9 changed files with 76 additions and 246 deletions
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@ -2,59 +2,33 @@ on:
  push:
    tags:
      - "*-v*"
-  workflow_dispatch:

 env:
  REGISTRY_ENDPOINT: host.containers.internal:5000

 jobs:
-  pre-run:
-    runs-on: imagefactory-latest
-    steps:
-      - uses: https://forge.karnov.club/marc/push-status-to-discord-action@main
-        with:
-          webhook-url: ${{secrets.DISCORD_WEBHOOK_URL}}
-          status: "Started"
-          init: true
-  build-runner:
-    needs: [pre-run]
-    runs-on: imagefactory-latest
+  build-images:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image-name: ['ubuntu-2204']
    steps:
      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: 3.12
      - name: Login to Registry
        run: podman login -u ${{ secrets.REGISTRY_USER }} -p ${{ secrets.REGISTRY_TOKEN }} ${{ env.REGISTRY_ENDPOINT }}
      - name: Set image metadata
        id: image-metadata
        run: |
-          echo "image-tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
-          echo "full-image-name=debian-12.6-slim:$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+          echo "image-tag=$(./script/get-tag.sh)" >> $GITHUB_OUTPUT
+          echo "full-image-name=${{ matrix.image-name }}:$(./script/get-tag.sh)" >> $GITHUB_OUTPUT
      - name: Build image
-        run: python ./build_image.py ${{ steps.image-metadata.outputs.full-image-name }} ./images/debian-12.6-slim/Dockerfile
+        run: ./script/build-image.sh ${{ matrix.image-name }} ${{ steps.image-metadata.outputs.image-tag }}
      - name: Tag image as latest
-        run: podman tag ${{ steps.image-metadata.outputs.full-image-name }} debian-12.6-slim:latest
+        run: podman tag ${{ steps.image-metadata.outputs.full-image-name }} ${{ matrix.image-name }}:latest
      - name: List images
        run: podman image ls
      - name: Push tagged image to registry
-        if: ${{ github.event_name == 'push' }}
        run: |
          podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/${{ steps.image-metadata.outputs.full-image-name }}
-          podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/debian-12.6-slim:latest
-  post-run:
-    runs-on: imagefactory-latest
-    needs: [build-runner]
-    steps:
-      - uses: https://forge.karnov.club/marc/push-status-to-discord-action@main
-        if: ${{success()}}
-        with:
-          webhook-url: ${{secrets.DISCORD_WEBHOOK_URL}}
-          status: "Success"
-          variant: "success"
-      - uses: https://forge.karnov.club/marc/push-status-to-discord-action@main
-        if: ${{failure()}}
-        with:
-          webhook-url: ${{secrets.DISCORD_WEBHOOK_URL}}
-          status: "Failure"
-          variant: "failure"
+          podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/${{ matrix.image-name }}:latest
+
--- a/README.md
+++ b/README.md
@ -1,15 +1,3 @@
 # runner-images

-Image factory for Forgejo Action runners
-
-## Building
-
-Images can be build locally if needed:
-
-```sh
-python build_image.py <image-name> <Dockerfile path>
-```
-
-CI will also build images when a tag of the format `v*` is pushed. The images built by CI are tagged as `:latest` and pushed to the registry at the run.
-
-If CI workflows are triggered manually (i.e. via `workflow_dispatch`), then the image push is skipped.
+Image factory for Forgejo action runners
--- a/build_image.py
+++ b/build_image.py
@ -1,95 +0,0 @@
-"""
-Builds a container image with the provided image name and tag.
-
-Usage:
-    python build_image.py <image-name> <tag> [<image-path>]
-"""
-
-import subprocess
-import pathlib
-import logging
-import typing
-import sys
-import os
-import re
-
-logger = logging.getLogger("build-image")
-
-def get_tag(is_ci: bool) -> str:
-    """
-    Gets an image tag composed of the short sha of the current commit
-    and, depending on the is_ci flag, a "-dev" suffix.
