josh/Vetting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: migrate to Gitea Actions + publish release bundle to package registry
CI / Lint + build + test (push) Has been cancelled
Details
Release / release (push) Has been cancelled
Details

Browse Source 
Adds `.gitea/workflows/{ci,e2e,release}.yml` and removes the old
`.github/workflows/` counterparts. Gitea reads both paths, so keeping
them would double-run every job on every push.

- ci.yml / e2e.yml are 1:1 ports of the GitHub versions, just with
  `runs-on: self-hosted` (Gitea has no hosted runners).
- release.yml is new: fires on push to main, runs `make release`, then
  publishes `vetting-bundle.tar.gz` to the Gitea generic package
  registry under two versions — `sha-<short-sha>` (immutable, pinnable)
  and `latest` (rolling alias, DELETE+PUT on each run). Auth via a
  REGISTRY_TOKEN secret + REGISTRY_URL variable configured on the Gitea
  side.

The runner is being reconfigured to privileged so `mkosi` + `debootstrap`
can build the live image inside CI.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Josh Wright
2026-04-18 02:14:08 -04:00
parent 05bd88b016
commit 609ad2e383
3 changed files with 81 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/ci.yml
+45
View File
@@ -0,0 +1,45 @@
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: read
jobs:
lint-and-test:
name: Lint + build + test
runs-on: self-hosted
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.26.x"
cache: true
- name: Install templ
run: go install github.com/a-h/templ/cmd/templ@v0.3.1001
- name: Generate templ
run: templ generate
- name: Verify go.mod + go.sum are tidy
run: |
go mod tidy
git diff --exit-code go.mod go.sum
- name: Vet
run: go vet ./...
- name: Build (host)
run: |
go build ./...
GOOS=linux GOARCH=amd64 go build ./...
- name: Test
run: go test -race -count=1 ./...
.gitea/workflows/e2e.yml
+60
View File
@@ -0,0 +1,60 @@
name: E2E (manual)
# The E2E job builds the live image (mkosi, requires apt package
# updates) and boots a QEMU VM against a running orchestrator. It's
# slow and needs a Linux runner with nested virtualization + loop
# devices, so it runs only on workflow_dispatch against the privileged
# self-hosted runner.
on:
workflow_dispatch:
inputs:
ref:
description: Git ref to test (default: main)
required: false
default: main
permissions:
contents: read
jobs:
e2e:
runs-on: self-hosted
timeout-minutes: 45
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.26.x"
cache: true
- name: Install live-image build dependencies
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
mkosi debootstrap squashfs-tools qemu-system-x86 qemu-utils \
dnsmasq iperf3 ipxe-qemu
- name: Install templ
run: go install github.com/a-h/templ/cmd/templ@v0.3.1001
- name: Build orchestrator + agent
run: |
templ generate
make orchestrator-linux agent-linux
- name: Build live image
run: make live-image
- name: Run E2E suite
# The E2E test expects a registered host + queued run; in CI we
# don't have an operator, so it's skipped unless VETTING_E2E_RUN_ID
# is supplied. When someone stands up the orchestrator for a
# dispatch, they can set it via a workflow_dispatch secret.
env:
VETTING_E2E_RUN_ID: ${{ vars.VETTING_E2E_RUN_ID }}
run: sudo -E go test -tags=e2e -count=1 -v ./test/e2e/...
.gitea/workflows/release.yml
+76
View File
@@ -0,0 +1,76 @@
name: Release
# Builds the full release tarball (orchestrator + agent + live image +
# deploy scripts) and publishes it to the Gitea generic package
# registry under two versions:
# - sha-<short-sha> immutable, per-commit pin
# - latest rolling alias (DELETE+PUT on each run)
#
# The LXC installer (deploy/proxmox-install.sh) curls the "latest"
# version by default; operators can pin via VETTING_VERSION=sha-abc1234.
on:
push:
branches: [main]
permissions:
contents: read
jobs:
release:
runs-on: self-hosted
timeout-minutes: 45
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.26.x"
cache: true
- name: Install live-image build dependencies
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
mkosi debootstrap squashfs-tools dosfstools
- name: Install templ
run: go install github.com/a-h/templ/cmd/templ@v0.3.1001
- name: Build release bundle
run: make release
- name: Resolve bundle path + short sha
id: meta
run: |
short_sha=$(git rev-parse --short HEAD)
echo "short_sha=${short_sha}" >> "$GITHUB_OUTPUT"
echo "bundle=bin/vetting-bundle-${short_sha}.tar.gz" >> "$GITHUB_OUTPUT"
- name: Publish sha-pinned bundle
env:
REGISTRY_URL: ${{ vars.REGISTRY_URL }}
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
OWNER: ${{ gitea.repository_owner }}
SHORT_SHA: ${{ steps.meta.outputs.short_sha }}
BUNDLE: ${{ steps.meta.outputs.bundle }}
run: |
curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
--upload-file "${BUNDLE}" \
"${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/sha-${SHORT_SHA}/vetting-bundle.tar.gz"
- name: Replace latest alias
env:
REGISTRY_URL: ${{ vars.REGISTRY_URL }}
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
OWNER: ${{ gitea.repository_owner }}
BUNDLE: ${{ steps.meta.outputs.bundle }}
run: |
curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
-X DELETE \
"${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/latest/vetting-bundle.tar.gz" \
|| true
curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
--upload-file "${BUNDLE}" \
"${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/latest/vetting-bundle.tar.gz"