Merge pull request 'refactor and simplify the release process' (#73) from wip-release-process into main

Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/73
pull/74/head
earl-warren 2023-08-25 13:44:44 +00:00
commit e87b34bdc6
8 changed files with 185 additions and 227 deletions

View File

@ -5,13 +5,13 @@ on:
paths: paths:
- go.mod - go.mod
- Dockerfile - Dockerfile
- .forgejo/workflows/release.yml - .forgejo/workflows/build-release.yml
- .forgejo/workflows/integration.yml - .forgejo/workflows/build-release-integration.yml
jobs: jobs:
release-simulation: release-simulation:
runs-on: self-hosted runs-on: self-hosted
if: github.repository_owner != 'forgejo-integration' && github.repository_owner != 'forgejo-experimental' && github.repository_owner != 'forgejo-release' if: github.repository_owner != 'forgejo-integration' && github.repository_owner != 'forgejo-release'
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
@ -23,10 +23,18 @@ jobs:
image-version: 1.19 image-version: 1.19
lxc-ip-prefix: 10.0.9 lxc-ip-prefix: 10.0.9
- name: publish the runner release - name: publish
run: | run: |
set -x set -x
version=1.2.3
cat > /etc/docker/daemon.json <<EOF
{
"insecure-registries" : ["${{ steps.forgejo.outputs.host-port }}"]
}
EOF
systemctl restart docker
dir=$(mktemp -d) dir=$(mktemp -d)
trap "rm -fr $dir" EXIT trap "rm -fr $dir" EXIT
@ -37,23 +45,37 @@ jobs:
# Create a new project with the runner and the release workflow only # Create a new project with the runner and the release workflow only
# #
rsync -a --exclude .git ./ $dir/ rsync -a --exclude .git ./ $dir/
rm $(find $dir/.forgejo/workflows/*.yml | grep -v release.yml) rm $(find $dir/.forgejo/workflows/*.yml | grep -v build-release.yml)
forgejo-test-helper.sh push $dir $url root runner |& tee $dir/pushed forgejo-test-helper.sh push $dir $url root runner |& tee $dir/pushed
eval $(grep '^sha=' < $dir/pushed) eval $(grep '^sha=' < $dir/pushed)
# #
# Push a tag to trigger the release workflow and wait for it to complete # Push a tag to trigger the release workflow and wait for it to complete
# #
forgejo-test-helper.sh api POST $url repos/root/runner/tags ${{ steps.forgejo.outputs.token }} --data-raw '{"tag_name": "v1.2.3", "target": "'$sha'"}' forgejo-test-helper.sh api POST $url repos/root/runner/tags ${{ steps.forgejo.outputs.token }} --data-raw '{"tag_name": "v'$version'", "target": "'$sha'"}'
LOOPS=180 forgejo-test-helper.sh wait_success "$url" root/runner $sha LOOPS=180 forgejo-test-helper.sh wait_success "$url" root/runner $sha
# #
# Minimal sanity checks. e2e test is for the setup-forgejo action # uncomment to see the logs even when everything is reported to be working ok
# and the infrastructure playbook.
# #
curl -L -sS $url/root/runner/releases/download/v1.2.3/forgejo-runner-amd64 > forgejo-runner #cat $FORGEJO_RUNNER_LOGS
chmod +x forgejo-runner
./forgejo-runner --version | grep 1.2.3 #
curl -L -sS $url/root/runner/releases/download/v1.2.3/forgejo-runner-amd64.sha256 > forgejo-runner.one # Minimal sanity checks. e2e test is for the setup-forgejo action
shasum -a 256 < forgejo-runner | cut -f1 -d ' ' > forgejo-runner.two #
diff forgejo-runner.one forgejo-runner.two for arch in amd64 arm64 ; do
binary=forgejo-runner-$version-linux-$arch
for suffix in '' '.xz' ; do
curl --fail -L -sS $url/root/runner/releases/download/v$version/$binary$suffix > $binary$suffix
if test "$suffix" = .xz ; then
unxz --keep $binary$suffix
fi
chmod +x $binary
./$binary --version | grep $version
curl --fail -L -sS $url/root/runner/releases/download/v$version/$binary$suffix.sha256 > $binary$suffix.sha256
shasum -a 256 --check $binary$suffix.sha256
rm $binary$suffix
done
done
docker pull ${{ steps.forgejo.outputs.host-port }}/root/runner:$version

