Update scripts to hell and back

Signed-off-by: Andrei Jiroh Halili <ajhalili2006@gmail.com>

.build.yml

@@ -27,40 +27,14 @@ tasks:
   # in case of triggered from hottub
   - repo-sync: |
       cd tildeweb
-      env # for debugging purposes only
-
-      git remote add hub https://github.com/ajhalili2006/tildeverse-web && git pull hub main
-      git remote add lab https://mau.dev/ajhalili2006/tildeverse-web && git pull lab main
-
-      if [ "$BUILD_REASON" != "patchset" ] && [ "$BUILD_SUBMITTER" != "hub.sr.ht" ]; then
-        git remote set-url origin ssh://git@git.sr.ht/~ajhalili2006/tildeweb
-      fi
   - build: |
       cd tildeweb && pip3 install -r requirements.txt --user
       export PATH="$PATH:$HOME/.local/bin"
-
-      mkdocs build -d public -f mkdocs.yml
+      bash ./build.sh
   - generate-archive: |
       cd tildeweb
-      tar cvzf tildeweb-prod-build.tar.gz public
+      tar -C public -cvz . -f tildeweb-prod-build.tar.gz
   - deploy: |
-      if [ "$BUILD_REASON" == "patchset" ] && [ "$BUILD_SUBMITTER" == "hub.sr.ht" ]; then
-        complete-build
-        exit 0
-      elif [ ! -f "$HOME/.ssh/passowrdless-auth-sshfs" ]; then
-        complete-build
-        exit 0
-      fi
-  
-      cd tildeweb
-      echo "StrictHostKeyChecking=no" >> ~/.ssh/config
-      eval $(ssh-agent) && ssh-add ~/.ssh/passwordless-auth-sshfs
-      rsync -rP public ajhalili2006@vern.cc:/home/ajhalili2006/public_html/ || true
-      rsync -rP public ajhalili2006@ctrl-c.club:/home/ajhalili2006/public_html/ || true
-      #rsync -rP gmi ajhalili2006@vern.cc:/home/ajhalili2006/public_gemini/
-      #rsync -rP gmi ajhalili2006@ctrl-c.club:/home/ajhalili2006/public_gemini/
-  
-      git push origin -o skip-ci
-      git remote set-url lab ssh://git@mau.dev/ajhalili2006/tildeverse-web && git push lab main
+      echo done
 artifacts:
   - tildeweb/tildeweb-prod-build.tar.gz

.github/workflows/docker.yml

@@ -32,17 +32,11 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
-      # Install the cosign tool except on PR
-      # https://github.com/sigstore/cosign-installer
-      - name: Install cosign
-        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
-        with:
-          cosign-release: 'v1.13.1'
-
       # Workaround: https://github.com/docker/build-push-action/issues/461
       - name: Setup Docker buildx
         uses: docker/setup-buildx-action@v2
+        with:
+          buildkitd-flags: --debug
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
@@ -74,7 +68,7 @@ jobs:
             type=raw,value=latest,enable={{is_default_branch}}
             type=sha,enable=true,priority=100,prefix=commit-,suffix=,format=long
             type=schedule,pattern=nightly
-
+            type=raw,prefix=branch-,value={{branch}}
       - uses: actions/checkout@v3
       - uses: hadolint/hadolint-action@v3.1.0
         with:
@@ -93,24 +87,14 @@ jobs:
           load: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: |
+            type=registry,ref=quay.io/ajhalili2006/mkdocs-material-build-ci:buildkit-cache-web
+            type=registry,ref=quay.io/ajhalili2006/mkdocs-material-build-ci:branch-main
+            type=registry,ref=quay.io/ajhalili2006/mkdocs-material-build-ci:latest
+          cache-to: type=registry,ref=quay.io/ajhalili2006/mkdocs-material-build-ci:buildkit-cache-web
       - name: Workaround pushbot for misbehaving reverse proxies
         if: ${{ github.event_name != 'pull_request' }}
         run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} docker push {}
-
-      # Sign the resulting Docker image digest except on PRs.
-      # This will only write to the public Rekor transparency log when the Docker
-      # repository is public to avoid leaking data.  If you would like to publish
-      # transparency data even for private images, pass --force to cosign below.
-      # https://github.com/sigstore/cosign
-      - name: Sign the published Docker image
-        if: ${{ github.event_name != 'pull_request' }}
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        # This step uses the identity token to provision an ephemeral certificate
-        # against the sigstore community Fulcio instance.
-        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
   devenv:
     name: Generate Gitpod workspace image snapshot
     runs-on: ubuntu-latest
@@ -124,17 +108,11 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
-      # Install the cosign tool except on PR
-      # https://github.com/sigstore/cosign-installer
-      - name: Install cosign
-        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
-        with:
-          cosign-release: 'v1.13.1'
-
       # Workaround: https://github.com/docker/build-push-action/issues/461
       - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@
+        with:
+          buildkitd-flags: --debug
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
@@ -165,11 +143,12 @@ jobs:
             type=raw,value=latest,enable={{is_default_branch}}
             type=sha,enable=true,priority=100,prefix=commit-,suffix=,format=long
             type=schedule,pattern=nightly
+            type=raw,prefix=branch-,value={{branch}}
 
