[CI] Forgejo Actions based release process

Refs: https://codeberg.org/forgejo/website/pulls/230
(cherry picked from commit 87d56bf6c7)

[CI] Forgejo Actions based release process (squash)

base64 -w0 to avoid wrapping when the doer name is long as it creates
a broken config.json

(cherry picked from commit 9efdc27e49)

[CI] Forgejo Actions based release process (squash) generate .xz files and sources

Generate .xz files
Check .sha256
Generate the source tarbal

(cherry picked from commit 7afec520c4)

[CI] Forgejo Actions based release process (squash) release notes

(cherry picked from commit d8f4f4807b)

[CI] Forgejo Actions based release process (squash) publish and sign release

(cherry picked from commit a52778c747)
(cherry picked from commit cf2ec62740)

[CI] Forgejo Actions based release process (squash) version

use Actions environment variables in Makefile (#25319) (#25318)

uses Actions variable to determine the version. But Forgejo builds
happen in a container where they are not available. Do not use them.

Also verify the version of the binary is as expected for sanity check.

(cherry picked from commit 6decf111a1)
(cherry picked from commit 206d0b3886)

[CI] read STORED_VERSION_FILE if available

(cherry picked from commit af74085ebf)

[CI] backward compatible executable compilation

Add a new static-executable target to use in Dockerfiles and restore
the $(EXECUTABLE) target to what it was before to for backward
compatibility.

The release process now builds static executables instead of
dynamically linked ones which makes them more portable. It changes the
requirements at compile time and is not backward compatible. In
particular it may break packaging that rely on the target that
currently creates a dynamically linked executable.

(cherry picked from commit 84d02a174a)
(cherry picked from commit 854be47328)

[CI] Forgejo Actions based release process (squash) doc / ca / verbosity

- Document workflow
- Increase verbosity if VERBOSE=true
- Download the Certificate Authority if behind the VPN

(cherry picked from commit 168d5d5869)
(cherry picked from commit 8756c9a72a)
(cherry picked from commit 2dad7ef20f)

[CI] Forgejo Actions based release process (squash) add assets sources-tarbal

Refs: https://codeberg.org/forgejo/forgejo/issues/1115
(cherry picked from commit 5531d01f19)

[CI] Forgejo Actions based release process (squash) add assets sources-tarbal

bindata.go is a file, not a directory

Refs: https://codeberg.org/forgejo/forgejo/issues/1115
(cherry picked from commit bd88a44778)
(cherry picked from commit b408085138)

[CI] Forgejo Actions based release process (squash) public/assets moved

(cherry picked from commit d8c921d5a6)
(cherry picked from commit f29e50b1a09b1a22fc2dbdb77e9a1def1196175b)

[CI] Fix release notes link

- Use substitution to replace all dots with dashes.
- Resolves https://codeberg.org/forgejo/forgejo/issues/1163

(cherry picked from commit 96783728f53a072915cace392aa269adfe9a5c73)
(cherry picked from commit c8d8bf8996)

[CI] pin go v1.20 for testing

Refs: https://codeberg.org/forgejo/forgejo/issues/1228
(cherry picked from commit fd4b5a013e)
(cherry picked from commit 00bb15f57f)

Conflicts:
	Dockerfile
	Dockerfile.rootless
	see https://codeberg.org/forgejo/forgejo/pulls/1303
(cherry picked from commit 6e2be54a6d)
(cherry picked from commit 346c418b4a)
(cherry picked from commit 49061f8422)
(cherry picked from commit 8229d59b7e)
(cherry picked from commit 70d45d9193)

[CI] Forgejo Actions based release process (squash) need node 18

(cherry picked from commit 722b1f4590)
(cherry picked from commit a91d786169)

[CI] Forgejo Actions based release process (squash) fix indentation

(cherry picked from commit fbdf9d6abb)
(cherry picked from commit 2deff90a13)
(cherry picked from commit 5710a27fda)

[CI] Forgejo Actions based release process (squash) FQIN for docker

Refs: https://codeberg.org/forgejo/forgejo/issues/1600
(cherry picked from commit f63d38deb6)

[CI] Forgejo Actions based release process (squash) use forgejo-curl.sh

(cherry picked from commit c0c3ef506f)
(cherry picked from commit 933ca7ec5d)

Conflicts:
	Dockerfile
	Dockerfile.rootless
	https://codeberg.org/forgejo/forgejo/pulls/1691
(cherry picked from commit 1068e48805)

[CI] Forgejo Actions based release process (squash) size optimization

(cherry picked from commit 3c653ff742)
(cherry picked from commit 398567fc0c)
(cherry picked from commit e585db9a97)
(cherry picked from commit 17e91c96e3)

