mirror of
https://gitea.com/gitea/helm-actions.git
synced 2026-07-16 19:24:46 +00:00
Compare commits
1 Commits
renovate/l
...
feed57504f
| Author | SHA1 | Date | |
|---|---|---|---|
| feed57504f |
@ -13,7 +13,7 @@ jobs:
|
||||
- name: install tools
|
||||
run: |
|
||||
apk add -q --update --no-cache nodejs curl jq sed
|
||||
- uses: actions/checkout@v7
|
||||
- uses: actions/checkout@v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Generate upcoming changelog
|
||||
|
||||
@ -11,9 +11,9 @@ on:
|
||||
jobs:
|
||||
check-and-test:
|
||||
runs-on: ubuntu-latest
|
||||
container: commitlint/commitlint:21.2.0
|
||||
container: commitlint/commitlint:21.0.2
|
||||
steps:
|
||||
- uses: actions/checkout@v7
|
||||
- uses: actions/checkout@v6
|
||||
- name: check PR title
|
||||
run: |
|
||||
echo "${{ gitea.event.pull_request.title }}" | commitlint --config .commitlintrc.json
|
||||
|
||||
@ -13,7 +13,7 @@ jobs:
|
||||
generate-chart-publish:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v7
|
||||
- uses: actions/checkout@v6
|
||||
|
||||
- name: install Docker CLI
|
||||
uses: https://github.com/docker/setup-buildx-action@v4 # Gitea
|
||||
|
||||
@ -9,6 +9,6 @@ jobs:
|
||||
shellcheck:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v7
|
||||
- uses: actions/checkout@v6
|
||||
- run: apt update --yes && apt install --yes shellcheck
|
||||
- run: find . -type f -name "*.sh" -exec shellcheck -a {} \;
|
||||
|
||||
@ -26,7 +26,7 @@ jobs:
|
||||
uses: pnpm/action-setup@v6
|
||||
with:
|
||||
version: 11
|
||||
- uses: actions/checkout@v7
|
||||
- uses: actions/checkout@v6
|
||||
- name: install chart dependencies
|
||||
run: helm dependency build
|
||||
- name: lint
|
||||
|
||||
30
README.md
30
README.md
@ -29,16 +29,6 @@ Deploy with your values, make sure the path is correct:
|
||||
helm upgrade --install gitea-actions gitea-charts/actions -f values.yaml
|
||||
```
|
||||
|
||||
Alternatively:
|
||||
|
||||
```sh
|
||||
helm upgrade --install gitea-actions gitea-charts/actions \
|
||||
--set enabled=true \
|
||||
--set giteaRootURL=https://gitea.com \
|
||||
--set existingSecret=foo \
|
||||
--set existingSecretKey=bar
|
||||
```
|
||||
|
||||
You should be good to go!
|
||||
|
||||
### Runner Token Secret Template
|
||||
@ -85,7 +75,7 @@ If `.Values.statefulset.dind.rootless: true` is set, then the following will be
|
||||
| `statefulset.persistence.size` | Size for persistence to store Gitea Runner data | `1Gi` |
|
||||
| `statefulset.runner.registry` | image registry, e.g. gcr.io,docker.io | `docker.gitea.com` |
|
||||
| `statefulset.runner.repository` | The Gitea Runner image | `runner` |
|
||||
| `statefulset.runner.tag` | The Gitea Runner tag | `2.0.1` |
|
||||
| `statefulset.runner.tag` | The Gitea Runner tag | `1.0.6` |
|
||||
| `statefulset.runner.digest` | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` | `""` |
|
||||
| `statefulset.runner.pullPolicy` | The Gitea Runner pullPolicy | `IfNotPresent` |
|
||||
| `statefulset.runner.fullOverride` | Completely overrides the image registry, path/image, tag and digest. | `""` |
|
||||
@ -107,16 +97,14 @@ If `.Values.statefulset.dind.rootless: true` is set, then the following will be
|
||||
|
||||
### Gitea Actions Init
|
||||
|
||||
| Name | Description | Value |
|
||||
| ----------------------------------- | ---------------------------------------------------------------------------------------------------------- | -------------- |
|
||||
| `init.image.registry` | Image registry, e.g. gcr.io,docker.io | `""` |
|
||||
| `init.image.repository` | The init image (default: busyboxy but can be changed to alpine e.g.) | `busybox` |
|
||||
| `init.image.tag` | The init image tag | `1.38.0` |
|
||||
| `init.image.digest` | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` | `""` |
|
||||
| `init.image.pullPolicy` | The init image pullPolicy | `IfNotPresent` |
|
||||
| `init.image.fullOverride` | Completely overrides the image registry, path/image, tag and digest | `""` |
