feat(ci): publish container images to Forgejo registry
Some checks failed
CI Smoke / host-smoke (push) Successful in 1s
CI Smoke / container-smoke (push) Successful in 2s
Build and Publish Container Image / build-and-push (push) Failing after 2m30s

Add image.yaml workflow targeting forgejo.coulomb.social; update Dockerfile
for Forgejo PyPI secret names. Point pyproject issue-core index at Forgejo
(uv.lock regen blocked until issue-core is published there).
This commit is contained in:
tegwick 2026-07-12 00:32:32 +02:00
parent 1061f3ea3d
commit 050942ffc1
3 changed files with 73 additions and 14 deletions

View file

@ -0,0 +1,59 @@
# Container image publish to forgejo.coulomb.social (RAILIANCE-WP-0014).
# Org secrets: REGISTRY_USER, REGISTRY_TOKEN; optional FORGEJO_PYPI_USER, FORGEJO_PYPI_TOKEN
name: Build and Publish Container Image
on:
push:
branches:
- main
paths:
- ".forgejo/workflows/image.yaml"
- "Dockerfile"
- "pyproject.toml"
- "uv.lock"
- "package.json"
- "package-lock.json"
- "vergabe_teilnahme/**"
- "static/**"
- "templates/**"
workflow_dispatch:
env:
REGISTRY: forgejo.coulomb.social
IMAGE_NAME: coulomb/vergabe-teilnahme
DOCKER_HOST: tcp://127.0.0.1:2375
jobs:
build-and-push:
runs-on: container-build
steps:
- name: Build and push image
env:
REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
FORGEJO_PYPI_USER: ${{ secrets.FORGEJO_PYPI_USER }}
FORGEJO_PYPI_TOKEN: ${{ secrets.FORGEJO_PYPI_TOKEN }}
run: |
set -eu
REF="${GITHUB_SHA:-main}"
SHORT="${REF:0:7}"
mkdir -p buildctx "${HOME}/bin"
wget -qO /tmp/repo.tar.gz \
"https://forgejo.coulomb.social/${GITHUB_REPOSITORY}/archive/${SHORT}.tar.gz"
tar xzf /tmp/repo.tar.gz -C buildctx --strip-components=1
wget -qO- https://download.docker.com/linux/static/stable/x86_64/docker-27.3.1.tgz \
| tar xz --strip-components=1 -C "${HOME}/bin" docker/docker
export PATH="${HOME}/bin:${PATH}"
echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY}" -u "${REGISTRY_USER}" --password-stdin
IMAGE="${REGISTRY}/${IMAGE_NAME}"
BUILD_ARGS=()
if [ -n "${FORGEJO_PYPI_USER:-}" ] && [ -n "${FORGEJO_PYPI_TOKEN:-}" ]; then
BUILD_ARGS+=(--secret "id=forgejo_pypi_user,env=FORGEJO_PYPI_USER")
BUILD_ARGS+=(--secret "id=forgejo_pypi_password,env=FORGEJO_PYPI_TOKEN")
fi
docker build "${BUILD_ARGS[@]}" \
-t "${IMAGE}:latest" -t "${IMAGE}:${SHORT}" -t "${IMAGE}:main-${SHORT}" buildctx
docker push "${IMAGE}:latest"
docker push "${IMAGE}:${SHORT}"
docker push "${IMAGE}:main-${SHORT}"
echo "pushed ${IMAGE}:latest ${IMAGE}:${SHORT}"

View file

@ -2,12 +2,12 @@
#
# Build:
# docker build \
# --secret id=gitea_pypi_user,env=GITEA_PYPI_USER \
# --secret id=gitea_pypi_password,env=GITEA_PYPI_TOKEN \
# -t gitea.coulomb.social/coulomb/vergabe-teilnahme:<tag> .
# --secret id=forgejo_pypi_user,env=FORGEJO_PYPI_USER \
# --secret id=forgejo_pypi_password,env=FORGEJO_PYPI_TOKEN \
# -t forgejo.coulomb.social/coulomb/vergabe-teilnahme:<tag> .
#
# The optional secrets let uv authenticate to the Gitea Python package
# registry when resolving issue-core.
# Optional secrets authenticate to the Forgejo Python package registry
# when resolving issue-core.
# ─── Stage 1 ─── Vite + Tailwind asset build ────────────────────────────────
@ -41,14 +41,14 @@ COPY --from=ghcr.io/astral-sh/uv:0.5.11 /uv /usr/local/bin/uv
WORKDIR /app
COPY pyproject.toml uv.lock ./
RUN --mount=type=secret,id=gitea_pypi_user,required=false \
--mount=type=secret,id=gitea_pypi_password,required=false \
RUN --mount=type=secret,id=forgejo_pypi_user,required=false \
--mount=type=secret,id=forgejo_pypi_password,required=false \
sh -eu -c '\
if [ -f /run/secrets/gitea_pypi_user ]; then \
export UV_INDEX_GITEA_USERNAME="$(cat /run/secrets/gitea_pypi_user)"; \
if [ -f /run/secrets/forgejo_pypi_user ]; then \
export UV_INDEX_FORGEJO_USERNAME="$(cat /run/secrets/forgejo_pypi_user)"; \
fi; \
if [ -f /run/secrets/gitea_pypi_password ]; then \
export UV_INDEX_GITEA_PASSWORD="$(cat /run/secrets/gitea_pypi_password)"; \
if [ -f /run/secrets/forgejo_pypi_password ]; then \
export UV_INDEX_FORGEJO_PASSWORD="$(cat /run/secrets/forgejo_pypi_password)"; \
fi; \
uv sync --no-dev --no-install-project \
'

View file

@ -15,11 +15,11 @@ dependencies = [
]
[tool.uv.sources]
issue-core = { index = "gitea" }
issue-core = { index = "forgejo" }
[[tool.uv.index]]
name = "gitea"
url = "https://gitea.coulomb.social/api/packages/coulomb/pypi/simple/"
name = "forgejo"
url = "https://forgejo.coulomb.social/api/packages/coulomb/pypi/simple/"
explicit = true
[dependency-groups]