View File

@ -1,3 +1,13 @@
# SPDX-License-Identifier: MIT
#
# https://code.forgejo.org/forgejo/runner
#
# Build the runner binaries and OCI images
#
# ROLE: forgejo-integration
# DOER: release-team
# TOKEN: <generated from codeberg.org/release-team>
#
name: Build release name: Build release
on: on:
@ -8,126 +18,86 @@ jobs:
release: release:
runs-on: self-hosted runs-on: self-hosted
# root is used for testing, allow it # root is used for testing, allow it
if: github.repository_owner == 'forgejo-integration' || github.repository_owner == 'root' if: secrets.ROLE == 'forgejo-integration' || github.repository_owner == 'root'
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- id: verbose - name: Increase the verbosity when there are no secrets
id: verbose
run: | run: |
# if there are no secrets, be verbose
if test -z "${{ secrets.TOKEN }}"; then if test -z "${{ secrets.TOKEN }}"; then
value=true value=true
else else
value=false value=false
fi fi
echo "value=$value" >> "$GITHUB_OUTPUT" echo "value=$value" >> "$GITHUB_OUTPUT"
echo "shell=set -x" >> "$GITHUB_OUTPUT"
- id: registry - name: Sanitize the name of the repository
id: repository
run: | run: |
${{ steps.verbose.outputs.shell }} repository="${{ github.repository }}"
echo "value=${repository##*/}" >> "$GITHUB_OUTPUT"
- name: create test TOKEN
id: token
if: ${{ secrets.TOKEN == '' }}
run: |
apt-get -qq install -y jq
url="${{ env.GITHUB_SERVER_URL }}" url="${{ env.GITHUB_SERVER_URL }}"
hostport=${url##http*://} hostport=${url##http*://}
hostport=${hostport%%/} hostport=${hostport%%/}
echo "host-port=${hostport}" >> "$GITHUB_OUTPUT" doer=root
if ! [[ $url =~ ^http:// ]] ; then api=http://$doer:admin1234@$hostport/api/v1/users/$doer/tokens
exit 0 curl -sS -X DELETE $api/release
fi token=$(curl -sS -X POST -H 'Content-Type: application/json' --data-raw '{"name": "release", "scopes": ["all"]}' $api | jq --raw-output .sha1)
echo "value=${token}" >> "$GITHUB_OUTPUT"
- name: version from ref_name
id: tag-version
run: |
version="${{ github.ref_name }}"
version=${version##*v}
echo "value=$version" >> "$GITHUB_OUTPUT"
- name: release notes
id: release-notes
run: |
anchor=${{ steps.tag-version.outputs.value }}
anchor=${anchor//./-}
cat >> "$GITHUB_OUTPUT" <<EOF cat >> "$GITHUB_OUTPUT" <<EOF
insecure=true value<<ENDVAR
buildx-config<<ENDVAR See https://code.forgejo.org/forgejo/runner/src/branch/main/RELEASE-NOTES.md#$anchor
[registry."${hostport}"]
http = true
ENDVAR ENDVAR
EOF EOF
- id: secrets - name: build without TOKEN
run: |
token="${{ secrets.TOKEN }}"
doer="${{ secrets.DOER }}"
if test -z "$token"; then
apt-get -qq install -y jq
doer=root
api=http://$doer:admin1234@${{ steps.registry.outputs.host-port }}/api/v1/users/$doer/tokens
curl -sS -X DELETE $api/release
token=$(curl -sS -X POST -H 'Content-Type: application/json' --data-raw '{"name": "release", "scopes": ["all"]}' $api | jq --raw-output .sha1)
fi
echo "token=${token}" >> "$GITHUB_OUTPUT"
echo "doer=${doer}" >> "$GITHUB_OUTPUT"
- name: allow docker pull/push to forgejo
if: ${{ steps.registry.outputs.insecure }}
run: |-
mkdir /etc/docker
cat > /etc/docker/daemon.json <<EOF
{
"insecure-registries" : ["${{ steps.registry.outputs.host-port }}"],
"bip": "172.26.0.1/16"
}
EOF
- run: |
echo deb http://deb.debian.org/debian bullseye-backports main | tee /etc/apt/sources.list.d/backports.list && apt-get -qq update
