diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index 9115bd9..3cadae8 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -32,23 +32,38 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
- - name: Install Docker CLI
+ - name: Install Buildah
 run: |
 apt-get update
- apt-get install -y docker.io
+ apt-get install -y buildah
 - name: Login to Gitea Registry
 env:
 REGISTRY_HOST: ${{ vars.REGISTRY_HOST }}
+ REGISTRY_PUSH_HOST: ${{ vars.REGISTRY_PUSH_HOST }}
+ REGISTRY_INSECURE: ${{ vars.REGISTRY_INSECURE }}
 REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
 run: |
- printf '%s' "${REGISTRY_PASSWORD}" | docker login "${REGISTRY_HOST}" -u "${GITHUB_REPOSITORY_OWNER}" --password-stdin
+ push_host="${REGISTRY_PUSH_HOST:-${REGISTRY_HOST}}"
+ tls_verify=true
+ if [ "${REGISTRY_INSECURE}" = "true" ]; then
+ tls_verify=false
+ fi
+ printf '%s' "${REGISTRY_PASSWORD}" | buildah login --tls-verify="${tls_verify}" -u "${GITHUB_REPOSITORY_OWNER}" --password-stdin "${push_host}"
 - name: Build and Push Image
 env:
 REGISTRY_HOST: ${{ vars.REGISTRY_HOST }}
+ REGISTRY_PUSH_HOST: ${{ vars.REGISTRY_PUSH_HOST }}
+ REGISTRY_INSECURE: ${{ vars.REGISTRY_INSECURE }}
 run: |
- image="${REGISTRY_HOST}/${GITHUB_REPOSITORY}"
- docker build -t "${image}:main" -t "${image}:sha-${GITHUB_SHA}" .
- docker push "${image}:main"
- docker push "${image}:sha-${GITHUB_SHA}"
+ push_host="${REGISTRY_PUSH_HOST:-${REGISTRY_HOST}}"
+ tls_verify=true
+ if [ "${REGISTRY_INSECURE}" = "true" ]; then
+ tls_verify=false
+ fi
+ export BUILDAH_ISOLATION=chroot
+ image="${push_host}/${GITHUB_REPOSITORY}"
+ buildah bud --storage-driver=vfs --format docker -t "${image}:main" -t "${image}:sha-${GITHUB_SHA}" .
+ buildah push --tls-verify="${tls_verify}" "${image}:main"
+ buildah push --tls-verify="${tls_verify}" "${image}:sha-${GITHUB_SHA}"
diff --git a/README.md b/README.md
index 9e1fb35..9eb213c 100644
--- a/README.md
+++ b/README.md
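Review bot: The `REGISTRY_INSECURE` branch in both new `run:` blocks turns off TLS verification for whatever ends up in `push_host`, which falls back to the canonical `REGISTRY_HOST` when `REGISTRY_PUSH_HOST` is unset, so a stale or mis-set repository variable would send `REGISTRY_PASSWORD` to the public endpoint with `--tls-verify=false` and, presumably, allow an HTTP fallback. Since the README describes the insecure flag as belonging to the internal push endpoint only, tie the two together: `if [ -n "${REGISTRY_PUSH_HOST}" ] && [ "${REGISTRY_INSECURE}" = "true" ]; then` in the Login step and the same line in the Build and Push step, and consider echoing `push_host`/`tls_verify` so the job log shows which mode was used. The `push_host`/`tls_verify` preamble is copied verbatim into both steps; a job-level `env:` or a single step that exports them via `GITHUB_ENV` would keep the two from drifting. The enclosing job under `jobs:` starts before this hunk.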
@@ -57,7 +57,13 @@ It runs on pushes to `main` and pull requests, and currently:
 - runs `go build .`
 - builds and pushes `:main` and `:sha-` container tags on pushes to `main`
-The workflow expects a runner with the `ubuntu-latest` label and a repository Actions secret named `REGISTRY_PASSWORD` that can push to the Gitea container registry. The cluster runner deployed for this repo provides the required runner label.
+The workflow expects a runner with the `ubuntu-latest` label, a repository Actions secret named `REGISTRY_PASSWORD`, and these repository variables:
+
+- `REGISTRY_HOST` for the canonical registry hostname
+- optional `REGISTRY_PUSH_HOST` when runners should push to a different internal endpoint
+- optional `REGISTRY_INSECURE=true` when that push endpoint is plain HTTP or has a certificate the runner should not verify
+
+The cluster runner deployed for this repo provides the required runner label.
 ## Container