rework the build & publish process to mimic Forgejo
This commit is contained in:
parent
64137dcfb7
commit
fd6764ac8e
5 changed files with 152 additions and 196 deletions
|
@ -5,13 +5,13 @@ on:
|
||||||
paths:
|
paths:
|
||||||
- go.mod
|
- go.mod
|
||||||
- Dockerfile
|
- Dockerfile
|
||||||
- .forgejo/workflows/release.yml
|
- .forgejo/workflows/build-release.yml
|
||||||
- .forgejo/workflows/integration.yml
|
- .forgejo/workflows/build-release-integration.yml
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
release-simulation:
|
release-simulation:
|
||||||
runs-on: self-hosted
|
runs-on: self-hosted
|
||||||
if: github.repository_owner != 'forgejo-integration' && github.repository_owner != 'forgejo-experimental' && github.repository_owner != 'forgejo-release'
|
if: github.repository_owner != 'forgejo-integration' && github.repository_owner != 'forgejo-release'
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v3
|
||||||
|
|
||||||
|
@ -23,10 +23,18 @@ jobs:
|
||||||
image-version: 1.19
|
image-version: 1.19
|
||||||
lxc-ip-prefix: 10.0.9
|
lxc-ip-prefix: 10.0.9
|
||||||
|
|
||||||
- name: publish the runner release
|
- name: publish
|
||||||
run: |
|
run: |
|
||||||
set -x
|
set -x
|
||||||
|
|
||||||
|
version=1.2.3
|
||||||
|
cat > /etc/docker/daemon.json <<EOF
|
||||||
|
{
|
||||||
|
"insecure-registries" : ["${{ steps.forgejo.outputs.host-port }}"]
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
systemctl restart docker
|
||||||
|
|
||||||
dir=$(mktemp -d)
|
dir=$(mktemp -d)
|
||||||
trap "rm -fr $dir" EXIT
|
trap "rm -fr $dir" EXIT
|
||||||
|
|
||||||
|
@ -37,23 +45,37 @@ jobs:
|
||||||
# Create a new project with the runner and the release workflow only
|
# Create a new project with the runner and the release workflow only
|
||||||
#
|
#
|
||||||
rsync -a --exclude .git ./ $dir/
|
rsync -a --exclude .git ./ $dir/
|
||||||
rm $(find $dir/.forgejo/workflows/*.yml | grep -v release.yml)
|
rm $(find $dir/.forgejo/workflows/*.yml | grep -v build-release.yml)
|
||||||
forgejo-test-helper.sh push $dir $url root runner |& tee $dir/pushed
|
forgejo-test-helper.sh push $dir $url root runner |& tee $dir/pushed
|
||||||
eval $(grep '^sha=' < $dir/pushed)
|
eval $(grep '^sha=' < $dir/pushed)
|
||||||
|
|
||||||
#
|
#
|
||||||
# Push a tag to trigger the release workflow and wait for it to complete
|
# Push a tag to trigger the release workflow and wait for it to complete
|
||||||
#
|
#
|
||||||
forgejo-test-helper.sh api POST $url repos/root/runner/tags ${{ steps.forgejo.outputs.token }} --data-raw '{"tag_name": "v1.2.3", "target": "'$sha'"}'
|
forgejo-test-helper.sh api POST $url repos/root/runner/tags ${{ steps.forgejo.outputs.token }} --data-raw '{"tag_name": "v'$version'", "target": "'$sha'"}'