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qq -y -t bullseye-backports docker.io
- uses: https://github.com/docker/setup-buildx-action@v2
with:
config-inline: |
${{ steps.registry.outputs.buildx-config }}
- run: |
token="${{ steps.secrets.outputs.token }}" ; test -z "$token" && token="${{ secrets.TOKEN }}"
doer="${{ steps.secrets.outputs.doer }}" ; test -z "$doer" && doer="${{ secrets.DOER }}"
BASE64_AUTH=`echo -n "$doer:$token" | base64`
mkdir -p ~/.docker
echo "{\"auths\": {\"$CI_REGISTRY\": {\"auth\": \"$BASE64_AUTH\"}}}" > ~/.docker/config.json
env:
CI_REGISTRY: "${{ env.GITHUB_SERVER_URL }}${{ env.GITHUB_REPOSITORY_OWNER }}"
- id: build
run: |
${{ steps.verbose.outputs.shell }}
tag="${{ github.ref_name }}"
tag=${tag##*v}
echo "tag=$tag" >> "$GITHUB_OUTPUT"
echo "image=${{ steps.registry.outputs.host-port }}/${{ github.repository }}:${tag}" >> "$GITHUB_OUTPUT"
- uses: https://github.com/docker/build-push-action@v4
# workaround until https://github.com/docker/build-push-action/commit/d8823bfaed2a82c6f5d4799a2f8e86173c461aba is in @v4 or @v5 is released
env:
ACTIONS_RUNTIME_TOKEN: ''
with:
context: .
push: true
platforms: linux/amd64,linux/arm64
tags: ${{ steps.build.outputs.image }}
- run: |
${{ steps.verbose.outputs.shell }}
mkdir -p release
for arch in amd64 arm64; do
docker create --platform linux/$arch --name runner ${{ steps.build.outputs.image }}
docker cp runner:/bin/forgejo-runner release/forgejo-runner-$arch
shasum -a 256 < release/forgejo-runner-$arch | cut -f1 -d ' ' > release/forgejo-runner-$arch.sha256
docker rm runner
done
- name: publish release (when TOKEN secret is NOT set)
if: ${{ secrets.TOKEN == '' }} if: ${{ secrets.TOKEN == '' }}
uses: https://code.forgejo.org/actions/forgejo-release@v1 uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v1
with: with:
direction: upload forgejo: "${{ env.GITHUB_SERVER_URL }}"
release-dir: release owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
release-notes: "RELEASE-NOTES#${{ steps.build.outputs.tag }}" repository: "${{ steps.repository.outputs.value }}"
token: ${{ steps.secrets.outputs.token }} doer: root
tag-version: "${{ steps.tag-version.outputs.value }}"
token: ${{ steps.token.outputs.value }}
platforms: linux/amd64,linux/arm64
release-notes: "${{ steps.release-notes.outputs.value }}"
binary-name: forgejo-runner
binary-path: /bin/forgejo-runner
verbose: ${{ steps.verbose.outputs.value }} verbose: ${{ steps.verbose.outputs.value }}
- name: publish release (when TOKEN secret is set) - name: build with TOKEN
if: ${{ secrets.TOKEN != '' }} if: ${{ secrets.TOKEN != '' }}
uses: https://code.forgejo.org/actions/forgejo-release@v1 uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v1
with: with:
direction: upload forgejo: "${{ env.GITHUB_SERVER_URL }}"
release-dir: release owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
release-notes: "RELEASE-NOTES#${{ steps.build.outputs.tag }}" repository: "${{ steps.repository.outputs.value }}"
token: ${{ secrets.TOKEN }} doer: "${{ secrets.DOER }}"
tag-version: "${{ steps.tag-version.outputs.value }}"
token: "${{ secrets.TOKEN }}"
platforms: linux/amd64,linux/arm64
release-notes: "${{ steps.release-notes.outputs.value }}"
binary-name: forgejo-runner
binary-path: /bin/forgejo-runner
verbose: ${{ steps.verbose.outputs.value }} verbose: ${{ steps.verbose.outputs.value }}

