Unsupervised/helm-actions
1
0
Fork 0
forked from Gitea/helm-actions
Code Pull Requests Activity

Compare commits

base: Unsupervised:add-dind-docs
Branches Tags
Unsupervised:main Unsupervised:feat-inline-yaml-config Unsupervised:add-dind-docs Unsupervised:update-runner-dind Unsupervised:christopherhx-patch-1 Unsupervised:check-release-secrets
Gitea:v0.0.1
..
compare: Unsupervised:check-release-secrets
Branches Tags
Unsupervised:main Unsupervised:feat-inline-yaml-config Unsupervised:add-dind-docs Unsupervised:update-runner-dind Unsupervised:christopherhx-patch-1 Unsupervised:check-release-secrets Gitea:renovate/workflow-dependencies-(minor-and-patch) Gitea:main Gitea:renovate/lock-file-maintenance Gitea:feat-inline-yaml-config Gitea:add-dind-docs Gitea:update-runner-dind Gitea:christopherhx-patch-1 Gitea:check-release-secrets
Gitea:v0.0.1

1 Commits
add-dind-d ... check-rele

Author SHA1 Message Date
ChristopherHX
1600658386 .gitea/workflows/release-version.yml aktualisiert 2025-08-15 20:01:39 +00:00
8 changed files with 69 additions and 140 deletions
Expand all files Collapse all files

112
.gitea/workflows/release-version.yml
View File

@@ -1,70 +1,68 @@
name: generate-chart name: check-secrets
on: on:
push: push:
tags:
- "*"
env:
# renovate: datasource=docker depName=alpine/helm
HELM_VERSION: "3.17.1"
jobs: jobs:
generate-chart-publish: check-secrets:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: install tools
- name: Check all required secrets
run: | run: |
apt update -y echo "=== Checking availability of required secrets ==="
apt install -y curl ca-certificates curl gnupg
# helm
curl -O https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
tar -xzf helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
mv linux-amd64/helm /usr/local/bin/
rm -rf linux-amd64 helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
helm version
# docker
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt update -y
apt install -y python3 python3-pip apt-transport-https docker-ce-cli
pip install awscli --break-system-packages
- name: Import GPG key # List of all secrets used in the original workflow
id: import_gpg SECRETS=(
uses: https://github.com/crazy-max/ghaction-import-gpg@v6 "GPGSIGN_KEY"
with: "GPGSIGN_PASSPHRASE"
gpg_private_key: ${{ secrets.GPGSIGN_KEY }} "DOCKER_CHARTS_PASSWORD"
passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }} "DOCKER_CHARTS_USERNAME"
fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0 "AWS_KEY_ID"
"AWS_SECRET_ACCESS_KEY"
"AWS_REGION"
"AWS_S3_BUCKET"
)
# Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843 MISSING_SECRETS=()
- name: package chart AVAILABLE_SECRETS=()
run: |
echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
# FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
helm plugin install https://github.com/pat-s/helm-gpg
helm dependency build
helm package --version "${GITHUB_REF#refs/tags/v}" ./
mkdir actions
mv actions*.tgz actions/
curl -s -L -o actions/index.yaml https://dl.gitea.com/charts/index.yaml
helm repo index actions/ --url https://dl.gitea.com/charts --merge actions/index.yaml
# push to dockerhub
echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
helm push actions/actions-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
helm registry logout registry-1.docker.io
- name: aws credential configure for secret in "${SECRETS[@]}"; do
uses: https://github.com/aws-actions/configure-aws-credentials@v4 # Check if secret is set (not empty)
with: if [ -z "${!secret:-}" ]; then
aws-access-key-id: ${{ secrets.AWS_KEY_ID }} echo "❌ Secret '$secret' is NOT available or empty"
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} MISSING_SECRETS+=("$secret")
aws-region: ${{ secrets.AWS_REGION }} else
echo "✅ Secret '$secret' is available"
AVAILABLE_SECRETS+=("$secret")
fi
done
- name: Copy files to S3 and clear cache echo ""
run: | echo "=== Summary ==="
aws s3 sync actions/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/ echo "Available secrets: ${#AVAILABLE_SECRETS[@]}"
echo "Missing secrets: ${#MISSING_SECRETS[@]}"
if [ ${#MISSING_SECRETS[@]} -gt 0 ]; then
echo ""
echo "Missing secrets:"
for secret in "${MISSING_SECRETS[@]}"; do
echo " - $secret"
done
echo ""
echo "❌ Some secrets are missing. Please configure them in repository settings."
exit 1
else
echo ""
echo "✅ All required secrets are available!"
fi
env:
GPGSIGN_KEY: ${{ secrets.GPGSIGN_KEY }}
GPGSIGN_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }}
DOCKER_CHARTS_PASSWORD: ${{ secrets.DOCKER_CHARTS_PASSWORD }}
DOCKER_CHARTS_USERNAME: ${{ secrets.DOCKER_CHARTS_USERNAME }}
AWS_KEY_ID: ${{ secrets.AWS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_REGION: ${{ secrets.AWS_REGION }}
AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}