|
||||||
LOOPS=180 forgejo-test-helper.sh wait_success "$url" root/runner $sha
|
LOOPS=180 forgejo-test-helper.sh wait_success "$url" root/runner $sha
|
||||||
|
|
||||||
#
|
#
|
||||||
# Minimal sanity checks. e2e test is for the setup-forgejo action
|
# uncomment to see the logs even when everything is reported to be working ok
|
||||||
# and the infrastructure playbook.
|
|
||||||
#
|
#
|
||||||
curl -L -sS $url/root/runner/releases/download/v1.2.3/forgejo-runner-amd64 > forgejo-runner
|
#cat $FORGEJO_RUNNER_LOGS
|
||||||
chmod +x forgejo-runner
|
|
||||||
./forgejo-runner --version | grep 1.2.3
|
#
|
||||||
curl -L -sS $url/root/runner/releases/download/v1.2.3/forgejo-runner-amd64.sha256 > forgejo-runner.one
|
# Minimal sanity checks. e2e test is for the setup-forgejo action
|
||||||
shasum -a 256 < forgejo-runner | cut -f1 -d ' ' > forgejo-runner.two
|
#
|
||||||
diff forgejo-runner.one forgejo-runner.two
|
for arch in amd64 arm64 ; do
|
||||||
|
binary=forgejo-runner-$version-linux-$arch
|
||||||
|
for suffix in '' '.xz' ; do
|
||||||
|
curl --fail -L -sS $url/root/runner/releases/download/v$version/$binary$suffix > $binary$suffix
|
||||||
|
if test "$suffix" = .xz ; then
|
||||||
|
unxz --keep $binary$suffix
|
||||||
|
fi
|
||||||
|
chmod +x $binary
|
||||||
|
./$binary --version | grep $version
|
||||||
|
curl --fail -L -sS $url/root/runner/releases/download/v$version/$binary$suffix.sha256 > $binary$suffix.sha256
|
||||||
|
shasum -a 256 --check $binary$suffix.sha256
|
||||||
|
rm $binary$suffix
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
docker pull ${{ steps.forgejo.outputs.host-port }}/root/runner:$version
|
|
@ -1,3 +1,13 @@
|
||||||
|
# SPDX-License-Identifier: MIT
|
||||||
|
#
|
||||||
|
# https://code.forgejo.org/forgejo/runner
|
||||||
|
#
|
||||||
|
# Build the runner binaries and OCI images
|
||||||
|
#
|
||||||
|
# ROLE: forgejo-integration
|
||||||
|
# DOER: release-team
|
||||||
|
# TOKEN: <generated from codeberg.org/release-team>
|
||||||
|
#
|
||||||
name: Build release
|
name: Build release
|
||||||
|
|
||||||
on:
|
on:
|
||||||
|
@ -8,126 +18,86 @@ jobs:
|
||||||
release:
|
release:
|
||||||
runs-on: self-hosted
|
runs-on: self-hosted
|
||||||
# root is used for testing, allow it
|
# root is used for testing, allow it
|
||||||
if: github.repository_owner == 'forgejo-integration' || github.repository_owner == 'root'
|
if: secrets.ROLE == 'forgejo-integration' || github.repository_owner == 'root'
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v3
|
||||||
|
|
||||||
- id: verbose
|
- name: Increase the verbosity when there are no secrets
|
||||||
|
id: verbose
|
||||||
run: |
|
run: |
|
||||||
# if there are no secrets, be verbose
|
|
||||||
if test -z "${{ secrets.TOKEN }}"; then
|
if test -z "${{ secrets.TOKEN }}"; then
|
||||||
value=true
|
value=true
|
||||||
else
|
else
|
||||||
value=false
|
value=false
|
||||||
fi
|
fi
|
||||||
echo "value=$value" >> "$GITHUB_OUTPUT"
|
echo "value=$value" >> "$GITHUB_OUTPUT"
|
||||||
echo "shell=set -x" >> "$GITHUB_OUTPUT"
|
