runners
/
docker-gitea-act-runner
mirror of https://github.com/vegardit/docker-gitea-act-runner.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

build: improve build config

This commit is contained in:
sebthom 2025-05-21 20:51:43 +02:00
parent 77aa1ef1b8
commit 518ee6962c
8 changed files with 147 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitattributes vendored
View File

@ -61,6 +61,7 @@
*.python text
*.sql text
**/Dockerfile text eol=lf
**/*.Dockerfile text eol=lf
# Archives

83
.github/workflows/build.yml vendored
View File

@ -3,7 +3,7 @@
# SPDX-License-Identifier: Apache-2.0
# SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-act-runner
#
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions
name: Build
on:
@ -26,10 +26,10 @@ on:
- '.github/*.yml'
- '.github/workflows/stale.yml'
schedule:
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
# https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
- cron: '0 17 * * 3'
workflow_dispatch:
# https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
# https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow_dispatch
inputs:
VERSION:
type: string
@ -41,7 +41,7 @@ defaults:
shell: bash
env:
DOCKER_IMAGE_REPO: ${{ github.repository_owner }}/gitea-act-runner
DOCKER_REPO_NAME: gitea-act-runner
TRIVY_CACHE_DIR: ~/.trivy/cache
jobs:
@ -49,6 +49,11 @@ jobs:
###########################################################
build:
###########################################################
runs-on: ubuntu-latest # https://github.com/actions/runner-images#available-images
timeout-minutes: 30
permissions:
packages: write
strategy:
matrix:
@ -73,9 +78,6 @@ jobs:
GITEA_ACT_RUNNER_VERSION: nightly
fail-fast: true
runs-on: ubuntu-latest # https://github.com/actions/runner-images#available-images
timeout-minutes: 30
steps:
- name: "Show: GitHub context"
env:
@ -91,11 +93,21 @@ jobs:
uses: actions/checkout@v4 # https://github.com/actions/checkout
- name: Run the sh-checker
uses: luizm/action-sh-checker@master # https://github.com/marketplace/actions/sh-checker
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SHFMT_OPTS: --simplify --keep-padding
with:
sh_checker_comment: true
sh_checker_checkbashisms_enable: true
sh_checker_shfmt_disable: true
- name: Check Dockerfile
uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: image/Dockerfile
ignore: DL3008,SC1091 # https://github.com/hadolint/hadolint/wiki/DL3008
- name: Cache trivy cache
@ -117,22 +129,19 @@ jobs:
- name: "Determine if docker images shall be published"
id: docker_push_actions
run: |
# ACT -> https://nektosact.com/usage/index.html#skipping-steps
set -x
if [[ $GITHUB_REF_NAME == 'main' && $GITHUB_EVENT_NAME != 'pull_request' && -z "$ACT" ]]; then
echo "DOCKER_PUSH_GHCR=true" >> "$GITHUB_ENV"
echo "DOCKER_PUSH_GHCR=true" >> $GITHUB_OUTPUT
if [[ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ]]; then
echo "DOCKER_PUSH=true" >> "$GITHUB_ENV"
fi
fi
- name: Install regclient
if: ${{ env.DOCKER_PUSH_GHCR }}
uses: iarekylew00t/regctl-installer@v3
- name: Login to docker.io
if: ${{ env.DOCKER_PUSH }}
uses: docker/login-action@v3
@ -147,14 +156,16 @@ jobs:
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build ${{ env.DOCKER_IMAGE_REPO }}:${{ env.DOCKER_IMAGE_TAG }}
- name: Build ${{ env.DOCKER_REPO_NAME }}:${{ env.DOCKER_IMAGE_TAG }}
env:
DOCKER_BASE_IMAGE: ghcr.io/dockerhub-mirror/debian:stable-slim
DOCKER_IMAGE_REPO: ${{ github.repository_owner }}/${{ env.DOCKER_REPO_NAME }}
DOCKER_IMAGE_TAG_PREFIX: ${{ matrix.DOCKER_IMAGE_TAG_PREFIX }}
DOCKER_IMAGE_FLAVOR: ${{ matrix.DOCKER_IMAGE_FLAVOR }}
TRIVY_GITHUB_TOKEN: ${{ github.token }}
TRIVY_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
if [[ -n "${{ inputs.VERSION }}" ]]; then
export GITEA_ACT_RUNNER_VERSION="${{ inputs.VERSION }}"
@ -163,20 +174,32 @@ jobs:
fi
bash build-image.sh
outputs:
DOCKER_PUSH_GHCR: ${{ steps.docker_push_actions.outputs.DOCKER_PUSH_GHCR }}
###########################################################
delete-untagged-images:
###########################################################
runs-on: ubuntu-latest # https://github.com/actions/runner-images#available-images
timeout-minutes: 5
needs: [build]
if: ${{ needs.build.outputs.DOCKER_PUSH_GHCR }}
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false
permissions:
packages: write
steps:
- name: Delete untagged images
uses: actions/github-script@v7
if: ${{ env.DOCKER_PUSH_GHCR }}
continue-on-error: true
uses: dataaxiom/ghcr-cleanup-action@v1
with:
github-token: ${{ secrets.GHA_DELETE_PACKAGES }}
script: |
const imageName = /[^/]*$/.exec(process.env.DOCKER_IMAGE_REPO)[0]
const basePath = `/orgs/${{ github.repository_owner }}/packages/container/${imageName}/versions`
for (version of (await github.request(`GET ${basePath}`, { per_page: 100 })).data) {
if (version.metadata.container.tags.length == 0) {
console.log(`deleting ${version.name}...`)
const delResponse = await github.request(`DELETE ${basePath}/${version.id}`)
console.log(`status: ${delResponse.status}`)
}
}
package: ${{ env.DOCKER_REPO_NAME }}
delete-untagged: true
delete-partial-images: true
delete-ghost-images: true
delete-orphaned-images: true
validate: true