1
CODEOWNERS
View File

@@ -1 +0,0 @@
* @DaanSelen @volker.raschek @ChristopherHX

15
Chart.yaml
View File

@@ -13,18 +13,7 @@ keywords:
sources: sources:
- https://gitea.com/gitea/helm-actions - https://gitea.com/gitea/helm-actions
- https://gitea.com/gitea/act - https://gitea.com/gitea/act
# FIXME:
maintainers: # maintainers:
# https://gitea.com/DaanSelen
- name: Daan Selen
email: dselen@nerthus.nl
# https://gitea.com/volker.raschek
- name: Markus Pesch
email: markus.pesch+apps@cryptic.systems
# https://gitea.com/ChristopherHX
- name: Christopher Homberger
email: christopher.homberger@web.de
dependencies: [] dependencies: []

8
README.md
View File

@@ -6,10 +6,6 @@ The parameters which can be used to customize the deployment are described below
If you want to propose a new feature or mechanism, submit an [issue here](https://gitea.com/gitea/helm-actions/issues). If you want to propose a new feature or mechanism, submit an [issue here](https://gitea.com/gitea/helm-actions/issues).
## Docs
[Docs](./docs/README.md)
## Rootless Defaults ## Rootless Defaults
If `.Values.image.rootless: true`, then the following will occur. In case you use `.Values.image.fullOverride`, check that this works in your image: If `.Values.image.rootless: true`, then the following will occur. In case you use `.Values.image.fullOverride`, check that this works in your image:
@@ -34,12 +30,12 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us
| `statefulset.affinity` | Affinity for the statefulset | `{}` | | `statefulset.affinity` | Affinity for the statefulset | `{}` |
| `statefulset.extraVolumes` | Extra volumes for the statefulset | `[]` | | `statefulset.extraVolumes` | Extra volumes for the statefulset | `[]` |
| `statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` | | `statefulset.actRunner.repository` | The Gitea act runner image | `gitea/act_runner` |
| `statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.12` | | `statefulset.actRunner.tag` | The Gitea act runner tag | `0.2.11` |
| `statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` | | `statefulset.actRunner.pullPolicy` | The Gitea act runner pullPolicy | `IfNotPresent` |
| `statefulset.actRunner.extraVolumeMounts` | Allows mounting extra volumes in the act runner container | `[]` | | `statefulset.actRunner.extraVolumeMounts` | Allows mounting extra volumes in the act runner container | `[]` |
| `statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` | | `statefulset.actRunner.config` | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
| `statefulset.dind.repository` | The Docker-in-Docker image | `docker` | | `statefulset.dind.repository` | The Docker-in-Docker image | `docker` |
| `statefulset.dind.tag` | The Docker-in-Docker image tag | `28.3.3-dind` | | `statefulset.dind.tag` | The Docker-in-Docker image tag | `25.0.2-dind` |
| `statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` | | `statefulset.dind.pullPolicy` | The Docker-in-Docker pullPolicy | `IfNotPresent` |
| `statefulset.dind.extraVolumeMounts` | Allows mounting extra volumes in the Docker-in-Docker container | `[]` | | `statefulset.dind.extraVolumeMounts` | Allows mounting extra volumes in the Docker-in-Docker container | `[]` |
| `statefulset.dind.extraEnvs` | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` | `[]` | | `statefulset.dind.extraEnvs` | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY` | `[]` |

