From 609ad2e38389d8ba0c70e809a16f69a25647c6c6 Mon Sep 17 00:00:00 2001
From: josh
Date: Sat, 18 Apr 2026 02:14:08 -0400
Subject: [PATCH] ci: migrate to Gitea Actions + publish release bundle to package registry
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds `.gitea/workflows/{ci,e2e,release}.yml` and removes the old `.github/workflows/` counterparts. Gitea reads both paths, so keeping them would double-run every job on every push.
- ci.yml / e2e.yml are 1:1 ports of the GitHub versions, just with `runs-on: self-hosted` (Gitea has no hosted runners).
- release.yml is new: fires on push to main, runs `make release`, then publishes `vetting-bundle.tar.gz` to the Gitea generic package registry under two versions — `sha-` (immutable, pinnable) and `latest` (rolling alias, DELETE+PUT on each run). Auth via a REGISTRY_TOKEN secret + REGISTRY_URL variable configured on the Gitea side.
The runner is being reconfigured to privileged so `mkosi` + `debootstrap` can build the live image inside CI.
Co-Authored-By: Claude Opus 4.7
---
{.github => .gitea}/workflows/ci.yml | 2 +-
{.github => .gitea}/workflows/e2e.yml | 7 +--
.gitea/workflows/release.yml | 76 +++++++++++++++++++++++++++
3 files changed, 81 insertions(+), 4 deletions(-)
rename {.github => .gitea}/workflows/ci.yml (96%)
rename {.github => .gitea}/workflows/e2e.yml (89%)
create mode 100644 .gitea/workflows/release.yml
diff --git a/.github/workflows/ci.yml b/.gitea/workflows/ci.yml
similarity index 96%
rename from .github/workflows/ci.yml
rename to .gitea/workflows/ci.yml
index fc164cc..9a704bb 100644
--- a/.github/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -12,7 +12,7 @@ permissions:
 
 jobs:
 lint-and-test:
 name: Lint + build + test
- runs-on: ubuntu-latest
+ runs-on: self-hosted
 steps:
 - uses: actions/checkout@v4
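Review bot: `runs-on: self-hosted` moves this job onto a persistent runner, but the workflow's `on:` block is outside the hunk, so it is not visible here whether `pull_request` events — in particular from forks — can reach it; on a self-hosted runner a PR's build steps execute with whatever network access and credentials the runner host holds, which `ubuntu-latest` never exposed. If the trigger is push-only or limited to collaborators, record that assumption next to the runner choice, e.g. `# self-hosted runner: keep triggers to trusted pushes; do not add pull_request from forks`; otherwise restrict the trigger before merging. The same applies to the `runs-on` change in the e2e.yml hunk, where the updated comment already names the privileged runner and the workflow_dispatch-only trigger already limits who can start it.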
diff --git a/.github/workflows/e2e.yml b/.gitea/workflows/e2e.yml
similarity index 89%
rename from .github/workflows/e2e.yml
rename to .gitea/workflows/e2e.yml
index 0e93158..4a09df3 100644
--- a/.github/workflows/e2e.yml
+++ b/.gitea/workflows/e2e.yml
@@ -2,8 +2,9 @@ name: E2E (manual)
 
 # The E2E job builds the live image (mkosi, requires apt package
 # updates) and boots a QEMU VM against a running orchestrator. It's
-# slow and needs a Linux runner with nested virtualization, so it runs
-# only on workflow_dispatch.
+# slow and needs a Linux runner with nested virtualization + loop
+# devices, so it runs only on workflow_dispatch against the privileged
+# self-hosted runner.
 
 on:
 workflow_dispatch:
@@ -18,7 +19,7 @@ permissions:
 
 jobs:
 e2e:
- runs-on: ubuntu-latest
+ runs-on: self-hosted
 timeout-minutes: 45
 steps:
 - uses: actions/checkout@v4
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
new file mode 100644
index 0000000..ca1c12c
--- /dev/null
+++ b/.gitea/workflows/release.yml
@@ -0,0 +1,76 @@
+name: Release
+
+# Builds the full release tarball (orchestrator + agent + live image +
+# deploy scripts) and publishes it to the Gitea generic package
+# registry under two versions:
+# - sha- immutable, per-commit pin
+# - latest rolling alias (DELETE+PUT on each run)
+#
+# The LXC installer (deploy/proxmox-install.sh) curls the "latest"
+# version by default; operators can pin via VETTING_VERSION=sha-abc1234.
+
+on:
+ push:
+ branches: [main]
+
+permissions:
+ contents: read
+
+jobs:
+ release:
+ runs-on: self-hosted
+ timeout-minutes: 45
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: "1.26.x"
+ cache: true
+
+ - name: Install live-image build dependencies
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y --no-install-recommends \
+ mkosi debootstrap squashfs-tools dosfstools
+
+ - name: Install templ
+ run: go install github.com/a-h/templ/cmd/templ@v0.3.1001
+
+ - name: Build release bundle
+ run: make release
+
+ - name: Resolve bundle path + short sha
+ id: meta
+ run: |
+ short_sha=$(git rev-parse --short HEAD)
+ echo "short_sha=${short_sha}" >> "$GITHUB_OUTPUT"
+ echo "bundle=bin/vetting-bundle-${short_sha}.tar.gz" >> "$GITHUB_OUTPUT"
+
+ - name: Publish sha-pinned bundle
+ env:
+ REGISTRY_URL: ${{ vars.REGISTRY_URL }}
+ REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+ OWNER: ${{ gitea.repository_owner }}
+ SHORT_SHA: ${{ steps.meta.outputs.short_sha }}
+ BUNDLE: ${{ steps.meta.outputs.bundle }}
+ run: |
+ curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
+ --upload-file "${BUNDLE}" \
+ "${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/sha-${SHORT_SHA}/vetting-bundle.tar.gz"
+
+ - name: Replace latest alias
+ env:
+ REGISTRY_URL: ${{ vars.REGISTRY_URL }}
+ REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+ OWNER: ${{ gitea.repository_owner }}
+ BUNDLE: ${{ steps.meta.outputs.bundle }}
+ run: |
+ curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
+ -X DELETE \
+ "${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/latest/vetting-bundle.tar.gz" \
+ || true
+ curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
+ --upload-file "${BUNDLE}" \
+ "${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/latest/vetting-bundle.tar.gz"
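Review bot: The `latest` version that `deploy/proxmox-install.sh` fetches by default is published with no integrity artifact — both `--upload-file` calls push only the tarball, so a consumer of `latest` (or of `sha-${SHORT_SHA}`) has nothing to check the download against and a truncated or swapped file is indistinguishable from a good one. I would publish a `vetting-bundle.tar.gz.sha256` next to each version (rewritten step below) so the installer can `sha256sum -c` it; a checksum uploaded with the same token proves integrity in transit but not provenance, so a detached signature made with a key that never lives on the runner would be the stronger follow-up. Separately, `-H "Authorization: token ${REGISTRY_TOKEN}"` places the secret in curl's argv, where any other process on the self-hosted runner can read it from `/proc` while the upload runs, and `-L` makes curl re-send that custom header to whatever host `${REGISTRY_URL}` redirects to (custom `-H` headers are not subject to the same-host rule that `-u` credentials get); reading the header from a temp file and dropping `-L` for an API call that should never redirect addresses both. The `DELETE … || true` also hides every failure other than a 404 (for example a token without delete permission, which then surfaces as a confusing conflict on the PUT) and leaves a window in which `latest` does not exist; the header comment already documents DELETE+PUT, so add `# consumers of "latest" may see a transient 404 between the DELETE and the PUT` there, and apply the same header-file and checksum pattern to the "Replace latest alias" step.

```yaml
      - name: Publish sha-pinned bundle
        # … unchanged: env block (REGISTRY_URL, REGISTRY_TOKEN, OWNER, SHORT_SHA, BUNDLE) …
        run: |
          set -euo pipefail
          # keep the token out of argv: curl reads the header from a file
          hdr=$(mktemp)
          trap 'rm -f "$hdr"' EXIT
          printf 'Authorization: token %s\n' "${REGISTRY_TOKEN}" > "$hdr"
          base="${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/sha-${SHORT_SHA}"
          # checksum line names the published filename so `sha256sum -c` works after download
          printf '%s  vetting-bundle.tar.gz\n' "$(sha256sum "${BUNDLE}" | cut -d' ' -f1)" > vetting-bundle.tar.gz.sha256
          curl -fsS -H @"$hdr" --upload-file "${BUNDLE}" "${base}/vetting-bundle.tar.gz"
          curl -fsS -H @"$hdr" --upload-file vetting-bundle.tar.gz.sha256 "${base}/vetting-bundle.tar.gz.sha256"
      # … unchanged: "Replace latest alias" step (same header-file and checksum handling) …
```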