2
.github/workflows/stale.yml vendored
View File

@ -1,4 +1,4 @@
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions
name: Stale issues
on:

2
CODE_OF_CONDUCT.md
View File

@ -60,7 +60,7 @@ representative at an online or offline event.
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at
https://vegardit.com/about/legal/.
https://vegardit.com/en/legal/.
All complaints will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the

2
README.md
View File

@ -13,7 +13,7 @@
## <a name="what-is-it"></a>What is it?
`debian:stable-slim` based Docker image containing [Gitea](https://gitea.com)'s [act_runner](https://gitea.com/gitea/act_runner/)
Multi-arch Docker image based on `debian:stable-slim` containing [Gitea](https://gitea.com)'s [act_runner](https://gitea.com/gitea/act_runner/)
#### Why not using Alpine Linux?
- musl-libc - Alpine's Greatest Weakness https://www.linkedin.com/pulse/musl-libc-alpines-greatest-weakness-rogan-lynch

81
build-image.sh
View File

@ -16,20 +16,10 @@ source "$shared_lib/lib/build-image-init.sh"
#################################################
# check prereqs
#################################################
if [[ "${DOCKER_PUSH:-}" == "true" ]]; then
if ! hash regctl &>/dev/null; then
log ERROR "regctl (aka regclient) command line tool is misssing!"
fi
fi
#################################################
# specify target docker registry/repo
# specify target image repo/tag
#################################################
gitea_act_runner_version=${GITEA_ACT_RUNNER_VERSION:-latest}
base_image_name=${DOCKER_BASE_IMAGE:-debian:stable-slim}
image_repo=${DOCKER_IMAGE_REPO:-vegardit/gitea-act-runner}
@ -37,13 +27,24 @@ image_repo=${DOCKER_IMAGE_REPO:-vegardit/gitea-act-runner}
# resolve gitea act runner version
#################################################
case $gitea_act_runner_version in
latest) gitea_act_runner_effective_version=$(curl https://gitea.com/gitea/act_runner/releases.rss | grep -oP "releases/tag/v\K\d\.\d\.\d\d?" | head -n 1)
;;
*) gitea_act_runner_effective_version=$gitea_act_runner_version
;;
latest) gitea_act_runner_effective_version=$(curl https://gitea.com/gitea/act_runner/releases.rss | grep -oP "releases/tag/v\K\d\.\d\.\d\d?" | head -n 1) ;;
*) gitea_act_runner_effective_version=$gitea_act_runner_version ;;
esac
image_name=$image_repo:${DOCKER_IMAGE_TAG_PREFIX:-}$gitea_act_runner_version
image_name2=$image_repo:${DOCKER_IMAGE_TAG_PREFIX:-}$gitea_act_runner_effective_version
#################################################
# calculate tags
#################################################
declare -a tags=()
tags+=("$image_repo:${DOCKER_IMAGE_TAG_PREFIX:-}$gitea_act_runner_version")
tags+=("$image_repo:${DOCKER_IMAGE_TAG_PREFIX:-}$gitea_act_runner_effective_version")
tag_args=()
for t in "${tags[@]}"; do
tag_args+=( --tag "$t" )
done
image_name=${tags[0]}
#################################################
@ -58,10 +59,12 @@ fi
set -x
docker --version
docker run --privileged --rm tonistiigi/binfmt --install all
export DOCKER_BUILD_KIT=1
export DOCKER_BUILDKIT=1
export DOCKER_CLI_EXPERIMENTAL=1 # prevents "docker: 'buildx' is not a docker command."
# Register QEMU emulators for all architectures so Docker can run and build multi-arch images
docker run --privileged --rm ghcr.io/dockerhub-mirror/tonistiigi__binfmt --install all