|
||||
| `init.connectionCommandOverride` | Possiblity to change the command with which the container tests its connection to the Gitea server | `""` |
|
||||
| `init.preConnectionCommandOverride` | Possibility to add commands that happen before the connection test loop | `""` |
|
||||
| Name | Description | Value |
|
||||
| ------------------------- | ---------------------------------------------------------------------------------------------------------- | -------------- |
|
||||
| `init.image.registry` | image registry, e.g. gcr.io,docker.io | `""` |
|
||||
| `init.image.repository` | The init image | `busybox` |
|
||||
| `init.image.tag` | the init image tag | `1.38.0` |
|
||||
| `init.image.digest` | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` | `""` |
|
||||
| `init.image.pullPolicy` | The init image pullPolicy | `IfNotPresent` |
|
||||
| `init.image.fullOverride` | Completely overrides the image registry, path/image, tag and digest. | `""` |
|
||||
|
||||
### Runner Token Secret Configuration
|
||||
|
||||
|
||||
@ -1,3 +1,3 @@
|
||||
# Gitea Actions Helm Chart Docs
|
||||
|
||||
- [connectionCommandOverride explanation](./connectionCommandOverride.md)
|
||||
- [Share dind with job container](share-dind-with-job-container.md)
|
||||
31
docs/actions-dev.md
Normal file
31
docs/actions-dev.md
Normal file
@ -0,0 +1,31 @@
|
||||
# Gitea Actions
|
||||
|
||||
In order to use the Gitea Actions act-runner you must either:
|
||||
|
||||
- enable persistence (used for automatic deployment to be able to store the token in a place accessible for the Job)
|
||||
- create a secret containing the act runner token and reference it as a `existingSecret`
|
||||
|
||||
In order to use Gitea Actions, you must log on the server that's running Gitea and run the command:
|
||||
`gitea actions generate-runner-token`
|
||||
|
||||
This command will out a token that is needed by the act-runner to register with the Gitea backend.
|
||||
|
||||
Because this is a manual operation, we automated this using a Kubernetes Job using the following containers:
|
||||
|
||||
1) `actions-token-create`: it uses the current `gitea-rootless` image, mounts the persistent directory to `/data/` then it saves the output from `gitea actions generate-runner-token` to `/data/actions/token`
|
||||
2) `actions-token-upload`: it uses a `bitnami/kubectl` image, mounts the scripts directory (`/scripts`) and
|
||||
the persistent directory (`/data/`), and using the script from `/scripts/token.sh` stores the token in a Kubernetes secret
|
||||
|
||||
After the token is stored in a Kubernetes secret we can create the statefulset that contains the following containers:
|
||||
|
||||
1) `act-runner`: authenticates with Gitea using the token that was stored in the secret
|
||||
2) `dind`: DockerInDocker image that is used to run the actions
|
||||
|
||||
If you are not using persistent volumes, you cannot use the Job to automatically generate the token.
|
||||
In this case, you can use either the Web UI to generate the token or run a shell into a Gitea pod and invoke
|
||||
the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
|
||||
|
||||
```yaml
|
||||
existingSecret: "secret-name"
|
||||
existingSecretKey: "secret-key"
|
||||
```
|
||||
@ -1,48 +0,0 @@
|
||||
# Using a custom connectionCommand
|
||||
|
||||
By default, before the container starts it tries to reach the given giteaRootURL.
|
||||
Normally this is done by the busybox image using the wget binary.
|
||||
|
||||
However, due to [Issue #162](https://gitea.com/gitea/helm-actions/issues/162) there has been a change made where we can customize that command.
|
||||
|
||||
Using the `values.yaml` file by default it calls `wget --spider --no-check-certificate <your giteaRootURL>` with a timeout of 10 seconds.
|
||||
But with a custom init section like detailed below we can make our check compliant with whatever certificate you have.
