feat(ci): migrate to Gitea

2026-01-05 13:11:17 +00:00
parent 1b2ecc1f11
commit fe8810502a
9 changed files with 172 additions and 42 deletions
--- a/.gitea/CODEOWNERS
+++ b/.gitea/CODEOWNERS
@@ -0,0 +1 @@
+*   @luke
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,51 @@
+name: CI
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Run Hadolint
+        uses: hadolint/hadolint-action@v3.3.0
+        with:
+          dockerfile: Dockerfile
+          output-file: hadolint.out
+          format: tty
+          no-fail: true
+      
+      - name: Print Hadolint Results
+        if: ${{ always() }}
+        run: cat hadolint.out
+
+      # - name: SonarQube Scan
+      #   uses: SonarSource/sonarqube-scan-action@v5.2.0
+      #   env:
+      #     SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
+      #     SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
+
+      # - name: Snyk SAST Scan
+      #   uses: snyk/actions/python@master
+      #   env:
+      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      #   with:
+      #     # command: snyk
+      #     args: snyk code test --all-projects --exclude=.archive
+
+      - name: Snyk Vulnerability Scan
+        uses: snyk/actions/python@master
+        continue-on-error: true # Sometimes vulns aren't immediately fixable
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: test --all-projects
--- a/.gitea/workflows/conventional_commit.yml
+++ b/.gitea/workflows/conventional_commit.yml
@@ -0,0 +1,16 @@
+name: Validate PR Title
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: https://git.tainton.uk/actions/conventional-commits-check-action@v1.3.0
+        with:
+          commit-message: ${{ gitea.event.pull_request.title }}
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -0,0 +1,102 @@
+name: Release
+on:
+  workflow_dispatch:
+  # push:
+  #   branches:
+  #     - main
+  schedule:
+    - cron: '0 9 * * 0'
+
+jobs:
+
+  tag:
+    name: Tag release
+    uses: https://git.tainton.uk/actions/gha-workflows/.gitea/workflows/release-with-tag.yaml@main
+
+  create_release:
+    name: Create Release
+    needs: tag
+    uses: https://git.tainton.uk/actions/gha-workflows/.gitea/workflows/create-release-preexisting-tag.yaml@main
+    with:
+      tag: ${{ needs.tag.outputs.tag_name }}
+      body: ${{ needs.tag.outputs.changelog }}
+    secrets:
+      ACTIONS_TOKEN: ${{ secrets.ACTIONS_TOKEN }}
+
+  create_docker:
+    name: Publish Docker Images
+    runs-on: ubuntu-latest
+    needs: [tag, create_release]
+    steps:
+      - name: Update Docker configuration
+        continue-on-error: true
+        run: |
+          mkdir -p /etc/default
+          mkdir -p /etc/docker
+          touch -a /etc/default/docker
+          touch -a /etc/docker/daemon.json
+          echo "DOCKER_OPTS=\"--insecure-registry ${{ vars.PACKAGES_REGISTRY_URL }}\"" >> /etc/default/docker
+          echo "{\"insecure-registries\": [\"${{ vars.PACKAGES_REGISTRY_URL }}\"]}" > /etc/docker/daemon.json
+
+      - name: Get repo name
+        id: split
+        run: echo "repo=${REPO##*/}" >> "$GITEA_OUTPUT"
+        env:
+          REPO: ${{ gitea.repository }}
+
+      - name: Check out repository
+        uses: actions/checkout@v6.0.1
+        with:
+          fetch-depth: 0
+          ref: ${{ needs.tag.outputs.tag_name }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Gitea Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.PACKAGES_REGISTRY_URL }}
+          username: ${{ vars.ACTIONS_USERNAME }}
+          password: ${{ secrets.ACTIONS_TOKEN }}
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ vars.GHCR_USERNAME }}
+          password: ${{ secrets.GHCR_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          tags: type=semver,pattern=v{{version}},value=${{ needs.tag.outputs.tag_name }}
+          images: |
+            ghcr.io/${{ vars.GHCR_USERNAME }}/${{ steps.split.outputs.repo }}
+            ${{ vars.PACKAGES_REGISTRY_URL }}/${{ gitea.repository }}
+
+      - name: Print metadata
+        run: |
+          printf "Annotations:\n${{ steps.meta.outputs.annotations }}"
+          echo ""
+          printf "Labels:\n${{ steps.meta.outputs.labels }}"
+          echo ""
+          printf "Tags:\n${{ steps.meta.outputs.tags }}"
+
+      - name: Build images
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          load: true
+          annotations: ${{ steps.meta.outputs.annotations }}
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta.outputs.tags }}
+
+      - name: Push images
+        run: |
+          strtags="${{ steps.meta.outputs.tags }}"
+          readarray -t lines <<<"$strtags"
+          for element in "${lines[@]}"; do docker push "$element"; done
+          unset strtags lines
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,37 +0,0 @@
-name: Build Docker Image
-on:
-  workflow_dispatch:
-  push:
-    branches: [master]
-
-jobs:
-  analyse:
-    name: SonarQube
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-      - uses: sonarsource/sonarqube-scan-action@master
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
-
-  build:
-    name: GitHub Container Registry
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set outputs
-        id: vars
-        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
-      - name: Check outputs
-        run: echo ${{ steps.vars.outputs.sha_short }}
-      - name: Login to GitHub Container Registry
-        run: echo ${{ secrets.GHCR_ACCESS_TOKEN }} | docker login ghcr.io -u luketainton --password-stdin
-      - name: Build image for GitHub Package Registry
-        run: docker build . --file Dockerfile --tag ghcr.io/luketainton/docker-radius:${{ steps.vars.outputs.sha_short }} --tag ghcr.io/luketainton/docker-radius:latest
-      - name: Push image to GitHub Package Registry
-        run: |
-          docker push ghcr.io/luketainton/docker-radius:latest
-          docker push ghcr.io/luketainton/docker-radius:${{ steps.vars.outputs.sha_short }}
--- a/1
+++ b/1
@@ -1 +0,0 @@
-*   @luketainton
--- a/2
+++ b/2
@@ -1,6 +1,6 @@
 FROM alpine:3.22.1 as build
 LABEL maintainer="Luke Tainton <luke@tainton.uk>"
-LABEL org.opencontainers.image.source="https://github.com/luketainton/docker-radius"
+LABEL org.opencontainers.image.source="https://git.tainton.uk/repos/docker-radius"

 FROM build as webproc
 ENV WEBPROCVERSION 0.4.0
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,6 @@
-version: "3"
 services:
  app:
-    image: "ghcr.io/luketainton/docker-radius:latest"
+    image: "git.tainton.uk/repos/docker-radius:latest"
    restart: "unless-stopped"
    volumes:
      - "./clients.conf:/etc/raddb/clients.conf"
--- a/sonar-project.properties
+++ b/sonar-project.properties
@@ -1 +0,0 @@
-sonar.projectKey=luketainton_docker-radius_e37b9305-5bf9-4f67-97d9-85eee00bb9d0
				`@@ -1 +0,0 @@`
				`sonar.projectKey=luketainton_docker-radius_e37b9305-5bf9-4f67-97d9-85eee00bb9d0`