rework the build & publish process to mimic Forgejo

2023-08-25 14:25:36 +02:00 · 2023-08-25 14:25:36 +02:00 · fd6764ac8e
commit fd6764ac8e
parent 64137dcfb7
5 changed files with 152 additions and 196 deletions
--- a/.forgejo/workflows/build-release-integration.yml
+++ b/.forgejo/workflows/build-release-integration.yml
@ -5,13 +5,13 @@ on:
    paths:
      - go.mod
      - Dockerfile
-      - .forgejo/workflows/release.yml
-      - .forgejo/workflows/integration.yml
+      - .forgejo/workflows/build-release.yml
+      - .forgejo/workflows/build-release-integration.yml

 jobs:
  release-simulation:
    runs-on: self-hosted
-    if: github.repository_owner != 'forgejo-integration' && github.repository_owner != 'forgejo-experimental' && github.repository_owner != 'forgejo-release'
+    if: github.repository_owner != 'forgejo-integration' && github.repository_owner != 'forgejo-release'
    steps:
      - uses: actions/checkout@v3

@ -23,10 +23,18 @@ jobs:
          image-version: 1.19
          lxc-ip-prefix: 10.0.9

-      - name: publish the runner release
+      - name: publish
        run: |
          set -x

+          version=1.2.3
+          cat > /etc/docker/daemon.json <<EOF
+            {
+              "insecure-registries" : ["${{ steps.forgejo.outputs.host-port }}"]
+            }
+          EOF
+          systemctl restart docker
+
          dir=$(mktemp -d)
          trap "rm -fr $dir" EXIT

@ -37,23 +45,37 @@ jobs:
          # Create a new project with the runner and the release workflow only
          #
          rsync -a --exclude .git ./ $dir/
-          rm $(find $dir/.forgejo/workflows/*.yml | grep -v release.yml)
+          rm $(find $dir/.forgejo/workflows/*.yml | grep -v build-release.yml)
          forgejo-test-helper.sh push $dir $url root runner |& tee $dir/pushed
          eval $(grep '^sha=' < $dir/pushed)

          #
          # Push a tag to trigger the release workflow and wait for it to complete
          #
-          forgejo-test-helper.sh api POST $url repos/root/runner/tags ${{ steps.forgejo.outputs.token }} --data-raw '{"tag_name": "v1.2.3", "target": "'$sha'"}'
+          forgejo-test-helper.sh api POST $url repos/root/runner/tags ${{ steps.forgejo.outputs.token }} --data-raw '{"tag_name": "v'$version'", "target": "'$sha'"}'
          LOOPS=180 forgejo-test-helper.sh wait_success "$url" root/runner $sha

          #
-          # Minimal sanity checks. e2e test is for the setup-forgejo action
-          # and the infrastructure playbook.
+          # uncomment to see the logs even when everything is reported to be working ok
          #
-          curl -L -sS $url/root/runner/releases/download/v1.2.3/forgejo-runner-amd64 > forgejo-runner
-          chmod +x forgejo-runner
-          ./forgejo-runner --version | grep 1.2.3
-          curl -L -sS $url/root/runner/releases/download/v1.2.3/forgejo-runner-amd64.sha256 > forgejo-runner.one
-          shasum -a 256 < forgejo-runner | cut -f1 -d ' ' > forgejo-runner.two
-          diff forgejo-runner.one forgejo-runner.two
+          #cat $FORGEJO_RUNNER_LOGS
+
+          #
+          # Minimal sanity checks. e2e test is for the setup-forgejo action
+          #
+          for arch in amd64 arm64 ; do
+            binary=forgejo-runner-$version-linux-$arch
+            for suffix in '' '.xz' ; do
+              curl --fail -L -sS $url/root/runner/releases/download/v$version/$binary$suffix > $binary$suffix
+              if test "$suffix" = .xz ; then
+                 unxz --keep $binary$suffix
+              fi
+              chmod +x $binary
+              ./$binary --version | grep $version
+              curl --fail -L -sS $url/root/runner/releases/download/v$version/$binary$suffix.sha256 > $binary$suffix.sha256
+              shasum -a 256 --check $binary$suffix.sha256
+              rm $binary$suffix
+            done
+          done
+
+          docker pull ${{ steps.forgejo.outputs.host-port }}/root/runner:$version
--- a/.forgejo/workflows/build-release.yml
+++ b/.forgejo/workflows/build-release.yml
@ -1,3 +1,13 @@
+# SPDX-License-Identifier: MIT
+#
+# https://code.forgejo.org/forgejo/runner
+#
+#  Build the runner binaries and OCI images
+#
+#  ROLE: forgejo-integration
+#  DOER: release-team
+#  TOKEN: <generated from codeberg.org/release-team>
+#
 name: Build release

 on:
@ -8,126 +18,86 @@ jobs:
  release:
    runs-on: self-hosted
    # root is used for testing, allow it
-    if: github.repository_owner == 'forgejo-integration' || github.repository_owner == 'root'
+    if: secrets.ROLE == 'forgejo-integration' || github.repository_owner == 'root'
    steps:
      - uses: actions/checkout@v3

