ci: migrate to Gitea Actions + publish release bundle to package registry

Adds `.gitea/workflows/{ci,e2e,release}.yml` and removes the old `.github/workflows/` counterparts. Gitea reads both paths, so keeping them would double-run every job on every push. - ci.yml / e2e.yml are 1:1 ports of the GitHub versions, just with `runs-on: self-hosted` (Gitea has no hosted runners). - release.yml is new: fires on push to main, runs `make release`, then publishes `vetting-bundle.tar.gz` to the Gitea generic package registry under two versions — `sha-<short-sha>` (immutable, pinnable) and `latest` (rolling alias, DELETE+PUT on each run). Auth via a REGISTRY_TOKEN secret + REGISTRY_URL variable configured on the Gitea side. The runner is being reconfigured to privileged so `mkosi` + `debootstrap` can build the live image inside CI. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 02:14:08 -04:00
parent 05bd88b016
commit 609ad2e383
3 changed files with 81 additions and 4 deletions
@@ -0,0 +1,60 @@
+name: E2E (manual)
+
+# The E2E job builds the live image (mkosi, requires apt package
+# updates) and boots a QEMU VM against a running orchestrator. It's
+# slow and needs a Linux runner with nested virtualization + loop
+# devices, so it runs only on workflow_dispatch against the privileged
+# self-hosted runner.
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: Git ref to test (default: main)
+        required: false
+        default: main
+
+permissions:
+  contents: read
+
+jobs:
+  e2e:
+    runs-on: self-hosted
+    timeout-minutes: 45
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.26.x"
+          cache: true
+
+      - name: Install live-image build dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends \
+            mkosi debootstrap squashfs-tools qemu-system-x86 qemu-utils \
+            dnsmasq iperf3 ipxe-qemu
+
+      - name: Install templ
+        run: go install github.com/a-h/templ/cmd/templ@v0.3.1001
+
+      - name: Build orchestrator + agent
+        run: |
+          templ generate
+          make orchestrator-linux agent-linux
+
+      - name: Build live image
+        run: make live-image
+
+      - name: Run E2E suite
+        # The E2E test expects a registered host + queued run; in CI we
+        # don't have an operator, so it's skipped unless VETTING_E2E_RUN_ID
+        # is supplied. When someone stands up the orchestrator for a
+        # dispatch, they can set it via a workflow_dispatch secret.
+        env:
+          VETTING_E2E_RUN_ID: ${{ vars.VETTING_E2E_RUN_ID }}
+        run: sudo -E go test -tags=e2e -count=1 -v ./test/e2e/...