-    """
-
-    result = subprocess.run(
-        "git rev-parse --short HEAD", shell=True, capture_output=True, check=True
-    )
-
-    sha = re.sub(r"\n", "", str(result.stdout.decode('utf-8')))
-
-    if not is_ci:
-        return f"{sha}-dev"
-
-    return sha
-
-
-def build_image(image_name: str, tag: str, image_path: typing.Optional[pathlib.Path]):
-    """
-    Calls Podman to build the container image defined at image_path, which defaults to
-    the current directory.
-
-    The built image is named and tagged using image_name and tag.
-    """
-
-    if image_path is None:
-        image_path = pathlib.Path("./Dockerfile")
-
-    cwd = image_path.parent
-    image_path = image_path.relative_to(cwd)
-
-    subprocess.run(
-        f"podman build --no-cache -t {image_name}:{tag} -f {str(image_path)}",
-        shell=True,
-        check=True,
-        cwd=cwd,
-    )
-
-
-def run(args: list[str]):
-    """
-    CLI entrypoint.
-    """
-
-    if len(args) < 1:
-        raise ValueError(
-            "There should be at least one argument. "
-            "Correct usage: python build_image.py <image-name:tag> [image-path]"
-        )
-
-    if len(args) > 2:
-        raise ValueError(
-            "Unrecognized arguments. "
-            "Correct usage:  python build_image.py <image-name:tag> [image-path]"
-        )
-
-    tagged_image_name = args[0]
-    image_name_parts = tagged_image_name.split(":")
-
-    name = image_name_parts[0]
-    tag = (
-        image_name_parts[1]
-        if len(image_name_parts) == 2
-        else get_tag(bool(os.environ.get("CI", False)))
-    )
-
-    image_path = args[1] if len(args) == 2 else None
-
-    build_image(name, tag, pathlib.Path(image_path))
-
-
-if __name__ == "__main__":
-    try:
-        run(sys.argv[1:])
-    except Exception as e:  # pylint: disable=broad-exception-caught
-        logger.error(e)
-        exit(1)
--- a/images/debian-12.6-slim/Dockerfile
+++ b/images/debian-12.6-slim/Dockerfile
@ -1,31 +0,0 @@
-FROM debian:12.6-slim as skeleton
-
-ENV DEBIAN_FRONTEND noninteractive
-ENV TZ Etc/UTC
-
-RUN apt update && \
-        apt upgrade -y && \
-        apt install -y \
-            curl \
-            unzip \
-            podman \
-            jq \
-            git \
-            xz-utils \
-            ca-certificates \
-            nodejs \
-            npm \
-            python3 \
-            python3-pip \
-            pipx \
-            fuse-overlayfs \
-            --no-install-recommends \
-            --autoremove && \
-            apt-get clean
-
-COPY ./files/registries.conf /etc/containers/registries.conf
-COPY ./files/storage.conf /etc/containers/storage.conf
-
-FROM skeleton as runner
-
-WORKDIR /runner
--- a/images/debian-12.6-slim/files/storage.conf
+++ b/images/debian-12.6-slim/files/storage.conf
@ -1,68 +0,0 @@
-[storage]
-driver = "overlay"
-runroot = "/run/containers/storage"
-graphroot = "/var/lib/containers/storage"
-
-[storage.options.overlay]
-# ignore_chown_errors can be set to allow a non privileged user running with
-# a single UID within a user namespace to run containers. The user can pull
-# and use any image even those with multiple uids.  Note multiple UIDs will be
-# squashed down to the default uid in the container.  These images will have no
-# separation between the users in the container. Only supported for the overlay
-# and vfs drivers.
-# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
-#ignore_chown_errors = "false"
-
-# Inodes is used to set a maximum inodes of the container image.
-# inodes = ""
-
-# Path to an helper program to use for mounting the file system instead of mounting it
-# directly.
-mount_program = "/usr/bin/fuse-overlayfs"
-
-# mountopt specifies comma separated list of extra mount options
-mountopt = "nodev"
-
-# Set to skip a PRIVATE bind mount on the storage home directory.
-# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
-# skip_mount_home = "false"
-
-# Set to use composefs to mount data layers with overlay.
-# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
-# use_composefs = "false"
-
-# Size is used to set a maximum size of the container image.
-# size = ""
-
-# ForceMask specifies the permissions mask that is used for new files and
-# directories.
-#
-# The values "shared" and "private" are accepted.
-# Octal permission masks are also accepted.
-#
-#  "": No value specified.
-#     All files/directories, get set with the permissions identified within the
-#     image.
-#  "private": it is equivalent to 0700.
-#     All files/directories get set with 0700 permissions.  The owner has rwx
-#     access to the files. No other users on the system can access the files.
-#     This setting could be used with networked based homedirs.
-#  "shared": it is equivalent to 0755.
-#     The owner has rwx access to the files and everyone else can read, access
-#     and execute them. This setting is useful for sharing containers storage
-#     with other users.  For instance have a storage owned by root but shared
-#     to rootless users as an additional store.
-#     NOTE:  All files within the image are made readable and executable by any
-#     user on the system. Even /etc/shadow within your image is now readable by
-#     any user.
-#
-#   OCTAL: Users can experiment with other OCTAL Permissions.
-#
-#  Note: The force_mask Flag is an experimental feature, it could change in the
-#  future.  When "force_mask" is set the original permission mask is stored in
-#  the "user.containers.override_stat" xattr and the "mount_program" option must
-#  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
-#  extended attribute permissions to processes within containers rather than the
-#  "force_mask"  permissions.
-#
-# force_mask = ""
--- a/images/ubuntu-2204/Dockerfile
+++ b/images/ubuntu-2204/Dockerfile
@ -0,0 +1,33 @@
+FROM ubuntu:22.04 as skeleton
+
+ENV NODE_VERSION="20.12.2"
+
+RUN apt update && \
+        apt upgrade -y && \
+        apt install -y \
+            curl \
+            podman \
+            jq \
+            git \
+            xz-utils \
+            ca-certificates \
+            unzip \
+            --no-install-recommends \
+            --autoremove
+
+FROM skeleton as build
+
+WORKDIR tmp
+
+RUN curl https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-x64.tar.xz \
+            --output /tmp/node-v$NODE_VERSION-linux-x64.tar.xz && \
+        tar -xf /tmp/node-v$NODE_VERSION-linux-x64.tar.xz
+
+FROM skeleton as runner
+
+WORKDIR /runner
+
+COPY --from=build /tmp/node-v$NODE_VERSION-linux-x64/bin/* /bin/
+COPY --from=build /tmp/node-v$NODE_VERSION-linux-x64/lib/* /lib/
+
+COPY ./files/registries.conf /etc/containers/registries.conf
--- a/images/debian-12.6-slim/files/registries.conf
+++ b/images/debian-12.6-slim/files/registries.conf
@ -1,5 +1,3 @@
-unqualified-search-registries = ["docker.io"]
-
 [[registry]]
 insecure = true
 location = "host.containers.internal:5000"
--- a/script/build-image.sh
+++ b/script/build-image.sh
@ -0,0 +1,19 @@
+#!/bin/bash
+
+image_name=$1
+image_tag=$2
+
+if [[ -z $image_name ]]; then
+    echo "An image name must be provided."
+    exit 1
+fi
+
+if [[ -z $image_tag ]]; then
+    echo "An image tag must be provided."
+    exit 1
+fi
+
+(
+    cd "images/$image_name"
+    podman build -t "$image_name:$image_tag" -f ./Dockerfile
+) || exit 1
--- a/script/get-tag.sh
+++ b/script/get-tag.sh
@ -0,0 +1,12 @@
+#!/bin/bash
+
+has_changes=$(git status --short)
+head_sha=$(git rev-parse --short HEAD)
+
+tag=$head_sha
+
+if [[ -n $has_changes ]]; then
+    tag="$tag-dev"
+fi
+
+echo "$tag"