# https://docs.docker.com/build/buildkit/configure/#resource-limiting
echo "
[worker.oci]
@ -70,6 +73,7 @@ echo "
docker buildx version # ensures buildx is enabled
docker buildx create --config /etc/buildkitd.toml --use # prevents: error: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
trap 'docker buildx stop' EXIT
# shellcheck disable=SC2154,SC2046 # base_layer_cache_key is referenced but not assigned / Quote this to prevent word splitting
docker buildx build "$project_root" \
--file "image/Dockerfile" \
@ -78,6 +82,7 @@ docker buildx build "$project_root" \
--build-arg INSTALL_SUPPORT_TOOLS="${INSTALL_SUPPORT_TOOLS:-0}" \
`# using the current date as value for BASE_LAYER_CACHE_KEY, i.e. the base layer cache (that holds system packages with security updates) will be invalidate once per day` \
--build-arg BASE_LAYER_CACHE_KEY="$base_layer_cache_key" \
--build-arg BASE_IMAGE="$base_image_name" \
--build-arg BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
--build-arg GIT_BRANCH="${GIT_BRANCH:-$(git rev-parse --abbrev-ref HEAD)}" \
--build-arg GIT_COMMIT_DATE="$(date -d "@$(git log -1 --format='%at')" --utc +'%Y-%m-%d %H:%M:%S UTC')" \
@ -85,30 +90,20 @@ docker buildx build "$project_root" \
--build-arg GIT_REPO_URL="$(git config --get remote.origin.url)" \
--build-arg GITEA_ACT_RUNNER_VERSION="$gitea_act_runner_effective_version" \
--build-arg FLAVOR="$DOCKER_IMAGE_FLAVOR" \
$(if [[ "${ACT:-}" == "true" || "${DOCKER_PUSH:-}" != "true" ]]; then \
$(if [[ ${ACT:-} == "true" || ${DOCKER_PUSH:-} != "true" ]]; then \
echo -n "--load --output type=docker"; \
else \
echo -n "--platform linux/amd64,linux/arm64,linux/arm/v7"; \
fi) \
-t "$image_name" \
-t "$image_name2" \
$(if [[ "${DOCKER_PUSH:-}" == "true" ]]; then echo -n "--push"; fi) \
"${tag_args[@]}" \
$(if [[ ${DOCKER_PUSH:-} == "true" ]]; then echo -n "--push"; fi) \
"$@"
docker buildx stop
set +x
if [[ "${DOCKER_PUSH:-}" == "true" ]]; then
if [[ ${DOCKER_PUSH:-} == "true" ]]; then
docker image pull "$image_name"
fi
#################################################
# push image to ghcr.io
#################################################
if [[ "${DOCKER_PUSH_GHCR:-}" == "true" ]]; then
(set -x; regctl image copy "$image_name" "ghcr.io/$image_name")
(set -x; regctl image copy "$image_name2" "ghcr.io/$image_name2")
fi
#################################################
# test image
@ -123,6 +118,22 @@ echo
# perform security audit
#################################################
# TODO see https://gitea.com/gitea/act_runner/issues/513
if [[ "${DOCKER_AUDIT_IMAGE:-1}" == 1 && "$GITEA_ACT_RUNNER_VERSION" == "nightly" ]]; then
if [[ ${DOCKER_AUDIT_IMAGE:-1} == "1" && $GITEA_ACT_RUNNER_VERSION == "nightly" ]]; then
bash "$shared_lib/cmd/audit-image.sh" "$image_name"
fi
#################################################
# push image to ghcr.io
#################################################
if [[ ${DOCKER_PUSH_GHCR:-} == "true" ]]; then
for tag in "${tags[@]}"; do
set -x
docker run --rm \
-u "$(id -u):$(id -g)" -e HOME -v "$HOME:$HOME" \
-v /etc/docker/certs.d:/etc/docker/certs.d:ro \
ghcr.io/regclient/regctl:latest \
image copy "$tag" "ghcr.io/$tag"
set +x
done
fi