View File

@ -1,40 +0,0 @@
name: Publish release
on:
push:
tags: 'v*'
jobs:
release:
runs-on: self-hosted
if: github.repository_owner == 'forgejo-release' && secrets.TOKEN != ''
steps:
- name: install the certificate authority
run: |
apt-get install -qq -y wget
wget --no-check-certificate -O /usr/local/share/ca-certificates/enough.crt https://forgejo.octopuce.forgejo.org/forgejo/enough/raw/branch/main/certs/2023-05-13/ca.crt
update-ca-certificates --fresh
- uses: actions/checkout@v3
- name: download release
uses: https://code.forgejo.org/actions/forgejo-release@v1
with:
url: https://code.forgejo.org
repo: forgejo-integration/runner
direction: download
release-dir: release
download-retry: 60
token: ${{ secrets.TOKEN }}
- name: upload release
uses: https://code.forgejo.org/actions/forgejo-release@v1
with:
url: https://code.forgejo.org
repo: forgejo/runner
direction: upload
release-dir: release
release-notes: "RELEASE-NOTES"
token: ${{ secrets.TOKEN }}
gpg-private-key: ${{ secrets.GPG }}

View File

@ -1,43 +0,0 @@
# SPDX-License-Identifier: MIT
name: copy container images from integration to the destination organization
on:
push:
tags: 'v*'
jobs:
builder:
runs-on: self-hosted
if: github.repository_owner == 'forgejo-release' && secrets.TOKEN != ''
steps:
- name: apt-get install docker.io
run: |
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qq -y docker.io
- name: login code.forgejo.org
uses: https://github.com/docker/login-action@v2
with:
registry: code.forgejo.org
username: ${{ secrets.DOER }}
password: ${{ secrets.TOKEN }}
- id: tag
run: |
tag="${{ github.ref_name }}"
tag=${tag##*v}
echo "tag=$tag" >> "$GITHUB_OUTPUT"
- uses: https://code.forgejo.org/forgejo/forgejo-container-image@v1
env:
VERIFY: 'false'
with:
url: https://code.forgejo.org
destination-owner: forgejo
owner: forgejo-integration
suffixes: ' '
project: runner
tag: ${{ steps.tag.outputs.tag }}
doer: ${{ secrets.DOER }}
token: ${{ secrets.TOKEN }}
verbose: true

