build: improve build scripts

This commit is contained in:
sebthom 2025-07-22 14:55:35 +02:00
parent 8dc020d002
commit f66589a163
6 changed files with 55 additions and 61 deletions


@ -6,28 +6,34 @@
# https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions # https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
name: Build name: Build
on: on: # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
schedule:
# https://docs.github.com/en/actions/reference/choosing-when-your-workflow-runs/events-that-trigger-workflows
- cron: '0 17 * * 3'
push: push:
branches-ignore: # build all branches except: branches-ignore: # build all branches except:
- 'dependabot/**' # prevent GHA triggered twice (once for commit to the branch and once for opening/syncing the PR) - 'dependabot/**' # prevent GHA triggered twice (once for commit to the branch and once for opening/syncing the PR)
tags-ignore: # don't build tags tags-ignore: # don't build tags
- '**' - '**'
paths-ignore: paths-ignore:
- '**/*.adoc'
- '**/*.md' - '**/*.md'
- '.act*'
- '.editorconfig' - '.editorconfig'
- '.git*' - '.git*'
- '.github/*.yml' - '.github/*.yml'
- '.github/ISSUE_TEMPLATE/*'
- '.github/workflows/stale.yml' - '.github/workflows/stale.yml'
pull_request: pull_request:
paths-ignore: paths-ignore:
- '**/*.adoc'
- '**/*.md' - '**/*.md'
- '.act*'
- '.editorconfig' - '.editorconfig'
- '.git*' - '.git*'
- '.github/ISSUE_TEMPLATE/*'
- '.github/*.yml' - '.github/*.yml'
- '.github/workflows/stale.yml' - '.github/workflows/stale.yml'
schedule:
# https://docs.github.com/en/actions/reference/choosing-when-your-workflow-runs/events-that-trigger-workflows
- cron: '0 17 * * 3'
workflow_dispatch: workflow_dispatch:
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch
inputs: inputs:
@ -36,21 +42,24 @@ on:
default: latest default: latest
description: Version of the Gitea Act Runner, see https://dl.gitea.com/act_runner/ description: Version of the Gitea Act Runner, see https://dl.gitea.com/act_runner/
defaults: defaults:
run: run:
shell: bash shell: bash
env: env:
DOCKER_REPO_NAME: gitea-act-runner DOCKER_REPO_NAME: gitea-act-runner
TRIVY_CACHE_DIR: ~/.trivy/cache TRIVY_CACHE_DIR: ~/.trivy/cache
jobs: jobs:
########################################################### ###########################################################
build: build:
########################################################### ###########################################################
runs-on: ubuntu-latest # https://github.com/actions/runner-images#available-images runs-on: ubuntu-latest # https://github.com/actions/runner-images#available-images
timeout-minutes: 30 timeout-minutes: 45
permissions: permissions:
packages: write packages: write
@ -82,7 +91,7 @@ jobs:
- name: "Show: GitHub context" - name: "Show: GitHub context"
env: env:
GITHUB_CONTEXT: ${{ toJSON(github) }} GITHUB_CONTEXT: ${{ toJSON(github) }}
run: echo $GITHUB_CONTEXT run: printf '%s' "$GITHUB_CONTEXT" | python -m json.tool
- name: "Show: environment variables" - name: "Show: environment variables"
@ -165,8 +174,10 @@ jobs:
DOCKER_IMAGE_REPO: ${{ github.repository_owner }}/${{ env.DOCKER_REPO_NAME }} DOCKER_IMAGE_REPO: ${{ github.repository_owner }}/${{ env.DOCKER_REPO_NAME }}
DOCKER_IMAGE_TAG_PREFIX: ${{ matrix.DOCKER_IMAGE_TAG_PREFIX }} DOCKER_IMAGE_TAG_PREFIX: ${{ matrix.DOCKER_IMAGE_TAG_PREFIX }}
DOCKER_IMAGE_FLAVOR: ${{ matrix.DOCKER_IMAGE_FLAVOR }} DOCKER_IMAGE_FLAVOR: ${{ matrix.DOCKER_IMAGE_FLAVOR }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TRIVY_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} TRIVY_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: | run: |
set -eu
if [[ -n "${{ inputs.VERSION }}" ]]; then if [[ -n "${{ inputs.VERSION }}" ]]; then
export GITEA_ACT_RUNNER_VERSION="${{ inputs.VERSION }}" export GITEA_ACT_RUNNER_VERSION="${{ inputs.VERSION }}"
else else
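Review bot: The `run:` block that gains `set -eu` still expands `${{ inputs.VERSION }}` directly into the shell text on the two lines after it, and the same step now also carries `GITHUB_TOKEN` in its environment, so unexpected content in that input would execute with the token available. workflow_dispatch inputs can only be supplied by users with write access, which limits the exposure, but the Actions hardening guidance is to route inputs through `env` and read them as shell variables: add `VERSION: ${{ inputs.VERSION }}` under the step's `env:` and change the two lines to `if [[ -n "$VERSION" ]]; then` / `export GITEA_ACT_RUNNER_VERSION="$VERSION"`. The `run:` script continues outside the hunk.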


@ -1,4 +1,4 @@
# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions # https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
name: Stale issues name: Stale issues
on: on:
@ -15,41 +15,6 @@ permissions:
jobs: jobs:
stale: stale:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Git checkout
uses: actions/checkout@v4 # https://github.com/actions/checkout
- name: Run stale action - name: Run stale action
uses: actions/stale@v9 # https://github.com/actions/stale uses: sebthom/gha-shared/.github/actions/stale@v1
with:
days-before-stale: 90
days-before-close: 14
stale-issue-message: >
This issue has been automatically marked as stale because it has not had
recent activity. It will be closed in 14 days if no further activity occurs.
If the issue is still valid, please add a respective comment to prevent this
issue from being closed automatically. Thank you for your contributions.
stale-issue-label: stale
close-issue-label: wontfix
exempt-issue-labels: |
enhancement
pinned
security
- name: Run stale action (for enhancements)
uses: actions/stale@v9 # https://github.com/actions/stale
with:
days-before-stale: 360
days-before-close: 14
stale-issue-message: >
This issue has been automatically marked as stale because it has not had
recent activity. It will be closed in 14 days if no further activity occurs.
If the issue is still valid, please add a respective comment to prevent this
issue from being closed automatically. Thank you for your contributions.
stale-issue-label: stale
close-issue-label: wontfix
only-labels: enhancement
exempt-issue-labels: |
pinned
security
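Review bot: `uses: sebthom/gha-shared/.github/actions/stale@v1` references the shared action by a mutable tag, so whatever `v1` resolves to at run time executes with this workflow's permissions; the replaced `actions/stale@v9` had the same property, but the new reference (which appears to live in a same-owner repository) is the one place left to harden. The usual mitigation is to pin to a full commit SHA and keep the tag as a comment, `uses: sebthom/gha-shared/.github/actions/stale@<commit-sha> # v1`, with Dependabot keeping the SHA current. The job's `permissions:` block sits outside the hunk (only its header shows in the hunk context), so it is worth confirming it grants no more than `issues: write` (plus `pull-requests: write` if the shared action also handles PRs), since the action now decides the stale policy itself.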

2
.gitignore vendored

@ -22,7 +22,7 @@ bin/
nb-configuration.xml nb-configuration.xml
# Visual Studio Code # Visual Studio Code
.vscode /.vscode
# OSX # OSX
.DS_Store .DS_Store


@ -84,20 +84,21 @@ echo "
" | sudo tee /etc/buildkitd.toml " | sudo tee /etc/buildkitd.toml
builder_name="bx-$(date +%s)-$RANDOM" builder_name="bx-$(date +%s)-$RANDOM"
run_step "Configure buildx builder" -- docker buildx create \ run_step "buildx builder: configure" -- docker buildx create \
--name "$builder_name" \ --name "$builder_name" \
--bootstrap \ --bootstrap \
--config /etc/buildkitd.toml \ --config /etc/buildkitd.toml \
--driver-opt network=host `# required for buildx to access the temporary registry` \ --driver-opt network=host `# required for buildx to access the temporary registry` \
--driver docker-container \ --driver docker-container \
--driver-opt image=ghcr.io/dockerhub-mirror/moby__buildkit:latest --driver-opt image=ghcr.io/dockerhub-mirror/moby__buildkit:latest
trap 'docker buildx rm --force "$builder_name"' EXIT add_trap "docker buildx rm --force '$builder_name'" EXIT
run_step "buildx builder: inspect" -- docker buildx inspect "$builder_name" --bootstrap
################################################# #################################################
# build the image # build the image
################################################# #################################################
image_name=image_repo:${tags[0]} image_name=$image_repo:${tags[0]}
build_opts=( build_opts=(
--file "image/Dockerfile" --file "image/Dockerfile"
@ -122,15 +123,18 @@ for key in "${!image_meta[@]}"; do
done done
if [[ ${build_multi_arch:-} == "true" ]]; then if [[ ${build_multi_arch:-} == "true" ]]; then
build_opts+=(--push)
build_opts+=(--sbom=true) # https://docs.docker.com/build/metadata/attestations/sbom/#create-sbom-attestations
build_opts+=(--platform "$platforms") build_opts+=(--platform "$platforms")
build_opts+=(--tag "$LOCAL_REGISTRY/$image_name") build_opts+=(--sbom=true) # https://docs.docker.com/build/metadata/attestations/sbom/#create-sbom-attestations
build_opts+=(--output "type=registry,name=${LOCAL_REGISTRY}/${image_name},registry.http=true,registry.insecure=true")
else else
build_opts+=(--output "type=docker,load=true") build_opts+=(--output "type=docker,load=true")
build_opts+=(--tag "$image_name") build_opts+=(--tag "$image_name")
fi fi
if [[ -n ${GITHUB_TOKEN:-} ]]; then
build_opts+=(--secret "id=github_token,env=GITHUB_TOKEN")
fi
if [[ $OSTYPE == "cygwin" || $OSTYPE == "msys" ]]; then if [[ $OSTYPE == "cygwin" || $OSTYPE == "msys" ]]; then
project_root=$(cygpath -w "$project_root") project_root=$(cygpath -w "$project_root")
fi fi
@ -143,10 +147,16 @@ run_step "Building docker image [$image_name]..." -- \
# load image into local docker daemon for testing # load image into local docker daemon for testing
################################################# #################################################
if [[ ${build_multi_arch:-} == "true" ]]; then if [[ ${build_multi_arch:-} == "true" ]]; then
run_step "Load image into local daemon for testing" @@ " # cannot use "regctl image copy ... " which does not support loading into docker daemon https://github.com/regclient/regclient/issues/568
docker pull '$LOCAL_REGISTRY/$image_name'; # cannot use "docker pull '$LOCAL_REGISTRY/$image_name'" which does not support ad-hoc pulling from unsecure registries - must be allowed in docker daemon config
docker tag '$LOCAL_REGISTRY/$image_name' '$image_name' run_step "Load image into local daemon for testing" -- \
" docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
--network host `# required to access the temporary registry` \
quay.io/skopeo/stable:latest \
copy --src-tls-verify=false \
"docker://$LOCAL_REGISTRY/$image_name" \
"docker-daemon:$image_name"
fi fi
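Review bot: The new load step runs `quay.io/skopeo/stable:latest` with the host Docker socket mounted (`-v /var/run/docker.sock:/var/run/docker.sock`), which gives that container root-equivalent control of the build host, yet the image is selected by a floating tag, so its content can change between runs without any change to this script. Pin it by digest, `quay.io/skopeo/stable@sha256:<digest> # <version>`, and refresh the digest deliberately; the pre-existing `ghcr.io/regclient/regctl:latest` in the regctl function (the hunk below) and the buildkit image in the builder setup have the same shape and could be pinned in the same pass. `--src-tls-verify=false` is acceptable only because the source is the temporary local registry; a short comment saying so next to that flag, `# source is the temporary plain-HTTP local registry`, would keep it from being copied into a push path.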
@ -178,16 +188,18 @@ function regctl() {
--network host `# required to access the temporary registry` \ --network host `# required to access the temporary registry` \
ghcr.io/regclient/regctl:latest \ ghcr.io/regclient/regctl:latest \
--host "reg=$LOCAL_REGISTRY,tls=disabled" \ --host "reg=$LOCAL_REGISTRY,tls=disabled" \
--verbosity debug \
"${@}" "${@}"
} }
if [[ ${DOCKER_PUSH:-} == "true" ]]; then if [[ ${DOCKER_PUSH:-} == "true" ]]; then
for tag in "${tags[@]}"; do for tag in "${tags[@]}"; do
regctl image copy --referrers "$LOCAL_REGISTRY/$image_name" "docker.io/$image_repo:$tag" # cannot use "skopeo copy ... " which does not support SBOMs https://github.com/containers/skopeo/issues/2393
regctl image copy --digest-tags --include-external --referrers "$LOCAL_REGISTRY/$image_name" "docker.io/$image_repo:$tag"
done done
fi fi
if [[ ${DOCKER_PUSH_GHCR:-} == "true" ]]; then if [[ ${DOCKER_PUSH_GHCR:-} == "true" ]]; then
for tag in "${tags[@]}"; do for tag in "${tags[@]}"; do
regctl image copy --referrers "$LOCAL_REGISTRY/$image_name" "ghcr.io/$image_repo:$tag" regctl image copy --digest-tags --include-external --referrers "$LOCAL_REGISTRY/$image_name" "ghcr.io/$image_repo:$tag"
done done
fi fi


@ -34,7 +34,7 @@ ARG GITEA_ACT_RUNNER_VERSION
# https://github.com/hadolint/hadolint/wiki/DL3008 Pin versions # https://github.com/hadolint/hadolint/wiki/DL3008 Pin versions
# hadolint ignore=DL3008 # hadolint ignore=DL3008
RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF RUN --mount=type=secret,id=github_token,required=false --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
/mnt/shared/cmd/debian-install-os-updates.sh /mnt/shared/cmd/debian-install-os-updates.sh
/mnt/shared/cmd/debian-install-support-tools.sh /mnt/shared/cmd/debian-install-support-tools.sh
@ -70,13 +70,19 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
echo "Downloading UPX..." echo "Downloading UPX..."
echo "#################################################" echo "#################################################"
apt-get install --no-install-recommends -y xz-utils apt-get install --no-install-recommends -y xz-utils
if [[ -f /run/secrets/github_token ]]; then
auth=(-H "Authorization: Bearer $(cat /run/secrets/github_token)")
fi
mkdir /opt/upx mkdir /opt/upx
# https://api.github.com/repos/upx/upx/releases/latest -> points to 5.0.1 which crashes with "3972 Segmentation fault (core dumped) docker --version" # https://api.github.com/repos/upx/upx/releases/latest -> points to 5.0.1 which crashes with "3972 Segmentation fault (core dumped) docker --version"
# https://api.github.com/repos/upx/upx/releases/154915740 -> points to 4.2.4 # https://api.github.com/repos/upx/upx/releases/154915740 -> points to 4.2.4
upx_download_url=$(curl "https://api.github.com/repos/upx/upx/releases/154915740" | grep browser_download_url | grep "${upx_arch}_linux.tar.xz" | cut "-d\"" -f4) upx_download_url=$(curl "${auth[@]:-}" "https://api.github.com/repos/upx/upx/releases/154915740" | grep browser_download_url | grep "${upx_arch}_linux.tar.xz" | cut "-d\"" -f4)
echo "Downloading [$upx_download_url]..." echo "Downloading [$upx_download_url]..."
curl "$upx_download_url" | tar Jxv -C /opt/upx --strip-components=1 curl "$upx_download_url" | tar Jxv -C /opt/upx --strip-components=1
/opt/upx/upx --version /opt/upx/upx --version
apt-get remove -y xz-utils
fi fi
minimize /usr/bin/tini-static minimize /usr/bin/tini-static
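Review bot: `curl "${auth[@]:-}" "https://api.github.com/repos/upx/upx/releases/154915740"` hands curl a single empty argument when no secret was mounted: `${auth[@]:-}` substitutes the empty default for an unset array and the surrounding quotes keep it as a word, so curl sees `""` as an extra URL and will most likely report a malformed-URL error on stderr (the download URL is probably still computed, since the pipeline's status is `cut`'s unless pipefail is enabled further up). Initialise the array and drop the default: `auth=()` before the `if [[ -f /run/secrets/github_token ]]` line, and `curl "${auth[@]}" "https://api.github.com/repos/upx/upx/releases/154915740" | grep browser_download_url | ...`; on bash >= 4.4 an empty array expands to nothing even under `set -u`. Reading the token from `/run/secrets/github_token` via a `required=false` secret mount keeps it out of image layers and build args, which is the right shape. The enclosing `if` and the `RUN` heredoc's shell options begin outside this hunk.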