[CI] Forgejo Actions based release process (squash) gitea to forgejo

(cherry picked from commit 9c06a318b8)
(cherry picked from commit 95859da3b4)
(cherry picked from commit e3a5f6c1ed)
(cherry picked from commit 7b9b259c75)
(cherry picked from commit c4a152c8dc)
(cherry picked from commit b00bf599ef)
(cherry picked from commit a7836ee2ee)
(cherry picked from commit 3ea7dcbd5b)
(cherry picked from commit 454d705e83)
(cherry picked from commit 35e06c3009)
(cherry picked from commit 904468a38f)
(cherry picked from commit 890e86815a)
(cherry picked from commit bf9f94c63d)
(cherry picked from commit d025d061d1)
(cherry picked from commit 32f209a8e1)
(cherry picked from commit 38ef6802fc)
(cherry picked from commit 8a19bbd2a8)
(cherry picked from commit f352dee786)
(cherry picked from commit b53d9fc090)
(cherry picked from commit 3dae21f4c8)
(cherry picked from commit 8b59e016c7)
(cherry picked from commit 6f54ea6a0e)
(cherry picked from commit ed8d90de6b)
(cherry picked from commit 26ffd3fcac)
(cherry picked from commit 287b3bbfb5)
(cherry picked from commit ab81378d0c)
(cherry picked from commit f6bbe7e875)
(cherry picked from commit 8968f34edf)
(cherry picked from commit d3d914bba2)
(cherry picked from commit 4e4006a990)
(cherry picked from commit edb333569b)
(cherry picked from commit 6c1a4baa15)
(cherry picked from commit 51bda3bfc7)
(cherry picked from commit 6f5f318b8f)
(cherry picked from commit e128da2362)
(cherry picked from commit 3e6735ff23)
(cherry picked from commit 938c444125)
(cherry picked from commit 67f92dc9ab)
(cherry picked from commit ee31df71fb)
(cherry picked from commit 386f232191)
(cherry picked from commit 745785cd7f)
This commit is contained in:
Earl Warren 2023-06-14 13:32:20 +02:00
parent 2ff3080018
commit efa8564e76
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
14 changed files with 689 additions and 56 deletions