|
||||||
|
|
||||||
- id: registry
|
- name: Sanitize the name of the repository
|
||||||
|
id: repository
|
||||||
run: |
|
run: |
|
||||||
${{ steps.verbose.outputs.shell }}
|
repository="${{ github.repository }}"
|
||||||
|
echo "value=${repository##*/}" >> "$GITHUB_OUTPUT"
|
||||||
|
|
||||||
|
- name: create test TOKEN
|
||||||
|
id: token
|
||||||
|
if: ${{ secrets.TOKEN == '' }}
|
||||||
|
run: |
|
||||||
|
apt-get -qq install -y jq
|
||||||
url="${{ env.GITHUB_SERVER_URL }}"
|
url="${{ env.GITHUB_SERVER_URL }}"
|
||||||
hostport=${url##http*://}
|
hostport=${url##http*://}
|
||||||
hostport=${hostport%%/}
|
hostport=${hostport%%/}
|
||||||
echo "host-port=${hostport}" >> "$GITHUB_OUTPUT"
|
doer=root
|
||||||
if ! [[ $url =~ ^http:// ]] ; then
|
api=http://$doer:admin1234@$hostport/api/v1/users/$doer/tokens
|
||||||
exit 0
|
curl -sS -X DELETE $api/release
|
||||||
fi
|
token=$(curl -sS -X POST -H 'Content-Type: application/json' --data-raw '{"name": "release", "scopes": ["all"]}' $api | jq --raw-output .sha1)
|
||||||
|
echo "value=${token}" >> "$GITHUB_OUTPUT"
|
||||||
|
|
||||||
|
- name: version from ref_name
|
||||||
|
id: tag-version
|
||||||
|
run: |
|
||||||
|
version="${{ github.ref_name }}"
|
||||||
|
version=${version##*v}
|
||||||
|
echo "value=$version" >> "$GITHUB_OUTPUT"
|
||||||
|
|
||||||
|
- name: release notes
|
||||||
|
id: release-notes
|
||||||
|
run: |
|
||||||
|
anchor=${{ steps.tag-version.outputs.value }}
|
||||||
|
anchor=${anchor//./-}
|
||||||
cat >> "$GITHUB_OUTPUT" <<EOF
|
cat >> "$GITHUB_OUTPUT" <<EOF
|
||||||
insecure=true
|
value<<ENDVAR
|
||||||
buildx-config<<ENDVAR
|
See https://code.forgejo.org/forgejo/runner/src/branch/main/RELEASE-NOTES.md#$anchor
|
||||||
[registry."${hostport}"]
|
|
||||||
http = true
|
|
||||||
ENDVAR
|
ENDVAR
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
- id: secrets
|
- name: build without TOKEN
|
||||||
run: |
|
|
||||||
token="${{ secrets.TOKEN }}"
|
|
||||||
doer="${{ secrets.DOER }}"
|
|
||||||
if test -z "$token"; then
|
|
||||||
apt-get -qq install -y jq
|
|
||||||
doer=root
|
|
||||||
api=http://$doer:admin1234@${{ steps.registry.outputs.host-port }}/api/v1/users/$doer/tokens
|
|
||||||
curl -sS -X DELETE $api/release
|
|
||||||
token=$(curl -sS -X POST -H 'Content-Type: application/json' --data-raw '{"name": "release", "scopes": ["all"]}' $api | jq --raw-output .sha1)
|
|
||||||
fi
|
|
||||||
echo "token=${token}" >> "$GITHUB_OUTPUT"
|
|
||||||
echo "doer=${doer}" >> "$GITHUB_OUTPUT"
|
|
||||||
|
|
||||||
- name: allow docker pull/push to forgejo
|
|
||||||
if: ${{ steps.registry.outputs.insecure }}
|
|
||||||
run: |-
|
|
||||||
mkdir /etc/docker
|
|
||||||
cat > /etc/docker/daemon.json <<EOF
|
|
||||||
{
|
|
||||||
"insecure-registries" : ["${{ steps.registry.outputs.host-port }}"],
|
|
||||||
"bip": "172.26.0.1/16"
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
|
|
||||||
- run: |
|
|
||||||
echo deb http://deb.debian.org/debian bullseye-backports main | tee /etc/apt/sources.list.d/backports.list && apt-get -qq update
