From 9aeda3e7f43bf50ead30fcbb197f8bfe2b9885d1 Mon Sep 17 00:00:00 2001 From: Job79 Date: Sat, 27 Dec 2025 14:52:11 +0100 Subject: [PATCH] feat(ci): build using podman for zstd:chunked and only build changed containers --- .gitea/workflows/build.yaml | 111 ++++++++++++++++++++++++++++++++ .gitea/workflows/fedora.yaml | 60 ----------------- containers/fedora/Containerfile | 2 +- containers/go/Containerfile | 2 +- 4 files changed, 113 insertions(+), 62 deletions(-) create mode 100644 .gitea/workflows/build.yaml delete mode 100644 .gitea/workflows/fedora.yaml diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml new file mode 100644 index 0000000..e40fe61 --- /dev/null +++ b/.gitea/workflows/build.yaml 
@@ -0,0 +1,111 @@
+name: Build containers
+on:
+ push:
+ branches: ["main"]
+ paths: ["containers/**", ".gitea/workflows/build.yaml"]
+ pull_request:
+ branches: ["main"]
+ paths: ["containers/**", ".gitea/workflows/build.yaml"]
+ schedule:
+ - cron: "0 16 * * FRI"
+
+jobs:
+ changes:
+ runs-on: job-v2
+ outputs:
+ fedora: ${{ steps.filter.outputs.fedora == 'true' }}
+ infra: ${{ steps.filter.outputs.infra == 'true' || steps.filter.outputs.fedora == 'true' }}
+ go: ${{ steps.filter.outputs.go == 'true' || steps.filter.outputs.fedora == 'true' }}
+ any_change: ${{ steps.filter.outputs.workflow == 'true' || github.event_name == 'schedule' }}
+ steps:
+ - uses: actions/checkout@v4
+ - uses: https://github.com/dorny/paths-filter@v3
+ id: filter
+ with:
+ filters: |
+ workflow: ['.gitea/workflows/build.yaml']
+ fedora: ['containers/fedora/**']
+ infra: ['containers/infra/**']
+ go: ['containers/go/**']
+
+ base-image:
+ needs: [changes]
+ runs-on: job-v2
+ steps:
+ - name: Clone repo
+ if: ${{ needs.changes.outputs.fedora == 'true' || needs.changes.outputs.any_change == 'true' }}
+ uses: actions/checkout@v4
+ - name: Log in
+ uses: redhat-actions/podman-login@v1
+ with:
+ registry: git.plabble.org
+ username: ${{ secrets.REGISTRY_USERNAME }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
+ - name: Build
+ id: build
+ uses: job79/buildah-build@65b3793a1370c1ccd74a5c0d090d70eb9637a4ef
+ with:
+ image: job79/fedora
+ tags: ${{ github.ref_name }}
+ context: ./containers/fedora
+ containerfiles: ./containers/fedora/Containerfile
+ oci: true
+ - name: Push
+ uses: redhat-actions/push-to-registry@v2
+ with:
+ image: ${{ steps.build.outputs.image }}
+ tags: ${{ steps.build.outputs.tags }}
+ registry: git.plabble.org
+ username: ${{ secrets.REGISTRY_USERNAME }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
+ extra-args: |
+ --compression-format=zstd:chunked
+ --compression-level=12
+
+ dependent-images:
+ needs: [changes, base-image]
+ runs-on: job-v2
+ strategy:
+ fail-fast: false
+ matrix:
+ container: [infra, go]
+ steps:
+ - name: Check if build needed
+ id: check
+ run: |
+ if [[ "${{ matrix.container }}" == "infra" && "${{ needs.changes.outputs.infra }}" == "true" ]]; then echo "run=true" >> $GITHUB_OUTPUT; fi
+ if [[ "${{ matrix.container }}" == "go" && "${{ needs.changes.outputs.go }}" == "true" ]]; then echo "run=true" >> $GITHUB_OUTPUT; fi
+ if [[ "${{ needs.changes.outputs.any_change }}" == "true" ]]; then echo "run=true" >> $GITHUB_OUTPUT; fi
+ - name: Clone repo
+ if: steps.check.outputs.run == 'true'
+ uses: actions/checkout@v4
+ - name: Log in
+ if: steps.check.outputs.run == 'true'
+ uses: redhat-actions/podman-login@v1
+ with:
+ registry: git.plabble.org
+ username: ${{ secrets.REGISTRY_USERNAME }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
+ - name: Build
+ id: build
+ if: steps.check.outputs.run == 'true'
+ uses: job79/buildah-build@65b3793a1370c1ccd74a5c0d090d70eb9637a4ef
+ with:
+ image: job79/${{ matrix.container }}
+ tags: ${{ github.ref_name }}
+ context: ./containers/${{ matrix.container }}
+ containerfiles: ./containers/${{ matrix.container }}/Containerfile
+ build-args: TAG=${{ github.ref_name }}
+ oci: true
+ - name: Push
+ if: steps.check.outputs.run == 'true'
+ uses: redhat-actions/push-to-registry@v2
+ with:
+ image: ${{ steps.build.outputs.image }}
+ tags: ${{ steps.build.outputs.tags }}
+ registry: git.plabble.org
+ username: ${{ secrets.REGISTRY_USERNAME }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
+ extra-args: |
+ --compression-format=zstd:chunked
+ --compression-level=12
diff --git a/.gitea/workflows/fedora.yaml b/.gitea/workflows/fedora.yaml
deleted file mode 100644
index 90b73cb..0000000
--- a/.gitea/workflows/fedora.yaml
+++ /dev/null
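Review bot: The `Push` steps in `base-image` and `dependent-images` also run for `pull_request` events, so a Containerfile change that has not been merged would be built and, if the runner exposes `REGISTRY_TOKEN` to that event, pushed to `git.plabble.org` under `${{ github.ref_name }}`. Gating the push with `if: github.event_name != 'pull_request'` (combined with the existing `steps.check.outputs.run == 'true'` test in `dependent-images`) would keep PR runs build-only. In `base-image` only `Clone repo` carries an `if:`, while `Log in`, `Build` and `Push` always run, so a change limited to `containers/go/**` or `containers/infra/**` skips the checkout and then builds `./containers/fedora` without a fresh clone, which likely fails the job that `dependent-images` needs. The `redhat-actions/podman-login@v1` and `redhat-actions/push-to-registry@v2` steps receive the registry credentials but are referenced by mutable tags, as are `actions/checkout@v4` and `dorny/paths-filter@v3`, whereas `job79/buildah-build` is pinned to a commit; pinning them to full commit SHAs too would make the credential-handling steps immutable.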
@@ -1,60 +0,0 @@
-name: Build container
-on:
- push:
- branches: ["main"]
- paths:
- - "containers/fedora/**"
- - "containers/go/**"
- - "containers/infra/**"
- - ".gitea/workflows/fedora.yaml"
- pull_request:
- branches: ["main"]
- paths:
- - "containers/fedora/**"
- - "containers/go/**"
- - "containers/infra/**"
- - ".gitea/workflows/fedora.yaml"
- schedule:
- - cron: "0 16 * * FRI"
-
-jobs:
- fedora-build:
- runs-on: job-latest
- steps:
- - name: Clone repo
- uses: actions/checkout@v4
- - name: Setup Docker Buildx
- uses: docker/setup-buildx-action@v3
- - name: Login to Registry
- uses: docker/login-action@v3
- with:
- registry: git.plabble.org
- username: ${{ secrets.REGISTRY_USERNAME }}
- password: ${{ secrets.REGISTRY_TOKEN }}
- - name: Build and push fedora container
- uses: docker/build-push-action@v5
- with:
- context: ./containers/fedora
- file: ./containers/fedora/Containerfile
- push: true
- tags: git.plabble.org/job79/fedora:${{ github.ref_name }}
- build-args: TAG=${{ github.ref_name }}
- outputs: type=image,oci-mediatypes=true,compression=zstd,compression-level=3,force-compression=true
- - name: Build and push go container
- uses: docker/build-push-action@v5
- with:
- context: ./containers/go
- file: ./containers/go/Containerfile
- push: true
- tags: git.plabble.org/job79/go:${{ github.ref_name }}
- build-args: TAG=${{ github.ref_name }}
- outputs: type=image,oci-mediatypes=true,compression=zstd,compression-level=3,force-compression=true
- - name: Build and push infra container
- uses: docker/build-push-action@v5
- with:
- context: ./containers/infra
- file: ./containers/infra/Containerfile
- push: true
- tags: git.plabble.org/job79/infra:${{ github.ref_name }}
- build-args: TAG=${{ github.ref_name }}
- outputs: type=image,oci-mediatypes=true,compression=zstd,compression-level=3,force-compression=true
diff --git a/containers/fedora/Containerfile b/containers/fedora/Containerfile
index d5406ae..31a0cb0 100644
--- a/containers/fedora/Containerfile
+++ b/containers/fedora/Containerfile @@ -11,7 +11,7 @@ RUN dnf update -y && \ # === setup user === RUN useradd -ms /bin/bash user && \ echo 'user ALL=NOPASSWD: ALL' > /etc/sudoers && \ - install -d -o user -g user /run/user/1000 /home/user/.config /home/user/.local /home/user/.cache + install -m 0700 -d -o user -g user /run/user/1000 /home/user/.config /home/user/.local /home/user/.cache USER user WORKDIR /home/user diff --git a/containers/go/Containerfile b/containers/go/Containerfile index f3fcd39..d83c067 100644 --- a/containers/go/Containerfile +++ b/containers/go/Containerfile @@ -2,6 +2,6 @@ ARG TAG FROM git.plabble.org/job79/fedora:${TAG} USER root -RUN dnf -y install go && dnf clean all +RUN dnf -y install go USER user
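Review bot: The path `/run/user/1000` on the changed `install` line hard-codes the UID, but `useradd -ms /bin/bash user` in the same `RUN` lets useradd choose it, so the 0700 runtime directory only matches the account as long as nothing in the base image has already claimed UID 1000. Pinning it with `useradd -u 1000 -ms /bin/bash user` makes the two agree by construction. A short comment next to the `# === setup user ===` header, such as `# runtime, config and cache dirs are private to user (0700)`, would record why the mode was added.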
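Review bot: Dropping `dnf clean all` from the `RUN dnf -y install go` line leaves the package cache and repository metadata fetched by this step inside the layer, and the commit message gives no reason for the removal. If it is deliberate (for example because the cache is handled elsewhere), a one-line comment such as `# dnf cache kept on purpose: <reason>` would stop the next editor from re-adding the cleanup; otherwise keep `RUN dnf -y install go && dnf clean all`. The visible context does not show whether the base image configures dnf caching, so this is worth confirming against `containers/fedora/Containerfile`.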