View file

@ -0,0 +1,154 @@
name: 'Build release'
author: 'Forgejo authors'
description: |
Build release
inputs:
forgejo:
description: 'URL of the Forgejo instance where the release is uploaded'
required: true
owner:
description: 'User or organization where the release is uploaded, relative to the Forgejo instance'
required: true
repository:
description: 'Repository where the release is uploaded, relative to the owner'
required: true
doer:
description: 'Name of the user authoring the release'
required: true
tag-version:
description: 'Version of the release derived from the tag withint the leading v'
required: true
suffix:
description: 'Suffix to add to the image tag'
token:
description: 'token'
required: true
dockerfile:
description: 'path to the dockerfile'
default: 'Dockerfile'
platforms:
description: 'Coma separated list of platforms'
default: 'linux/amd64,linux/arm64'
release-notes:
description: 'Full text of the release notes'
default: 'Release notes placeholder'
binary-name:
description: 'Name of the binary'
binary-path:
description: 'Path of the binary within the container to extract into binary-name'
verbose:
description: 'Increase the verbosity level'
default: 'false'
runs:
using: "composite"
steps:
- run: echo "${{ github.action_path }}" >> $GITHUB_PATH
shell: bash
- name: Install dependencies
run: |
apt-get install -y -qq xz-utils
- name: set -x if verbose is required
id: verbose
run: |
if ${{ inputs.verbose }} ; then
echo "shell=set -x" >> "$GITHUB_OUTPUT"
fi
- name: Create the insecure and buildx-config variables for the container registry
id: registry
run: |
${{ steps.verbose.outputs.shell }}
url="${{ inputs.forgejo }}"
hostport=${url##http*://}
hostport=${hostport%%/}
echo "host-port=${hostport}" >> "$GITHUB_OUTPUT"
if ! [[ $url =~ ^http:// ]] ; then
exit 0
fi
cat >> "$GITHUB_OUTPUT" <<EOF
insecure=true
buildx-config<<ENDVAR
[registry."${hostport}"]
http = true
ENDVAR
EOF
- name: Allow docker pull/push to forgejo
if: ${{ steps.registry.outputs.insecure }}
run: |-
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<EOF
{
"insecure-registries" : ["${{ steps.registry.outputs.host-port }}"],
"bip": "172.26.0.1/16"
}
EOF
- name: Install docker
run: |
echo deb http://deb.debian.org/debian bullseye-backports main | tee /etc/apt/sources.list.d/backports.list && apt-get -qq update
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qq -y -t bullseye-backports docker.io
- uses: https://github.com/docker/setup-buildx-action@v2
with:
config-inline: |
${{ steps.registry.outputs.buildx-config }}
- name: Login to the container registry
run: |
BASE64_AUTH=`echo -n "${{ inputs.doer }}:${{ inputs.token }}" | base64 -w0`
mkdir -p ~/.docker
echo "{\"auths\": {\"$CI_REGISTRY\": {\"auth\": \"$BASE64_AUTH\"}}}" > ~/.docker/config.json
env:
CI_REGISTRY: "${{ steps.registry.outputs.host-port }}"
- name: Build the container image for each architecture
uses: https://github.com/docker/build-push-action@v4
# workaround until https://github.com/docker/build-push-action/commit/d8823bfaed2a82c6f5d4799a2f8e86173c461aba is in @v4 or @v5 is released
env:
ACTIONS_RUNTIME_TOKEN: ''
with:
context: .
push: true
file: ${{ inputs.dockerfile }}
platforms: ${{ inputs.platforms }}
tags: ${{ steps.registry.outputs.host-port }}/${{ inputs.owner }}/${{ inputs.repository }}:${{ inputs.tag-version }}${{ inputs.suffix }}
- name: Extract the binary from the container images into the release directory
if: inputs.binary-name != ''
run: |
${{ steps.verbose.outputs.shell }}
mkdir -p release
cd release
for platform in $(echo ${{ inputs.platforms }} | tr ',' ' '); do
arch=$(echo $platform | sed -e 's|linux/||g' -e 's|arm/v6|arm-6|g')
docker create --platform $platform --name forgejo-$arch ${{ steps.registry.outputs.host-port }}/${{ inputs.owner }}/${{ inputs.repository }}:${{ inputs.tag-version }}${{ inputs.suffix }}
binary="${{ inputs.binary-name }}-${{ inputs.tag-version }}-linux"
docker cp forgejo-$arch:${{ inputs.binary-path }} $binary-$arch
chmod +x $binary-$arch
# the displayed version has a + instead of the first -, deal with it
pattern=$(echo "${{ inputs.tag-version }}" | tr - .)
if ! ./$binary-$arch --version | grep "$pattern" ; then
echo "ERROR: expected version pattern $pattern not found in the output of $binary-$arch --version"
./$binary-$arch --version
exit 1
fi
xz --keep -9 $binary-$arch
shasum -a 256 $binary-$arch > $binary-$arch.sha256
shasum -a 256 $binary-$arch.xz > $binary-$arch.xz.sha256
docker rm forgejo-$arch
done
- name: publish release
if: inputs.binary-name != ''
uses: https://code.forgejo.org/actions/forgejo-release@v1
with:
direction: upload
release-dir: release
release-notes: "${{ inputs.release-notes }}"
token: ${{ inputs.token }}
verbose: ${{ steps.verbose.outputs.value }}