|
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qq -y -t bullseye-backports docker.io
|
|
||||||
|
|
||||||
- uses: https://github.com/docker/setup-buildx-action@v2
|
|
||||||
with:
|
|
||||||
config-inline: |
|
|
||||||
${{ steps.registry.outputs.buildx-config }}
|
|
||||||
|
|
||||||
- run: |
|
|
||||||
token="${{ steps.secrets.outputs.token }}" ; test -z "$token" && token="${{ secrets.TOKEN }}"
|
|
||||||
doer="${{ steps.secrets.outputs.doer }}" ; test -z "$doer" && doer="${{ secrets.DOER }}"
|
|
||||||
BASE64_AUTH=`echo -n "$doer:$token" | base64`
|
|
||||||
mkdir -p ~/.docker
|
|
||||||
echo "{\"auths\": {\"$CI_REGISTRY\": {\"auth\": \"$BASE64_AUTH\"}}}" > ~/.docker/config.json
|
|
||||||
env:
|
|
||||||
CI_REGISTRY: "${{ env.GITHUB_SERVER_URL }}${{ env.GITHUB_REPOSITORY_OWNER }}"
|
|
||||||
|
|
||||||
- id: build
|
|
||||||
run: |
|
|
||||||
${{ steps.verbose.outputs.shell }}
|
|
||||||
tag="${{ github.ref_name }}"
|
|
||||||
tag=${tag##*v}
|
|
||||||
echo "tag=$tag" >> "$GITHUB_OUTPUT"
|
|
||||||
echo "image=${{ steps.registry.outputs.host-port }}/${{ github.repository }}:${tag}" >> "$GITHUB_OUTPUT"
|
|
||||||
|
|
||||||
- uses: https://github.com/docker/build-push-action@v4
|
|
||||||
# workaround until https://github.com/docker/build-push-action/commit/d8823bfaed2a82c6f5d4799a2f8e86173c461aba is in @v4 or @v5 is released
|
|
||||||
env:
|
|
||||||
ACTIONS_RUNTIME_TOKEN: ''
|
|
||||||
with:
|
|
||||||
context: .
|
|
||||||
push: true
|
|
||||||
platforms: linux/amd64,linux/arm64
|
|
||||||
tags: ${{ steps.build.outputs.image }}
|
|
||||||
|
|
||||||
- run: |
|
|
||||||
${{ steps.verbose.outputs.shell }}
|
|
||||||
mkdir -p release
|
|
||||||
for arch in amd64 arm64; do
|
|
||||||
docker create --platform linux/$arch --name runner ${{ steps.build.outputs.image }}
|
|
||||||
docker cp runner:/bin/forgejo-runner release/forgejo-runner-$arch
|
|
||||||
shasum -a 256 < release/forgejo-runner-$arch | cut -f1 -d ' ' > release/forgejo-runner-$arch.sha256
|
|
||||||
docker rm runner
|
|
||||||
done
|
|
||||||
|
|
||||||
- name: publish release (when TOKEN secret is NOT set)
|
|
||||||
if: ${{ secrets.TOKEN == '' }}
|
if: ${{ secrets.TOKEN == '' }}
|
||||||
uses: https://code.forgejo.org/actions/forgejo-release@v1
|
uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v1
|
||||||
with:
|
with:
|
||||||
direction: upload
|
forgejo: "${{ env.GITHUB_SERVER_URL }}"
|
||||||
release-dir: release
|
owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
|
||||||
release-notes: "RELEASE-NOTES#${{ steps.build.outputs.tag }}"
|
repository: "${{ steps.repository.outputs.value }}"
|
||||||
token: ${{ steps.secrets.outputs.token }}
|
doer: root
|
||||||
|
tag-version: "${{ steps.tag-version.outputs.value }}"
|
||||||
|
token: ${{ steps.token.outputs.value }}
|
||||||
|
platforms: linux/amd64,linux/arm64
|
||||||
|
release-notes: "${{ steps.release-notes.outputs.value }}"
|
||||||
|
binary-name: forgejo-runner
|
||||||
|
binary-path: /bin/forgejo-runner
|
||||||
verbose: ${{ steps.verbose.outputs.value }}
