gitea_admin/test_repo
Template
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update .gitea/workflows/build-and-push.yaml
Some checks failed
Build and Push Container Image / build-and-push (push) Failing after 6s
Details

Browse Source
This commit is contained in:
gitea_admin
2026-05-11 07:44:08 +00:00
parent a246a17336
commit aa7c39bd53
1 changed files with 41 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

122
.gitea/workflows/build-and-push.yaml
View File

@@ -11,106 +11,66 @@ jobs:
build-and-push:
runs-on: orchestration-platform
container:
image: docker:latest
image: docker:27-cli
steps:
- name: Install tools
run: |
apk add --no-cache git curl
apk add --no-cache git
- name: Checkout code
run: |
git clone --branch "${GITHUB_REF_NAME}" "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" .
git clone --depth 1 --branch "${GITHUB_REF_NAME}" "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" .
- name: Determine image tag
- name: Check Dockerfile
run: |
test -f Dockerfile || { echo "Dockerfile not found"; exit 1; }
- name: Determine image metadata
id: meta
run: |
if echo "${{ gitea.ref }}" | grep -q "refs/tags/"; then
TAG=$(echo "${{ gitea.ref }}" | sed 's|refs/tags/||')
REGISTRY_HOST=$(echo "${{ gitea.server_url }}" | sed 's|https\?://||; s|/.*$||')
IMAGE="${REGISTRY_HOST}/${{ gitea.repository }}"
if echo "${{ gitea.ref }}" | grep -q '^refs/tags/'; then
TAG=$(echo "${{ gitea.ref }}" | sed 's|refs/tags/v\?||')
EXTRA_TAG=""
else
TAG="latest"
EXTRA_TAG="main-${{ gitea.sha }}"
fi
echo "registry_host=${REGISTRY_HOST}" >> "$GITHUB_OUTPUT"
echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"
echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
echo "extra_tag=${EXTRA_TAG}" >> "$GITHUB_OUTPUT"
- name: Login to Gitea registry
run: |
echo "${{ secrets.REGISTRY_TOKEN }}" | docker login \
"${{ steps.meta.outputs.registry_host }}" \
--username "${{ secrets.REGISTRY_USERNAME }}" \
--password-stdin
- name: Build image
run: |
REGISTRY_HOST=$(echo "${{ gitea.server_url }}" | sed 's|https\?://||')
IMAGE="${REGISTRY_HOST}/${{ gitea.repository }}:${{ steps.meta.outputs.tag }}"
docker build -t "${IMAGE}" .
echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"
id: build
docker build \
--label "org.opencontainers.image.source=${{ gitea.server_url }}/${{ gitea.repository }}" \
--label "org.opencontainers.image.revision=${{ gitea.sha }}" \
-t "${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.tag }}" \
.
# TODO: Registry push is currently blocked.
# The Gitea ingress only routes /gitea/ to the backend; the Docker registry
# API (/v2/) returns 404 from nginx. A separate Ingress rule for /v2 -> gitea-http:3000
# (without rewrite-target) is needed before push can work.
- name: Push image (skipped - registry ingress not configured)
- name: Add trace tag
if: ${{ steps.meta.outputs.extra_tag != '' }}
run: |
REGISTRY_HOST=$(echo "${{ gitea.server_url }}" | sed 's|https\?://||')
IMAGE="${REGISTRY_HOST}/${{ gitea.repository }}:${{ steps.meta.outputs.tag }}"
echo "⚠️ Skipping push: Gitea container registry is not reachable."
echo " The ingress does not route /v2/ to Gitea (returns 404 from nginx)."
echo " Fix: Add a separate Ingress for path /v2 pointing to gitea-http:3000 without rewrite-target."
echo ""
echo " Image built successfully: ${IMAGE}"
echo " To push manually once ingress is fixed:"
echo " crane auth login \${REGISTRY_HOST} -u <user> -p <token>"
echo " crane push image.tar \${IMAGE}"
docker tag \
"${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.tag }}" \
"${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.extra_tag }}"
# PoC: Verify Helm + K8s API access from the CI runner
- name: "PoC: Helm upgrade feasibility check"
- name: Push image
run: |
echo "=== 1. Install Helm ==="
apk add --no-cache helm || {
# Fallback: install from official script if not in apk
curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | sh
}
helm version
docker push "${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.tag }}"
echo ""
echo "=== 2. Check in-cluster credentials ==="
SA_TOKEN_PATH="/var/run/secrets/kubernetes.io/serviceaccount"
if [ -f "${SA_TOKEN_PATH}/token" ]; then
echo "✅ ServiceAccount token found"
echo " Namespace: $(cat ${SA_TOKEN_PATH}/namespace)"
else
echo "❌ No ServiceAccount token mounted — Helm cannot authenticate to the API server"
exit 1
fi
echo ""
echo "=== 3. Test K8s API connectivity ==="
KUBE_API="https://kubernetes.default.svc"
TOKEN=$(cat ${SA_TOKEN_PATH}/token)
CA_CERT="${SA_TOKEN_PATH}/ca.crt"
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
--cacert "${CA_CERT}" \
-H "Authorization: Bearer ${TOKEN}" \
"${KUBE_API}/api/v1/namespaces/$(cat ${SA_TOKEN_PATH}/namespace)")
echo " API response: HTTP ${HTTP_CODE}"
if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "403" ]; then
echo "✅ API server is reachable (${HTTP_CODE})"
else
echo "❌ API server not reachable (HTTP ${HTTP_CODE})"
exit 1
fi
echo ""
echo "=== 4. Test Helm list (current namespace) ==="
NAMESPACE=$(cat ${SA_TOKEN_PATH}/namespace)
helm list --namespace "${NAMESPACE}" 2>&1 || echo "⚠️ helm list failed — likely RBAC issue"
echo ""
echo "=== 5. Dry-run Helm upgrade (no actual changes) ==="
echo " Attempting dry-run with a dummy chart to verify permissions..."
helm upgrade --install helm-poc-test oci://registry-1.docker.io/bitnamicharts/nginx \
--namespace "${NAMESPACE}" \
--dry-run \
--set replicaCount=0 2>&1 || echo "⚠️ Dry-run failed — check RBAC permissions for the runner ServiceAccount"
echo ""
echo "=== Summary ==="
echo "If steps 1-4 passed, Helm upgrade from CI is technically feasible."
echo "RBAC may need to be extended for the runner ServiceAccount to allow:"
echo " - get/list/create/update Deployments, Services, ConfigMaps, Secrets"
echo " - in the target namespace for user deployments"
if [ -n "${{ steps.meta.outputs.extra_tag }}" ]; then
docker push "${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.extra_tag }}"
fi