-      - id: verbose
+      - name: Increase the verbosity when there are no secrets
+        id: verbose
        run: |
-          # if there are no secrets, be verbose
          if test -z "${{ secrets.TOKEN }}"; then
            value=true
          else
            value=false
          fi
          echo "value=$value" >> "$GITHUB_OUTPUT"
-          echo "shell=set -x" >> "$GITHUB_OUTPUT"

-      - id: registry
+      - name: Sanitize the name of the repository
+        id: repository
        run: |
-          ${{ steps.verbose.outputs.shell }}
+          repository="${{ github.repository }}"
+          echo "value=${repository##*/}" >> "$GITHUB_OUTPUT"
+
+      - name: create test TOKEN
+        id: token
+        if: ${{ secrets.TOKEN == '' }}
+        run: |
+          apt-get -qq install -y jq
          url="${{ env.GITHUB_SERVER_URL }}"
          hostport=${url##http*://}
          hostport=${hostport%%/}
-          echo "host-port=${hostport}" >> "$GITHUB_OUTPUT"
-          if ! [[ $url =~ ^http:// ]] ; then
-             exit 0
-          fi
+          doer=root
+          api=http://$doer:admin1234@$hostport/api/v1/users/$doer/tokens
+          curl -sS -X DELETE $api/release
+          token=$(curl -sS -X POST -H 'Content-Type: application/json' --data-raw '{"name": "release", "scopes": ["all"]}' $api | jq --raw-output .sha1)
+          echo "value=${token}" >> "$GITHUB_OUTPUT"
+
+      - name: version from ref_name
+        id: tag-version
+        run: |
+          version="${{ github.ref_name }}"
+          version=${version##*v}
+          echo "value=$version" >> "$GITHUB_OUTPUT"
+
+      - name: release notes
+        id: release-notes
+        run: |
+          anchor=${{ steps.tag-version.outputs.value }}
+          anchor=${anchor//./-}
          cat >> "$GITHUB_OUTPUT" <<EOF
-          insecure=true
-          buildx-config<<ENDVAR
-          [registry."${hostport}"]
-            http = true
+          value<<ENDVAR
+          See https://code.forgejo.org/forgejo/runner/src/branch/main/RELEASE-NOTES.md#$anchor
          ENDVAR
          EOF