View file

@ -0,0 +1,110 @@
name: 'Publish release'
author: 'Forgejo authors'
description: |
Publish release
inputs:
forgejo:
description: 'URL of the Forgejo instance where the release is uploaded (e.g. https://codeberg.org)'
required: true
from-owner:
description: 'the owner from which a release is to be copied (e.g forgejo-integration)'
required: true
to-owner:
description: 'the owner to which a release is to be copied (e.g. forgejo-experimental). It has be an organization in which doer has the required permissions. Or be the same as the doer'
required: true
repo:
description: 'the repository from which a release is to be copied relative to from-owner and to-owner'
default: 'forgejo'
ref-name:
description: 'ref_name of the tag of the release to be copied (e.g. github.ref_name)'
required: true
doer:
description: 'Name of the user authoring the release (e.g. release-team). The user must be authorized to create packages in to-owner and releases in to-owner/repo'
required: true
token:
description: 'application token created on forgejo by the doer, with a scope allowing it to create packages in to-owner and releases in to-owner/repo'
required: true
gpg-private-key:
description: 'GPG Private Key to sign the release artifacts'
gpg-passphrase:
description: 'Passphrase of the GPG Private Key'
verbose:
description: 'Increase the verbosity level'
default: 'false'
runs:
using: "composite"
steps:
- id: hostport
run: |
url="${{ inputs.forgejo }}"
hostport=${url##http*://}
hostport=${hostport%%/}
echo "value=$hostport" >> "$GITHUB_OUTPUT"
- id: tag-version
run: |
version="${{ inputs.ref-name }}"
version=${version##*v}
echo "value=$version" >> "$GITHUB_OUTPUT"
- name: Create the release notes
id: release-notes
run: |
anchor=${{ steps.tag-version.outputs.value }}
anchor=${anchor//./-}
cat >> "$GITHUB_OUTPUT" <<EOF
value<<ENDVAR
See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#$anchor
ENDVAR
EOF
- name: apt-get install docker.io
run: |
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qq -y docker.io
- name: download release
uses: https://code.forgejo.org/actions/forgejo-release@v1
with:
url: ${{ inputs.forgejo }}
repo: ${{ inputs.from-owner }}/${{ inputs.repo }}
direction: download
release-dir: release
download-retry: 60
token: ${{ inputs.token }}
verbose: ${{ inputs.verbose }}
- name: upload release
uses: https://code.forgejo.org/actions/forgejo-release@v1
with:
url: ${{ inputs.forgejo }}
repo: ${{ inputs.to-owner }}/${{ inputs.repo }}
direction: upload
release-dir: release
release-notes: ${{ steps.release-notes.outputs.value }}
token: ${{ inputs.token }}
gpg-private-key: ${{ inputs.gpg-private-key }}
gpg-passphrase: ${{ inputs.gpg-passphrase }}
verbose: ${{ inputs.verbose }}
- name: login to the registry
uses: https://github.com/docker/login-action@v2
with:
registry: ${{ steps.hostport.outputs.value }}
username: ${{ inputs.doer }}
password: ${{ inputs.token }}
- uses: https://code.forgejo.org/forgejo/forgejo-container-image@v1
env:
VERIFY: 'false'
with:
url: https://${{ steps.hostport.outputs.value }}
destination-owner: ${{ inputs.to-owner }}
owner: ${{ inputs.from-owner }}
suffixes: '-rootless'
project: ${{ inputs.repo }}
tag: ${{ steps.tag-version.outputs.value }}
doer: ${{ inputs.doer }}
token: ${{ inputs.token }}
verbose: ${{ inputs.verbose }}

View file

@ -0,0 +1,3 @@
FROM public.ecr.aws/docker/library/alpine:3.18
RUN mkdir -p /app/gitea
RUN ( echo '#!/bin/sh' ; echo "echo forgejo v1.2.3" ) > /app/gitea/gitea ; chmod +x /app/gitea/gitea

View file

@ -0,0 +1,5 @@
VERSION ?= $(shell cat VERSION 2>/dev/null)
sources-tarbal:
mkdir -p dist/release
echo $(VERSION) > VERSION
sources=forgejo-src-$(VERSION).tar.gz ; tar --transform 's|^./|forgejo-src-$(VERSION)/|' -czf dist/release/forgejo-src-$(VERSION).tar.gz . ; cd dist/release ; shasum -a 256 $$sources > $$sources.sha256

