mirror of
https://github.com/go-gitea/gitea.git
synced 2026-05-19 11:31:05 +00:00
02be228ed6
Adds [zizmor](https://docs.zizmor.sh/) to `make lint-actions` with `--min-confidence=medium`. Fixes the remaining findings: - Pin floating-tag service images in `pull-db-tests.yml` to `tag@sha256:digest` - Move `github.ref` / `github.ref_name` (and surrounding secrets/step outputs for consistency) out of `run:` into `env:` --- This PR was written with the help of Claude Opus 4.7 --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: Giteabot <teabot@gitea.io>
146 lines
6.2 KiB
YAML
146 lines
6.2 KiB
YAML
name: release-nightly
|
|
|
|
on:
|
|
push:
|
|
branches: [main, release/v*]
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
nightly-binary:
|
|
runs-on: namespace-profile-gitea-release-binary
|
|
permissions:
|
|
contents: read
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
# fetch all commits instead of only the last as some branches are long lived and could have many between versions
|
|
# fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
|
|
- run: git fetch --unshallow --quiet --tags --force
|
|
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
|
|
with:
|
|
go-version-file: go.mod
|
|
check-latest: true
|
|
- uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5
|
|
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
|
with:
|
|
node-version: 24
|
|
cache: pnpm
|
|
cache-dependency-path: pnpm-lock.yaml
|
|
- run: make deps-frontend deps-backend
|
|
# xgo build
|
|
- run: make release
|
|
env:
|
|
TAGS: bindata
|
|
- name: import gpg key
|
|
id: import_gpg
|
|
uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
|
|
with:
|
|
gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
|
|
passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
|
|
- name: sign binaries
|
|
env:
|
|
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
|
|
GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }}
|
|
run: |
|
|
for f in dist/release/*; do
|
|
echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f"
|
|
done
|
|
# clean branch name to get the folder name in S3
|
|
- name: Get cleaned branch name
|
|
id: clean_name
|
|
env:
|
|
REF: ${{ github.ref }}
|
|
run: |
|
|
REF_NAME=$(echo "$REF" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
|
|
echo "Cleaned name is ${REF_NAME}"
|
|
echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT"
|
|
- name: configure aws
|
|
uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
|
|
with:
|
|
aws-region: ${{ secrets.AWS_REGION }}
|
|
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
- name: upload binaries to s3
|
|
env:
|
|
AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
|
|
BRANCH: ${{ steps.clean_name.outputs.branch }}
|
|
run: |
|
|
aws s3 sync dist/release "s3://$AWS_S3_BUCKET/gitea/$BRANCH" --no-progress
|
|
|
|
nightly-container:
|
|
runs-on: namespace-profile-gitea-release-docker
|
|
permissions:
|
|
contents: read
|
|
packages: write # to publish to ghcr.io
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
# fetch all commits instead of only the last as some branches are long lived and could have many between versions
|
|
# fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
|
|
- run: git fetch --unshallow --quiet --tags --force
|
|
- uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
|
|
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
|
|
- name: Get cleaned branch name
|
|
id: clean_name
|
|
env:
|
|
REF: ${{ github.ref }}
|
|
run: |
|
|
REF_NAME=$(echo "$REF" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
|
|
echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT"
|
|
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
|
|
id: meta
|
|
with:
|
|
images: |-
|
|
gitea/gitea
|
|
ghcr.io/go-gitea/gitea
|
|
tags: |
|
|
type=raw,value=${{ steps.clean_name.outputs.branch }}
|
|
annotations: |
|
|
org.opencontainers.image.authors="maintainers@gitea.io"
|
|
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
|
|
id: meta_rootless
|
|
with:
|
|
images: |-
|
|
gitea/gitea
|
|
ghcr.io/go-gitea/gitea
|
|
# each tag below will have the suffix of -rootless
|
|
flavor: |
|
|
suffix=-rootless
|
|
tags: |
|
|
type=raw,value=${{ steps.clean_name.outputs.branch }}
|
|
annotations: |
|
|
org.opencontainers.image.authors="maintainers@gitea.io"
|
|
- name: Login to Docker Hub
|
|
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
|
with:
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
- name: Login to GHCR using PAT
|
|
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: build regular docker image
|
|
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
|
|
with:
|
|
context: .
|
|
platforms: linux/amd64,linux/arm64,linux/riscv64
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
annotations: ${{ steps.meta.outputs.annotations }}
|
|
cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful
|
|
cache-to: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful,mode=max
|
|
- name: build rootless docker image
|
|
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
|
|
with:
|
|
context: .
|
|
platforms: linux/amd64,linux/arm64,linux/riscv64
|
|
push: true
|
|
file: Dockerfile.rootless
|
|
tags: ${{ steps.meta_rootless.outputs.tags }}
|
|
annotations: ${{ steps.meta_rootless.outputs.annotations }}
|
|
cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootless
|
|
cache-to: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootless,mode=max
|