Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 50beed4c02 |
@@ -13,7 +13,7 @@ jobs:
|
|||||||
env:
|
env:
|
||||||
IMAGE: gitea.larvit.se/${{ github.repository }}:${{ github.sha }}
|
IMAGE: gitea.larvit.se/${{ github.repository }}:${{ github.sha }}
|
||||||
REGISTRY_TOKEN: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
|
REGISTRY_TOKEN: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
|
||||||
REGISTRY_USER: ${{ vars.DOCKER_REGISTRY_USER }}
|
REGISTRY_USER: ${{ secrets.DOCKER_REGISTRY_USER }}
|
||||||
run: |
|
run: |
|
||||||
printf '%s' "$REGISTRY_TOKEN" | docker login gitea.larvit.se -u "$REGISTRY_USER" --password-stdin
|
printf '%s' "$REGISTRY_TOKEN" | docker login gitea.larvit.se -u "$REGISTRY_USER" --password-stdin
|
||||||
docker build -t "$IMAGE" .
|
docker build -t "$IMAGE" .
|
||||||
|
|||||||
@@ -1191,9 +1191,8 @@ merges are fast-forward-only, the image for any `main` commit already exists —
|
|||||||
and pushed by that exact commit's branch gate; nothing is rebuilt after merge (build once,
|
and pushed by that exact commit's branch gate; nothing is rebuilt after merge (build once,
|
||||||
promote by re-tagging). One-time setup: on an account with package write in the `larvit` org,
|
promote by re-tagging). One-time setup: on an account with package write in the `larvit` org,
|
||||||
create a Gitea access token with `read:package` + `write:package`, and store the account name
|
create a Gitea access token with `read:package` + `write:package`, and store the account name
|
||||||
as the Actions **variable** `DOCKER_REGISTRY_USER` and the token as the Actions **secret**
|
and token as the Actions secrets `DOCKER_REGISTRY_USER` and `DOCKER_REGISTRY_TOKEN`
|
||||||
`DOCKER_REGISTRY_TOKEN` (a `GITEA_` prefix is rejected — reserved, like `GITHUB_`). Because
|
(a `GITEA_` prefix is rejected — reserved, like `GITHUB_`). Because this step runs
|
||||||
this step runs
|
|
||||||
inside the required gate, a missing/expired token (or registry outage) fails every branch's
|
inside the required gate, a missing/expired token (or registry outage) fails every branch's
|
||||||
gate and blocks **all** merges until restored — set the secrets before this lands, and use a
|
gate and blocks **all** merges until restored — set the secrets before this lands, and use a
|
||||||
non-expiring token or track its expiry. Retention: hash tags
|
non-expiring token or track its expiry. Retention: hash tags
|
||||||
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
- [x] CI/CD - Test on push to any branch except main. (`.gitea/workflows/ci.yml` runs `bash ci.sh`; the one-time act_runner setup it needs is documented in README → CI/CD.)
|
- [x] CI/CD - Test on push to any branch except main. (`.gitea/workflows/ci.yml` runs `bash ci.sh`; the one-time act_runner setup it needs is documented in README → CI/CD.)
|
||||||
- [x] CI/CD - Require PR to main and don't allow merge if tests does not pass. Only allow linear history and history that leaves the last commit hash on main the exact same as on the branch we just merged in. (Gitea branch protection on main + fast-forward-only merge style, set via API; documented in README → CI/CD.)
|
- [x] CI/CD - Require PR to main and don't allow merge if tests does not pass. Only allow linear history and history that leaves the last commit hash on main the exact same as on the branch we just merged in. (Gitea branch protection on main + fast-forward-only merge style, set via API; documented in README → CI/CD.)
|
||||||
- [x] CI/CD - Sync up to github after every successful merge to main, URL: git@github.com:larvit/plainpages.git - also note the true home top of the README. Force push to github, it should only ever be a mirror of the gitea.larvit.se repository. (`.gitea/workflows/mirror.yml` force-pushes main + tags over HTTPS with a dedicated account's PAT in the `MIRROR_GITHUB_TOKEN` secret; setup documented in README → CI/CD.)
|
- [x] CI/CD - Sync up to github after every successful merge to main, URL: git@github.com:larvit/plainpages.git - also note the true home top of the README. Force push to github, it should only ever be a mirror of the gitea.larvit.se repository. (`.gitea/workflows/mirror.yml` force-pushes main + tags over HTTPS with a dedicated account's PAT in the `MIRROR_GITHUB_TOKEN` secret; setup documented in README → CI/CD.)
|
||||||
- [x] CI/CD - Build docker images as part of the requirements to be able to merge to main. Push them with the git commit hash as docker tag. Push to container registry at Gitea. (`ci.yml` builds + pushes `gitea.larvit.se/larvit/plainpages:<commit hash>` after a green gate — with ff-only merges that is the main commit's image; auth via the `DOCKER_REGISTRY_USER` variable + `DOCKER_REGISTRY_TOKEN` secret, retention via an org cleanup rule; documented in README → CI/CD.)
|
- [x] CI/CD - Build docker images as part of the requirements to be able to merge to main. Push them with the git commit hash as docker tag. Push to container registry at Gitea. (`ci.yml` builds + pushes `gitea.larvit.se/larvit/plainpages:<commit hash>` after a green gate — with ff-only merges that is the main commit's image; auth via `DOCKER_REGISTRY_USER`/`DOCKER_REGISTRY_TOKEN` secrets, retention via an org cleanup rule; documented in README → CI/CD.)
|
||||||
- [ ] CI/CD - Re-tag docker images from git hash to semver when a semver git tag is pushed.
|
- [ ] CI/CD - Re-tag docker images from git hash to semver when a semver git tag is pushed.
|
||||||
- [ ] CI/CD - Sync docker images to docker hub after each re-tag to git tags.
|
- [ ] CI/CD - Sync docker images to docker hub after each re-tag to git tags.
|
||||||
- [ ] CI/CD - Setup renovate bot.
|
- [ ] CI/CD - Setup renovate bot.
|
||||||
|
|||||||
Reference in New Issue
Block a user