|
verbose: ${{ steps.verbose.outputs.value }}
|
||||||
|
|
||||||
- name: publish release (when TOKEN secret is set)
|
- name: build with TOKEN
|
||||||
if: ${{ secrets.TOKEN != '' }}
|
if: ${{ secrets.TOKEN != '' }}
|
||||||
uses: https://code.forgejo.org/actions/forgejo-release@v1
|
uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v1
|
||||||
with:
|
with:
|
||||||
direction: upload
|
forgejo: "${{ env.GITHUB_SERVER_URL }}"
|
||||||
release-dir: release
|
owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
|
||||||
release-notes: "RELEASE-NOTES#${{ steps.build.outputs.tag }}"
|
repository: "${{ steps.repository.outputs.value }}"
|
||||||
token: ${{ secrets.TOKEN }}
|
doer: "${{ secrets.DOER }}"
|
||||||
|
tag-version: "${{ steps.tag-version.outputs.value }}"
|
||||||
|
token: "${{ secrets.TOKEN }}"
|
||||||
|
platforms: linux/amd64,linux/arm64
|
||||||
|
release-notes: "${{ steps.release-notes.outputs.value }}"
|
||||||
|
binary-name: forgejo-runner
|
||||||
|
binary-path: /bin/forgejo-runner
|
||||||
verbose: ${{ steps.verbose.outputs.value }}
|
verbose: ${{ steps.verbose.outputs.value }}
|
||||||
|
|
|
@ -1,40 +0,0 @@
|
||||||
name: Publish release
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
tags: 'v*'
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
release:
|
|
||||||
runs-on: self-hosted
|
|
||||||
if: github.repository_owner == 'forgejo-release' && secrets.TOKEN != ''
|
|
||||||
steps:
|
|
||||||
|
|
||||||
- name: install the certificate authority
|
|
||||||
run: |
|
|
||||||
apt-get install -qq -y wget
|
|
||||||
wget --no-check-certificate -O /usr/local/share/ca-certificates/enough.crt https://forgejo.octopuce.forgejo.org/forgejo/enough/raw/branch/main/certs/2023-05-13/ca.crt
|
|
||||||
update-ca-certificates --fresh
|
|
||||||
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: download release
|
|
||||||
uses: https://code.forgejo.org/actions/forgejo-release@v1
|
|
||||||
with:
|
|
||||||
url: https://code.forgejo.org
|
|
||||||
repo: forgejo-integration/runner
|
|
||||||
direction: download
|
|
||||||
release-dir: release
|
|
||||||
download-retry: 60
|
|
||||||
token: ${{ secrets.TOKEN }}
|
|
||||||
|
|
||||||
- name: upload release
|
|
||||||
uses: https://code.forgejo.org/actions/forgejo-release@v1
|
|
||||||
with:
|
|
||||||
url: https://code.forgejo.org
|
|
||||||
repo: forgejo/runner
|
|
||||||
direction: upload
|
|
||||||
release-dir: release
|
|
||||||
release-notes: "RELEASE-NOTES"
|
|
||||||
token: ${{ secrets.TOKEN }}
|
|
||||||
gpg-private-key: ${{ secrets.GPG }}
|
|
|
@ -1,43 +0,0 @@
|
||||||
# SPDX-License-Identifier: MIT
|
|
||||||
name: copy container images from integration to the destination organization
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
tags: 'v*'
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
builder:
|
|
||||||
runs-on: self-hosted
|
|
||||||
if: github.repository_owner == 'forgejo-release' && secrets.TOKEN != ''
|
|
||||||
steps:
|
|
||||||
|
|
||||||
- name: apt-get install docker.io
|
|
||||||
run: |
|
