build: improve build scripts

This commit is contained in:
sebthom 2025-07-22 14:55:35 +02:00
parent 8dc020d002
commit f66589a163
6 changed files with 55 additions and 61 deletions


@ -6,28 +6,34 @@
# https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
name: Build
on:
on: # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
schedule:
# https://docs.github.com/en/actions/reference/choosing-when-your-workflow-runs/events-that-trigger-workflows
- cron: '0 17 * * 3'
push:
branches-ignore: # build all branches except:
- 'dependabot/**' # prevent GHA triggered twice (once for commit to the branch and once for opening/syncing the PR)
tags-ignore: # don't build tags
- '**'
paths-ignore:
- '**/*.adoc'
- '**/*.md'
- '.act*'
- '.editorconfig'
- '.git*'
- '.github/*.yml'
- '.github/ISSUE_TEMPLATE/*'
- '.github/workflows/stale.yml'
pull_request:
paths-ignore:
- '**/*.adoc'
- '**/*.md'
- '.act*'
- '.editorconfig'
- '.git*'
- '.github/ISSUE_TEMPLATE/*'
- '.github/*.yml'
- '.github/workflows/stale.yml'
schedule:
# https://docs.github.com/en/actions/reference/choosing-when-your-workflow-runs/events-that-trigger-workflows
- cron: '0 17 * * 3'
workflow_dispatch:
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch
inputs:
@ -36,21 +42,24 @@ on:
default: latest
description: Version of the Gitea Act Runner, see https://dl.gitea.com/act_runner/
defaults:
run:
shell: bash
env:
DOCKER_REPO_NAME: gitea-act-runner
TRIVY_CACHE_DIR: ~/.trivy/cache
jobs:
###########################################################
build:
###########################################################
runs-on: ubuntu-latest # https://github.com/actions/runner-images#available-images
timeout-minutes: 30
timeout-minutes: 45
permissions:
packages: write
@ -82,7 +91,7 @@ jobs:
- name: "Show: GitHub context"
env:
GITHUB_CONTEXT: ${{ toJSON(github) }}
run: echo $GITHUB_CONTEXT
run: printf '%s' "$GITHUB_CONTEXT" | python -m json.tool
- name: "Show: environment variables"
@ -165,8 +174,10 @@ jobs:
DOCKER_IMAGE_REPO: ${{ github.repository_owner }}/${{ env.DOCKER_REPO_NAME }}
DOCKER_IMAGE_TAG_PREFIX: ${{ matrix.DOCKER_IMAGE_TAG_PREFIX }}
DOCKER_IMAGE_FLAVOR: ${{ matrix.DOCKER_IMAGE_FLAVOR }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TRIVY_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -eu
if [[ -n "${{ inputs.VERSION }}" ]]; then
export GITEA_ACT_RUNNER_VERSION="${{ inputs.VERSION }}"
else
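Review bot: The added `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` env on the build step is not explained, and it makes the token available to every command in that script rather than only to the consumer that appears to need it (build-image.sh's `--secret "id=github_token,env=GITHUB_TOKEN"` in this same commit); a comment such as `# forwarded by build-image.sh to the Dockerfile as BuildKit secret "github_token" for authenticated GitHub API calls` would record why the variable exists next to the already-present `TRIVY_GITHUB_TOKEN`. Separately, the new `run: printf '%s' "$GITHUB_CONTEXT" | python -m json.tool` depends on a bare `python` being on PATH; the `ubuntu-latest` image normally provides that alias, but `python3 -m json.tool` does not depend on it. The build step's run body continues outside the hunk.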


@ -1,4 +1,4 @@
# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions
# https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
name: Stale issues
on:
@ -15,41 +15,6 @@ permissions:
jobs:
stale:
runs-on: ubuntu-latest
steps:
- name: Git checkout
uses: actions/checkout@v4 # https://github.com/actions/checkout
- name: Run stale action
uses: actions/stale@v9 # https://github.com/actions/stale
with:
days-before-stale: 90
days-before-close: 14
stale-issue-message: >
This issue has been automatically marked as stale because it has not had
recent activity. It will be closed in 14 days if no further activity occurs.
If the issue is still valid, please add a respective comment to prevent this
issue from being closed automatically. Thank you for your contributions.
stale-issue-label: stale
close-issue-label: wontfix
exempt-issue-labels: |
enhancement
pinned
security
- name: Run stale action (for enhancements)
uses: actions/stale@v9 # https://github.com/actions/stale
with:
days-before-stale: 360
days-before-close: 14
stale-issue-message: >
This issue has been automatically marked as stale because it has not had
recent activity. It will be closed in 14 days if no further activity occurs.
If the issue is still valid, please add a respective comment to prevent this
issue from being closed automatically. Thank you for your contributions.
stale-issue-label: stale
close-issue-label: wontfix
only-labels: enhancement
exempt-issue-labels: |
pinned
security
- name: Run stale action
uses: sebthom/gha-shared/.github/actions/stale@v1
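Review bot: The replacement step `uses: sebthom/gha-shared/.github/actions/stale@v1` references a mutable tag, so the stale policy that was previously visible here (days-before-stale/close, labels, messages) can now change without a commit to this repository; pinning to a full commit SHA with the version in a trailing comment, `uses: sebthom/gha-shared/.github/actions/stale@<commit-sha> # v1` (placeholder), keeps the behaviour reproducible and auditable. The removed `actions/stale@v9` lines used tag pinning too, so this may simply follow the repository's convention; if so, a one-line comment above the step naming where the thresholds and exempt labels are now configured would preserve the information the deleted `with:` blocks carried. The hunk header shows the job's `permissions:` block precedes this hunk, outside the view.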

.gitignore vendored

@ -22,7 +22,7 @@ bin/
nb-configuration.xml
# Visual Studio Code
.vscode
/.vscode
# OSX
.DS_Store


@ -84,20 +84,21 @@ echo "
" | sudo tee /etc/buildkitd.toml
builder_name="bx-$(date +%s)-$RANDOM"
run_step "Configure buildx builder" -- docker buildx create \
run_step "buildx builder: configure" -- docker buildx create \
--name "$builder_name" \
--bootstrap \
--config /etc/buildkitd.toml \
--driver-opt network=host `# required for buildx to access the temporary registry` \
--driver docker-container \
--driver-opt image=ghcr.io/dockerhub-mirror/moby__buildkit:latest
trap 'docker buildx rm --force "$builder_name"' EXIT
add_trap "docker buildx rm --force '$builder_name'" EXIT
run_step "buildx builder: inspect" -- docker buildx inspect "$builder_name" --bootstrap
#################################################
# build the image
#################################################
image_name=image_repo:${tags[0]}
image_name=$image_repo:${tags[0]}
build_opts=(
--file "image/Dockerfile"
@ -122,15 +123,18 @@ for key in "${!image_meta[@]}"; do
done
if [[ ${build_multi_arch:-} == "true" ]]; then
build_opts+=(--push)
build_opts+=(--sbom=true) # https://docs.docker.com/build/metadata/attestations/sbom/#create-sbom-attestations
build_opts+=(--platform "$platforms")
build_opts+=(--tag "$LOCAL_REGISTRY/$image_name")
build_opts+=(--sbom=true) # https://docs.docker.com/build/metadata/attestations/sbom/#create-sbom-attestations
build_opts+=(--output "type=registry,name=${LOCAL_REGISTRY}/${image_name},registry.http=true,registry.insecure=true")
else
build_opts+=(--output "type=docker,load=true")
build_opts+=(--tag "$image_name")
fi
if [[ -n ${GITHUB_TOKEN:-} ]]; then
build_opts+=(--secret "id=github_token,env=GITHUB_TOKEN")
fi
if [[ $OSTYPE == "cygwin" || $OSTYPE == "msys" ]]; then
project_root=$(cygpath -w "$project_root")
fi
@ -143,10 +147,16 @@ run_step "Building docker image [$image_name]..." -- \
# load image into local docker daemon for testing
#################################################
if [[ ${build_multi_arch:-} == "true" ]]; then
run_step "Load image into local daemon for testing" @@ "
docker pull '$LOCAL_REGISTRY/$image_name';
docker tag '$LOCAL_REGISTRY/$image_name' '$image_name'
"
# cannot use "regctl image copy ... " which does not support loading into docker daemon https://github.com/regclient/regclient/issues/568
# cannot use "docker pull '$LOCAL_REGISTRY/$image_name'" which does not support ad-hoc pulling from unsecure registries - must be allowed in docker daemon config
run_step "Load image into local daemon for testing" -- \
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
--network host `# required to access the temporary registry` \
quay.io/skopeo/stable:latest \
copy --src-tls-verify=false \
"docker://$LOCAL_REGISTRY/$image_name" \
"docker-daemon:$image_name"
fi
@ -178,16 +188,18 @@ function regctl() {
--network host `# required to access the temporary registry` \
ghcr.io/regclient/regctl:latest \
--host "reg=$LOCAL_REGISTRY,tls=disabled" \
--verbosity debug \
"${@}"
}
if [[ ${DOCKER_PUSH:-} == "true" ]]; then
for tag in "${tags[@]}"; do
regctl image copy --referrers "$LOCAL_REGISTRY/$image_name" "docker.io/$image_repo:$tag"
# cannot use "skopeo copy ... " which does not support SBOMs https://github.com/containers/skopeo/issues/2393
regctl image copy --digest-tags --include-external --referrers "$LOCAL_REGISTRY/$image_name" "docker.io/$image_repo:$tag"
done
fi
if [[ ${DOCKER_PUSH_GHCR:-} == "true" ]]; then
for tag in "${tags[@]}"; do
regctl image copy --referrers "$LOCAL_REGISTRY/$image_name" "ghcr.io/$image_repo:$tag"
regctl image copy --digest-tags --include-external --referrers "$LOCAL_REGISTRY/$image_name" "ghcr.io/$image_repo:$tag"
done
fi
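Review bot: The new skopeo invocation in the load-image block runs `quay.io/skopeo/stable:latest` with the host's Docker socket bind-mounted, so whatever image that floating tag resolves to on a given day gets full control of the local daemon; pinning it by digest, `quay.io/skopeo/stable@sha256:<digest> # vX.Y` (placeholder), makes the build reproducible and limits the impact of the upstream tag being repointed. The same applies to the pre-existing context lines `ghcr.io/regclient/regctl:latest` and `ghcr.io/dockerhub-mirror/moby__buildkit:latest`; `--src-tls-verify=false` is scoped to the temporary local registry and is appropriate there. The added `--verbosity debug` in the regctl wrapper deserves a check that regclient does not print request headers at that level, since the same wrapper performs the authenticated pushes to docker.io and ghcr.io and the step output may be a public log. The `regctl()` function begins outside the last hunk.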


@ -34,7 +34,7 @@ ARG GITEA_ACT_RUNNER_VERSION
# https://github.com/hadolint/hadolint/wiki/DL3008 Pin versions
# hadolint ignore=DL3008
RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
RUN --mount=type=secret,id=github_token,required=false --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
/mnt/shared/cmd/debian-install-os-updates.sh
/mnt/shared/cmd/debian-install-support-tools.sh
@ -70,13 +70,19 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
echo "Downloading UPX..."
echo "#################################################"
apt-get install --no-install-recommends -y xz-utils
if [[ -f /run/secrets/github_token ]]; then
auth=(-H "Authorization: Bearer $(cat /run/secrets/github_token)")
fi
mkdir /opt/upx
# https://api.github.com/repos/upx/upx/releases/latest -> points to 5.0.1 which crashes with "3972 Segmentation fault (core dumped) docker --version"
# https://api.github.com/repos/upx/upx/releases/154915740 -> points to 4.2.4
upx_download_url=$(curl "https://api.github.com/repos/upx/upx/releases/154915740" | grep browser_download_url | grep "${upx_arch}_linux.tar.xz" | cut "-d\"" -f4)
upx_download_url=$(curl "${auth[@]:-}" "https://api.github.com/repos/upx/upx/releases/154915740" | grep browser_download_url | grep "${upx_arch}_linux.tar.xz" | cut "-d\"" -f4)
echo "Downloading [$upx_download_url]..."
curl "$upx_download_url" | tar Jxv -C /opt/upx --strip-components=1
/opt/upx/upx --version
apt-get remove -y xz-utils
fi
minimize /usr/bin/tini-static
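Review bot: `curl "${auth[@]:-}" "https://api.github.com/..."` on the upx_download_url line passes a single empty-string argument when no secret was mounted, because `"${array[@]:-}"` on an unset array expands to `""` rather than to nothing; curl then sees an empty URL beside the real one and reports an error for it, which is noisy at best and may abort the step if this heredoc shell runs with `set -e`/`pipefail`. Initialising the array before the check, `auth=()`, and expanding it as `"${auth[@]}"` removes the stray argument (bash 4.4+ treats an empty array as zero words even under `set -u`). With the token embedded in the `-H` value the secret also sits on the curl command line, so any `set -x` in this shell would echo it into the build log; a comment noting that tracing must stay off here would help. The enclosing `RUN <<EOF` heredoc begins and ends outside the hunk.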