View file

@ -0,0 +1,99 @@
name: Integration tests for the release process
on:
push:
paths:
- Makefile
- Dockerfile
- Dockerfile.rootless
- docker/**
- .forgejo/actions/build-release/action.yml
- .forgejo/workflows/build-release.yml
- .forgejo/workflows/build-release-integration.yml
jobs:
release-simulation:
runs-on: self-hosted
if: secrets.ROLE != 'forgejo-integration' && secrets.ROLE != 'forgejo-experimental' && secrets.ROLE != 'forgejo-release'
steps:
- uses: actions/checkout@v3
- id: forgejo
uses: https://code.forgejo.org/actions/setup-forgejo@v1
with:
user: root
password: admin1234
image-version: 1.19
lxc-ip-prefix: 10.0.9
- name: publish the forgejo release
run: |
set -x
version=1.2.3
cat > /etc/docker/daemon.json <<EOF
{
"insecure-registries" : ["${{ steps.forgejo.outputs.host-port }}"]
}
EOF
systemctl restart docker
apt-get install -qq -y xz-utils
dir=$(mktemp -d)
trap "rm -fr $dir" EXIT
url=http://root:admin1234@${{ steps.forgejo.outputs.host-port }}
export FORGEJO_RUNNER_LOGS="${{ steps.forgejo.outputs.runner-logs }}"
#
# Create a new project with a fake forgejo and the release workflow only
#
cp -a .forgejo/testdata/build-release/* $dir
mkdir -p $dir/.forgejo/workflows
cp .forgejo/workflows/build-release.yml $dir/.forgejo/workflows
cp -a .forgejo/actions $dir/.forgejo/actions
cp $dir/Dockerfile $dir/Dockerfile.rootless
forgejo-test-helper.sh push $dir $url root forgejo
sha=$(forgejo-test-helper.sh branch_tip $url root/forgejo main)
#
# Push a tag to trigger the release workflow and wait for it to complete
#
forgejo-curl.sh api_json --data-raw '{"tag_name": "v'$version'", "target": "'$sha'"}' $url/api/v1/repos/root/forgejo/tags
LOOPS=180 forgejo-test-helper.sh wait_success "$url" root/forgejo $sha
#
# uncomment to see the logs even when everything is reported to be working ok
#
#cat $FORGEJO_RUNNER_LOGS
#
# Minimal sanity checks. e2e test is for the setup-forgejo
# action and the infrastructure playbook. Since the binary
# is a script shell it does not test the sanity of the cross
# build, only the sanity of the naming of the binaries.
#
for arch in amd64 arm64 arm-6 ; do
binary=forgejo-$version-linux-$arch
for suffix in '' '.xz' ; do
curl --fail -L -sS $url/root/forgejo/releases/download/v$version/$binary$suffix > $binary$suffix
if test "$suffix" = .xz ; then
unxz --keep $binary$suffix
fi
chmod +x $binary
./$binary --version | grep $version
curl --fail -L -sS $url/root/forgejo/releases/download/v$version/$binary$suffix.sha256 > $binary$suffix.sha256
shasum -a 256 --check $binary$suffix.sha256
rm $binary$suffix
done
done
sources=forgejo-src-$version.tar.gz
curl --fail -L -sS $url/root/forgejo/releases/download/v$version/$sources > $sources
curl --fail -L -sS $url/root/forgejo/releases/download/v$version/$sources.sha256 > $sources.sha256
shasum -a 256 --check $sources.sha256
docker pull ${{ steps.forgejo.outputs.host-port }}/root/forgejo:$version
docker pull ${{ steps.forgejo.outputs.host-port }}/root/forgejo:$version-rootless

