commit 5639702912af79e8664c776f0e5ff7c6d01abc0c Author: Luke Tainton Date: Wed Jan 14 19:41:55 2026 +0000 Initial diff --git a/.gitea/CODEOWNERS b/.gitea/CODEOWNERS new file mode 100644 index 0000000..e286c1e --- /dev/null +++ b/.gitea/CODEOWNERS @@ -0,0 +1 @@ +* @luke diff --git a/.gitea/workflows-disabled/ci.yml b/.gitea/workflows-disabled/ci.yml new file mode 100644 index 0000000..5c8f102 --- /dev/null +++ b/.gitea/workflows-disabled/ci.yml 
@@ -0,0 +1,95 @@ +name: CI +on: + pull_request: + types: + - opened + - edited + - synchronize + - reopened + +jobs: + ci: + runs-on: ubuntu-latest + steps: + - name: Check out repository code + uses: actions/checkout@v6.0.1 + with: + fetch-depth: 0 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.3.0 + with: + dockerfile: Dockerfile + output-file: hadolint.out + format: sonarqube + no-fail: true + + - name: Setup Python + uses: actions/setup-python@v6 + with: + python-version: "3.14" + + - name: uv cache + uses: actions/cache@v5 + with: + path: /tmp/.uv-cache + key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }} + restore-keys: | + uv-${{ runner.os }}-${{ hashFiles('uv.lock') }} + uv-${{ runner.os }} + + - name: Install dependencies + run: uv sync + + # - name: Lint + # run: | + # uv run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt app/ tests/ + # cat lintreport.txt + + - name: Lint + run: | + uv run pylint --fail-under=8 --recursive=yes --output-format=parseable app/ tests/ + + - name: Unit Test + run: | + uv run coverage run -m pytest -v --junitxml=testresults.xml + uv run coverage xml + sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml + + - name: Minimize uv cache + run: uv cache prune --ci + + - name: Set up environment for Snyk + run: | + uv pip freeze > requirements.txt + mv pyproject.toml pyproject.toml.bak + mv uv.lock uv.lock.bak + + - name: Snyk SAST Scan + uses: snyk/actions/python@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + # command: snyk + args: snyk code test #--all-projects --exclude=.archive + + # - name: SonarQube Scan + # uses: SonarSource/sonarqube-scan-action@v5.2.0 + # env: + # SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }} + # SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }} + + # - name: Snyk Vulnerability Scan + # uses: snyk/actions/python@master + # continue-on-error: true # Sometimes vulns aren't immediately fixable + # env: + # SNYK_TOKEN: ${{ 
secrets.SNYK_TOKEN }} + # with: + # command: snyk + # args: test --all-projects + + - name: Reverse set up environment for Snyk + run: | + rm -f requirements.txt + mv pyproject.toml.bak pyproject.toml + mv uv.lock.bak uv.lock diff --git a/.gitea/workflows-disabled/release.yml b/.gitea/workflows-disabled/release.yml new file mode 100644 index 0000000..b828aee --- /dev/null +++ b/.gitea/workflows-disabled/release.yml 
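Review bot: The `Snyk SAST Scan` step pulls `snyk/actions/python@master`, a mutable branch of a third-party action that is handed `secrets.SNYK_TOKEN`, while every other action in this hunk is at least pinned to a release tag; a force-push to that branch would run arbitrary code with the token, so pin it to a full commit SHA (`uses: snyk/actions/python@<commit-sha>  # vX.Y.Z`) and preferably pin the others by SHA too, since tags are movable. The `Run Hadolint` step sets `no-fail: true` and writes `hadolint.out` in `sonarqube` format, but the SonarQube step that would consume it is commented out, so Dockerfile findings are never surfaced or gating — either drop `no-fail: true` or upload the report. This workflow runs PR head code (`uv sync`, `pytest`) on every `pull_request` event with `SNYK_TOKEN` in the step environment; confirm that the Gitea instance does not expose repository secrets to runs triggered from forks before re-enabling it. Separately, no step installs `uv` and `UV_CACHE_DIR` is never pointed at `/tmp/.uv-cache`, so the cache step presumably caches nothing.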
@@ -0,0 +1,118 @@ +name: Release +on: + workflow_dispatch: + schedule: + - cron: '0 9 * * 0' + +jobs: + # test: + # name: Test + # uses: https://git.tainton.uk/${{ gitea.repository }}/.gitea/workflows/ci.yml@main + + tag: + name: Tag release + uses: https://git.tainton.uk/actions/gha-workflows/.gitea/workflows/release-with-tag.yaml@main + + create_release: + name: Create Release + needs: tag + uses: https://git.tainton.uk/actions/gha-workflows/.gitea/workflows/create-release-preexisting-tag.yaml@main + with: + tag: ${{ needs.tag.outputs.tag_name }} + body: ${{ needs.tag.outputs.changelog }} + secrets: + ACTIONS_TOKEN: ${{ secrets.ACTIONS_TOKEN }} + + # get_release_id: + # name: Get Release ID + # runs-on: ubuntu-latest + # needs: create_release + # outputs: + # releaseid: ${{ steps.getid.outputs.releaseid }} + # steps: + # - name: Get Release ID + # id: getid + # run: | + # rid=$(curl -s -X 'GET' \ + # -H 'accept: application/json' \ + # '${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/releases/latest' | jq -r '.id') + # echo "releaseid=$rid" >> "$GITEA_OUTPUT" + # echo "$rid" + + create_docker: + name: Publish Docker Images + runs-on: ubuntu-latest + needs: [tag, create_release] + steps: + - name: Update Docker configuration + continue-on-error: true + run: | + mkdir -p /etc/default + mkdir -p /etc/docker + touch -a /etc/default/docker + touch -a /etc/docker/daemon.json + echo "DOCKER_OPTS=\"--insecure-registry ${{ vars.PACKAGES_REGISTRY_URL }}\"" >> /etc/default/docker + echo "{\"insecure-registries\": [\"${{ vars.PACKAGES_REGISTRY_URL }}\"]}" > /etc/docker/daemon.json + + - name: Get repo name + id: split + run: echo "repo=${REPO##*/}" >> "$GITEA_OUTPUT" + env: + REPO: ${{ gitea.repository }} + + - name: Check out repository + uses: actions/checkout@v6.0.1 + with: + fetch-depth: 0 + ref: ${{ needs.tag.outputs.tag_name }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to Gitea Container Registry + uses: 
docker/login-action@v3 + with: + registry: ${{ vars.PACKAGES_REGISTRY_URL }} + username: ${{ vars.ACTIONS_USERNAME }} + password: ${{ secrets.ACTIONS_TOKEN }} + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ vars.GHCR_USERNAME }} + password: ${{ secrets.GHCR_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + tags: type=semver,pattern=v{{version}},value=${{ needs.tag.outputs.tag_name }} + images: | + ghcr.io/${{ vars.GHCR_USERNAME }}/${{ steps.split.outputs.repo }} + ${{ vars.PACKAGES_REGISTRY_URL }}/${{ gitea.repository }} + + - name: Print metadata + run: | + printf "Annotations:\n${{ steps.meta.outputs.annotations }}" + echo "" + printf "Labels:\n${{ steps.meta.outputs.labels }}" + echo "" + printf "Tags:\n${{ steps.meta.outputs.tags }}" + + - name: Build images + uses: docker/build-push-action@v6 + with: + context: . + push: false + load: true + annotations: ${{ steps.meta.outputs.annotations }} + labels: ${{ steps.meta.outputs.labels }} + tags: ${{ steps.meta.outputs.tags }} + + - name: Push images + run: | + strtags="${{ steps.meta.outputs.tags }}" + readarray -t lines <<<"$strtags" + for element in "${lines[@]}"; do docker push "$element"; done + unset strtags lines diff --git a/.gitea/workflows-disabled/security.yml b/.gitea/workflows-disabled/security.yml new file mode 100644 index 0000000..b671e5d --- /dev/null +++ b/.gitea/workflows-disabled/security.yml 
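Review bot: The `Update Docker configuration` step adds `vars.PACKAGES_REGISTRY_URL` to `insecure-registries` and `--insecure-registry`, which tells the daemon to accept plain HTTP or an unverified certificate for the very registry it then logs into with `secrets.ACTIONS_TOKEN` and pushes release images to; on a hostile network both the token and the image content can be read or swapped. Serve the registry over TLS from a CA the runner trusts (or drop the CA into `/etc/docker/certs.d/<registry>/ca.crt`) and delete this step — as written it also never restarts `dockerd`, so the setting is unlikely to take effect, and `continue-on-error: true` hides whether it did. The `Print metadata` and `Push images` steps splice `${{ steps.meta.outputs.* }}` straight into shell text and use it as the `printf` format string; labels and annotations carry repository metadata, so pass them through `env:` and print with `printf '%s\n' "$META_LABELS"` instead. Every `uses:` here is a mutable tag or `@main`; pin at least the third-party `docker/*` actions to commit SHAs.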
@@ -0,0 +1,36 @@ +name: Security + +on: + workflow_dispatch: + push: + branches: + - main + schedule: + - cron: "@daily" + +jobs: + # sonarqube: + # name: SonarQube + # runs-on: ubuntu-latest + # steps: + # - name: Checkout repo + # uses: actions/checkout@v4.2.2 + + # - name: SonarQube Scan + # uses: SonarSource/sonarqube-scan-action@v5.2.0 + # env: + # SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }} + # SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }} + + snyk: + name: Snyk + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v6.0.1 + + - name: Snyk + uses: snyk/actions/python@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} diff --git a/.gitea/workflows/pr-title-semantic.yml b/.gitea/workflows/pr-title-semantic.yml new file mode 100644 index 0000000..1ed14b2 --- /dev/null +++ b/.gitea/workflows/pr-title-semantic.yml @@ -0,0 +1,18 @@ +name: "Enforce Conventional Commit PR Title" + +on: + pull_request_target: + types: + - opened + - edited + - synchronize + - reopened + +jobs: + validate: + name: Validate PR Title + runs-on: ubuntu-latest + steps: + - uses: https://git.tainton.uk/actions/conventional-commits-check-action@v1.3.0 + with: + commit-message: ${{ gitea.event.pull_request.title }} diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml new file mode 100644 index 0000000..044dd73 --- /dev/null +++ b/.gitea/workflows/release.yml 
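Review bot: The `Snyk` job sets `continue-on-error: true` and pulls `snyk/actions/python@master`, so a failing scan never fails the job and the code that receives `secrets.SNYK_TOKEN` can change upstream without re-review; pin the action to a commit SHA and, if findings are deliberately non-blocking, upload or notify on the output rather than silently continuing. The job also never sets up Python or generates a `requirements.txt` the way ci.yml does, so it is unclear which manifest Snyk will find in a `uv`-managed project — confirm a scan actually runs against the lock file. `cron: "@daily"` is accepted by Gitea's scheduler as far as I know but not by GitHub Actions, which is worth a comment if this file is ever copied across.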
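Review bot: The `validate` job uses `pull_request_target`, which runs with the base repository's token and secrets for pull requests from forks; that is acceptable here only because the job never checks out or executes the PR's code and forwards `gitea.event.pull_request.title` solely as an action input. Record that constraint so it survives future edits, e.g. `# pull_request_target runs privileged: never add actions/checkout of the PR head to this job`, and pin `conventional-commits-check-action` to a commit SHA rather than `@v1.3.0`. If Gitea honours a `permissions:` block, restrict this job to `contents: read` and `pull-requests: read`.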
@@ -0,0 +1,123 @@ +name: Release +on: + workflow_dispatch: + # schedule: + # - cron: '0 9 * * 0' + +jobs: + # test: + # name: Test + # uses: https://git.tainton.uk/${{ gitea.repository }}/.gitea/workflows/ci.yml@main + + # tag: + # name: Tag release + # uses: https://git.tainton.uk/actions/gha-workflows/.gitea/workflows/release-with-tag.yaml@main + + # create_release: + # name: Create Release + # needs: tag + # uses: https://git.tainton.uk/actions/gha-workflows/.gitea/workflows/create-release-preexisting-tag.yaml@main + # with: + # tag: ${{ needs.tag.outputs.tag_name }} + # body: ${{ needs.tag.outputs.changelog }} + # secrets: + # ACTIONS_TOKEN: ${{ secrets.ACTIONS_TOKEN }} + + # get_release_id: + # name: Get Release ID + # runs-on: ubuntu-latest + # needs: create_release + # outputs: + # releaseid: ${{ steps.getid.outputs.releaseid }} + # steps: + # - name: Get Release ID + # id: getid + # run: | + # rid=$(curl -s -X 'GET' \ + # -H 'accept: application/json' \ + # '${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/releases/latest' | jq -r '.id') + # echo "releaseid=$rid" >> "$GITEA_OUTPUT" + # echo "$rid" + + create_docker: + name: Publish Docker Images + runs-on: ubuntu-latest + # needs: [tag, create_release] + needs: [split] + steps: + - name: Update Docker configuration + continue-on-error: true + run: | + mkdir -p /etc/default + mkdir -p /etc/docker + touch -a /etc/default/docker + touch -a /etc/docker/daemon.json + echo "DOCKER_OPTS=\"--insecure-registry ${{ vars.PACKAGES_REGISTRY_URL }}\"" >> /etc/default/docker + echo "{\"insecure-registries\": [\"${{ vars.PACKAGES_REGISTRY_URL }}\"]}" > /etc/docker/daemon.json + + - name: Get repo information + id: split + run: | + echo "repo=${REPO##*/}" >> "$GITEA_OUTPUT" + echo "sha_short=$(git rev-parse --short "$COMMIT_SHA")" >> "$GITEA_OUTPUT" + echo "branch=$(echo ${HEAD_REF#refs/heads/})" >> "$GITEA_OUTPUT" + env: + REPO: ${{ gitea.repository }} + COMMIT_SHA: ${{ gitea.sha }} + HEAD_REF: ${{ 
gitea.head_ref }} + + - name: Check out repository + uses: actions/checkout@v6.0.1 + with: + fetch-depth: 0 + ref: ${{ steps.split.outputs.branch }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to Gitea Container Registry + uses: docker/login-action@v3 + with: + registry: ${{ vars.PACKAGES_REGISTRY_URL }} + username: ${{ vars.ACTIONS_USERNAME }} + password: ${{ secrets.ACTIONS_TOKEN }} + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ vars.GHCR_USERNAME }} + password: ${{ secrets.GHCR_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + tags: type=sha + images: | + ${{ vars.PACKAGES_REGISTRY_URL }}/${{ gitea.repository }} + + - name: Print metadata + run: | + printf "Annotations:\n${{ steps.meta.outputs.annotations }}" + echo "" + printf "Labels:\n${{ steps.meta.outputs.labels }}" + echo "" + printf "Tags:\n${{ steps.meta.outputs.tags }}" + + - name: Build images + uses: docker/build-push-action@v6 + with: + context: . + push: false + load: true + annotations: ${{ steps.meta.outputs.annotations }} + labels: ${{ steps.meta.outputs.labels }} + tags: ${{ steps.meta.outputs.tags }} + + - name: Push images + run: | + strtags="${{ steps.meta.outputs.tags }}" + readarray -t lines <<<"$strtags" + for element in "${lines[@]}"; do docker push "$element"; done + unset strtags lines diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..b39d586 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,18 @@ +FROM --platform=amd64 debian:13.3 + +LABEL maintainer="Luke Tainton " + +USER root + +RUN useradd -r -s /bin/bash -m velocitycmdb + +RUN velocitycmdb + +# Install as service account +RUN pip install velocitycmdb + +# Data will be stored in /home/velocitycmdb/.velocitycmdb/ + +ENTRYPOINT [ "velocitycmdb", "init" ] + +EXPOSE 8086
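Review bot: `create_docker` declares `needs: [split]`, but `split` is a step id inside this same job and no job by that name exists (every other job is commented out), so the workflow will presumably be rejected before it runs; drop the `needs:` line. The `Get repo information` step also runs `git rev-parse --short "$COMMIT_SHA"` before `actions/checkout`, so there is no repository to query yet and `sha_short` will be empty, and `gitea.head_ref` is only populated for pull request events, so on `workflow_dispatch` the checkout `ref:` is an empty string — move the step after checkout and fall back to `gitea.ref_name`. The same `insecure-registries` configuration and `printf "...${{ steps.meta.outputs.* }}"` interpolation as in the disabled release.yml are present here with the same risks: the registry receiving `secrets.ACTIONS_TOKEN` is allowed to be unverified, and repository metadata is used as a printf format string; use TLS with a trusted CA and pass outputs via `env:`. The `Log in to GitHub Container Registry` step still authenticates with `secrets.GHCR_TOKEN` although `images:` no longer lists a ghcr.io image, so that credential is exposed to the job for nothing — remove the step.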
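Review bot: `RUN velocitycmdb` executes the tool before it is installed two lines later, and the plain `debian:13.3` image does not ship `pip` (or Python at all, as far as I know), so the build fails at both `RUN` lines. The comment says the package is installed as the service account, yet `USER root` is in effect through `ENTRYPOINT` and `USER velocitycmdb` is never issued, so the container runs as root; `pip install velocitycmdb` is also unpinned, so each build pulls whatever version PyPI serves that day. Suggested shape below: install Python into an isolated venv, pin the package version (fill in the intended release), and drop to the service account before the entrypoint.
```dockerfile
FROM --platform=amd64 debian:13.3
# … unchanged: LABEL …
RUN apt-get update \
    && apt-get install -y --no-install-recommends python3 python3-venv \
    && rm -rf /var/lib/apt/lists/*
RUN useradd -r -s /bin/bash -m velocitycmdb
# Isolated venv sidesteps Debian's externally-managed-environment refusal;
# pin the release so the pulled code is known and the build is reproducible.
RUN python3 -m venv /opt/velocitycmdb \
    && /opt/velocitycmdb/bin/pip install --no-cache-dir "velocitycmdb==X.Y.Z"
ENV PATH="/opt/velocitycmdb/bin:${PATH}"
# Drop root before the entrypoint; data lands in the service account's home.
USER velocitycmdb
WORKDIR /home/velocitycmdb
ENTRYPOINT [ "velocitycmdb", "init" ]
# … unchanged: EXPOSE …
```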