certificates/enough.crt https://forgejo.octopuce.forgejo.org/forgejo/enough/raw/branch/main/certs/2023-05-13/ca.crt + update-ca-certificates --fresh + + - uses: actions/checkout@v3 + + - name: copy & sign + uses: https://code.forgejo.org/forgejo/forgejo-build-publish/publish@v1 + with: + forgejo: ${{ secrets.FORGEJO }} + from-owner: ${{ secrets.FROM_OWNER }} + to-owner: ${{ secrets.TO_OWNER }} + ref-name: ${{ github.ref_name }} + doer: ${{ secrets.DOER }} + token: ${{ secrets.TOKEN }} + gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} + gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }} + verbose: ${{ secrets.VERBOSE }} From c5f53958be34f9db49b39fadd166aea902792525 Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Fri, 25 Aug 2023 15:32:05 +0200 Subject: [PATCH 3/3] update RELEASE notes --- RELEASE-NOTES.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md index 9fbbca6..d8deccc 100644 --- a/RELEASE-NOTES.md +++ b/RELEASE-NOTES.md 
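Review bot: The `install the certificate authority` step fetches `ca.crt` with `wget --no-check-certificate` and immediately runs `update-ca-certificates --fresh`, so a root of trust is installed system-wide from an unauthenticated download — anyone able to intercept that request can plant their own CA and then impersonate every TLS endpoint this job talks to, including the forge that receives the signed release while the GPG private key and passphrase are in use. Pin the file instead: after the `wget`, add `echo "<expected-sha256>  /usr/local/share/ca-certificates/enough.crt" | sha256sum -c -` with the digest recorded in the workflow, or check the PEM into the repository and copy it from the checkout (which would also let the step run after `actions/checkout`); a comment explaining why certificate checking is disabled (presumably the server's own certificate chains to this CA) would help the next reader. The workflow `name: pubish` looks like a typo for `publish`.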
@@ -1,5 +1,10 @@ # Release Notes +## v3.0.0 + +* Publish a rootless OCI image with examples on how to use it +* Refactor the release process + ## v2.5.0 * Update [code.forgejo.org/forgejo/act v1.10.0](https://code.forgejo.org/forgejo/runner/pulls/71)