View file

@ -0,0 +1,190 @@
name: Build release
on:
push:
tags: 'v*'
jobs:
release:
runs-on: self-hosted
# root is used for testing, allow it
if: secrets.ROLE == 'forgejo-integration' || github.repository_owner == 'root'
steps:
- uses: actions/checkout@v3
- name: Increase the verbosity when there are no secrets
id: verbose
run: |
if test -z "${{ secrets.TOKEN }}"; then
value=true
else
value=false
fi
echo "value=$value" >> "$GITHUB_OUTPUT"
- name: Sanitize the name of the repository
id: repository
run: |
set -x # comment out
repository="${{ github.repository }}"
echo "value=${repository##*/}" >> "$GITHUB_OUTPUT"
- name: When in a test environment, create a token
id: token
if: ${{ secrets.TOKEN == '' }}
run: |
apt-get -qq install -y jq
url="${{ env.GITHUB_SERVER_URL }}"
hostport=${url##http*://}
hostport=${hostport%%/}
doer=root
api=http://$doer:admin1234@$hostport/api/v1/users/$doer/tokens
curl -sS -X DELETE $api/release
token=$(curl -sS -X POST -H 'Content-Type: application/json' --data-raw '{"name": "release", "scopes": ["all"]}' $api | jq --raw-output .sha1)
echo "value=${token}" >> "$GITHUB_OUTPUT"
- uses: https://code.forgejo.org/actions/setup-node@v3
with:
node-version: 18
- uses: https://code.forgejo.org/actions/setup-go@v4
with:
go-version: ">=1.20"
check-latest: true
- name: Create the version from ref_name
id: tag-version
run: |
version="${{ github.ref_name }}"
version=${version##*v}
echo "value=$version" >> "$GITHUB_OUTPUT"
- name: Create the release notes
id: release-notes
run: |
cat >> "$GITHUB_OUTPUT" <<EOF
value<<ENDVAR
See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#${{ steps.tag-version.outputs.value }}
ENDVAR
EOF
- name: Build sources
run: |
set -x
apt-get -qq install -y make
version=${{ steps.tag-version.outputs.value }}
#
# Make sure all files are owned by the current user.
# When run as root `npx webpack` will assume the identity
# of the owner of the current working directory and may
# fail to create files if some sub-directories are not owned
# by the same user.
#
# Binaries:
# Node: 18.17.0 - /usr/local/node-v18.17.0-linux-x64/bin/node
# npm: 9.6.7 - /usr/local/node-v18.17.0-linux-x64/bin/npm
# Packages:
# add-asset-webpack-plugin: 2.0.1 => 2.0.1
# css-loader: 6.8.1 => 6.8.1
# esbuild-loader: 3.0.1 => 3.0.1
# license-checker-webpack-plugin: 0.2.1 => 0.2.1
# monaco-editor-webpack-plugin: 7.0.1 => 7.0.1
# vue-loader: 17.2.2 => 17.2.2
# webpack: 5.87.0 => 5.87.0
# webpack-cli: 5.1.4 => 5.1.4
#
chown -R $(id -u) .
make VERSION=$version TAGS=bindata sources-tarbal
mv dist/release release
(
tmp=$(mktemp -d)
tar --directory $tmp -zxvf release/*$version*.tar.gz
cd $tmp/*
#
# Verify `make frontend` files are available
#
test -d public/assets/css
test -d public/assets/fonts
test -d public/assets/js
#
# Verify `make generate` files are available
#
test -f modules/public/bindata.go
#
# Sanity check to verify that the source tarbal knows the
# version and is able to rebuild itself from it.
#
# When in sources the version is determined with git.
# When in the tarbal the version is determined from a VERSION file.
#
make sources-tarbal
tarbal=$(echo dist/release/*$version*.tar.gz)
if ! test -f $tarbal ; then
echo $tarbal does not exist
find dist release
exit 1
fi
)
- name: build container & release (when TOKEN secret is not set)
if: ${{ secrets.TOKEN == '' }}
uses: ./.forgejo/actions/build-release
with:
forgejo: "${{ env.GITHUB_SERVER_URL }}"
owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
repository: "${{ steps.repository.outputs.value }}"
doer: root
tag-version: "${{ steps.tag-version.outputs.value }}"
token: ${{ steps.token.outputs.value }}
platforms: linux/amd64,linux/arm64,linux/arm/v6
release-notes: "${{ steps.release-notes.outputs.value }}"
binary-name: forgejo
binary-path: /app/gitea/gitea
verbose: ${{ steps.verbose.outputs.value }}
- name: build rootless container (when TOKEN secret is not set)
if: ${{ secrets.TOKEN == '' }}
uses: ./.forgejo/actions/build-release
with:
forgejo: "${{ env.GITHUB_SERVER_URL }}"
owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
repository: "${{ steps.repository.outputs.value }}"
doer: root
tag-version: "${{ steps.tag-version.outputs.value }}"
token: ${{ steps.token.outputs.value }}
platforms: linux/amd64,linux/arm64,linux/arm/v6
suffix: -rootless
dockerfile: Dockerfile.rootless
verbose: ${{ steps.verbose.outputs.value }}
- name: build container & release (when TOKEN secret is set)
if: ${{ secrets.TOKEN != '' }}
uses: ./.forgejo/actions/build-release
with:
forgejo: "${{ env.GITHUB_SERVER_URL }}"
owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
repository: "${{ steps.repository.outputs.value }}"
doer: "${{ secrets.DOER }}"
tag-version: "${{ steps.tag-version.outputs.value }}"
token: "${{ secrets.TOKEN }}"
platforms: linux/amd64,linux/arm64,linux/arm/v6
release-notes: "${{ steps.release-notes.outputs.value }}"
binary-name: forgejo
binary-path: /app/gitea/gitea
verbose: ${{ steps.verbose.outputs.value }}
- name: build rootless container (when TOKEN secret is set)
if: ${{ secrets.TOKEN != '' }}
uses: ./.forgejo/actions/build-release
with:
forgejo: "${{ env.GITHUB_SERVER_URL }}"
owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
repository: "${{ steps.repository.outputs.value }}"
doer: "${{ secrets.DOER }}"
tag-version: "${{ steps.tag-version.outputs.value }}"
token: "${{ secrets.TOKEN }}"
platforms: linux/amd64,linux/arm64,linux/arm/v6
suffix: -rootless
dockerfile: Dockerfile.rootless
verbose: ${{ steps.verbose.outputs.value }}

