diff --git a/.build.yml b/.build.yml index 550f54c..ec5d384 100644 --- a/.build.yml +++ b/.build.yml @@ -27,40 +27,14 @@ tasks: # in case of triggered from hottub - repo-sync: | cd tildeweb - env # for debugging purposes only - - git remote add hub https://github.com/ajhalili2006/tildeverse-web && git pull hub main - git remote add lab https://mau.dev/ajhalili2006/tildeverse-web && git pull lab main - - if [ "$BUILD_REASON" != "patchset" ] && [ "$BUILD_SUBMITTER" != "hub.sr.ht" ]; then - git remote set-url origin ssh://git@git.sr.ht/~ajhalili2006/tildeweb - fi - build: | cd tildeweb && pip3 install -r requirements.txt --user export PATH="$PATH:$HOME/.local/bin" - - mkdocs build -d public -f mkdocs.yml + bash ./build.sh - generate-archive: | cd tildeweb - tar cvzf tildeweb-prod-build.tar.gz public + tar -C public -cvz . -f tildeweb-prod-build.tar.gz - deploy: | - if [ "$BUILD_REASON" == "patchset" ] && [ "$BUILD_SUBMITTER" == "hub.sr.ht" ]; then - complete-build - exit 0 - elif [ ! -f "$HOME/.ssh/passowrdless-auth-sshfs" ]; then - complete-build - exit 0 - fi - - cd tildeweb - echo "StrictHostKeyChecking=no" >> ~/.ssh/config - eval $(ssh-agent) && ssh-add ~/.ssh/passwordless-auth-sshfs - rsync -rP public ajhalili2006@vern.cc:/home/ajhalili2006/public_html/ || true - rsync -rP public ajhalili2006@ctrl-c.club:/home/ajhalili2006/public_html/ || true - #rsync -rP gmi ajhalili2006@vern.cc:/home/ajhalili2006/public_gemini/ - #rsync -rP gmi ajhalili2006@ctrl-c.club:/home/ajhalili2006/public_gemini/ - - git push origin -o skip-ci - git remote set-url lab ssh://git@mau.dev/ajhalili2006/tildeverse-web && git push lab main + echo done artifacts: - tildeweb/tildeweb-prod-build.tar.gz \ No newline at end of file diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 1d46355..ff98ee8 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
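Review bot: The new archive command `tar -C public -cvz . -f tildeweb-prod-build.tar.gz` places `-f` after the `.` operand, which only works because GNU tar permutes options; `tar -C public -czvf tildeweb-prod-build.tar.gz .` is the portable spelling, and the same form appears in the new `pages:srht` job in .gitlab-ci.yml. The archive layout also changes from `public/...` entries to `./...` entries, so anything that unpacks the artifact expecting a `public` directory would need adjusting — worth confirming against the consumer. The `deploy` task is now just `echo done`; if it is no longer needed it could be dropped rather than left as a placeholder.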
@@ -32,17 +32,11 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 - with: - cosign-release: 'v1.13.1' - # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx uses: docker/setup-buildx-action@v2 + with: + buildkitd-flags: --debug # Login against a Docker registry except on PR # https://github.com/docker/login-action @@ -74,7 +68,7 @@ jobs: type=raw,value=latest,enable={{is_default_branch}} type=sha,enable=true,priority=100,prefix=commit-,suffix=,format=long type=schedule,pattern=nightly - + type=raw,prefix=branch-,value={{branch}} - uses: actions/checkout@v3 - uses: hadolint/hadolint-action@v3.1.0 with: 
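Review bot: Removing the cosign installer here, together with the "Sign the published Docker image" step removed further down (@@ -93) and the same two removals in the devenv job (@@ -124, @@ -184), means published images are no longer signed, so downstream consumers lose the ability to verify them with `cosign verify`; if that is intended, a short comment above the buildx step saying why signing was dropped would help the next reader. The added `buildkitd-flags: --debug` turns on BuildKit daemon debug logging for every run, which makes logs much noisier; consider making it conditional, e.g. `buildkitd-flags: ${{ runner.debug == '1' && '--debug' || '' }}`.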
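Review bot: The new `type=raw,prefix=branch-,value={{branch}}` tag is not gated, and on pull_request events metadata-action's `{{branch}}` expands to an empty value as far as I recall, which would yield a bare `branch-` tag; a guard such as `type=raw,prefix=branch-,value={{branch}},enable=${{ github.event_name != 'pull_request' }}` avoids that. The same line is added to the devenv job (@@ -165).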
@@ -93,24 +87,14 @@ jobs: load: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max + cache-from: | + type=registry,ref=quay.io/ajhalili2006/mkdocs-material-build-ci:buildkit-cache-web + type=registry,ref=quay.io/ajhalili2006/mkdocs-material-build-ci:branch-main + type=registry,ref=quay.io/ajhalili2006/mkdocs-material-build-ci:latest + cache-to: type=registry,ref=quay.io/ajhalili2006/mkdocs-material-build-ci:buildkit-cache-web - name: Workaround pushbot for misbehaving reverse proxies if: ${{ github.event_name != 'pull_request' }} run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} docker push {} - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - COSIGN_EXPERIMENTAL: "true" - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} devenv: name: Generate Gitpod workspace image snapshot runs-on: ubuntu-latest 
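Review bot: `cache-to: type=registry,ref=quay.io/ajhalili2006/mkdocs-material-build-ci:buildkit-cache-web` drops the `mode=max` the removed gha line carried, so only the final stage's layers are exported (BuildKit's default min mode); add `,mode=max` if intermediate-stage caching was intended. The surrounding comments say the registry login step is skipped on pull_request, and a registry cache export without credentials can fail the build step, so I would gate the export, e.g. `cache-to: ${{ github.event_name != 'pull_request' && 'type=registry,ref=quay.io/ajhalili2006/mkdocs-material-build-ci:buildkit-cache-web,mode=max' || '' }}`. The same applies to the devenv job's cache-to (@@ -184).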
@@ -124,17 +108,11 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0 - with: - cosign-release: 'v1.13.1' - # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@ + with: + buildkitd-flags: --debug # Login against a Docker registry except on PR # https://github.com/docker/login-action @@ -165,11 +143,12 @@ jobs: type=raw,value=latest,enable={{is_default_branch}} type=sha,enable=true,priority=100,prefix=commit-,suffix=,format=long type=schedule,pattern=nightly + type=raw,prefix=branch-,value={{branch}} - uses: actions/checkout@v3 - uses: hadolint/hadolint-action@v3.1.0 with: - dockerfile: docker/Dockerfile + dockerfile: .gitpod.Dockerfile # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action 
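Review bot: `uses: docker/setup-buildx-action@` has nothing after the `@`, so the workflow file is invalid and GitHub will refuse to run it; the build job keeps `uses: docker/setup-buildx-action@v2`, which this line should match, ideally pinned to a commit SHA the way the removed cosign-installer line was.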
@@ -184,21 +163,11 @@ jobs: load: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max + cache-from: | + type=registry,ref=quay.io/ajhalili2006/gitpod-workspace:buildkit-cache-web + type=registry,ref=ghcr.io/ajhalili2006/ajhalili2006.github.io/devenv:nightly + type=registry,ref=cr.io/ajhalili2006/ajhalili2006.github.io/devenv:branch-main + cache-to: type=registry,ref=quay.io/ajhalili2006/gitpod-workspace:buildkit-cache-web - name: Workaround pushbot for misbehaving reverse proxies if: ${{ github.event_name != 'pull_request' }} run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} docker push {} - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - COSIGN_EXPERIMENTAL: "true" - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} \ No newline at end of file diff --git a/.gitignore b/.gitignore index a0f2549..29003fa 100644 --- a/.gitignore +++ b/.gitignore @@ -6,4 +6,5 @@ venv .venv .cache node_modules -.env \ No newline at end of file +.env +*.tar.gz \ No newline at end of file diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index d98b0c8..eed8e1d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
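Review bot: `type=registry,ref=cr.io/ajhalili2006/ajhalili2006.github.io/devenv:branch-main` points at the host `cr.io`, while the line above uses `ghcr.io` for the same repository path; this looks like a truncated `ghcr.io`, and as far as I know a missing cache source is only a BuildKit warning, so the typo would go unnoticed. The `branch-main` tag referenced here is one this commit only starts producing via the new `type=raw,prefix=branch-` line, so the first run has no such cache to import, which is fine but worth knowing. As in the build job, the cache-to line omits `mode=max`.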
@@ -1,13 +1,19 @@ # The Docker image that will be used to build your app image: quay.io/ajhalili2006/mkdocs-material-build-ci:nightly -# Functions that should be executed before the build script is run -before_script: - - pip3 install -r requirements.txt - - npm ci - - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash - - (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh +stages: + - build +default: + tags: + - amd64 # currently, we only the image in amd64 right now. + # Functions that should be executed before the build script is run + before_script: + - pip3 install -r requirements.txt + - npm ci + - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash + - (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh +# Global builds and stuff variables: DEBUG: "1" FF_ENABLE_COMMIT_DATA: "true" @@ -15,6 +21,7 @@ variables: SECURE_FILES_DOWNLOAD_PATH: /run/secrets pages: + stage: build script: - bash ./build.sh - doppler run -- ./bin/deploykit-pages.sh @@ -28,3 +35,12 @@ pages: # This ensures that only pushes to the default branch will trigger # a pages deploy - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH +pages:srht: + stage: build + needs: + - pages + script: + - tar -C gmi -cvz . -f site.tar.gz + - doppler run -- ./bin/deploykit-srht.site.sh + rules: + - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH \ No newline at end of file diff --git a/bin/deploykit-srht.site.sh b/bin/deploykit-srht.site.sh new file mode 100755 index 0000000..711ee0f --- /dev/null +++ b/bin/deploykit-srht.site.sh 
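Review bot: The comment `# currently, we only the image in amd64 right now.` is missing its verb; `# currently, we only build the image for amd64.` reads correctly. Moving `before_script` under `default:` also means the new `pages:srht` job (@@ -28) now runs `pip3 install`, `npm ci` and both installer downloads before a job that only needs `tar` and `doppler`, adding time and surface to that job; a job-level `before_script:` on `pages:srht` (or moving the install steps into the `pages` job) would limit that.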
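Review bot: `pages:srht` tars `gmi` but depends on that directory existing in its own workspace; with `needs: [pages]` only artifacts the `pages` job declares are downloaded, and the hunk does not show `gmi` under that job's `artifacts:paths` (the `pages` job's artifacts block is outside this hunk), so confirm it is exported. `tar -C gmi -cvz . -f site.tar.gz` also puts `-f` after the operand, which relies on GNU tar's option permutation; `tar -C gmi -czvf site.tar.gz .` is portable. The file still ends without a trailing newline.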
@@ -0,0 +1,11 @@
+#!/bin/env bash
+
+if [[ $SOURCEHUT_PAGES_TOKEN == "" ]]; then
+ echo "missing SOURCEHUT_PAGES_TOKEN variable"
+ exit 1
+fi
+
+curl --oauth2-bearer "$SOURCEHUT_PAGES_TOKEN" \
+ -Fcontent=@site.tar.gz \
+ -Fprotocol=GEMINI \
+ https://pages.sr.ht/publish/username.srht.site
\ No newline at end of file
diff --git a/docker/build.sh b/docker/build.sh
old mode 100644
new mode 100755
index dd9dfbe..1166889
--- a/docker/build.sh
+++ b/docker/build.sh
@@ -10,4 +10,8 @@ DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-"0"} \
 docker build \
 -t $TAG \
 -f "$DOCKERFILE" \
- "$CONTEXT"
\ No newline at end of file
+ "$CONTEXT"
+
+if [[ $DEPLOY != "" ]]; then
+ docker push "$TAG"
+fi
\ No newline at end of file
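Review bot: The shebang `#!/bin/env bash` points at `/bin/env`, which does not exist on most distributions (`env` lives in `/usr/bin`), so the script fails to start unless invoked as `bash ./bin/deploykit-srht.site.sh`; `#!/usr/bin/env bash` is the conventional form. The curl call has no `--fail`, so an HTTP error from pages.sr.ht (an expired or wrong token, for instance) exits 0 and the CI job reports success; `curl -fsS --oauth2-bearer "$SOURCEHUT_PAGES_TOKEN" \` fixes that. The publish URL `https://pages.sr.ht/publish/username.srht.site` still carries the placeholder `username`, which presumably should be the real site hostname — confirm before merging. `[[ -z "$SOURCEHUT_PAGES_TOKEN" ]]` is the idiomatic empty check and also behaves under `set -u`.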
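Review bot: The new `docker push "$TAG"` runs regardless of whether the preceding `docker build` succeeded, and the top of the script is outside this hunk, so unless it already sets `set -e` a failed build would push whatever image currently carries `$TAG` locally; ending the build command with `"$CONTEXT" || exit 1`, or adding `set -euo pipefail` at the top, closes that gap. `[[ -n "$DEPLOY" ]]` is the idiomatic form of the non-empty test, and the unquoted `-t $TAG` in the context lines is inconsistent with the quoted `"$TAG"` added here.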