|
||||
|
||||
Assuming:
|
||||
```yaml
|
||||
enabled: true
|
||||
giteaRootURL: https://gitea.com
|
||||
existingSecret: foo
|
||||
existingSecretKey: bar
|
||||
|
||||
init:
|
||||
image:
|
||||
registry: ""
|
||||
repository: alpine
|
||||
# Overrides the image tag whose default is the chart appVersion.
|
||||
tag: "3.24"
|
||||
digest: ""
|
||||
pullPolicy: IfNotPresent
|
||||
fullOverride: ""
|
||||
|
||||
connectionCommandOverride: "curl -I"
|
||||
preConnectionCommandOverride: "apk add curl"
|
||||
```
|
||||
|
||||
This now creates the following template section:
|
||||
|
||||
```yaml
|
||||
- name: init-gitea
|
||||
image: "alpine:latest"
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
apk add curl
|
||||
echo 'Trying to reach Gitea on https://gitea.com'
|
||||
until timeout 10 curl -I https://gitea.com; do
|
||||
sleep 3
|
||||
echo "Trying again in 3 seconds..."
|
||||
done
|
||||
echo "Gitea has been reached!"
|
||||
```
|
||||
30
docs/share-dind-with-job-container.md
Normal file
30
docs/share-dind-with-job-container.md
Normal file
@ -0,0 +1,30 @@
|
||||
# Share dind with job container
|
||||
|
||||
You can weaken isolation and allow jobs to call docker commands.
|
||||
|
||||
## Limitations
|
||||
|
||||
-
|
||||
|
||||
## Example Values
|
||||
|
||||
```yaml
|
||||
config: |
|
||||
log:
|
||||
level: debug
|
||||
cache:
|
||||
enabled: false
|
||||
container:
|
||||
require_docker: true
|
||||
docker_timeout: 300s
|
||||
|
||||
## Specify an existing token secret
|
||||
##
|
||||
existingSecret: "runner-token2"
|
||||
existingSecretKey: "token"
|
||||
|
||||
## Specify the root URL of the Gitea instance
|
||||
giteaRootURL: "http://192.168.1.2:3000"
|
||||
```
|
||||
|
||||
Now you can run docker commands inside your jobs.
|
||||
46
pnpm-lock.yaml
generated
46
pnpm-lock.yaml
generated
@ -47,11 +47,11 @@ packages:
|
||||
resolution: {integrity: sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==}
|
||||
engines: {node: 18 || 20 || >=22}
|
||||
|
||||
brace-expansion@1.1.16:
|
||||
resolution: {integrity: sha512-IDw48K2/2kRkg9LdJxurvq3lV3aBgq0REY89duEqFRthjlPdXHKMj7EnQOXVckxzgisinf3nHfrcE2FufFLXMw==}
|
||||
brace-expansion@1.1.15:
|
||||
resolution: {integrity: sha512-EwOCDEex4quD37XhqM3omwtMoJjr//isUZz1JopUNWms+4Z2ViyM/k1YIRePpoVNnQhENnxtFjLaxNHrT7xIUg==}
|
||||
|
||||
brace-expansion@5.0.7:
|
||||
resolution: {integrity: sha512-7oFy703dxfY3/NLxC1fh2SUCQ0H9rmAY+5EpDVfXjUTTs+HEwR2nYaqLv+GWcTsumwxPfiz6CzCNkwXwBUwqCA==}
|
||||
brace-expansion@5.0.6:
|
||||
resolution: {integrity: sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==}
|
||||
engines: {node: 18 || 20 || >=22}
|
||||
|
||||
character-entities-legacy@3.0.0:
|
||||
@ -133,8 +133,8 @@ packages:
|
||||
resolution: {integrity: sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==}
|
||||
deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
|
||||
|
||||
ignore@7.0.6:
|
||||
resolution: {integrity: sha512-BAg6QkE8W+TuQLrrw0Ugr7HegXduRuuj8/ti2kSOc+jz1dmx8/WNcjr6XGnq5YpDWxFwwaavqD0+jIUOKelTsw==}
|
||||
ignore@7.0.5:
|
||||
