@mariusrugan
Last active June 1, 2024 22:43
Gitea self-hosted runner
# Inspired by:
# https://blog.gitea.com/creating-go-actions/
# https://gitea.com/Zettat123/test-simple-go-action/src/branch/main/.gitea/workflows/call-username.yml
# https://gitea.com/actions/release-action
# https://gitea.com/gitea/runner-images
# https://github.com/vegardit/docker-gitea-act-runner
# https://github.com/catthehacker/docker_images
#
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: build-image
run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀 🚀 🚀
on:
  push:
    branches: ["main"]
    paths:
      - .gitea/workflows/build-image.yaml
jobs:
  build-image:
    name: build-image
    runs-on: ubuntu-latest
    container:
      # image: ghcr.io/catthehacker/ubuntu:act-latest
      # image: gitea/runner-images:ubuntu-latest
      image: gitea.example.com/xyz/ubuntu-act:22.04
      credentials:
        username: ${{ gitea.actor }}
        password: ${{ secrets.GA_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - name: Install QEMU
        run: |
          sudo apt-get update
          sudo apt-get install -y qemu-user-static
      #
      # https://github.com/docker/metadata-action
      #
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            gitea.example.com/xyz/alpine
          tags: |
            type=schedule,pattern={{date 'YYYYMMDDHHMM'}}
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha
      # The daemon is the dind sidecar, reached as "docker" through the
      # --add-host entry in the runner config, over TLS with the client
      # certificate that the runner mounts into the job container.
      - name: Set up Docker Context for Buildx
        id: buildx-context
        run: |
          export DOCKER_HOST=tcp://docker:2376/
          export DOCKER_TLS_CERTDIR="/certs"
          export DOCKER_TLS_VERIFY=1
          export DOCKER_CERT_PATH="/certs/client"
          docker context create builders
      # https://github.com/docker/setup-buildx-action
      # https://docs.docker.com/engine/reference/commandline/cli/#environment-variables
      - name: Setup Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3
        with:
          # buildkitd-flags: --debug
          endpoint: builders
        env:
          DOCKER_HOST: "tcp://docker:2376/"
          DOCKER_TLS_CERTDIR: "/certs"
          DOCKER_TLS_VERIFY: 1
          DOCKER_CERT_PATH: "/certs/client"
      #
      # Debug
      #
      - name: Available platforms
        run: echo ${{ steps.buildx.outputs.platforms }}
      #
      # https://github.com/docker/login-action
      #
      - name: Login to Gitea
        uses: docker/login-action@v3
        with:
          registry: gitea.example.com
          username: ${{ gitea.actor }}
          password: ${{ secrets.GA_TOKEN }}
      #
      # https://github.com/docker/build-push-action
      #
      - name: Build and push the image
        if: gitea.event_name != 'pull_request'
        uses: docker/build-push-action@v5
        with:
          push: ${{ gitea.event_name != 'pull_request' }}
          platforms: linux/amd64
          context: containers/test
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
        env:
          DOCKER_HOST: "tcp://docker:2376/"
          DOCKER_TLS_CERTDIR: "/certs"
          DOCKER_TLS_VERIFY: 1
          DOCKER_CERT_PATH: "/certs/client"
      #
      #
      #
      - name: Inspect
        run: |
          docker buildx imagetools inspect gitea.example.com/xyz/ubuntu-act:22.04
        env:
          DOCKER_HOST: "tcp://docker:2376/"
          DOCKER_TLS_CERTDIR: "/certs"
          DOCKER_TLS_VERIFY: 1
          DOCKER_CERT_PATH: "/certs/client"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: config
  namespace: actions-runner-system
  annotations:
    reloader.stakater.com/auto: "true"
data:
  config.yaml: |-
    log:
      # The level of logging, can be trace, debug, info, warn, error, fatal
      level: debug

    runner:
      # Where to store the registration result.
      file: .runner
      # Execute how many tasks concurrently at the same time.
      capacity: 1
      # Extra environment variables to run jobs.
      envs:
        A_TEST_ENV_NAME_1: a_test_env_value_1
        A_TEST_ENV_NAME_2: a_test_env_value_2
      # Extra environment variables to run jobs from a file.
      # It will be ignored if it's empty or the file doesn't exist.
      env_file: .env
      # The timeout for a job to be finished.
      # Please note that the Gitea instance also has a timeout (3h by default) for the job.
      # So the job could be stopped by the Gitea instance if its timeout is shorter than this.
      timeout: 30m
      # Whether to skip verifying the TLS certificate of the Gitea instance.
      insecure: false
      # The timeout for fetching the job from the Gitea instance.
      fetch_timeout: 5s
      # The interval for fetching the job from the Gitea instance.
      fetch_interval: 2s
      # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
      # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
      # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
      # If it's empty when registering, it will ask for inputting labels.
      # If it's empty when executing `daemon`, the labels in the `.runner` file are used.
      labels:
        - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
        - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
        - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"

    cache:
      # Enable cache server to use actions/cache.
      enabled: true
      # The directory to store the cache data.
      # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
      dir: ""
      # The host of the cache server.
      # It's not the address to listen on, but the address to connect to from job containers.
      # So 0.0.0.0 is a bad choice; leave it empty to detect automatically.
      host: ""
      # The port of the cache server.
      # 0 means to use a random available port.
      port: 0
      # The external cache server URL. Valid only when enabled is true.
      # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
      # The URL should generally end with "/".
      external_server: ""

    container:
      # Specifies the network to which the container will connect.
      # Could be host, bridge or the name of a custom network.
      # If it's empty, act_runner will create a network automatically.
      network: ""
      # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
      # Job containers stay unprivileged here; only the dind sidecar in the StatefulSet is privileged.
      privileged: false
      # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
      # Here: make the dind daemon resolvable as "docker" and hand the job the TLS material under /certs.
      # Note that dind's DOCKER_TLS_CERTDIR also holds the ca/ and server/ keys; /certs/client is all a job
      # needs to talk to the daemon.
      options: "--add-host=docker:host-gateway -v /certs:/certs"
      # The parent directory of a job's working directory.
      # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically.
      # If the path starts with '/', the '/' will be trimmed.
      # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
      # If it's empty, /workspace will be used.
      # workdir_parent:
      # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
      # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
      # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
      # valid_volumes:
      #   - data
      #   - /src/*.json
      # If you want to allow any volume, please use the following configuration:
      # valid_volumes:
      #   - '**'
      # /certs must be listed here, otherwise the "-v /certs:/certs" in options above is refused.
      valid_volumes:
        - /certs
      # overrides the docker client host with the specified one.
      # If it's empty, act_runner will find an available docker host automatically.
      # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
      # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
      # docker_host: ""
      # Pull docker image(s) even if already present
      # force_pull: true
      # Rebuild docker image(s) even if already present
      # force_rebuild: false

    host:
      # The parent directory of a job's working directory.
      # If it's empty, $HOME/.cache/act/ will be used.
      # workdir_parent:
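A small checker for the act_runner config above, added here as an example and not part of act_runner or this gist: it parses the `-v` flags in `container.options` and reports the settings the comments describe as risky (`insecure`, `privileged`, host networking, wildcard `valid_volumes`, docker.sock or whole-TLS-directory mounts). It assumes the config has already been parsed into a dict (for example with `yaml.safe_load`) and the dind layout where `DOCKER_TLS_CERTDIR` holds `ca/`, `server/` and `client/` subdirectories; `SAMPLE_CONFIG` is a constructed subset of the ConfigMap.

```python
"""Lint an act_runner config.yaml (parsed into a dict) for settings that widen
what a job container can reach. Added example, not act_runner code."""
from __future__ import annotations

import shlex
from typing import Any

# Constructed sample: the security-relevant keys of the ConfigMap above.
SAMPLE_CONFIG: dict[str, Any] = {
    "runner": {"insecure": False, "timeout": "30m"},
    "container": {
        "privileged": False,
        "network": "",
        "options": "--add-host=docker:host-gateway -v /certs:/certs",
        "valid_volumes": ["/certs"],
    },
}


def host_mounts(options: str) -> list[str]:
    """Host-side source paths of -v/--volume flags in container.options
    (the --mount key=value syntax is not handled here)."""
    toks, out, i = shlex.split(options or ""), [], 0
    while i < len(toks):
        if toks[i] in ("-v", "--volume") and i + 1 < len(toks):
            out.append(toks[i + 1].split(":", 1)[0])
            i += 2
            continue
        if toks[i].startswith(("-v=", "--volume=")):
            out.append(toks[i].split("=", 1)[1].split(":", 1)[0])
        i += 1
    return out


def lint(cfg: dict[str, Any], tls_certdir: str = "/certs") -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged.
    tls_certdir is the dind DOCKER_TLS_CERTDIR (assumed layout: ca/, server/, client/)."""
    runner, container = cfg.get("runner") or {}, cfg.get("container") or {}
    findings: list[str] = []
    if runner.get("insecure"):
        findings.append("runner.insecure: TLS verification of the Gitea instance is off")
    if container.get("privileged"):
        findings.append("container.privileged: job containers run with all capabilities")
    if container.get("network") == "host":
        findings.append("container.network: host networking exposes the pod's ports to jobs")
    if any(v in ("*", "**") for v in container.get("valid_volumes") or []):
        findings.append("container.valid_volumes: wildcard lets jobs bind-mount any host path")
    for src in host_mounts(container.get("options", "")):
        if src.endswith("docker.sock"):
            findings.append(f"container.options: {src} gives jobs root-equivalent daemon access")
        elif src.rstrip("/") == tls_certdir.rstrip("/"):
            findings.append(f"container.options: {src} mounts the dind CA and server keys too; mount {tls_certdir}/client instead")
    return findings
```

Run against the ConfigMap above it reports only the whole-`/certs` mount; pointing `-v` at `/certs/client` instead clears it.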
# Inspired by:
#
# https://gitea.com/gitea/act_runner/src/branch/main/examples/kubernetes/dind-docker.yaml
# https://github.com/pikatenor/infra/blob/dc281adf838c00f563e3aa9dd5e0b5bc585d9d2e/dream0/default/gitea-runner-dind.yml
#
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: gitea-act-runner-dind
  name: gitea-act-runner-dind
  namespace: actions-runner-system
  annotations:
    reloader.stakater.com/auto: "true"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitea-act-runner-dind
  serviceName: gitea-act-runner-dind
  template:
    metadata:
      labels:
        app: gitea-act-runner-dind
    spec:
      restartPolicy: Always
      containers:
        #
        # 1. act_runner: waits until the dind sidecar listens on 2376, then starts
        #    the runner, talking to the daemon over TLS with the client certificate
        #    the sidecar writes to the shared /certs volume.
        #
        - name: runner
          image: gitea/act_runner:nightly
          command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
          env:
            - name: DOCKER_HOST
              value: tcp://localhost:2376
            - name: DOCKER_CERT_PATH
              value: /certs/client
            - name: DOCKER_TLS_VERIFY
              value: "1"
            - name: CONFIG_FILE
              value: /config.yaml
            - name: GITEA_INSTANCE_URL
              value: https://gitea.example.com
            - name: GITEA_RUNNER_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: GITEA_RUNNER_REGISTRATION_TOKEN
              valueFrom:
                secretKeyRef:
                  name: gitea-runner-secret
                  key: token
          volumeMounts:
            - name: docker-certs
              mountPath: /certs
            - name: runner-data
              mountPath: /data
            - name: config
              mountPath: /config.yaml
              subPath: config.yaml
        #
        # 2. Docker-in-Docker sidecar: the only privileged container in the pod;
        #    job containers are started unprivileged by act_runner.
        #
        - name: daemon
          image: docker:26.1.3-dind
          env:
            - name: DOCKER_TLS_CERTDIR
              value: /certs
          securityContext:
            privileged: true
          volumeMounts:
            - name: docker-certs
              mountPath: /certs
      volumes:
        - name: docker-certs
          emptyDir: {}
        - name: config
          configMap:
            name: config
        - name: runner-data
          persistentVolumeClaim:
            claimName: gitea-act-runner