View File

@ -0,0 +1,47 @@
# SPDX-License-Identifier: MIT
#
# https://forgejo.octopuce.forgejo.org/forgejo-release/runner
#
# Copies & sign a release from code.forgejo.org/forgejo-integration/runner to code.forgejo.org/forgejo/runner
#
# ROLE: forgejo-release
# FORGEJO: https://code.forgejo.org
# FROM_OWNER: forgejo-integration
# TO_OWNER: forgejo
# DOER: release-team
# TOKEN: <generated from codeberg.org/release-team>
# GPG_PRIVATE_KEY: <XYZ>
# GPG_PASSPHRASE: <ABC>
#
name: pubish
on:
push:
tags: 'v*'
jobs:
publish:
runs-on: self-hosted
if: secrets.DOER != '' && secrets.FORGEJO != '' && secrets.TO_OWNER != '' && secrets.FROM_OWNER != '' && secrets.TOKEN != ''
steps:
- name: install the certificate authority
if: secrets.ROLE == 'forgejo-release'
run: |
apt-get install -qq -y wget
wget --no-check-certificate -O /usr/local/share/ca-certificates/enough.crt https://forgejo.octopuce.forgejo.org/forgejo/enough/raw/branch/main/certs/2023-05-13/ca.crt
update-ca-certificates --fresh
- uses: actions/checkout@v3
- name: copy & sign
uses: https://code.forgejo.org/forgejo/forgejo-build-publish/publish@v1
with:
forgejo: ${{ secrets.FORGEJO }}
from-owner: ${{ secrets.FROM_OWNER }}
to-owner: ${{ secrets.TO_OWNER }}
ref-name: ${{ github.ref_name }}
doer: ${{ secrets.DOER }}
token: ${{ secrets.TOKEN }}
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
verbose: ${{ secrets.VERBOSE }}

View File

@ -1,16 +1,37 @@
FROM golang:1.21-alpine3.18 as builder FROM --platform=$BUILDPLATFORM tonistiigi/xx AS xx
FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.21-alpine3.18 as build-env
#
# Transparently cross compile for the target platform
#
COPY --from=xx / /
ARG TARGETPLATFORM
RUN apk --no-cache add clang lld
RUN xx-apk --no-cache add gcc musl-dev
RUN xx-go --wrap
# Do not remove `git` here, it is required for getting runner version when executing `make build` # Do not remove `git` here, it is required for getting runner version when executing `make build`
RUN apk add --no-cache make git RUN apk add --no-cache build-base git
COPY . /srv COPY . /srv
WORKDIR /srv WORKDIR /srv
RUN make clean && make build RUN make clean && make build
FROM alpine:3.18 FROM docker.io/library/alpine:3.18
RUN apk add --no-cache git bash tini LABEL maintainer="contact@forgejo.org"
COPY --from=builder /srv/forgejo-runner /bin/forgejo-runner RUN apk add --no-cache git bash
COPY scripts/run.sh /opt/act/run.sh
ENTRYPOINT ["/sbin/tini","--","/opt/act/run.sh"] COPY --from=build-env /srv/forgejo-runner /bin/forgejo-runner
ENV HOME=/data
USER 1000:1000
WORKDIR /data
VOLUME ["/data"]
CMD ["/bin/forgejo-runner"]

View File

@ -1,24 +0,0 @@
FROM golang:1.21-alpine3.18 as builder
# Do not remove `git` here, it is required for getting runner version when executing `make build`
RUN apk add --no-cache make git
COPY . /opt/src/forgejo-runner
WORKDIR /opt/src/forgejo-runner
RUN make clean && make build
FROM docker:dind-rootless
USER root
RUN apk add --no-cache \
git bash supervisor
COPY --from=builder /opt/src/forgejo-runner/forgejo-runner /usr/local/bin/forgejo-runner
COPY /scripts/supervisord.conf /etc/supervisord.conf
COPY /scripts/run.sh /opt/act/run.sh
COPY /scripts/rootless.sh /opt/act/rootless.sh
RUN mkdir /data \
&& chown rootless:rootless /data
USER rootless
ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]

View File

@ -1,5 +1,10 @@
# Release Notes # Release Notes
## v3.0.0
* Publish a rootless OCI image with examples on how to use it
* Refactor the release process
## v2.5.0 ## v2.5.0
* Update [code.forgejo.org/forgejo/act v1.10.0](https://code.forgejo.org/forgejo/runner/pulls/71) * Update [code.forgejo.org/forgejo/act v1.10.0](https://code.forgejo.org/forgejo/runner/pulls/71)