resolution: {integrity: sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==}
|
||||
engines: {node: '>= 4'}
|
||||
|
||||
inflight@1.0.6:
|
||||
@ -175,8 +175,8 @@ packages:
|
||||
resolution: {integrity: sha512-Eeo8Ys1doU1z+x8AZsPpQu+p/QcZBI5PeOo7QGQdy2x2m0MU/hYagBbGOmXwr5KVbEfVuWv9LpnQWeehogurjg==}
|
||||
hasBin: true
|
||||
|
||||
linkify-it@5.0.2:
|
||||
resolution: {integrity: sha512-ONTm2jCMAVZjgQa/Fy1kScXsuOoF5NPTsoFBdE1KVIZ2vAh/r9+Bqo+0jINCBYnavTPQZz38QzFTme79ENoN3Q==}
|
||||
linkify-it@5.0.1:
|
||||
resolution: {integrity: sha512-wVoTjP4Q6R0NW5hiZkVJaFZPWgtXfoGF+6LucL3/FtiNjmcHhYjEr5f1Kqjirc1nBW07J/ZuRFumqr2oqccEWg==}
|
||||
|
||||
lodash@4.18.1:
|
||||
resolution: {integrity: sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==}
|
||||
@ -298,8 +298,8 @@ packages:
|
||||
resolution: {integrity: sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==}
|
||||
engines: {node: '>=0.10.0'}
|
||||
|
||||
picomatch@4.0.5:
|
||||
resolution: {integrity: sha512-RvwwcruNjI1ncT5xRakeyS9Lf8lcItv34KD+aif+VH9kduAyfYBipGh12274xtenIPZ119/R9BdTBa8gAwSh0A==}
|
||||
picomatch@4.0.4:
|
||||
resolution: {integrity: sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==}
|
||||
engines: {node: '>=12'}
|
||||
|
||||
punycode.js@2.3.1:
|
||||
@ -373,12 +373,12 @@ snapshots:
|
||||
|
||||
balanced-match@4.0.4: {}
|
||||
|
||||
brace-expansion@1.1.16:
|
||||
brace-expansion@1.1.15:
|
||||
dependencies:
|
||||
balanced-match: 1.0.2
|
||||
concat-map: 0.0.1
|
||||
|
||||
brace-expansion@5.0.7:
|
||||
brace-expansion@5.0.6:
|
||||
dependencies:
|
||||
balanced-match: 4.0.4
|
||||
|
||||
@ -421,9 +421,9 @@ snapshots:
|
||||
|
||||
entities@4.5.0: {}
|
||||
|
||||
fdir@6.5.0(picomatch@4.0.5):
|
||||
fdir@6.5.0(picomatch@4.0.4):
|
||||
optionalDependencies:
|
||||
picomatch: 4.0.5
|
||||
picomatch: 4.0.4
|
||||
|
||||
fs.realpath@1.0.0: {}
|
||||
|
||||
@ -438,7 +438,7 @@ snapshots:
|
||||
once: 1.4.0
|
||||
path-is-absolute: 1.0.1
|
||||
|
||||
ignore@7.0.6: {}
|
||||
ignore@7.0.5: {}
|
||||
|
||||
inflight@1.0.6:
|
||||
dependencies:
|
||||
@ -472,7 +472,7 @@ snapshots:
|
||||
dependencies:
|
||||
commander: 8.3.0
|
||||
|
||||
linkify-it@5.0.2:
|
||||
linkify-it@5.0.1:
|
||||
dependencies:
|
||||
uc.micro: 2.1.0
|
||||
|
||||
@ -482,7 +482,7 @@ snapshots:
|
||||
dependencies:
|
||||
argparse: 2.0.1
|
||||
entities: 4.5.0
|
||||
linkify-it: 5.0.2
|
||||
linkify-it: 5.0.1
|
||||
mdurl: 2.0.0
|
||||
punycode.js: 2.3.1
|
||||
uc.micro: 2.1.0
|
||||
@ -495,7 +495,7 @@ snapshots:
|
||||
dependencies:
|
||||
commander: 15.0.0
|
||||
deep-extend: 0.6.0
|
||||
ignore: 7.0.6
|
||||
ignore: 7.0.5
|
||||
js-yaml: 4.2.0
|
||||
jsonc-parser: 3.3.1
|
||||
jsonpointer: 5.0.1
|
||||
@ -698,11 +698,11 @@ snapshots:
|
||||
|
||||
minimatch@10.2.5:
|
||||
dependencies:
|
||||
brace-expansion: 5.0.7
|
||||
brace-expansion: 5.0.6
|
||||
|
||||
minimatch@3.1.5:
|
||||
dependencies:
|
||||
brace-expansion: 1.1.16
|
||||
brace-expansion: 1.1.15
|
||||
|
||||
minimist@1.2.8: {}
|
||||
|
||||
@ -724,7 +724,7 @@ snapshots:
|
||||
|
||||
