From a64b09de8e75fa8c88d5259e9ec232063dc179d6 Mon Sep 17 00:00:00 2001
From: user
Date: Sun, 22 Feb 2026 07:08:55 +0100
Subject: [PATCH] fix: run CI jobs in rootless podman containers

Use container: directive per job instead of nested podman run. Each job specifies its execution image directly:
- test: python:3.13-alpine
- secrets: ghcr.io/gitleaks/gitleaks:latest
- build: quay.io/podman/stable (--privileged for nested builds)

Co-Authored-By: Claude Opus 4.6
---
 .gitea/workflows/ci.yaml | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index e78747d..a0d4d8d 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -7,37 +7,35 @@ on:
 jobs:
 test:
 runs-on: linux
+ container: python:3.13-alpine
 steps:
+ - run: apk add --no-cache git
 - run: |
 git clone --depth 1 \
 -c "http.extraHeader=Authorization: token ${{ github.token }}" \
 "${{ github.server_url }}/${{ github.repository }}.git" .
- - run: |
- podman run --rm \
- -v "$PWD:/app:ro" \
- -w /app \
- python:3.13-alpine \
- sh -c "pip install --no-cache-dir -r requirements.txt ruff pytest && \
- ruff check src/ tests/ && \
- PYTHONPATH=src pytest tests/ -v"
+ - run: pip install --no-cache-dir -r requirements.txt ruff pytest
+ - run: ruff check src/ tests/
+ - run: PYTHONPATH=src pytest tests/ -v
 
 secrets:
 runs-on: linux
+ container: ghcr.io/gitleaks/gitleaks:latest
 steps:
 - run: |
 git clone \
 -c "http.extraHeader=Authorization: token ${{ github.token }}" \
 "${{ github.server_url }}/${{ github.repository }}.git" .
- - run: |
- podman run --rm \
- -v "$PWD:/scan:ro" \
- ghcr.io/gitleaks/gitleaks:latest \
- detect --source /scan -v
+ - run: gitleaks detect --source . -v
 
 build:
 needs: [test, secrets]
 runs-on: linux
+ container:
+ image: quay.io/podman/stable
+ options: --privileged
 steps:
+ - run: dnf install -y git
 - run: |
 git clone --depth 1 \
 -c "http.extraHeader=Authorization: token ${{ github.token }}" \
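Review bot: `options: --privileged` on the build job's new `container:` block hands that job container near host-equivalent privileges on the runner, which is at odds with the "rootless" aim in the subject and is not explained anywhere in the workflow itself; if nested podman builds genuinely require it, say so above the line, e.g. `# --privileged: needed for nested podman builds inside the job container; revisit if a narrower option set (e.g. --device /dev/fuse plus specific --cap-add entries) proves sufficient`. Separately, all three images introduced here are pulled by mutable tags (`python:3.13-alpine`, `ghcr.io/gitleaks/gitleaks:latest`, `quay.io/podman/stable`), so the toolchain that lints, scans and builds the code can change between runs with no change to the repository; pinning by digest, e.g. `image: quay.io/podman/stable@sha256:<digest-placeholder>`, keeps the CI inputs reproducible and auditable, and the same reasoning applies to the unpinned `apk add`/`dnf install` of git. The secrets job now relies on the gitleaks image providing a shell for `run:` steps, which is presumably true for that image but worth confirming on the runner, since a failure there would silently gate the `build` job on an unrun scan rather than a clean one.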