View file

@ -0,0 +1,60 @@
# SPDX-License-Identifier: MIT
#
# See also https://forgejo.org/docs/next/developer/RELEASE/#release-process
#
# https://codeberg.org/forgejo-experimental/forgejo
#
# Copies a release from codeberg.org/forgejo-integration to codeberg.org/forgejo-experimental
#
# ROLE: forgejo-experimental
# FORGEJO: https://codeberg.org
# FROM_OWNER: forgejo-integration
# TO_OWNER: forgejo-experimental
# DOER: forgejo-experimental-ci
# TOKEN: <generated from codeberg.org/forgejo-experimental-ci>
#
# https://forgejo.octopuce.forgejo.org/forgejo/forgejo
#
# Copies & sign a release from codeberg.org/forgejo-integration to codeberg.org/forgejo
#
# ROLE: forgejo-release
# FORGEJO: https://codeberg.org
# FROM_OWNER: forgejo-integration
# TO_OWNER: forgejo
# DOER: release-team
# TOKEN: <generated from codeberg.org/release-team>
# GPG_PRIVATE_KEY: <XYZ>
# GPG_PASSPHRASE: <ABC>
#
name: Pubish release
on:
push:
tags: 'v*'
jobs:
publish:
runs-on: self-hosted
if: secrets.DOER != '' && secrets.FORGEJO != '' && secrets.TO_OWNER != '' && secrets.FROM_OWNER != '' && secrets.TOKEN != ''
steps:
- name: install the certificate authority
if: secrets.ROLE == 'forgejo-release'
run: |
apt-get install -qq -y wget
wget --no-check-certificate -O /usr/local/share/ca-certificates/enough.crt https://forgejo.octopuce.forgejo.org/forgejo/enough/raw/branch/main/certs/2023-05-13/ca.crt
update-ca-certificates --fresh
- uses: actions/checkout@v3
- name: copy & sign binaries and container images from one owner to another
uses: ./.forgejo/actions/publish-release
with:
forgejo: ${{ secrets.FORGEJO }}
from-owner: ${{ secrets.FROM_OWNER }}
to-owner: ${{ secrets.TO_OWNER }}
ref-name: ${{ github.ref_name }}
doer: ${{ secrets.DOER }}
token: ${{ secrets.TOKEN }}
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
verbose: ${{ secrets.VERBOSE }}

View file

@ -1,5 +1,6 @@
# Build stage
FROM docker.io/library/golang:1.21-alpine3.18 AS build-env
FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.21-alpine3.18 as build-env
ARG GOPROXY
ENV GOPROXY ${GOPROXY:-direct}
@ -9,24 +10,33 @@ ARG TAGS="sqlite sqlite_unlock_notify"
ENV TAGS "bindata timetzdata $TAGS"
ARG CGO_EXTRA_CFLAGS
# Build deps
RUN apk --no-cache add \
build-base \
git \
nodejs \
npm \
&& rm -rf /var/cache/apk/*
#
# Transparently cross compile for the target platform
#
COPY --from=xx / /
ARG TARGETPLATFORM
RUN apk --no-cache add clang lld
RUN xx-apk --no-cache add gcc musl-dev
ENV CGO_ENABLED=1
RUN xx-go --wrap
#
# for go generate and binfmt to find
# without it the generate phase will fail with
# #19 25.04 modules/public/public_bindata.go:8: running "go": exit status 1
# #19 25.39 aarch64-binfmt-P: Could not open '/lib/ld-musl-aarch64.so.1': No such file or directory
# why exactly is it needed? where is binfmt involved?
#
RUN cp /*-alpine-linux-musl*/lib/ld-musl-*.so.1 /lib || true
RUN apk --no-cache add build-base git nodejs npm
# Setup repo
COPY . ${GOPATH}/src/code.gitea.io/gitea
WORKDIR ${GOPATH}/src/code.gitea.io/gitea
# Checkout version if set
RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
&& make clean-all build
# Begin env-to-ini build
RUN go build contrib/environment-to-ini/environment-to-ini.go
RUN make clean-all
RUN make frontend
RUN go build contrib/environment-to-ini/environment-to-ini.go && xx-verify environment-to-ini
RUN make go-check generate-backend static-executable && xx-verify gitea
# Copy local files
COPY docker/root /tmp/local
@ -81,6 +91,7 @@ ENTRYPOINT ["/usr/bin/entrypoint"]
CMD ["/bin/s6-svscan", "/etc/s6"]
COPY --from=build-env /tmp/local /
RUN cd /usr/local/bin ; ln -s gitea forgejo
COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh

