ci: migrate to Gitea Actions + publish release bundle to package registry
Adds `.gitea/workflows/{ci,e2e,release}.yml` and removes the old
`.github/workflows/` counterparts. Gitea reads both paths, so keeping
them would double-run every job on every push.
- ci.yml / e2e.yml are 1:1 ports of the GitHub versions, just with
`runs-on: self-hosted` (Gitea has no hosted runners).
- release.yml is new: fires on push to main, runs `make release`, then
publishes `vetting-bundle.tar.gz` to the Gitea generic package
registry under two versions — `sha-<short-sha>` (immutable, pinnable)
and `latest` (rolling alias, DELETE+PUT on each run). Auth via a
REGISTRY_TOKEN secret + REGISTRY_URL variable configured on the Gitea
side.
The runner is being reconfigured to privileged so `mkosi` + `debootstrap`
can build the live image inside CI.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -12,7 +12,7 @@ permissions:
|
|||||||
jobs:
|
jobs:
|
||||||
lint-and-test:
|
lint-and-test:
|
||||||
name: Lint + build + test
|
name: Lint + build + test
|
||||||
runs-on: ubuntu-latest
|
runs-on: self-hosted
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
@@ -2,8 +2,9 @@ name: E2E (manual)
|
|||||||
|
|
||||||
# The E2E job builds the live image (mkosi, requires apt package
|
# The E2E job builds the live image (mkosi, requires apt package
|
||||||
# updates) and boots a QEMU VM against a running orchestrator. It's
|
# updates) and boots a QEMU VM against a running orchestrator. It's
|
||||||
# slow and needs a Linux runner with nested virtualization, so it runs
|
# slow and needs a Linux runner with nested virtualization + loop
|
||||||
# only on workflow_dispatch.
|
# devices, so it runs only on workflow_dispatch against the privileged
|
||||||
|
# self-hosted runner.
|
||||||
|
|
||||||
on:
|
on:
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
@@ -18,7 +19,7 @@ permissions:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
e2e:
|
e2e:
|
||||||
runs-on: ubuntu-latest
|
runs-on: self-hosted
|
||||||
timeout-minutes: 45
|
timeout-minutes: 45
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
@@ -0,0 +1,76 @@
|
|||||||
|
name: Release
|
||||||
|
|
||||||
|
# Builds the full release tarball (orchestrator + agent + live image +
|
||||||
|
# deploy scripts) and publishes it to the Gitea generic package
|
||||||
|
# registry under two versions:
|
||||||
|
# - sha-<short-sha> immutable, per-commit pin
|
||||||
|
# - latest rolling alias (DELETE+PUT on each run)
|
||||||
|
#
|
||||||
|
# The LXC installer (deploy/proxmox-install.sh) curls the "latest"
|
||||||
|
# version by default; operators can pin via VETTING_VERSION=sha-abc1234.
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches: [main]
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
release:
|
||||||
|
runs-on: self-hosted
|
||||||
|
timeout-minutes: 45
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Set up Go
|
||||||
|
uses: actions/setup-go@v5
|
||||||
|
with:
|
||||||
|
go-version: "1.26.x"
|
||||||
|
cache: true
|
||||||
|
|
||||||
|
- name: Install live-image build dependencies
|
||||||
|
run: |
|
||||||
|
sudo apt-get update
|
||||||
|
sudo apt-get install -y --no-install-recommends \
|
||||||
|
mkosi debootstrap squashfs-tools dosfstools
|
||||||
|
|
||||||
|
- name: Install templ
|
||||||
|
run: go install github.com/a-h/templ/cmd/templ@v0.3.1001
|
||||||
|
|
||||||
|
- name: Build release bundle
|
||||||
|
run: make release
|
||||||
|
|
||||||
|
- name: Resolve bundle path + short sha
|
||||||
|
id: meta
|
||||||
|
run: |
|
||||||
|
short_sha=$(git rev-parse --short HEAD)
|
||||||
|
echo "short_sha=${short_sha}" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "bundle=bin/vetting-bundle-${short_sha}.tar.gz" >> "$GITHUB_OUTPUT"
|
||||||
|
|
||||||
|
- name: Publish sha-pinned bundle
|
||||||
|
env:
|
||||||
|
REGISTRY_URL: ${{ vars.REGISTRY_URL }}
|
||||||
|
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
||||||
|
OWNER: ${{ gitea.repository_owner }}
|
||||||
|
SHORT_SHA: ${{ steps.meta.outputs.short_sha }}
|
||||||
|
BUNDLE: ${{ steps.meta.outputs.bundle }}
|
||||||
|
run: |
|
||||||
|
curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
|
||||||
|
--upload-file "${BUNDLE}" \
|
||||||
|
"${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/sha-${SHORT_SHA}/vetting-bundle.tar.gz"
|
||||||
|
|
||||||
|
- name: Replace latest alias
|
||||||
|
env:
|
||||||
|
REGISTRY_URL: ${{ vars.REGISTRY_URL }}
|
||||||
|
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
||||||
|
OWNER: ${{ gitea.repository_owner }}
|
||||||
|
BUNDLE: ${{ steps.meta.outputs.bundle }}
|
||||||
|
run: |
|
||||||
|
curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
|
||||||
|
-X DELETE \
|
||||||
|
"${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/latest/vetting-bundle.tar.gz" \
|
||||||
|
|| true
|
||||||
|
curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
|
||||||
|
--upload-file "${BUNDLE}" \
|
||||||
|
"${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/latest/vetting-bundle.tar.gz"
|
||||||
Reference in New Issue
Block a user