create docker tag with exact runner version

This commit is contained in:
sebthom 2023-06-22 15:18:25 +02:00
parent dfc5a30aff
commit fccc482c5d
3 changed files with 117 additions and 56 deletions


@ -20,6 +20,11 @@ on:
- cron: '0 17 * * 3' - cron: '0 17 * * 3'
pull_request: pull_request:
workflow_dispatch: workflow_dispatch:
inputs:
VERSION:
type: string
default: latest
description: Version of the Gitea Act Runner, see https://dl.gitea.com/act_runner/
# https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/ # https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
defaults: defaults:
@ -38,12 +43,13 @@ jobs:
matrix: matrix:
include: include:
- DOCKER_IMAGE_FLAVOR: dood - DOCKER_IMAGE_FLAVOR: dood
DOCKER_IMAGE_TAG: latest DOCKER_IMAGE_TAG_PREFIX: ""
- DOCKER_IMAGE_FLAVOR: dind - DOCKER_IMAGE_FLAVOR: dind
DOCKER_IMAGE_TAG: dind-latest DOCKER_IMAGE_TAG_PREFIX: dind-
- DOCKER_IMAGE_FLAVOR: dind-rootless - DOCKER_IMAGE_FLAVOR: dind-rootless
DOCKER_IMAGE_TAG: dind-rootless-latest DOCKER_IMAGE_TAG_PREFIX: dind-rootless-
fail-fast: true fail-fast: true
steps: steps:
- name: Show environment variables - name: Show environment variables
run: env | sort run: env | sort
@ -72,28 +78,36 @@ jobs:
- name: Install dos2unix - name: Install dos2unix
run: sudo apt-get install --no-install-recommends -y dos2unix run: sudo apt-get install --no-install-recommends -y dos2unix
- name: Install regclient
if: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }} # https://github.com/nektos/act#skipping-steps
uses: iarekylew00t/regctl-installer@v1
- name: Login to docker.io - name: Login to docker.io
if: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }} # https://github.com/nektos/act#skipping-steps if: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }} # https://github.com/nektos/act#skipping-steps
run: | uses: docker/login-action@v2
docker login docker.io -u "${{ secrets.DOCKER_HUB_USERNAME }}" -p "${{ secrets.DOCKER_HUB_TOKEN }}" with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
- name: Login to ghcr.io
if: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }} # https://github.com/nektos/act#skipping-steps
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
- name: Build ${{ env.DOCKER_IMAGE_REPO }}:${{ env.DOCKER_IMAGE_TAG }} - name: Build ${{ env.DOCKER_IMAGE_REPO }}:${{ env.DOCKER_IMAGE_TAG }}
env: env:
DOCKER_IMAGE_TAG: ${{ matrix.DOCKER_IMAGE_TAG }} DOCKER_IMAGE_TAG_PREFIX: ${{ matrix.DOCKER_IMAGE_TAG_PREFIX }}
DOCKER_IMAGE_FLAVOR: ${{ matrix.DOCKER_IMAGE_FLAVOR }} DOCKER_IMAGE_FLAVOR: ${{ matrix.DOCKER_IMAGE_FLAVOR }}
DOCKER_PUSH: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }} DOCKER_PUSH: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }}
TRIVY_GITHUB_TOKEN: ${{ github.token }} TRIVY_GITHUB_TOKEN: ${{ github.token }}
run: bash build-image.sh run: |
if [[ -n "${{ inputs.VERSION }}" ]]; then
- name: Publish Docker image to GH registry export GITEA_ACT_RUNNER_VERSION="${{ inputs.VERSION }}"
if: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' && !env.ACT }} # https://github.com/nektos/act#skipping-steps fi
uses: truemark/skopeo-copy-action@v1 # https://github.com/truemark/skopeo-copy-action bash build-image.sh
with:
src-image: "docker://docker.io/${{ env.DOCKER_IMAGE_REPO }}:${{ matrix.DOCKER_IMAGE_TAG }}"
dest-image: "docker://ghcr.io/${{ env.DOCKER_IMAGE_REPO }}:${{ matrix.DOCKER_IMAGE_TAG }}"
dest-username: "${{ github.actor }}"
dest-password: "${{ github.token }}"
multi-arch: "all"
- name: Delete untagged images - name: Delete untagged images
uses: actions/github-script@v6 uses: actions/github-script@v6
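Review bot: `${{ inputs.VERSION }}` is expanded into the step's shell text at the new `if [[ -n ... ]]` / `export GITEA_ACT_RUNNER_VERSION=...` lines, so the workflow_dispatch input is interpolated as script rather than passed as data; a value containing a quote or `$(...)` would execute on the runner after the docker.io and ghcr.io logins have already happened. The step already has an `env:` block, so pass it through there and drop the if/export: add `GITEA_ACT_RUNNER_VERSION: ${{ inputs.VERSION }}` under `env:` and keep `run: bash build-image.sh` — build-image.sh in this same commit falls back via `${GITEA_ACT_RUNNER_VERSION:-latest}`, so an empty value on push/schedule/PR runs is unaffected. The newly added `iarekylew00t/regctl-installer@v1` (and `docker/login-action@v2`) are pinned by mutable tag; pinning third-party actions to a full commit SHA with a `# vX.Y.Z` comment would close that supply-chain gap for a job that holds registry push credentials. The `Delete untagged images` step continues past the end of this hunk.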


@ -5,17 +5,44 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-act-runner # SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-act-runner
function curl() {
command curl -sSfL --connect-timeout 10 --max-time 30 --retry 3 --retry-all-errors "$@"
}
shared_lib="$(dirname $0)/.shared" shared_lib="$(dirname $0)/.shared"
[ -e "$shared_lib" ] || curl -sSf https://raw.githubusercontent.com/vegardit/docker-shared/v1/download.sh?_=$(date +%s) | bash -s v1 "$shared_lib" || exit 1 [ -e "$shared_lib" ] || curl https://raw.githubusercontent.com/vegardit/docker-shared/v1/download.sh?_=$(date +%s) | bash -s v1 "$shared_lib" || exit 1
source "$shared_lib/lib/build-image-init.sh" source "$shared_lib/lib/build-image-init.sh"
#################################################
# check prereqs
#################################################
if [[ "${DOCKER_PUSH:-}" == "true" ]]; then
if ! hash regctl &>/dev/null; then
log ERROR "regctl (aka regclient) command line tool is misssing!"
fi
fi
################################################# #################################################
# specify target docker registry/repo # specify target docker registry/repo
################################################# #################################################
docker_registry=${DOCKER_REGISTRY:-docker.io} gitea_act_runner_version=${GITEA_ACT_RUNNER_VERSION:-latest}
image_repo=${DOCKER_IMAGE_REPO:-vegardit/gitea-act-runner} image_repo=${DOCKER_IMAGE_REPO:-vegardit/gitea-act-runner}
image_name=$image_repo:${DOCKER_IMAGE_TAG:-latest}
#################################################
# resolve gitea act runner version
#################################################
case $gitea_act_runner_version in
latest) gitea_act_runner_effective_version=$(curl https://gitea.com/gitea/act_runner/releases.rss | grep -oP "releases/tag/v\K\d\.\d\.\d" | head -n 1)
;;
*) gitea_act_runner_effective_version=$gitea_act_runner_version
;;
esac
image_name=$image_repo:${DOCKER_IMAGE_TAG_PREFIX:-}$gitea_act_runner_version
image_name2=$image_repo:${DOCKER_IMAGE_TAG_PREFIX:-}$gitea_act_runner_effective_version
################################################# #################################################
@ -23,37 +50,50 @@ image_name=$image_repo:${DOCKER_IMAGE_TAG:-latest}
################################################# #################################################
log INFO "Building docker image [$image_name]..." log INFO "Building docker image [$image_name]..."
if [[ $OSTYPE == "cygwin" || $OSTYPE == "msys" ]]; then if [[ $OSTYPE == "cygwin" || $OSTYPE == "msys" ]]; then
project_root=$(cygpath -w "$project_root") project_root=$(cygpath -w "$project_root")
fi fi
# https://github.com/docker/buildx/#building-multi-platform-images # https://github.com/docker/buildx/#building-multi-platform-images
set -x
docker run --privileged --rm tonistiigi/binfmt --install all docker run --privileged --rm tonistiigi/binfmt --install all
export DOCKER_CLI_EXPERIMENTAL=enabled # prevents "docker: 'buildx' is not a docker command." export DOCKER_CLI_EXPERIMENTAL=enabled # prevents "docker: 'buildx' is not a docker command."
docker buildx create --use # prevents: error: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") docker buildx create --use # prevents: error: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
docker buildx build "$project_root" \ docker buildx build "$project_root" \
--file "image/Dockerfile" \ --file "image/Dockerfile" \
--progress=plain \ --progress=plain \
--pull \ --pull \
--build-arg INSTALL_SUPPORT_TOOLS=${INSTALL_SUPPORT_TOOLS:-0} \ --build-arg INSTALL_SUPPORT_TOOLS=${INSTALL_SUPPORT_TOOLS:-0} \
`# using the current date as value for BASE_LAYER_CACHE_KEY, i.e. the base layer cache (that holds system packages with security updates) will be invalidate once per day` \ `# using the current date as value for BASE_LAYER_CACHE_KEY, i.e. the base layer cache (that holds system packages with security updates) will be invalidate once per day` \
--build-arg BASE_LAYER_CACHE_KEY=$base_layer_cache_key \ --build-arg BASE_LAYER_CACHE_KEY=$base_layer_cache_key \
--build-arg BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \ --build-arg BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
--build-arg GIT_BRANCH="${GIT_BRANCH:-$(git rev-parse --abbrev-ref HEAD)}" \ --build-arg GIT_BRANCH="${GIT_BRANCH:-$(git rev-parse --abbrev-ref HEAD)}" \
--build-arg GIT_COMMIT_DATE="$(date -d @$(git log -1 --format='%at') --utc +'%Y-%m-%d %H:%M:%S UTC')" \ --build-arg GIT_COMMIT_DATE="$(date -d @$(git log -1 --format='%at') --utc +'%Y-%m-%d %H:%M:%S UTC')" \
--build-arg GIT_COMMIT_HASH="$(git rev-parse --short HEAD)" \ --build-arg GIT_COMMIT_HASH="$(git rev-parse --short HEAD)" \
--build-arg GIT_REPO_URL="$(git config --get remote.origin.url)" \ --build-arg GIT_REPO_URL="$(git config --get remote.origin.url)" \
--build-arg FLAVOR=$DOCKER_IMAGE_FLAVOR \ --build-arg GITEA_ACT_RUNNER_VERSION="$gitea_act_runner_effective_version" \
$(if [[ "${ACT:-}" == "true" ]]; then \ --build-arg FLAVOR=$DOCKER_IMAGE_FLAVOR \
echo -n "--output type=docker"; \ $(if [[ "${ACT:-}" == "true" ]]; then \
else \ echo -n "--output type=docker"; \
echo -n "--platform linux/amd64,linux/arm64,linux/arm/v7"; \ else \
fi) \ echo -n "--platform linux/amd64,linux/arm64,linux/arm/v7"; \
-t $image_name \ fi) \
$(if [[ "${DOCKER_PUSH:-}" == "true" ]]; then echo -n "--push"; fi) \ -t $image_name \
"$@" -t $image_name2 \
$(if [[ "${DOCKER_PUSH:-}" == "true" ]]; then echo -n "--push"; fi) \
"$@"
docker buildx stop docker buildx stop
set +x
#################################################
# push image to ghcr.io
#################################################
if [[ "${DOCKER_PUSH:-}" == "true" ]]; then if [[ "${DOCKER_PUSH:-}" == "true" ]]; then
set -x;
docker image pull $image_name docker image pull $image_name
regctl image copy $image_name ghcr.io/$image_name
regctl image copy $image_name2 ghcr.io/$image_name2
set +x
fi fi
@ -62,7 +102,9 @@ fi
################################################# #################################################
echo echo
log INFO "Testing docker image [$image_name]..." log INFO "Testing docker image [$image_name]..."
set -x
docker run --rm $image_name act_runner --version docker run --rm $image_name act_runner --version
set +x
echo echo
@ -70,5 +112,5 @@ echo
# perform security audit # perform security audit
################################################# #################################################
if [[ "${DOCKER_AUDIT_IMAGE:-1}" == 1 ]]; then if [[ "${DOCKER_AUDIT_IMAGE:-1}" == 1 ]]; then
bash "$shared_lib/cmd/audit-image.sh" $image_name bash "$shared_lib/cmd/audit-image.sh" $image_name
fi fi
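Review bot: The `latest)` branch of the version-resolution `case` extracts the release with `\d\.\d\.\d`, which only matches single-digit components: a release such as `v0.2.10` would be truncated to `0.2.1`, so the image would be tagged with, and the Dockerfile would download, a different act_runner than the one the feed advertises; if the RSS format changes, grep matches nothing and (depending on what build-image-init.sh sets for pipefail) the empty result becomes a bare `$image_repo:$DOCKER_IMAGE_TAG_PREFIX` tag and a malformed `releases/download/v/act_runner--linux-...` URL. Use `grep -oP "releases/tag/v\K\d+\.\d+\.\d+"` and then validate the effective version — which also covers a caller-supplied `GITEA_ACT_RUNNER_VERSION` from the workflow input before it reaches tags and build args — with `[[ $gitea_act_runner_effective_version =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { log ERROR "Invalid act_runner version [$gitea_act_runner_effective_version]"; exit 1; }`. The new prereq check only logs `regctl (aka regclient) command line tool is misssing!` without aborting, so a push run would build and push to docker.io and then fail at `regctl image copy`, leaving the two registries out of sync; add `exit 1` after the `log ERROR` call (and fix the typo while there).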


@ -29,6 +29,7 @@ ARG BASE_LAYER_CACHE_KEY
# dood|dind|dind-rootless # dood|dind|dind-rootless
ARG FLAVOR ARG FLAVOR
ARG GITEA_ACT_RUNNER_VERSION
RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
@ -36,14 +37,18 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
/mnt/shared/cmd/debian-install-support-tools.sh /mnt/shared/cmd/debian-install-support-tools.sh
function minimize() { function minimize() {
ls -l "$@" ls -l "$@"
echo "Stripping [$*]..." echo "Stripping [$*]..."
command strip --strip-unneeded "$@" command strip --strip-unneeded "$@"
ls -l "$@" ls -l "$@"
if [[ $UPX_COMPRESS == "true" ]]; then if [[ $UPX_COMPRESS == "true" ]]; then
echo "Compressing [$*]..." echo "Compressing [$*]..."
/opt/upx/upx -9 "$@" || true /opt/upx/upx -9 "$@" || true
fi fi
}
function curl() {
command curl -sSfL --connect-timeout 10 --max-time 30 --retry 3 --retry-all-errors "$@"
} }
echo "#################################################" echo "#################################################"
@ -57,9 +62,9 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
echo "#################################################" echo "#################################################"
apt-get install --no-install-recommends -y xz-utils apt-get install --no-install-recommends -y xz-utils
mkdir /opt/upx mkdir /opt/upx
upx_download_url=$(curl -fsSL "https://api.github.com/repos/upx/upx/releases/latest" | grep browser_download_url | grep amd64_linux.tar.xz | cut "-d\"" -f4) upx_download_url=$(curl "https://api.github.com/repos/upx/upx/releases/latest" | grep browser_download_url | grep amd64_linux.tar.xz | cut "-d\"" -f4)
echo "Downloading [$upx_download_url]..." echo "Downloading [$upx_download_url]..."
curl -fsSL "$upx_download_url" | tar Jxv -C /opt/upx --strip-components=1 curl "$upx_download_url" | tar Jxv -C /opt/upx --strip-components=1
/opt/upx/upx --version /opt/upx/upx --version
fi fi
@ -74,9 +79,9 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
amd64|arm64) ;; amd64|arm64) ;;
*) echo "Unsupported arch: $arch"; exit 1;; *) echo "Unsupported arch: $arch"; exit 1;;
esac esac
act_runner_download_url=$(curl -fsSL "https://gitea.com/gitea/act_runner/releases" | grep -oP "https://gitea.com/gitea/act_runner/releases/download/.*-linux-${arch}" | head -1) act_runner_download_url=https://gitea.com/gitea/act_runner/releases/download/v${GITEA_ACT_RUNNER_VERSION}/act_runner-${GITEA_ACT_RUNNER_VERSION}-linux-${arch}
echo "Downloading [$act_runner_download_url]..." echo "Downloading [$act_runner_download_url]..."
curl -fsSL "$act_runner_download_url" -o /usr/local/bin/act_runner curl "$act_runner_download_url" -o /usr/local/bin/act_runner
chmod 755 /usr/local/bin/act_runner chmod 755 /usr/local/bin/act_runner
minimize /usr/local/bin/act_runner minimize /usr/local/bin/act_runner
act_runner --version act_runner --version
@ -97,7 +102,7 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
# https://docs.docker.com/engine/install/debian/#install-using-the-repository # https://docs.docker.com/engine/install/debian/#install-using-the-repository
apt-get install --no-install-recommends -y gnupg apt-get install --no-install-recommends -y gnupg
install -m 0755 -d /etc/apt/keyrings install -m 0755 -d /etc/apt/keyrings
curl -fsSL "https://download.docker.com/linux/debian/gpg" | gpg --dearmor -o /etc/apt/keyrings/docker.gpg curl "https://download.docker.com/linux/debian/gpg" | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg chmod a+r /etc/apt/keyrings/docker.gpg
echo \ echo \
"deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \ "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
@ -121,7 +126,7 @@ RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
echo 'dockremap:165536:65536' | tee -a /etc/subuid echo 'dockremap:165536:65536' | tee -a /etc/subuid
echo 'dockremap:165536:65536' | tee -a /etc/subgid echo 'dockremap:165536:65536' | tee -a /etc/subgid
curl -sSfL "https://raw.githubusercontent.com/moby/moby/v24.0.2/hack/dind" -o /usr/local/bin/dind-hack curl "https://raw.githubusercontent.com/moby/moby/v24.0.2/hack/dind" -o /usr/local/bin/dind-hack
chmod +x /usr/local/bin/dind-hack chmod +x /usr/local/bin/dind-hack
if [[ $FLAVOR == dind-rootless ]]; then if [[ $FLAVOR == dind-rootless ]]; then