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qq -y docker.io
|
|
||||||
|
|
||||||
- name: login code.forgejo.org
|
|
||||||
uses: https://github.com/docker/login-action@v2
|
|
||||||
with:
|
|
||||||
registry: code.forgejo.org
|
|
||||||
username: ${{ secrets.DOER }}
|
|
||||||
password: ${{ secrets.TOKEN }}
|
|
||||||
|
|
||||||
- id: tag
|
|
||||||
run: |
|
|
||||||
tag="${{ github.ref_name }}"
|
|
||||||
tag=${tag##*v}
|
|
||||||
echo "tag=$tag" >> "$GITHUB_OUTPUT"
|
|
||||||
|
|
||||||
- uses: https://code.forgejo.org/forgejo/forgejo-container-image@v1
|
|
||||||
env:
|
|
||||||
VERIFY: 'false'
|
|
||||||
with:
|
|
||||||
url: https://code.forgejo.org
|
|
||||||
destination-owner: forgejo
|
|
||||||
owner: forgejo-integration
|
|
||||||
suffixes: ' '
|
|
||||||
project: runner
|
|
||||||
tag: ${{ steps.tag.outputs.tag }}
|
|
||||||
doer: ${{ secrets.DOER }}
|
|
||||||
token: ${{ secrets.TOKEN }}
|
|
||||||
verbose: true
|
|
47
.forgejo/workflows/publish-release.yml
Normal file
47
.forgejo/workflows/publish-release.yml
Normal file
|
@ -0,0 +1,47 @@
|
||||||
|
# SPDX-License-Identifier: MIT
|
||||||
|
#
|
||||||
|
# https://forgejo.octopuce.forgejo.org/forgejo-release/runner
|
||||||
|
#
|
||||||
|
# Copies & sign a release from code.forgejo.org/forgejo-integration/runner to code.forgejo.org/forgejo/runner
|
||||||
|
#
|
||||||
|
# ROLE: forgejo-release
|
||||||
|
# FORGEJO: https://code.forgejo.org
|
||||||
|
# FROM_OWNER: forgejo-integration
|
||||||
|
# TO_OWNER: forgejo
|
||||||
|
# DOER: release-team
|
||||||
|
# TOKEN: <generated from codeberg.org/release-team>
|
||||||
|
# GPG_PRIVATE_KEY: <XYZ>
|
||||||
|
# GPG_PASSPHRASE: <ABC>
|
||||||
|
#
|
||||||
|
name: pubish
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
tags: 'v*'
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
publish:
|
||||||
|
runs-on: self-hosted
|
||||||
|
if: secrets.DOER != '' && secrets.FORGEJO != '' && secrets.TO_OWNER != '' && secrets.FROM_OWNER != '' && secrets.TOKEN != ''
|
||||||
|
steps:
|
||||||
|
- name: install the certificate authority
|
||||||
|
if: secrets.ROLE == 'forgejo-release'
|
||||||
|
run: |
|
||||||
|
apt-get install -qq -y wget
|
||||||
|
wget --no-check-certificate -O /usr/local/share/ca-certificates/enough.crt https://forgejo.octopuce.forgejo.org/forgejo/enough/raw/branch/main/certs/2023-05-13/ca.crt
|
||||||
|
update-ca-certificates --fresh
|
||||||
|
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
|
||||||
|
- name: copy & sign
|
||||||
|
uses: https://code.forgejo.org/forgejo/forgejo-build-publish/publish@v1
|
||||||
|
with:
|
||||||
|
forgejo: ${{ secrets.FORGEJO }}
|
||||||
|
from-owner: ${{ secrets.FROM_OWNER }}
|
||||||
|
to-owner: ${{ secrets.TO_OWNER }}
|
||||||
|
ref-name: ${{ github.ref_name }}
|
||||||
|
doer: ${{ secrets.DOER }}
|
||||||
|
token: ${{ secrets.TOKEN }}
|
||||||
|
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
|
||||||
|
gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
|
||||||
|
verbose: ${{ secrets.VERBOSE }}
|
Loading…
Reference in a new issue