diff --git a/.dockerignore b/.dockerignore index 9673dc6..c5e561f 100644 --- a/.dockerignore +++ b/.dockerignore @@ -9,4 +9,4 @@ .shared/.* .shared/*.md .shared/*.txt -image/Dockerfile \ No newline at end of file +image/Dockerfile diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 83e0db4..14b7f05 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -6,28 +6,34 @@ # https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions name: Build -on: +on: # https://docs.github.com/en/actions/reference/events-that-trigger-workflows + schedule: + # https://docs.github.com/en/actions/reference/choosing-when-your-workflow-runs/events-that-trigger-workflows + - cron: '0 17 * * 3' push: branches-ignore: # build all branches except: - 'dependabot/**' # prevent GHA triggered twice (once for commit to the branch and once for opening/syncing the PR) tags-ignore: # don't build tags - '**' paths-ignore: + - '**/*.adoc' - '**/*.md' + - '.act*' - '.editorconfig' - '.git*' - '.github/*.yml' + - '.github/ISSUE_TEMPLATE/*' - '.github/workflows/stale.yml' pull_request: paths-ignore: + - '**/*.adoc' - '**/*.md' + - '.act*' - '.editorconfig' - '.git*' + - '.github/ISSUE_TEMPLATE/*' - '.github/*.yml' - '.github/workflows/stale.yml' - schedule: - # https://docs.github.com/en/actions/reference/choosing-when-your-workflow-runs/events-that-trigger-workflows - - cron: '0 17 * * 3' workflow_dispatch: # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch inputs: 
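Review bot: The two `paths-ignore` lists in the build.yml hunk hold the same entries in different orders — under `push` the new `'.github/ISSUE_TEMPLATE/*'` comes after `'.github/*.yml'`, under `pull_request` it comes before — which makes the lists hard to keep in sync by eye. Since they are meant to be identical, keep them in the same order, e.g. move `- '.github/ISSUE_TEMPLATE/*'` below `- '.github/*.yml'` in the `pull_request` block. The relocated `schedule` entry is unchanged in content and its cron string is correctly quoted.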
@@ -36,21 +42,24 @@ on: default: latest description: Version of the Gitea Act Runner, see https://dl.gitea.com/act_runner/ + defaults: run: shell: bash + env: DOCKER_REPO_NAME: gitea-act-runner TRIVY_CACHE_DIR: ~/.trivy/cache + jobs: ########################################################### build: ########################################################### runs-on: ubuntu-latest # https://github.com/actions/runner-images#available-images - timeout-minutes: 30 + timeout-minutes: 45 permissions: packages: write @@ -82,7 +91,7 @@ jobs: - name: "Show: GitHub context" env: GITHUB_CONTEXT: ${{ toJSON(github) }} - run: echo $GITHUB_CONTEXT + run: printf '%s' "$GITHUB_CONTEXT" | python -m json.tool - name: "Show: environment variables" @@ -165,8 +174,10 @@ jobs: DOCKER_IMAGE_REPO: ${{ github.repository_owner }}/${{ env.DOCKER_REPO_NAME }} DOCKER_IMAGE_TAG_PREFIX: ${{ matrix.DOCKER_IMAGE_TAG_PREFIX }} DOCKER_IMAGE_FLAVOR: ${{ matrix.DOCKER_IMAGE_FLAVOR }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} TRIVY_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | + set -eu if [[ -n "${{ inputs.VERSION }}" ]]; then export GITEA_ACT_RUNNER_VERSION="${{ inputs.VERSION }}" else @@ -189,7 +200,7 @@ jobs: concurrency: group: ${{ github.workflow }} cancel-in-progress: false - + permissions: packages: write diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 9a497bb..46e620c 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -1,4 +1,4 @@ -# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions +# https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions name: Stale issues on: 
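Review bot: The new `run: printf '%s' "$GITHUB_CONTEXT" | python -m json.tool` relies on a bare `python` being on the runner's PATH; on the current `ubuntu-latest` image that resolves to Python 3, but only `python3` is a stable name across runner images. Prefer `python3 -m json.tool` so the step does not start failing when the image changes. Quoting the variable and piping through `printf` instead of `echo $GITHUB_CONTEXT` is an improvement, since the JSON is no longer subject to word splitting and glob expansion.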
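Review bot: `set -eu` is added at the top of the build script, but the same script still splices the `workflow_dispatch` input into shell code as `"${{ inputs.VERSION }}"`, which the commit does not address; the expression is expanded before bash parses the script, so the input is interpreted as shell syntax rather than treated as data. Pass it through the environment instead — add `VERSION: ${{ inputs.VERSION }}` next to the new `GITHUB_TOKEN` entry in `env:` and test `if [[ -n "${VERSION:-}" ]]; then export GITEA_ACT_RUNNER_VERSION="$VERSION"`. With `defaults.run.shell: bash` set earlier in this file, the runner already starts bash with `-e -o pipefail` per the GitHub docs, so the new line effectively adds only `-u`; a short comment saying so would stop a reader from assuming `pipefail` is missing. The script body continues past the end of the hunk.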
@@ -15,41 +15,6 @@ permissions: jobs: stale: runs-on: ubuntu-latest - steps: - - name: Git checkout - uses: actions/checkout@v4 # https://github.com/actions/checkout - - - name: Run stale action - uses: actions/stale@v9 # https://github.com/actions/stale - with: - days-before-stale: 90 - days-before-close: 14 - stale-issue-message: > - This issue has been automatically marked as stale because it has not had - recent activity. It will be closed in 14 days if no further activity occurs. - If the issue is still valid, please add a respective comment to prevent this - issue from being closed automatically. Thank you for your contributions. - stale-issue-label: stale - close-issue-label: wontfix - exempt-issue-labels: | - enhancement - pinned - security - - - name: Run stale action (for enhancements) - uses: actions/stale@v9 # https://github.com/actions/stale - with: - days-before-stale: 360 - days-before-close: 14 - stale-issue-message: > - This issue has been automatically marked as stale because it has not had - recent activity. It will be closed in 14 days if no further activity occurs. - If the issue is still valid, please add a respective comment to prevent this - issue from being closed automatically. Thank you for your contributions. - stale-issue-label: stale - close-issue-label: wontfix - only-labels: enhancement - exempt-issue-labels: | - pinned - security + - name: Run stale action + uses: sebthom/gha-shared/.github/actions/stale@v1 diff --git a/.gitignore b/.gitignore index e527061..bbc5bc3 100644 --- a/.gitignore +++ b/.gitignore @@ -22,7 +22,7 @@ bin/ nb-configuration.xml # Visual Studio Code -.vscode +/.vscode # OSX .DS_Store diff --git a/build-image.sh b/build-image.sh index ac7f019..65d5d80 100644 --- a/build-image.sh +++ b/build-image.sh 
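Review bot: The replacement `uses: sebthom/gha-shared/.github/actions/stale@v1` references the shared action by a mutable tag, so whatever is later published under `v1` runs here with this job's `permissions` (declared above the hunk) without any change to this file; pin it to a full commit SHA and keep the version as a comment, `uses: sebthom/gha-shared/.github/actions/stale@<commit-sha> # v1`. The hunk also drops the explicit thresholds (90/360 days) and the `pinned`/`security` exemption labels, so whether a `security`-labelled issue still stays open now depends on defaults inside the shared action that this diff does not show — worth a one-line comment above the step naming the inherited settings, or passing them explicitly via `with:` if the action accepts inputs. Removing the `actions/checkout` step is fine only if the shared action needs no repository files, which cannot be verified from this page.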
@@ -84,20 +84,21 @@ echo " " | sudo tee /etc/buildkitd.toml builder_name="bx-$(date +%s)-$RANDOM" -run_step "Configure buildx builder" -- docker buildx create \ +run_step "buildx builder: configure" -- docker buildx create \ --name "$builder_name" \ --bootstrap \ --config /etc/buildkitd.toml \ --driver-opt network=host `# required for buildx to access the temporary registry` \ --driver docker-container \ --driver-opt image=ghcr.io/dockerhub-mirror/moby__buildkit:latest -trap 'docker buildx rm --force "$builder_name"' EXIT +add_trap "docker buildx rm --force '$builder_name'" EXIT +run_step "buildx builder: inspect" -- docker buildx inspect "$builder_name" --bootstrap ################################################# # build the image ################################################# -image_name=image_repo:${tags[0]} +image_name=$image_repo:${tags[0]} build_opts=( --file "image/Dockerfile" @@ -122,15 +123,18 @@ for key in "${!image_meta[@]}"; do done if [[ ${build_multi_arch:-} == "true" ]]; then - build_opts+=(--push) - build_opts+=(--sbom=true) # https://docs.docker.com/build/metadata/attestations/sbom/#create-sbom-attestations build_opts+=(--platform "$platforms") - build_opts+=(--tag "$LOCAL_REGISTRY/$image_name") + build_opts+=(--sbom=true) # https://docs.docker.com/build/metadata/attestations/sbom/#create-sbom-attestations + build_opts+=(--output "type=registry,name=${LOCAL_REGISTRY}/${image_name},registry.http=true,registry.insecure=true") else build_opts+=(--output "type=docker,load=true") build_opts+=(--tag "$image_name") fi +if [[ -n ${GITHUB_TOKEN:-} ]]; then + build_opts+=(--secret "id=github_token,env=GITHUB_TOKEN") +fi + if [[ $OSTYPE == "cygwin" || $OSTYPE == "msys" ]]; then project_root=$(cygpath -w "$project_root") fi 
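Review bot: `docker buildx inspect "$builder_name" --bootstrap` repeats the `--bootstrap` already given to `buildx create` a few lines above, so on a healthy builder the second flag does nothing; if the inspect step is meant as a diagnostic dump, say so in its label, e.g. `run_step "buildx builder: inspect (diagnostics)"`, or drop the duplicate flag. The `image_name=$image_repo:${tags[0]}` fix is correct — the old line produced the literal name `image_repo:<tag>`. `add_trap` is presumably a helper defined earlier in the script (outside the hunk); confirm it appends to rather than replaces any EXIT trap registered before this point, since the old `trap ... EXIT` form overwrote whatever was there.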
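Review bot: The new `--output "type=registry,...,registry.http=true,registry.insecure=true"` disables TLS for the push target, which is acceptable only because `$LOCAL_REGISTRY` is the temporary registry the script starts elsewhere (outside this hunk); a comment on that line should say so, so the flags are not copied to the `docker.io`/`ghcr.io` pushes further down, e.g. `# plain HTTP is intentional: LOCAL_REGISTRY is the throw-away build registry on this host`. Passing the token as `--secret "id=github_token,env=GITHUB_TOKEN"` rather than as a build arg is the right choice, since a BuildKit secret is mounted only for the `RUN` that requests it and is not recorded in image layers or history. The matching `--mount=type=secret,id=github_token` in `image/Dockerfile` is not legible in this diff, so that pairing should be checked.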
@@ -143,10 +147,16 @@ run_step "Building docker image [$image_name]..." -- \ # load image into local docker daemon for testing ################################################# if [[ ${build_multi_arch:-} == "true" ]]; then - run_step "Load image into local daemon for testing" @@ " - docker pull '$LOCAL_REGISTRY/$image_name'; - docker tag '$LOCAL_REGISTRY/$image_name' '$image_name' - " + # cannot use "regctl image copy ... " which does not support loading into docker daemon https://github.com/regclient/regclient/issues/568 + # cannot use "docker pull '$LOCAL_REGISTRY/$image_name'" which does not support ad-hoc pulling from unsecure registries - must be allowed in docker daemon config + run_step "Load image into local daemon for testing" -- \ + docker run --rm \ + -v /var/run/docker.sock:/var/run/docker.sock \ + --network host `# required to access the temporary registry` \ + quay.io/skopeo/stable:latest \ + copy --src-tls-verify=false \ + "docker://$LOCAL_REGISTRY/$image_name" \ + "docker-daemon:$image_name" fi @@ -178,16 +188,18 @@ function regctl() { --network host `# required to access the temporary registry` \ ghcr.io/regclient/regctl:latest \ --host "reg=$LOCAL_REGISTRY,tls=disabled" \ + --verbosity debug \ "${@}" } if [[ ${DOCKER_PUSH:-} == "true" ]]; then for tag in "${tags[@]}"; do - regctl image copy --referrers "$LOCAL_REGISTRY/$image_name" "docker.io/$image_repo:$tag" + # cannot use "skopeo copy ... " which does not support SBOMs https://github.com/containers/skopeo/issues/2393 + regctl image copy --digest-tags --include-external --referrers "$LOCAL_REGISTRY/$image_name" "docker.io/$image_repo:$tag" done fi if [[ ${DOCKER_PUSH_GHCR:-} == "true" ]]; then for tag in "${tags[@]}"; do - regctl image copy --referrers "$LOCAL_REGISTRY/$image_name" "ghcr.io/$image_repo:$tag" + regctl image copy --digest-tags --include-external --referrers "$LOCAL_REGISTRY/$image_name" "ghcr.io/$image_repo:$tag" done fi 
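Review bot: The new load step bind-mounts the host Docker socket into `quay.io/skopeo/stable:latest`, a third-party image pulled by a floating tag, so whatever is published under that tag at run time gets root-equivalent control of the daemon. Pin it to a specific version and digest, `quay.io/skopeo/stable:<version>@sha256:<digest>`, and bump it deliberately; the `ghcr.io/regclient/regctl:latest` wrapper below has the same exposure and could be pinned in the same change. `--src-tls-verify=false` is scoped to the temporary `$LOCAL_REGISTRY` source, which the two new comments already explain; the `docker-daemon:` destination is unaffected.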
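Review bot: Adding `--verbosity debug` inside the shared `regctl()` wrapper applies to every call, including the authenticated pushes to `docker.io` and `ghcr.io`, so release logs become permanently verbose and, if regclient's debug output includes request headers, their safety rests entirely on the runner's secret masking. Make it opt-in with a non-debug default, `--verbosity "${REGCTL_VERBOSITY:-info}"`, so the extra output is available when a copy needs investigating. The `--digest-tags --include-external --referrers` additions are consistent between the two copy loops, and the new comment about skopeo lacking SBOM support explains why regctl is kept for the pushes.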
diff --git a/image/Dockerfile b/image/Dockerfile index 760e2c8..c6b1619 100644 --- a/image/Dockerfile +++ b/image/Dockerfile @@ -34,7 +34,7 @@ ARG GITEA_ACT_RUNNER_VERSION # https://github.com/hadolint/hadolint/wiki/DL3008 Pin versions # hadolint ignore=DL3008 -RUN --mount=type=bind,source=.shared,target=/mnt/shared < points to 5.0.1 which crashes with "3972 Segmentation fault (core dumped) docker --version" # https://api.github.com/repos/upx/upx/releases/154915740 -> points to 4.2.4 - upx_download_url=$(curl "https://api.github.com/repos/upx/upx/releases/154915740" | grep browser_download_url | grep "${upx_arch}_linux.tar.xz" | cut "-d\"" -f4) + upx_download_url=$(curl "${auth[@]:-}" "https://api.github.com/repos/upx/upx/releases/154915740" | grep browser_download_url | grep "${upx_arch}_linux.tar.xz" | cut "-d\"" -f4) + echo "Downloading [$upx_download_url]..." curl "$upx_download_url" | tar Jxv -C /opt/upx --strip-components=1 /opt/upx/upx --version + + apt-get remove -y xz-utils fi minimize /usr/bin/tini-static