View file

@ -1,5 +1,6 @@
# Build stage
FROM docker.io/library/golang:1.21-alpine3.18 AS build-env
FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.21-alpine3.18 as build-env
ARG GOPROXY
ENV GOPROXY ${GOPROXY:-direct}
@ -9,24 +10,33 @@ ARG TAGS="sqlite sqlite_unlock_notify"
ENV TAGS "bindata timetzdata $TAGS"
ARG CGO_EXTRA_CFLAGS
#Build deps
RUN apk --no-cache add \
build-base \
git \
nodejs \
npm \
&& rm -rf /var/cache/apk/*
#
# Transparently cross compile for the target platform
#
COPY --from=xx / /
ARG TARGETPLATFORM
RUN apk --no-cache add clang lld
RUN xx-apk --no-cache add gcc musl-dev
ENV CGO_ENABLED=1
RUN xx-go --wrap
#
# for go generate and binfmt to find
# without it the generate phase will fail with
# #19 25.04 modules/public/public_bindata.go:8: running "go": exit status 1
# #19 25.39 aarch64-binfmt-P: Could not open '/lib/ld-musl-aarch64.so.1': No such file or directory
# why exactly is it needed? where is binfmt involved?
#
RUN cp /*-alpine-linux-musl*/lib/ld-musl-*.so.1 /lib || true
RUN apk --no-cache add build-base git nodejs npm
# Setup repo
COPY . ${GOPATH}/src/code.gitea.io/gitea
WORKDIR ${GOPATH}/src/code.gitea.io/gitea
# Checkout version if set
RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
&& make clean-all build
# Begin env-to-ini build
RUN go build contrib/environment-to-ini/environment-to-ini.go
RUN make clean-all
RUN make frontend
RUN go build contrib/environment-to-ini/environment-to-ini.go && xx-verify environment-to-ini
RUN make go-check generate-backend static-executable && xx-verify gitea
# Copy local files
COPY docker/rootless /tmp/local
@ -69,18 +79,19 @@ RUN mkdir -p /var/lib/gitea /etc/gitea
RUN chown git:git /var/lib/gitea /etc/gitea
COPY --from=build-env /tmp/local /
RUN cd /usr/local/bin ; ln -s gitea forgejo
COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
# git:git
#git:git
USER 1000:1000
ENV GITEA_WORK_DIR /var/lib/gitea
ENV GITEA_CUSTOM /var/lib/gitea/custom
ENV GITEA_TEMP /tmp/gitea
ENV TMPDIR /tmp/gitea
# TODO add to docs the ability to define the ini to load (useful to test and revert a config)
#TODO add to docs the ability to define the ini to load (useful to test and revert a config)
ENV GITEA_APP_INI /etc/gitea/app.ini
ENV HOME "/var/lib/gitea/git"
VOLUME ["/var/lib/gitea", "/etc/gitea"]
@ -88,3 +99,4 @@ WORKDIR /var/lib/gitea
ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/docker-entrypoint.sh"]
CMD []

View file

@ -83,31 +83,14 @@ endif
STORED_VERSION_FILE := VERSION
HUGO_VERSION ?= 0.111.3
GITHUB_REF_TYPE ?= branch
GITHUB_REF_NAME ?= $(shell git rev-parse --abbrev-ref HEAD)
ifneq ($(GITHUB_REF_TYPE),branch)
VERSION ?= $(subst v,,$(GITHUB_REF_NAME))
GITEA_VERSION ?= $(VERSION)
STORED_VERSION=$(shell cat $(STORED_VERSION_FILE) 2>/dev/null)
ifneq ($(STORED_VERSION),)
GITEA_VERSION ?= $(STORED_VERSION)
else
ifneq ($(GITHUB_REF_NAME),)
VERSION ?= $(subst release/v,,$(GITHUB_REF_NAME))
else
VERSION ?= main
endif
STORED_VERSION=$(shell cat $(STORED_VERSION_FILE) 2>/dev/null)
ifneq ($(STORED_VERSION),)
GITEA_VERSION ?= $(STORED_VERSION)
else
GITEA_VERSION ?= $(shell git describe --tags --always | sed 's/-/+/' | sed 's/^v//')
endif
endif
# if version = "main" then update version to "nightly"
ifeq ($(VERSION),main)
VERSION := main-nightly
GITEA_VERSION ?= $(shell git describe --tags --always | sed 's/-/+/' | sed 's/^v//')
endif
VERSION = ${GITEA_VERSION}
LDFLAGS := $(LDFLAGS) -X "main.MakeVersion=$(MAKE_VERSION)" -X "main.Version=$(GITEA_VERSION)" -X "main.Tags=$(TAGS)"
@ -788,9 +771,15 @@ security-check:
$(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@
static-executable: $(GO_SOURCES) $(TAGS_PREREQ)
CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w -linkmode external -extldflags "-static" $(LDFLAGS)' -o $(EXECUTABLE)
.PHONY: release
release: frontend generate release-windows release-linux release-darwin release-freebsd release-copy release-compress vendor release-sources release-docs release-check
# just the sources, with all assets builtin and frontend resources generated
sources-tarbal: frontend generate vendor release-sources release-check
$(DIST_DIRS):
mkdir -p $(DIST_DIRS)