path-is-absolute@1.0.1: {}
|
||||
|
||||
picomatch@4.0.5: {}
|
||||
picomatch@4.0.4: {}
|
||||
|
||||
punycode.js@2.3.1: {}
|
||||
|
||||
@ -752,8 +752,8 @@ snapshots:
|
||||
|
||||
tinyglobby@0.2.17:
|
||||
dependencies:
|
||||
fdir: 6.5.0(picomatch@4.0.5)
|
||||
picomatch: 4.0.5
|
||||
fdir: 6.5.0(picomatch@4.0.4)
|
||||
picomatch: 4.0.4
|
||||
|
||||
uc.micro@2.1.0: {}
|
||||
|
||||
|
||||
@ -66,21 +66,14 @@ spec:
|
||||
- mountPath: /data
|
||||
name: data-runner
|
||||
{{- end }}
|
||||
- name: reach-gitea
|
||||
- name: init-gitea
|
||||
image: "{{ include "gitea.actions.init.image" . }}"
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
{{- if .Values.init.preConnectionCommandOverride }}
|
||||
{{ .Values.init.preConnectionCommandOverride }}
|
||||
{{- end }}
|
||||
echo 'Trying to reach Gitea on {{ include "gitea.actions.local_root_url" . }}'
|
||||
{{- if .Values.init.connectionCommandOverride }}
|
||||
until timeout 10 {{ .Values.init.connectionCommandOverride }} {{ include "gitea.actions.local_root_url" . }}; do
|
||||
{{- else }}
|
||||
until timeout 10 wget --no-check-certificate --spider {{ include "gitea.actions.local_root_url" . }}; do
|
||||
{{- end }}
|
||||
sleep 3
|
||||
echo "Trying again in 3 seconds..."
|
||||
done
|
||||
|
||||
16
values.yaml
16
values.yaml
@ -71,7 +71,7 @@ statefulset:
|
||||
runner:
|
||||
registry: "docker.gitea.com"
|
||||
repository: runner
|
||||
tag: 2.0.1
|
||||
tag: 1.0.6
|
||||
digest: ""
|
||||
pullPolicy: IfNotPresent
|
||||
fullOverride: ""
|
||||
@ -121,15 +121,12 @@ statefulset:
|
||||
|
||||
## @section Gitea Actions Init
|
||||
#
|
||||
## @param init.image.registry Image registry, e.g. gcr.io,docker.io
|
||||
## @param init.image.repository The init image (default: busyboxy but can be changed to alpine e.g.)
|
||||
## @param init.image.tag The init image tag
|
||||
## @param init.image.registry image registry, e.g. gcr.io,docker.io
|
||||
## @param init.image.repository The init image
|
||||
## @param init.image.tag the init image tag
|
||||
## @param init.image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
|
||||
## @param init.image.pullPolicy The init image pullPolicy
|
||||
## @param init.image.fullOverride Completely overrides the image registry, path/image, tag and digest
|
||||
#
|
||||
## @param init.connectionCommandOverride Possiblity to change the command with which the container tests its connection to the Gitea server
|
||||
## @param init.preConnectionCommandOverride Possibility to add commands that happen before the connection test loop
|
||||
## @param init.image.fullOverride Completely overrides the image registry, path/image, tag and digest.
|
||||
init:
|
||||
image:
|
||||
registry: ""
|
||||
@ -140,9 +137,6 @@ init:
|
||||
pullPolicy: IfNotPresent
|
||||
fullOverride: ""
|
||||
|
||||
connectionCommandOverride: ""
|
||||
preConnectionCommandOverride: ""
|
||||
|
||||
## @section Runner Token Secret Configuration
|
||||
#
|
||||
## @param existingSecret Secret that contains the token
|
||||
|
||||
Reference in New Issue
Block a user