-      - id: secrets
-        run: |
-          token="${{ secrets.TOKEN }}"
-          doer="${{ secrets.DOER }}"
-          if test -z "$token"; then
-             apt-get -qq install -y jq
-             doer=root
-             api=http://$doer:admin1234@${{ steps.registry.outputs.host-port }}/api/v1/users/$doer/tokens
-             curl -sS -X DELETE $api/release
-             token=$(curl -sS -X POST -H 'Content-Type: application/json' --data-raw '{"name": "release", "scopes": ["all"]}' $api | jq --raw-output .sha1)
-          fi
-          echo "token=${token}" >> "$GITHUB_OUTPUT"
-          echo "doer=${doer}" >> "$GITHUB_OUTPUT"
-
-      - name: allow docker pull/push to forgejo
-        if: ${{ steps.registry.outputs.insecure }}
-        run: |-
-          mkdir /etc/docker
-          cat > /etc/docker/daemon.json <<EOF
-            {
-              "insecure-registries" : ["${{ steps.registry.outputs.host-port }}"],
-              "bip": "172.26.0.1/16"
-            }
-          EOF
-
-      - run: |
-          echo deb http://deb.debian.org/debian bullseye-backports main | tee /etc/apt/sources.list.d/backports.list && apt-get -qq update
-          DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qq -y -t bullseye-backports docker.io
-          
-      - uses: https://github.com/docker/setup-buildx-action@v2
-        with:
-          config-inline: |
-           ${{ steps.registry.outputs.buildx-config }}
-
-      - run: |
-          token="${{ steps.secrets.outputs.token }}" ; test -z "$token" && token="${{ secrets.TOKEN }}"
-          doer="${{ steps.secrets.outputs.doer }}" ; test -z "$doer" && doer="${{ secrets.DOER }}"
-          BASE64_AUTH=`echo -n "$doer:$token" | base64`
-          mkdir -p ~/.docker
-          echo "{\"auths\": {\"$CI_REGISTRY\": {\"auth\": \"$BASE64_AUTH\"}}}" > ~/.docker/config.json
-        env:
-          CI_REGISTRY: "${{ env.GITHUB_SERVER_URL }}${{ env.GITHUB_REPOSITORY_OWNER }}"
-
-      - id: build
-        run: |
-          ${{ steps.verbose.outputs.shell }}
-          tag="${{ github.ref_name }}"
-          tag=${tag##*v}
-          echo "tag=$tag" >> "$GITHUB_OUTPUT"
-          echo "image=${{ steps.registry.outputs.host-port }}/${{ github.repository }}:${tag}" >> "$GITHUB_OUTPUT"
-          
-      - uses: https://github.com/docker/build-push-action@v4
-        # workaround until https://github.com/docker/build-push-action/commit/d8823bfaed2a82c6f5d4799a2f8e86173c461aba is in @v4 or @v5 is released
-        env:
-          ACTIONS_RUNTIME_TOKEN: ''
-        with:
-          context: .
-          push: true
-          platforms: linux/amd64,linux/arm64
-          tags: ${{ steps.build.outputs.image }}
-
-      - run: |
-          ${{ steps.verbose.outputs.shell }}
-          mkdir -p release
-          for arch in amd64 arm64; do
-            docker create --platform linux/$arch --name runner ${{ steps.build.outputs.image }}
-            docker cp runner:/bin/forgejo-runner release/forgejo-runner-$arch
-            shasum -a 256 < release/forgejo-runner-$arch | cut -f1 -d ' ' > release/forgejo-runner-$arch.sha256
-            docker rm runner
-          done
-
-      - name: publish release (when TOKEN secret is NOT set)
+      - name: build without TOKEN
        if: ${{ secrets.TOKEN == '' }}
-        uses: https://code.forgejo.org/actions/forgejo-release@v1
+        uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v1
        with:
-          direction: upload
-          release-dir: release
-          release-notes: "RELEASE-NOTES#${{ steps.build.outputs.tag }}"
-          token: ${{ steps.secrets.outputs.token }}
+          forgejo: "${{ env.GITHUB_SERVER_URL }}"
+          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
+          repository: "${{ steps.repository.outputs.value }}"
+          doer: root
+          tag-version: "${{ steps.tag-version.outputs.value }}"
+          token: ${{ steps.token.outputs.value }}
+          platforms: linux/amd64,linux/arm64
+          release-notes: "${{ steps.release-notes.outputs.value }}"
+          binary-name: forgejo-runner
+          binary-path: /bin/forgejo-runner
          verbose: ${{ steps.verbose.outputs.value }}