       - uses: actions/checkout@v3
       - uses: hadolint/hadolint-action@v3.1.0
         with:
-          dockerfile: docker/Dockerfile
+          dockerfile: .gitpod.Dockerfile
 
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
@@ -184,21 +163,11 @@ jobs:
           load: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: |
+            type=registry,ref=quay.io/ajhalili2006/gitpod-workspace:buildkit-cache-web
+            type=registry,ref=ghcr.io/ajhalili2006/ajhalili2006.github.io/devenv:nightly
+            type=registry,ref=cr.io/ajhalili2006/ajhalili2006.github.io/devenv:branch-main
+          cache-to: type=registry,ref=quay.io/ajhalili2006/gitpod-workspace:buildkit-cache-web
       - name: Workaround pushbot for misbehaving reverse proxies
         if: ${{ github.event_name != 'pull_request' }}
         run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} docker push {}
-
-      # Sign the resulting Docker image digest except on PRs.
-      # This will only write to the public Rekor transparency log when the Docker
-      # repository is public to avoid leaking data.  If you would like to publish
-      # transparency data even for private images, pass --force to cosign below.
-      # https://github.com/sigstore/cosign
-      - name: Sign the published Docker image
-        if: ${{ github.event_name != 'pull_request' }}
-        env:
-          COSIGN_EXPERIMENTAL: "true"
-        # This step uses the identity token to provision an ephemeral certificate
-        # against the sigstore community Fulcio instance.
-        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}

.gitignore

@@ -6,4 +6,5 @@ venv
 .venv
 .cache
 node_modules
-.env
+.env
+*.tar.gz

.gitlab-ci.yml

@@ -1,13 +1,19 @@
 # The Docker image that will be used to build your app
 image: quay.io/ajhalili2006/mkdocs-material-build-ci:nightly
 
-# Functions that should be executed before the build script is run
-before_script:
-  - pip3 install -r requirements.txt
-  - npm ci
-  - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
-  - (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh
+stages:
+  - build
 
+default:
+  tags:
+    - amd64 # currently, we only the image in amd64 right now.
+  # Functions that should be executed before the build script is run
+  before_script:
+    - pip3 install -r requirements.txt
+    - npm ci
+    - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
+    - (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh
+# Global builds and stuff
 variables:
   DEBUG: "1"
   FF_ENABLE_COMMIT_DATA: "true"
@@ -15,6 +21,7 @@ variables:
   SECURE_FILES_DOWNLOAD_PATH: /run/secrets
 
 pages:
+  stage: build
   script:
     - bash ./build.sh
     - doppler run -- ./bin/deploykit-pages.sh
@@ -28,3 +35,12 @@ pages:
     # This ensures that only pushes to the default branch will trigger
     # a pages deploy
     - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
+pages:srht:
+  stage: build
+  needs:
+    - pages
+  script:
+    - tar -C gmi -cvz . -f site.tar.gz
+    - doppler run -- ./bin/deploykit-srht.site.sh
+  rules:
+    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH

bin/deploykit-srht.site.sh

@@ -0,0 +1,11 @@
+#!/bin/env bash
+
+if [[ $SOURCEHUT_PAGES_TOKEN == "" ]]; then
+  echo "missing SOURCEHUT_PAGES_TOKEN variable"
+  exit 1
+fi
+
+curl --oauth2-bearer "$SOURCEHUT_PAGES_TOKEN" \
+    -Fcontent=@site.tar.gz \
+    -Fprotocol=GEMINI \
+    https://pages.sr.ht/publish/username.srht.site

docker/build.sh

@@ -10,4 +10,8 @@ DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-"0"} \
   docker build \
   -t $TAG \
   -f "$DOCKERFILE" \
-  "$CONTEXT"
+  "$CONTEXT"
+
+if [[ $DEPLOY != "" ]]; then
+  docker push "$TAG"
+fi