32
image/Dockerfile
View File

@ -1,4 +1,4 @@
#syntax=docker/dockerfile:1.4
#syntax=docker/dockerfile:1
# see https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#user-content-syntax
# see https://docs.docker.com/build/dockerfile/frontend/
# see https://docs.docker.com/engine/reference/builder/#syntax
@ -7,13 +7,18 @@
# SPDX-FileContributor: Sebastian Thomschke
# SPDX-License-Identifier: Apache-2.0
# SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-act-runner
#
# https://hub.docker.com/_/debian?tab=tags&name=stable-slim
FROM debian:stable-slim
# https://hub.docker.com/_/debian/tags?name=stable-slim
ARG BASE_IMAGE=debian:stable-slim
# https://github.com/hadolint/hadolint/wiki/DL3006 Always tag the version of an image explicitly
# hadolint ignore=DL3006
FROM ${BASE_IMAGE}
LABEL maintainer="Vegard IT GmbH (vegardit.com)"
# https://github.com/hadolint/hadolint/wiki/DL3002 Last USER should not be root
# hadolint ignore=DL3002
USER root
SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
@ -31,8 +36,9 @@ ARG BASE_LAYER_CACHE_KEY
ARG FLAVOR
ARG GITEA_ACT_RUNNER_VERSION
# https://github.com/hadolint/hadolint/wiki/DL3008 Pin versions
# hadolint ignore=DL3008
RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
/mnt/shared/cmd/debian-install-os-updates.sh
/mnt/shared/cmd/debian-install-support-tools.sh
@ -52,7 +58,7 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
}
arch=$(dpkg --print-architecture)
case $arch in
case "$arch" in
armhf) upx_arch=arm; gitea_arch=arm-7 ;;
amd64|arm64) upx_arch=$arch; gitea_arch=$arch ;;
*) echo "Unsupported arch: $arch"; exit 1;;
@ -69,7 +75,7 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
echo "#################################################"
apt-get install --no-install-recommends -y xz-utils
mkdir /opt/upx
upx_download_url=$(curl "https://api.github.com/repos/upx/upx/releases/latest" | grep browser_download_url | grep ${upx_arch}_linux.tar.xz | cut "-d\"" -f4)
upx_download_url=$(curl "https://api.github.com/repos/upx/upx/releases/latest" | grep browser_download_url | grep "${upx_arch}_linux.tar.xz" | cut "-d\"" -f4)
echo "Downloading [$upx_download_url]..."
curl "$upx_download_url" | tar Jxv -C /opt/upx --strip-components=1
/opt/upx/upx --version
@ -81,9 +87,9 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
echo "Downloading Gitea act runner..."
echo "#################################################"
if [[ $GITEA_ACT_RUNNER_VERSION == "nightly" ]]; then
act_runner_download_url=https://dl.gitea.com/act_runner/nightly/act_runner-${GITEA_ACT_RUNNER_VERSION}-linux-${gitea_arch}
act_runner_download_url="https://dl.gitea.com/act_runner/nightly/act_runner-${GITEA_ACT_RUNNER_VERSION}-linux-${gitea_arch}"
else
act_runner_download_url=https://gitea.com/gitea/act_runner/releases/download/v${GITEA_ACT_RUNNER_VERSION}/act_runner-${GITEA_ACT_RUNNER_VERSION}-linux-${gitea_arch}
act_runner_download_url="https://gitea.com/gitea/act_runner/releases/download/v${GITEA_ACT_RUNNER_VERSION}/act_runner-${GITEA_ACT_RUNNER_VERSION}-linux-${gitea_arch}"
fi
echo "Downloading [$act_runner_download_url]..."
curl "$act_runner_download_url" -o /usr/local/bin/act_runner
@ -111,9 +117,11 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
install -m 0755 -d /etc/apt/keyrings
curl "https://download.docker.com/linux/debian/gpg" | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
echo \
"deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
"$(source /etc/os-release && echo "$VERSION_CODENAME")" stable" > /etc/apt/sources.list.d/docker.list
ARCH="$(dpkg --print-architecture)"
# shellcheck disable=SC1091 # Not following: File not included in mock
OS_CODENAME="$(source /etc/os-release && echo "$VERSION_CODENAME")"
echo "deb [arch=$ARCH signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OS_CODENAME stable" > /etc/apt/sources.list.d/docker.list
apt-get update
(set -x; apt-get install --no-install-recommends -y docker-ce containerd.io fuse-overlayfs)
apt-get remove -y gnupg

1
image/run_runner.sh
View File

@ -4,7 +4,6 @@
# SPDX-FileContributor: Sebastian Thomschke
# SPDX-License-Identifier: Apache-2.0
# SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-act-runner
#
# shellcheck disable=SC1091 # Not following: /opt/bash-init.sh was not specified as input
source /opt/bash-init.sh