username/bouncer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: run all CI jobs in containers via container directive
Some checks failed
CI / secrets (push) Failing after 9s
Details
CI / lint (push) Successful in 12s
Details
CI / test (push) Successful in 25s
Details
CI / build (push) Has been skipped
Details

Browse Source 
The linux runner has no git/node on host and rootless podman
lacks namespace privileges. Use container: directive for every
job: alpine for secrets (gitleaks binary), docker:latest for
build (docker socket mounted by runner).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
user
2026-02-22 08:20:20 +01:00
parent f14d067779
commit ed513251db
1 changed files with 20 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
.gitea/workflows/ci.yml
View File

@@ -42,35 +42,36 @@ jobs:
secrets: secrets:
runs-on: linux runs-on: linux
container:
image: alpine:latest
steps: steps:
- name: Checkout - name: Checkout
run: | run: |
podman run --rm \ apk add --no-cache -q git curl
-v "$PWD:/repo" \ git clone --branch "${GITHUB_REF_NAME}" \
-w /repo \ "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
alpine/git:latest \ - name: Install gitleaks
clone --branch "${GITHUB_REF_NAME}" "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
- name: Scan for secrets
run: | run: |
podman run --rm \ ARCH=$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/')
-v "$PWD:/scan:ro" \ curl -sSL "https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.22.1_linux_${ARCH}.tar.gz" \
ghcr.io/gitleaks/gitleaks:latest \ | tar xz -C /usr/local/bin/ gitleaks
detect --source /scan -v - name: Scan for secrets
run: gitleaks detect --source . -v
build: build:
runs-on: linux runs-on: linux
needs: [test, secrets] needs: [test, secrets]
if: github.event_name == 'push' && github.ref == 'refs/heads/master' if: github.event_name == 'push' && github.ref == 'refs/heads/master'
container:
image: docker:latest
steps: steps:
- name: Checkout - name: Checkout
run: | run: |
podman run --rm \ apk add --no-cache -q git
-v "$PWD:/repo" \ git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
-w /repo \ "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
alpine/git:latest \
clone --depth 1 --branch "${GITHUB_REF_NAME}" "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
- name: Login to Harbor - name: Login to Harbor
run: echo "$HARBOR_PASS" | podman login -u "$HARBOR_USER" --password-stdin harbor.mymx.me run: echo "$HARBOR_PASS" | docker login -u "$HARBOR_USER" --password-stdin harbor.mymx.me
env: env:
HARBOR_USER: ${{ secrets.HARBOR_USER }} HARBOR_USER: ${{ secrets.HARBOR_USER }}
HARBOR_PASS: ${{ secrets.HARBOR_PASS }} HARBOR_PASS: ${{ secrets.HARBOR_PASS }}
@@ -78,6 +79,6 @@ jobs:
run: | run: |
TAG="harbor.mymx.me/library/bouncer:${GITHUB_SHA::8}" TAG="harbor.mymx.me/library/bouncer:${GITHUB_SHA::8}"
LATEST="harbor.mymx.me/library/bouncer:latest" LATEST="harbor.mymx.me/library/bouncer:latest"
podman build -t "$TAG" -t "$LATEST" -f Containerfile . docker build -t "$TAG" -t "$LATEST" -f Containerfile .
podman push "$TAG" docker push "$TAG"
podman push "$LATEST" docker push "$LATEST"