-      - name: publish release (when TOKEN secret is set)
+      - name: build with TOKEN
        if: ${{ secrets.TOKEN != '' }}
-        uses: https://code.forgejo.org/actions/forgejo-release@v1
+        uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v1
        with:
-          direction: upload
-          release-dir: release
-          release-notes: "RELEASE-NOTES#${{ steps.build.outputs.tag }}"
-          token: ${{ secrets.TOKEN }}
+          forgejo: "${{ env.GITHUB_SERVER_URL }}"
+          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
+          repository: "${{ steps.repository.outputs.value }}"
+          doer: "${{ secrets.DOER }}"
+          tag-version: "${{ steps.tag-version.outputs.value }}"
+          token: "${{ secrets.TOKEN }}"
+          platforms: linux/amd64,linux/arm64
+          release-notes: "${{ steps.release-notes.outputs.value }}"
+          binary-name: forgejo-runner
+          binary-path: /bin/forgejo-runner
          verbose: ${{ steps.verbose.outputs.value }}
--- a/.forgejo/workflows/publish-binary.yml
+++ b/.forgejo/workflows/publish-binary.yml
@ -1,40 +0,0 @@
-name: Publish release
-
-on: 
-  push:
-    tags: 'v*'
-
-jobs:
-  release:
-    runs-on: self-hosted
-    if: github.repository_owner == 'forgejo-release' && secrets.TOKEN != ''
-    steps:
-
-      - name: install the certificate authority
-        run: |
-          apt-get install -qq -y wget
-          wget --no-check-certificate -O /usr/local/share/ca-certificates/enough.crt https://forgejo.octopuce.forgejo.org/forgejo/enough/raw/branch/main/certs/2023-05-13/ca.crt
-          update-ca-certificates --fresh
-
-      - uses: actions/checkout@v3
-
-      - name: download release
-        uses: https://code.forgejo.org/actions/forgejo-release@v1
-        with:
-          url: https://code.forgejo.org
-          repo: forgejo-integration/runner
-          direction: download
-          release-dir: release
-          download-retry: 60
-          token: ${{ secrets.TOKEN }}
-
-      - name: upload release
-        uses: https://code.forgejo.org/actions/forgejo-release@v1
-        with:
-          url: https://code.forgejo.org
-          repo: forgejo/runner
-          direction: upload
-          release-dir: release
-          release-notes: "RELEASE-NOTES"
-          token: ${{ secrets.TOKEN }}
-          gpg-private-key: ${{ secrets.GPG }}
--- a/.forgejo/workflows/publish-container-image.yml
+++ b/.forgejo/workflows/publish-container-image.yml
@ -1,43 +0,0 @@
-# SPDX-License-Identifier: MIT
-name: copy container images from integration to the destination organization
-
-on: 
-  push:
-    tags: 'v*'
-
-jobs:
-  builder:
-    runs-on: self-hosted
-    if: github.repository_owner == 'forgejo-release' && secrets.TOKEN != ''
-    steps:
-
-    - name: apt-get install docker.io
-      run: |
-        DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qq -y docker.io
-
-    - name: login code.forgejo.org
-      uses: https://github.com/docker/login-action@v2
-      with:
-          registry: code.forgejo.org
-          username: ${{ secrets.DOER }}
-          password: ${{ secrets.TOKEN }}
-
-    - id: tag
-      run: |
-        tag="${{ github.ref_name }}"
-        tag=${tag##*v}
-        echo "tag=$tag" >> "$GITHUB_OUTPUT"
-
-    - uses: https://code.forgejo.org/forgejo/forgejo-container-image@v1
-      env:
-        VERIFY: 'false'
-      with:
-        url: https://code.forgejo.org
-        destination-owner: forgejo
-        owner: forgejo-integration
-        suffixes: ' '
-        project: runner
-        tag: ${{ steps.tag.outputs.tag }}
-        doer: ${{ secrets.DOER }}
-        token: ${{ secrets.TOKEN }}
-        verbose: true
--- a/.forgejo/workflows/publish-release.yml
+++ b/.forgejo/workflows/publish-release.yml
@ -0,0 +1,47 @@
+# SPDX-License-Identifier: MIT
+#
+# https://forgejo.octopuce.forgejo.org/forgejo-release/runner
+#
+#  Copies & sign a release from code.forgejo.org/forgejo-integration/runner to code.forgejo.org/forgejo/runner
+#
+#  ROLE: forgejo-release
+#  FORGEJO: https://code.forgejo.org
+#  FROM_OWNER: forgejo-integration
+#  TO_OWNER: forgejo
+#  DOER: release-team
+#  TOKEN: <generated from codeberg.org/release-team>
+#  GPG_PRIVATE_KEY: <XYZ>
+#  GPG_PASSPHRASE: <ABC>
+#
+name: pubish
+
+on:
+  push:
+    tags: 'v*'
+
+jobs:
+  publish:
+    runs-on: self-hosted
+    if: secrets.DOER != '' && secrets.FORGEJO != '' && secrets.TO_OWNER != '' && secrets.FROM_OWNER != '' && secrets.TOKEN != ''
+    steps:
+      - name: install the certificate authority
+        if: secrets.ROLE == 'forgejo-release'
+        run: |
+          apt-get install -qq -y wget
+          wget --no-check-certificate -O /usr/local/share/ca-certificates/enough.crt https://forgejo.octopuce.forgejo.org/forgejo/enough/raw/branch/main/certs/2023-05-13/ca.crt
+          update-ca-certificates --fresh
+
+      - uses: actions/checkout@v3
+
+      - name: copy & sign
+        uses: https://code.forgejo.org/forgejo/forgejo-build-publish/publish@v1
+        with:
+          forgejo: ${{ secrets.FORGEJO }}
+          from-owner: ${{ secrets.FROM_OWNER }}
+          to-owner: ${{ secrets.TO_OWNER }}
+          ref-name: ${{ github.ref_name }}
+          doer: ${{ secrets.DOER }}
+          token: ${{ secrets.TOKEN }}
+          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+          gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          verbose: ${{ secrets.VERBOSE }}