Update scripts to hell and back

Signed-off-by: Andrei Jiroh Halili <ajhalili2006@gmail.com>
This commit is contained in:
Andrei Jiroh Halili 2023-07-15 16:22:08 +00:00
parent f57b1b1670
commit 8b77e1e70f
6 changed files with 61 additions and 86 deletions


@ -27,40 +27,14 @@ tasks:
# in case of triggered from hottub # in case of triggered from hottub
- repo-sync: | - repo-sync: |
cd tildeweb cd tildeweb
env # for debugging purposes only
git remote add hub https://github.com/ajhalili2006/tildeverse-web && git pull hub main
git remote add lab https://mau.dev/ajhalili2006/tildeverse-web && git pull lab main
if [ "$BUILD_REASON" != "patchset" ] && [ "$BUILD_SUBMITTER" != "hub.sr.ht" ]; then
git remote set-url origin ssh://git@git.sr.ht/~ajhalili2006/tildeweb
fi
- build: | - build: |
cd tildeweb && pip3 install -r requirements.txt --user cd tildeweb && pip3 install -r requirements.txt --user
export PATH="$PATH:$HOME/.local/bin" export PATH="$PATH:$HOME/.local/bin"
bash ./build.sh
mkdocs build -d public -f mkdocs.yml
- generate-archive: | - generate-archive: |
cd tildeweb cd tildeweb
tar cvzf tildeweb-prod-build.tar.gz public tar -C public -cvz . -f tildeweb-prod-build.tar.gz
- deploy: | - deploy: |
if [ "$BUILD_REASON" == "patchset" ] && [ "$BUILD_SUBMITTER" == "hub.sr.ht" ]; then echo done
complete-build
exit 0
elif [ ! -f "$HOME/.ssh/passowrdless-auth-sshfs" ]; then
complete-build
exit 0
fi
cd tildeweb
echo "StrictHostKeyChecking=no" >> ~/.ssh/config
eval $(ssh-agent) && ssh-add ~/.ssh/passwordless-auth-sshfs
rsync -rP public ajhalili2006@vern.cc:/home/ajhalili2006/public_html/ || true
rsync -rP public ajhalili2006@ctrl-c.club:/home/ajhalili2006/public_html/ || true
#rsync -rP gmi ajhalili2006@vern.cc:/home/ajhalili2006/public_gemini/
#rsync -rP gmi ajhalili2006@ctrl-c.club:/home/ajhalili2006/public_gemini/
git push origin -o skip-ci
git remote set-url lab ssh://git@mau.dev/ajhalili2006/tildeverse-web && git push lab main
artifacts: artifacts:
- tildeweb/tildeweb-prod-build.tar.gz - tildeweb/tildeweb-prod-build.tar.gz
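Review bot: The `deploy` task on the new side is reduced to `echo done` while `artifacts:` still uploads `tildeweb/tildeweb-prod-build.tar.gz`, and nothing in the manifest says why the rsync/git-push deployment went away; a comment above the task such as `# deployment now happens from GitLab CI; this manifest only produces the build artifact` would spare the next reader a git-blame, assuming that is the intent (the `.gitlab-ci.yml` change in this commit suggests it, but I can't confirm it from here). `env # for debugging purposes only` under `repo-sync` is printed once in the rendered diff, so I can't tell which side it is on; if it survives in the new manifest it dumps every variable of the build environment into a build log that anyone able to view the build can read, so print only what is needed, e.g. `echo "reason=$BUILD_REASON submitter=$BUILD_SUBMITTER"`, or drop the line.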


@ -32,17 +32,11 @@ jobs:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v3 uses: actions/checkout@v3
# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
with:
cosign-release: 'v1.13.1'
# Workaround: https://github.com/docker/build-push-action/issues/461 # Workaround: https://github.com/docker/build-push-action/issues/461
- name: Setup Docker buildx - name: Setup Docker buildx
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v2
with:
buildkitd-flags: --debug
# Login against a Docker registry except on PR # Login against a Docker registry except on PR
# https://github.com/docker/login-action # https://github.com/docker/login-action
@ -74,7 +68,7 @@ jobs:
type=raw,value=latest,enable={{is_default_branch}} type=raw,value=latest,enable={{is_default_branch}}
type=sha,enable=true,priority=100,prefix=commit-,suffix=,format=long type=sha,enable=true,priority=100,prefix=commit-,suffix=,format=long
type=schedule,pattern=nightly type=schedule,pattern=nightly
type=raw,prefix=branch-,value={{branch}}
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- uses: hadolint/hadolint-action@v3.1.0 - uses: hadolint/hadolint-action@v3.1.0
with: with:
@ -93,24 +87,14 @@ jobs:
load: true load: true
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }} labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha cache-from: |
cache-to: type=gha,mode=max type=registry,ref=quay.io/ajhalili2006/mkdocs-material-build-ci:buildkit-cache-web
type=registry,ref=quay.io/ajhalili2006/mkdocs-material-build-ci:branch-main
type=registry,ref=quay.io/ajhalili2006/mkdocs-material-build-ci:latest
cache-to: type=registry,ref=quay.io/ajhalili2006/mkdocs-material-build-ci:buildkit-cache-web
- name: Workaround pushbot for misbehaving reverse proxies - name: Workaround pushbot for misbehaving reverse proxies
if: ${{ github.event_name != 'pull_request' }} if: ${{ github.event_name != 'pull_request' }}
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} docker push {} run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} docker push {}
# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker
# repository is public to avoid leaking data. If you would like to publish
# transparency data even for private images, pass --force to cosign below.
# https://github.com/sigstore/cosign
- name: Sign the published Docker image
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_EXPERIMENTAL: "true"
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
devenv: devenv:
name: Generate Gitpod workspace image snapshot name: Generate Gitpod workspace image snapshot
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -124,17 +108,11 @@ jobs:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v3 uses: actions/checkout@v3
# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
with:
cosign-release: 'v1.13.1'
# Workaround: https://github.com/docker/build-push-action/issues/461 # Workaround: https://github.com/docker/build-push-action/issues/461
- name: Setup Docker buildx - name: Setup Docker buildx
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@
with:
buildkitd-flags: --debug
# Login against a Docker registry except on PR # Login against a Docker registry except on PR
# https://github.com/docker/login-action # https://github.com/docker/login-action
@ -165,11 +143,12 @@ jobs:
type=raw,value=latest,enable={{is_default_branch}} type=raw,value=latest,enable={{is_default_branch}}
type=sha,enable=true,priority=100,prefix=commit-,suffix=,format=long type=sha,enable=true,priority=100,prefix=commit-,suffix=,format=long
type=schedule,pattern=nightly type=schedule,pattern=nightly
type=raw,prefix=branch-,value={{branch}}
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- uses: hadolint/hadolint-action@v3.1.0 - uses: hadolint/hadolint-action@v3.1.0
with: with:
dockerfile: docker/Dockerfile dockerfile: .gitpod.Dockerfile
# Build and push Docker image with Buildx (don't push on PR) # Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action # https://github.com/docker/build-push-action
@ -184,21 +163,11 @@ jobs:
load: true load: true
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }} labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha cache-from: |
cache-to: type=gha,mode=max type=registry,ref=quay.io/ajhalili2006/gitpod-workspace:buildkit-cache-web
type=registry,ref=ghcr.io/ajhalili2006/ajhalili2006.github.io/devenv:nightly
type=registry,ref=cr.io/ajhalili2006/ajhalili2006.github.io/devenv:branch-main
cache-to: type=registry,ref=quay.io/ajhalili2006/gitpod-workspace:buildkit-cache-web
- name: Workaround pushbot for misbehaving reverse proxies - name: Workaround pushbot for misbehaving reverse proxies
if: ${{ github.event_name != 'pull_request' }} if: ${{ github.event_name != 'pull_request' }}
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} docker push {} run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} docker push {}
# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker
# repository is public to avoid leaking data. If you would like to publish
# transparency data even for private images, pass --force to cosign below.
# https://github.com/sigstore/cosign
- name: Sign the published Docker image
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_EXPERIMENTAL: "true"
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
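Review bot: `uses: docker/setup-buildx-action@` in the devenv job (hunk `@ -124,17 +108,11 @@`) appears to have lost its ref after the `@`, which GitHub rejects when the workflow is loaded; the build-push job keeps `uses: docker/setup-buildx-action@v2`, so the same pin belongs here. In the devenv cache hunk, `ref=cr.io/ajhalili2006/ajhalili2006.github.io/devenv:branch-main` names a different host than the `ghcr.io` entry directly above it, which looks like a typo and would mean importing cache layers from whatever serves that name; it should read `ghcr.io`. Both new `cache-to` values drop the `mode=max` the previous `type=gha` export had, so only final-stage layers are exported (`cache-to: type=registry,ref=…,mode=max` restores that), and the registry export now also runs on pull requests, where the login step shown in context is skipped, so PR builds may fail at cache export. Separately, removing the cosign steps leaves the pushed images unsigned; anyone verifying these tags with cosign will stop getting a valid signature, which is worth stating in the commit message or a workflow comment.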

1
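--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ venv
 .cache
 node_modules
 .env
+*.tar.gz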


@ -1,13 +1,19 @@
# The Docker image that will be used to build your app # The Docker image that will be used to build your app
image: quay.io/ajhalili2006/mkdocs-material-build-ci:nightly image: quay.io/ajhalili2006/mkdocs-material-build-ci:nightly
# Functions that should be executed before the build script is run stages:
before_script: - build
- pip3 install -r requirements.txt
- npm ci
- curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
- (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh
default:
tags:
- amd64 # currently, we only the image in amd64 right now.
# Functions that should be executed before the build script is run
before_script:
- pip3 install -r requirements.txt
- npm ci
- curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
- (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh
# Global builds and stuff
variables: variables:
DEBUG: "1" DEBUG: "1"
FF_ENABLE_COMMIT_DATA: "true" FF_ENABLE_COMMIT_DATA: "true"
@ -15,6 +21,7 @@ variables:
SECURE_FILES_DOWNLOAD_PATH: /run/secrets SECURE_FILES_DOWNLOAD_PATH: /run/secrets
pages: pages:
stage: build
script: script:
- bash ./build.sh - bash ./build.sh
- doppler run -- ./bin/deploykit-pages.sh - doppler run -- ./bin/deploykit-pages.sh
@ -28,3 +35,12 @@ pages:
# This ensures that only pushes to the default branch will trigger # This ensures that only pushes to the default branch will trigger
# a pages deploy # a pages deploy
- if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
pages:srht:
stage: build
needs:
- pages
script:
- tar -C gmi -cvz . -f site.tar.gz
- doppler run -- ./bin/deploykit-srht.site.sh
rules:
- if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
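Review bot: `pages:srht` runs `tar -C gmi -cvz . -f site.tar.gz` in its own job workspace, but `gmi` is presumably produced by the `pages` job (via `bash ./build.sh`), and `needs: - pages` only carries it over if `pages` declares it under `artifacts: paths`; that declaration is outside this hunk, so confirm it or the tar step fails on a missing directory. The new job also relies on `doppler run` supplying `SOURCEHUT_PAGES_TOKEN`, which is not visible here and should be checked against the Doppler project config. The comment `# currently, we only the image in amd64 right now.` is missing a verb; `# currently, the image is only built for amd64` reads better.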

11
bin/deploykit-srht.site.sh Executable file

@ -0,0 +1,11 @@
#!/bin/env bash
if [[ $SOURCEHUT_PAGES_TOKEN == "" ]]; then
echo "missing SOURCEHUT_PAGES_TOKEN variable"
exit 1
fi
curl --oauth2-bearer "$SOURCEHUT_PAGES_TOKEN" \
-Fcontent=@site.tar.gz \
-Fprotocol=GEMINI \
https://pages.sr.ht/publish/username.srht.site
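Review bot: `https://pages.sr.ht/publish/username.srht.site` on the last line uses what looks like the example hostname from the sourcehut pages documentation rather than this project's site, so the publish would target the wrong or a nonexistent site; confirm the intended domain. `curl` is also invoked without `--fail`, so an HTTP error from the publish endpoint still exits 0 and the pipeline stays green — `curl --fail --oauth2-bearer "$SOURCEHUT_PAGES_TOKEN" \` fixes that. The shebang `#!/bin/env bash` depends on `env` living in `/bin`, which is not true on every image; `#!/usr/bin/env bash` is the portable form. The hunk header counts 11 added lines but nine are shown, so some lines may have been dropped in rendering.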

4
docker/build.sh Normal file → Executable file

@ -11,3 +11,7 @@ DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-"0"} \
-t $TAG \ -t $TAG \
-f "$DOCKERFILE" \ -f "$DOCKERFILE" \
"$CONTEXT" "$CONTEXT"
if [[ $DEPLOY != "" ]]; then
docker push "$TAG"
fi
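Review bot: `docker push "$TAG"` in the new block runs even when the preceding `docker build` failed, unless the script enables `set -e` above this hunk (its start is outside SOURCE), so a stale image already tagged `$TAG` locally could be pushed after a broken build. Appending `|| exit 1` to the build command's last line, `"$CONTEXT" || exit 1`, keeps the push conditional on a successful build. Note also that the guard treats any non-empty `DEPLOY`, including `0` or `false`, as a request to push; if that is not intended, compare against an explicit value such as `[[ $DEPLOY == "1" ]]`.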