893514cbad
fix: add docker.io to unqualified registries conf
All checks were successful
/ pre-run (push) Successful in 24s
/ build-runner (push) Successful in 3m48s
/ post-run (push) Successful in 29s
2024-11-06 22:34:14 -05:00
5df3bdf743
chore(deadcode): remove unused ubuntu-2204 image
All checks were successful
/ pre-run (push) Successful in 25s
/ build-runner (push) Successful in 3m54s
/ post-run (push) Successful in 30s
2024-11-06 21:32:10 -05:00
01277e9159
docs: add notes on building images locally+ci 2024-11-06 21:31:53 -05:00
f0e5a4f260
ci: set up container to build containers within podman 2024-11-06 21:16:02 -05:00
0578333f9d
ci: allow manual dispatch 2024-11-06 19:47:55 -05:00
3d890d7e2f
ci: use imagefactory runner
Some checks failed
/ post-run (push) Has been skipped
/ pre-run (push) Successful in 51s
/ build-images (debian-12.6-slim) (push) Failing after 1m35s
2024-11-06 19:31:22 -05:00
3cce76e206
feat(runner-latest): add unzip to system dependencies
Some checks are pending
/ pre-run (push) Waiting to run
/ build-images (debian-12.6-slim) (push) Blocked by required conditions
/ post-run (push) Blocked by required conditions
2024-11-06 19:29:43 -05:00
8f54762625
ci: only build debian images
Some checks failed
/ pre-run (push) Successful in 25s
/ post-run (push) Has been cancelled
/ build-images (debian-12.6-slim) (push) Has been cancelled
2024-07-30 18:57:01 -04:00
cc6dcd8aa3
ci: use debian runner image
Some checks failed
/ post-run (push) Has been skipped
/ pre-run (push) Successful in 24s
/ build-images (ubuntu-2204) (push) Failing after 47s
/ build-images (debian-12.6-slim) (push) Failing after 48s
2024-07-29 20:25:35 -04:00
948294ae2f
feat: add debian-12.6 based image, remove broken ubuntu-2404
All checks were successful
/ post-run (push) Successful in 29s
/ pre-run (push) Successful in 1m14s
/ build-images (debian-12.6-slim) (push) Successful in 8m17s
/ build-images (ubuntu-2204) (push) Successful in 5m44s
2024-07-29 19:56:32 -04:00
0fea8d3168
feat: add ubuntu-2404 based image
Some checks failed
/ pre-run (push) Successful in 23s
/ post-run (push) Has been skipped
/ build-images (ubuntu-2204) (push) Successful in 8m14s
/ build-images (ubuntu-2404) (push) Failing after 2m23s
2024-07-28 23:40:55 -04:00
1646584afc
fix: revert to apt-installed python
All checks were successful
/ pre-run (push) Successful in 26s
/ post-run (push) Successful in 28s
/ build-images (ubuntu-2204) (push) Successful in 5m56s
2024-07-28 23:32:51 -04:00
35080fd3b0
ci: replace shell scripts with python util
Some checks failed
/ pre-run (push) Successful in 23s
/ post-run (push) Has been cancelled
/ build-images (ubuntu-2204) (push) Has been cancelled
2024-07-28 23:22:47 -04:00
8315904427
fix: ensure healthy node20, corepack, python3.12
Some checks failed
/ pre-run (push) Successful in 40s
/ build-images (ubuntu-2204) (push) Failing after 22m38s
/ post-run (push) Has been cancelled
2024-07-28 15:07:29 -04:00
9 changed files with 225 additions and 83 deletions


@ -2,46 +2,49 @@ on:
push: push:
tags: tags:
- "*-v*" - "*-v*"
workflow_dispatch:
env: env:
REGISTRY_ENDPOINT: host.containers.internal:5000 REGISTRY_ENDPOINT: host.containers.internal:5000
jobs: jobs:
pre-run: pre-run:
runs-on: ubuntu-latest runs-on: imagefactory-latest
steps: steps:
- uses: https://forge.karnov.club/marc/push-status-to-discord-action@main - uses: https://forge.karnov.club/marc/push-status-to-discord-action@main
with: with:
webhook-url: ${{secrets.DISCORD_WEBHOOK_URL}} webhook-url: ${{secrets.DISCORD_WEBHOOK_URL}}
status: "Started" status: "Started"
init: true init: true
build-images: build-runner:
runs-on: ubuntu-latest needs: [pre-run]
strategy: runs-on: imagefactory-latest
matrix:
image-name: ['ubuntu-2204']
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: 3.12
- name: Login to Registry - name: Login to Registry
run: podman login -u ${{ secrets.REGISTRY_USER }} -p ${{ secrets.REGISTRY_TOKEN }} ${{ env.REGISTRY_ENDPOINT }} run: podman login -u ${{ secrets.REGISTRY_USER }} -p ${{ secrets.REGISTRY_TOKEN }} ${{ env.REGISTRY_ENDPOINT }}
- name: Set image metadata - name: Set image metadata
id: image-metadata id: image-metadata
run: | run: |
echo "image-tag=$(./script/get-tag.sh)" >> $GITHUB_OUTPUT echo "image-tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
echo "full-image-name=${{ matrix.image-name }}:$(./script/get-tag.sh)" >> $GITHUB_OUTPUT echo "full-image-name=debian-12.6-slim:$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
- name: Build image - name: Build image
run: ./script/build-image.sh ${{ matrix.image-name }} ${{ steps.image-metadata.outputs.image-tag }} run: python ./build_image.py ${{ steps.image-metadata.outputs.full-image-name }} ./images/debian-12.6-slim/Dockerfile
- name: Tag image as latest - name: Tag image as latest
run: podman tag ${{ steps.image-metadata.outputs.full-image-name }} ${{ matrix.image-name }}:latest run: podman tag ${{ steps.image-metadata.outputs.full-image-name }} debian-12.6-slim:latest
- name: List images - name: List images
run: podman image ls run: podman image ls
- name: Push tagged image to registry - name: Push tagged image to registry
if: ${{ github.event_name == 'push' }}
run: | run: |
podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/${{ steps.image-metadata.outputs.full-image-name }} podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/${{ steps.image-metadata.outputs.full-image-name }}
podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/${{ matrix.image-name }}:latest podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/debian-12.6-slim:latest
post-run: post-run:
runs-on: ubuntu-latest runs-on: imagefactory-latest
needs: [build-images] needs: [build-runner]
steps: steps:
- uses: https://forge.karnov.club/marc/push-status-to-discord-action@main - uses: https://forge.karnov.club/marc/push-status-to-discord-action@main
if: ${{success()}} if: ${{success()}}


@ -1,3 +1,15 @@
# runner-images # runner-images
Image factory for Forgejo action runners Image factory for Forgejo Action runners
## Building
Images can be build locally if needed:
```sh
python build_image.py <image-name> <Dockerfile path>
```
CI will also build images when a tag of the format `v*` is pushed. The images built by CI are tagged as `:latest` and pushed to the registry at the run.
If CI workflows are triggered manually (i.e. via `workflow_dispatch`), then the image push is skipped.

build_image.py Normal file

@ -0,0 +1,95 @@
"""
Builds a container image with the provided image name and tag.
Usage:
python build_image.py <image-name> <tag> [<image-path>]
"""
import subprocess
import pathlib
import logging
import typing
import sys
import os
import re
logger = logging.getLogger("build-image")
def get_tag(is_ci: bool) -> str:
"""
Gets an image tag composed of the short sha of the current commit
and, depending on the is_ci flag, a "-dev" suffix.
"""
result = subprocess.run(
"git rev-parse --short HEAD", shell=True, capture_output=True, check=True
)
sha = re.sub(r"\n", "", str(result.stdout.decode('utf-8')))
if not is_ci:
return f"{sha}-dev"
return sha
def build_image(image_name: str, tag: str, image_path: typing.Optional[pathlib.Path]):
"""
Calls Podman to build the container image defined at image_path, which defaults to
the current directory.
The built image is named and tagged using image_name and tag.
"""
if image_path is None:
image_path = pathlib.Path("./Dockerfile")
cwd = image_path.parent
image_path = image_path.relative_to(cwd)
subprocess.run(
f"podman build --no-cache -t {image_name}:{tag} -f {str(image_path)}",
shell=True,
check=True,
cwd=cwd,
)
def run(args: list[str]):
"""
CLI entrypoint.
"""
if len(args) < 1:
raise ValueError(
"There should be at least one argument. "
"Correct usage: python build_image.py <image-name:tag> [image-path]"
)
if len(args) > 2:
raise ValueError(
"Unrecognized arguments. "
"Correct usage: python build_image.py <image-name:tag> [image-path]"
)
tagged_image_name = args[0]
image_name_parts = tagged_image_name.split(":")
name = image_name_parts[0]
tag = (
image_name_parts[1]
if len(image_name_parts) == 2
else get_tag(bool(os.environ.get("CI", False)))
)
image_path = args[1] if len(args) == 2 else None
build_image(name, tag, pathlib.Path(image_path))
if __name__ == "__main__":
try:
run(sys.argv[1:])
except Exception as e: # pylint: disable=broad-exception-caught
logger.error(e)
exit(1)
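Review bot: `run()` always passes `pathlib.Path(image_path)` to `build_image`, so when the optional image path is omitted — the default both the module docstring and `build_image`'s own `if image_path is None` branch advertise — `pathlib.Path(None)` raises `TypeError` before that default is ever reached; the call should be `build_image(name, tag, pathlib.Path(image_path) if image_path is not None else None)`. Both subprocess calls also use `shell=True` with f-string interpolation of argv-derived values (the tagged image name and the Dockerfile path), which is a shell-injection path if the script is ever driven by anything other than the workflow; passing an argument list removes the shell and makes the `re.sub` newline strip unnecessary, as in the rewrite below. The module docstring still documents `python build_image.py <image-name> <tag> [<image-path>]` while `run` parses `<image-name:tag> [image-path]`, and the `except` branch calls the `site` builtin `exit(1)` where `sys.exit(1)` is the portable form given `sys` is already imported.
```python
def get_tag(is_ci: bool) -> str:
    # … unchanged: docstring …
    result = subprocess.run(
        ["git", "rev-parse", "--short", "HEAD"], capture_output=True, check=True
    )
    sha = result.stdout.decode("utf-8").strip()
    # … unchanged: -dev suffix and return …


def build_image(image_name: str, tag: str, image_path: typing.Optional[pathlib.Path]):
    # … unchanged: docstring, default Dockerfile path, cwd computation …
    subprocess.run(
        ["podman", "build", "--no-cache", "-t", f"{image_name}:{tag}", "-f", str(image_path)],
        check=True,
        cwd=cwd,
    )
```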


@ -0,0 +1,31 @@
FROM debian:12.6-slim as skeleton
ENV DEBIAN_FRONTEND noninteractive
ENV TZ Etc/UTC
RUN apt update && \
apt upgrade -y && \
apt install -y \
curl \
unzip \
podman \
jq \
git \
xz-utils \
ca-certificates \
nodejs \
npm \
python3 \
python3-pip \
pipx \
fuse-overlayfs \
--no-install-recommends \
--autoremove && \
apt-get clean
COPY ./files/registries.conf /etc/containers/registries.conf
COPY ./files/storage.conf /etc/containers/storage.conf
FROM skeleton as runner
WORKDIR /runner
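Review bot: `ENV DEBIAN_FRONTEND noninteractive` persists into the runtime environment, so every job executed on this runner image inherits it (and the space-separated `ENV key value` form is the deprecated legacy syntax); the install layer only needs it at build time, so write `ARG DEBIAN_FRONTEND=noninteractive` and `ENV TZ=Etc/UTC` instead. The `RUN` ends with `apt-get clean`, which empties the .deb cache but leaves `/var/lib/apt/lists/*` in the layer, so append `&& rm -rf /var/lib/apt/lists/*`. `FROM debian:12.6-slim` combined with `apt upgrade -y` (and `--no-cache` in build_image.py) means two builds of the same commit can produce different images; if the intent is to pick up Debian security updates on every tag build, a comment saying so would help, otherwise pin the base by digest. There is no `USER` instruction, so the runner and the nested podman run as root; that may be required for the podman/fuse-overlayfs setup this image configures, but a comment stating the reason would stop a later reader from "fixing" it.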


@ -1,3 +1,5 @@
unqualified-search-registries = ["docker.io"]
[[registry]] [[registry]]
insecure = true insecure = true
location = "host.containers.internal:5000" location = "host.containers.internal:5000"
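Review bot: Adding `docker.io` to `unqualified-search-registries` makes every short image name built on this runner — including `FROM debian:12.6-slim` in the new Dockerfile — silently resolve to Docker Hub; that is reasonable as the single entry, but it also means the build depends on this file being present, so writing the base as `docker.io/library/debian:12.6-slim` in the Dockerfile removes both that dependency and the short-name ambiguity. The pre-existing `insecure = true` for `host.containers.internal:5000` disables TLS and certificate verification for the registry the runner images are pushed to; presumably that endpoint only exists on the host's loopback, in which case a comment such as `# host-local registry, reached without TLS` would record the assumption the setting relies on.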


@ -0,0 +1,68 @@
[storage]
driver = "overlay"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"
[storage.options.overlay]
# ignore_chown_errors can be set to allow a non privileged user running with
# a single UID within a user namespace to run containers. The user can pull
# and use any image even those with multiple uids. Note multiple UIDs will be
# squashed down to the default uid in the container. These images will have no
# separation between the users in the container. Only supported for the overlay
# and vfs drivers.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
#ignore_chown_errors = "false"
# Inodes is used to set a maximum inodes of the container image.
# inodes = ""
# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
mount_program = "/usr/bin/fuse-overlayfs"
# mountopt specifies comma separated list of extra mount options
mountopt = "nodev"
# Set to skip a PRIVATE bind mount on the storage home directory.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
# skip_mount_home = "false"
# Set to use composefs to mount data layers with overlay.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
# use_composefs = "false"
# Size is used to set a maximum size of the container image.
# size = ""
# ForceMask specifies the permissions mask that is used for new files and
# directories.
#
# The values "shared" and "private" are accepted.
# Octal permission masks are also accepted.
#
# "": No value specified.
# All files/directories, get set with the permissions identified within the
# image.
# "private": it is equivalent to 0700.
# All files/directories get set with 0700 permissions. The owner has rwx
# access to the files. No other users on the system can access the files.
# This setting could be used with networked based homedirs.
# "shared": it is equivalent to 0755.
# The owner has rwx access to the files and everyone else can read, access
# and execute them. This setting is useful for sharing containers storage
# with other users. For instance have a storage owned by root but shared
# to rootless users as an additional store.
# NOTE: All files within the image are made readable and executable by any
# user on the system. Even /etc/shadow within your image is now readable by
# any user.
#
# OCTAL: Users can experiment with other OCTAL Permissions.
#
# Note: The force_mask Flag is an experimental feature, it could change in the
# future. When "force_mask" is set the original permission mask is stored in
# the "user.containers.override_stat" xattr and the "mount_program" option must
# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
# extended attribute permissions to processes within containers rather than the
# "force_mask" permissions.
#
# force_mask = ""


@ -1,38 +0,0 @@
FROM ubuntu:22.04 as skeleton
ENV NODE_VERSION="20.12.2"
RUN apt update && \
apt upgrade -y && \
apt install -y \
curl \
podman \
jq \
git \
xz-utils \
ca-certificates \
python3 \
python3-pip \
python3-venv \
--no-install-recommends \
--autoremove
FROM skeleton as build-node
WORKDIR tmp
# Install node.
RUN curl https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-x64.tar.xz \
--output /tmp/node-v$NODE_VERSION-linux-x64.tar.xz && \
tar -xf /tmp/node-v$NODE_VERSION-linux-x64.tar.xz
FROM skeleton as runner
WORKDIR /runner
COPY --from=build-node /tmp/node-v$NODE_VERSION-linux-x64/bin/* /bin/
COPY --from=build-node /tmp/node-v$NODE_VERSION-linux-x64/lib/* /lib/
RUN python3 -m pip install pipx
COPY ./files/registries.conf /etc/containers/registries.conf


@ -1,19 +0,0 @@
#!/bin/bash
image_name=$1
image_tag=$2
if [[ -z $image_name ]]; then
echo "An image name must be provided."
exit 1
fi
if [[ -z $image_tag ]]; then
echo "An image tag must be provided."
exit 1
fi
(
cd "images/$image_name"
podman build -t "$image_name:$image_tag" -f ./Dockerfile
) || exit 1


@ -1,12 +0,0 @@
#!/bin/bash
has_changes=$(git status --short)
head_sha=$(git rev-parse --short HEAD)
tag=$head_sha
if [[ -n $has_changes ]]; then
tag="$tag-dev"
fi
echo "$tag"