From fccc482c5d9e4cd6196d675cf1c7e546b5337864 Mon Sep 17 00:00:00 2001
From: sebthom
Date: Thu, 22 Jun 2023 15:18:25 +0200
Subject: [PATCH] create docker tag with exact runner version
---
 .github/workflows/build.yml | 48 ++++++++++++-------
 build-image.sh | 92 +++++++++++++++++++++++++++----------
 image/Dockerfile | 33 +++++++------
 3 files changed, 117 insertions(+), 56 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0e74c4d..593b5d3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -20,6 +20,11 @@ on: - cron: '0 17 * * 3' pull_request: workflow_dispatch: + inputs: + VERSION: + type: string + default: latest + description: Version of the Gitea Act Runner, see https://dl.gitea.com/act_runner/ # https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/ defaults:
@@ -38,12 +43,13 @@ jobs: matrix: include: - DOCKER_IMAGE_FLAVOR: dood - DOCKER_IMAGE_TAG: latest + DOCKER_IMAGE_TAG_PREFIX: "" - DOCKER_IMAGE_FLAVOR: dind - DOCKER_IMAGE_TAG: dind-latest + DOCKER_IMAGE_TAG_PREFIX: dind- - DOCKER_IMAGE_FLAVOR: dind-rootless - DOCKER_IMAGE_TAG: dind-rootless-latest + DOCKER_IMAGE_TAG_PREFIX: dind-rootless- fail-fast: true + steps: - name: Show environment variables run: env | sort
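Review bot: The new `VERSION` input's description does not state the expected format, although the value is used verbatim as the image tag suffix and as the `GITEA_ACT_RUNNER_VERSION` build arg in build-image.sh (first hunk of that file), so `v0.2.3` and `0.2.3` would yield two different tags. The `latest` branch of the resolver there strips the leading `v` from the release tag, so an explicit value presumably has to be given without it as well; saying so in the description would prevent a mis-tagged image, e.g. `description: Version of the Gitea Act Runner without leading "v" (e.g. 0.2.3), or "latest"; see https://dl.gitea.com/act_runner/`. The enclosing `on:` mapping starts before this hunk.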
@@ -72,28 +78,36 @@ jobs: - name: Install dos2unix run: sudo apt-get install --no-install-recommends -y dos2unix + - name: Install regclient + if: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }} # https://github.com/nektos/act#skipping-steps + uses: iarekylew00t/regctl-installer@v1 + - name: Login to docker.io if: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }} # https://github.com/nektos/act#skipping-steps - run: | - docker login docker.io -u "${{ secrets.DOCKER_HUB_USERNAME }}" -p "${{ secrets.DOCKER_HUB_TOKEN }}" + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_TOKEN }} + + - name: Login to ghcr.io + if: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }} # https://github.com/nektos/act#skipping-steps + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ github.token }} - name: Build ${{ env.DOCKER_IMAGE_REPO }}:${{ env.DOCKER_IMAGE_TAG }} env: - DOCKER_IMAGE_TAG: ${{ matrix.DOCKER_IMAGE_TAG }} + DOCKER_IMAGE_TAG_PREFIX: ${{ matrix.DOCKER_IMAGE_TAG_PREFIX }} DOCKER_IMAGE_FLAVOR: ${{ matrix.DOCKER_IMAGE_FLAVOR }} DOCKER_PUSH: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }} TRIVY_GITHUB_TOKEN: ${{ github.token }} - run: bash build-image.sh - - - name: Publish Docker image to GH registry - if: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }} # https://github.com/nektos/act#skipping-steps - uses: truemark/skopeo-copy-action@v1 # https://github.com/truemark/skopeo-copy-action - with: - src-image: "docker://docker.io/${{ env.DOCKER_IMAGE_REPO }}:${{ matrix.DOCKER_IMAGE_TAG }}" - dest-image: "docker://ghcr.io/${{ env.DOCKER_IMAGE_REPO }}:${{ matrix.DOCKER_IMAGE_TAG }}" - dest-username: "${{ github.actor }}" - dest-password: "${{ github.token }}" - multi-arch: "all" + run: | 
+ if [[ -n "${{ inputs.VERSION }}" ]]; then + export GITEA_ACT_RUNNER_VERSION="${{ inputs.VERSION }}" + fi + bash build-image.sh - name: Delete untagged images uses: actions/github-script@v6
diff --git a/build-image.sh b/build-image.sh
index 1994a03..ad17401 100644
--- a/build-image.sh
+++ b/build-image.sh
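Review bot: `${{ inputs.VERSION }}` is expanded into the `run:` script text before the shell sees it, so whatever is typed into the dispatch input becomes shell code; pass it through the step's `env:` and read it as a shell variable instead. Replacing the added `if` block with `GITEA_ACT_RUNNER_VERSION: ${{ inputs.VERSION }}` under `env:` and `run: bash build-image.sh` keeps the non-dispatch behaviour too, because build-image.sh already maps an empty value to `latest` via `${GITEA_ACT_RUNNER_VERSION:-latest}`. The step name `Build ${{ env.DOCKER_IMAGE_REPO }}:${{ env.DOCKER_IMAGE_TAG }}` still references `env.DOCKER_IMAGE_TAG`, which this hunk removes from the step's `env:`, so it now renders with an empty tag. The new `iarekylew00t/regctl-installer@v1` and `docker/login-action@v2` references are mutable tags; since these steps run with registry credentials in scope, pinning them to a commit SHA would be the safer choice. The enclosing `steps:` sequence starts before this hunk.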
@@ -5,17 +5,44 @@ # SPDX-License-Identifier: Apache-2.0 # SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-act-runner +function curl() { + command curl -sSfL --connect-timeout 10 --max-time 30 --retry 3 --retry-all-errors "$@" +} + shared_lib="$(dirname $0)/.shared" -[ -e "$shared_lib" ] || curl -sSf https://raw.githubusercontent.com/vegardit/docker-shared/v1/download.sh?_=$(date +%s) | bash -s v1 "$shared_lib" || exit 1 +[ -e "$shared_lib" ] || curl https://raw.githubusercontent.com/vegardit/docker-shared/v1/download.sh?_=$(date +%s) | bash -s v1 "$shared_lib" || exit 1 source "$shared_lib/lib/build-image-init.sh" +################################################# +# check prereqs +################################################# + +if [[ "${DOCKER_PUSH:-}" == "true" ]]; then + if ! hash regctl &>/dev/null; then + log ERROR "regctl (aka regclient) command line tool is misssing!" + fi +fi + + ################################################# # specify target docker registry/repo ################################################# -docker_registry=${DOCKER_REGISTRY:-docker.io} +gitea_act_runner_version=${GITEA_ACT_RUNNER_VERSION:-latest} image_repo=${DOCKER_IMAGE_REPO:-vegardit/gitea-act-runner} -image_name=$image_repo:${DOCKER_IMAGE_TAG:-latest} + + +################################################# +# resolve gitea act runner version +################################################# +case $gitea_act_runner_version in + latest) gitea_act_runner_effective_version=$(curl https://gitea.com/gitea/act_runner/releases.rss | grep -oP "releases/tag/v\K\d\.\d\.\d" | head -n 1) + ;; + *) gitea_act_runner_effective_version=$gitea_act_runner_version + ;; +esac +image_name=$image_repo:${DOCKER_IMAGE_TAG_PREFIX:-}$gitea_act_runner_version +image_name2=$image_repo:${DOCKER_IMAGE_TAG_PREFIX:-}$gitea_act_runner_effective_version ################################################# 
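Review bot: The `latest` branch of the version resolver matches only single-digit components (`\d\.\d\.\d`), so a release such as 0.2.10 would be silently truncated to `0.2.1` and tagged wrongly; and if the RSS fetch fails or matches nothing, `gitea_act_runner_effective_version` is empty and `image_name2` becomes `repo:prefix`, which only surfaces later in the build/push hunk. Widen the pattern to `\d+\.\d+\.\d+` and fail fast on an empty result. The new prereq check also only logs when `regctl` is absent; unless `log ERROR` terminates the script (it comes from the shared lib, not visible here) the build continues and fails only at `regctl image copy`, after a full multi-arch build, so add an `exit 1` there (and fix the `misssing` typo while at it).
```shell
if [[ "${DOCKER_PUSH:-}" == "true" ]]; then
  if ! hash regctl &>/dev/null; then
    log ERROR "regctl (aka regclient) command line tool is missing!"
    exit 1
  fi
fi

# … unchanged: registry/repo variables …

case $gitea_act_runner_version in
  latest) gitea_act_runner_effective_version=$(curl https://gitea.com/gitea/act_runner/releases.rss | grep -oP "releases/tag/v\K\d+\.\d+\.\d+" | head -n 1)
    ;;
  *) gitea_act_runner_effective_version=$gitea_act_runner_version
    ;;
esac
if [[ -z "$gitea_act_runner_effective_version" ]]; then
  log ERROR "Could not determine the gitea act_runner version to build"
  exit 1
fi
```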
@@ -23,37 +50,50 @@ image_name=$image_repo:${DOCKER_IMAGE_TAG:-latest} ################################################# log INFO "Building docker image [$image_name]..." if [[ $OSTYPE == "cygwin" || $OSTYPE == "msys" ]]; then - project_root=$(cygpath -w "$project_root") + project_root=$(cygpath -w "$project_root") fi # https://github.com/docker/buildx/#building-multi-platform-images +set -x docker run --privileged --rm tonistiigi/binfmt --install all export DOCKER_CLI_EXPERIMENTAL=enabled # prevents "docker: 'buildx' is not a docker command." docker buildx create --use # prevents: error: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") docker buildx build "$project_root" \ - --file "image/Dockerfile" \ - --progress=plain \ - --pull \ - --build-arg INSTALL_SUPPORT_TOOLS=${INSTALL_SUPPORT_TOOLS:-0} \ - `# using the current date as value for BASE_LAYER_CACHE_KEY, i.e. the base layer cache (that holds system packages with security updates) will be invalidate once per day` \ - --build-arg BASE_LAYER_CACHE_KEY=$base_layer_cache_key \ - --build-arg BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \ - --build-arg GIT_BRANCH="${GIT_BRANCH:-$(git rev-parse --abbrev-ref HEAD)}" \ - --build-arg GIT_COMMIT_DATE="$(date -d @$(git log -1 --format='%at') --utc +'%Y-%m-%d %H:%M:%S UTC')" \ - --build-arg GIT_COMMIT_HASH="$(git rev-parse --short HEAD)" \ - --build-arg GIT_REPO_URL="$(git config --get remote.origin.url)" \ - --build-arg FLAVOR=$DOCKER_IMAGE_FLAVOR \ - $(if [[ "${ACT:-}" == "true" ]]; then \ - echo -n "--output type=docker"; \ - else \ - echo -n "--platform linux/amd64,linux/arm64,linux/arm/v7"; \ - fi) \ - -t $image_name \ - $(if [[ "${DOCKER_PUSH:-}" == "true" ]]; then echo -n "--push"; fi) \ - "$@" + --file "image/Dockerfile" \ + --progress=plain \ + --pull \ + --build-arg INSTALL_SUPPORT_TOOLS=${INSTALL_SUPPORT_TOOLS:-0} \ + `# using the current date as value for 
BASE_LAYER_CACHE_KEY, i.e. the base layer cache (that holds system packages with security updates) will be invalidate once per day` \ + --build-arg BASE_LAYER_CACHE_KEY=$base_layer_cache_key \ + --build-arg BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \ + --build-arg GIT_BRANCH="${GIT_BRANCH:-$(git rev-parse --abbrev-ref HEAD)}" \ + --build-arg GIT_COMMIT_DATE="$(date -d @$(git log -1 --format='%at') --utc +'%Y-%m-%d %H:%M:%S UTC')" \ + --build-arg GIT_COMMIT_HASH="$(git rev-parse --short HEAD)" \ + --build-arg GIT_REPO_URL="$(git config --get remote.origin.url)" \ + --build-arg GITEA_ACT_RUNNER_VERSION="$gitea_act_runner_effective_version" \ + --build-arg FLAVOR=$DOCKER_IMAGE_FLAVOR \ + $(if [[ "${ACT:-}" == "true" ]]; then \ + echo -n "--output type=docker"; \ + else \ + echo -n "--platform linux/amd64,linux/arm64,linux/arm/v7"; \ + fi) \ + -t $image_name \ + -t $image_name2 \ + $(if [[ "${DOCKER_PUSH:-}" == "true" ]]; then echo -n "--push"; fi) \ + "$@" docker buildx stop +set +x + + +################################################# +# push image to ghcr.io +################################################# if [[ "${DOCKER_PUSH:-}" == "true" ]]; then + set -x; docker image pull $image_name + regctl image copy $image_name ghcr.io/$image_name + regctl image copy $image_name2 ghcr.io/$image_name2 + set +x fi
@@ -62,7 +102,9 @@ fi ################################################# echo log INFO "Testing docker image [$image_name]..." +set -x docker run --rm $image_name act_runner --version +set +x echo
@@ -70,5 +112,5 @@ echo # perform security audit ################################################# if [[ "${DOCKER_AUDIT_IMAGE:-1}" == 1 ]]; then - bash "$shared_lib/cmd/audit-image.sh" $image_name + bash "$shared_lib/cmd/audit-image.sh" $image_name fi
diff --git a/image/Dockerfile b/image/Dockerfile
index 9307172..54e2b17 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
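Review bot: The new "push image to ghcr.io" block runs before the test section (`docker run --rm $image_name act_runner --version`) and the audit section (`audit-image.sh`), so an image that fails either check is still copied to ghcr.io; before this change the ghcr copy was a separate workflow step that only ran after build-image.sh, including its test and audit, had succeeded. Consider moving the two `regctl image copy` lines (and their `set -x`/`set +x`) below the audit section so ghcr.io only receives an image that passed both; the docker.io `--push` during the buildx build already precedes the test, but that is pre-existing. The `set -x` tracing added around the build also prints every `--build-arg`, including `GIT_REPO_URL`, which is fine as long as the remote URL never carries embedded credentials; a one-line comment stating that assumption next to `set -x` would help the next reader. This hunk also starts in the middle of the `docker buildx build` invocation, whose first lines are in the previous hunk.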
@@ -29,6 +29,7 @@ ARG BASE_LAYER_CACHE_KEY # dood|dind|dind-rootless ARG FLAVOR +ARG GITEA_ACT_RUNNER_VERSION RUN --mount=type=bind,source=.shared,target=/mnt/shared <