3
docs/README.md
View File

@@ -1,3 +0,0 @@
# Gitea Actions Helm Chart Docs
- [Share dind with job container](share-dind-with-job-container.md)

36
docs/share-dind-with-job-container.md
View File

@@ -1,36 +0,0 @@
# Share dind with job container
You can weaken isolation and allow jobs to call docker commands.
## Limitations
- Docker bind mounts like `-v /path/on/self/container:/path/to/new/container` do not work, because they are going to mount the path from the dind container
- Docker port expose to local host `-e 80:8080` is not going to work
## Example Values
```yaml
enabled: true
statefulset:
actRunner:
# See full example here: https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml
config: |
log:
level: debug
cache:
enabled: false
container:
valid_volumes:
- /var/run/docker.sock
options: -v /var/run/docker.sock:/var/run/docker.sock
## Specify an existing token secret
##
existingSecret: "runner-token2"
existingSecretKey: "token"
## Specify the root URL of the Gitea instance
giteaRootURL: "http://192.168.1.2:3000"
```
Now you can run docker commands inside your jobs.

22
templates/statefulset.yaml
View File

@@ -48,27 +48,13 @@ spec:
image: "{{ .Values.statefulset.actRunner.repository }}:{{ .Values.statefulset.actRunner.tag }}" image: "{{ .Values.statefulset.actRunner.repository }}:{{ .Values.statefulset.actRunner.tag }}"
imagePullPolicy: {{ .Values.statefulset.actRunner.pullPolicy }} imagePullPolicy: {{ .Values.statefulset.actRunner.pullPolicy }}
workingDir: /data workingDir: /data
command:
# The following is a workaround for: https://gitea.com/gitea/act_runner/issues/731
# We must add the docker-cli package for the server AND client cert verification.
- sh
- -c
- |
apk add --no-cache docker-cli
echo "Waiting for Docker daemon..."
until timeout 10 docker info > /dev/null; do
echo "Failed, retrying..."
sleep 2
done
echo "Docker is ready, starting act-runner..."
exec run.sh
env: env:
- name: DOCKER_HOST - name: DOCKER_HOST
value: tcp://127.0.0.1:2376 value: tcp://127.0.0.1:2376
- name: DOCKER_TLS_VERIFY - name: DOCKER_TLS_VERIFY
value: "1" value: "1"
- name: DOCKER_CERT_PATH - name: DOCKER_CERT_PATH
value: /certs/client value: /certs/server
- name: GITEA_RUNNER_REGISTRATION_TOKEN - name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
@@ -84,7 +70,7 @@ spec:
- mountPath: /actrunner/config.yaml - mountPath: /actrunner/config.yaml
name: act-runner-config name: act-runner-config
subPath: config.yaml subPath: config.yaml
- mountPath: /certs/client - mountPath: /certs/server
name: docker-certs name: docker-certs
- mountPath: /data - mountPath: /data
name: data-act-runner name: data-act-runner
@@ -100,7 +86,7 @@ spec:
- name: DOCKER_TLS_VERIFY - name: DOCKER_TLS_VERIFY
value: "1" value: "1"
- name: DOCKER_CERT_PATH - name: DOCKER_CERT_PATH
value: /certs/client value: /certs/server
{{- if .Values.statefulset.dind.extraEnvs }} {{- if .Values.statefulset.dind.extraEnvs }}
{{- toYaml .Values.statefulset.dind.extraEnvs | nindent 12 }} {{- toYaml .Values.statefulset.dind.extraEnvs | nindent 12 }}
{{- end }} {{- end }}
@@ -109,7 +95,7 @@ spec:
resources: resources:
{{- toYaml .Values.statefulset.resources | nindent 12 }} {{- toYaml .Values.statefulset.resources | nindent 12 }}
volumeMounts: volumeMounts:
- mountPath: /certs/client - mountPath: /certs/server
name: docker-certs name: docker-certs
{{- with .Values.statefulset.dind.extraVolumeMounts }} {{- with .Values.statefulset.dind.extraVolumeMounts }}
{{- toYaml . | nindent 12 }} {{- toYaml . | nindent 12 }}

4
values.yaml
View File

@@ -39,7 +39,7 @@ statefulset:
actRunner: actRunner:
repository: gitea/act_runner repository: gitea/act_runner
tag: 0.2.12 tag: 0.2.11
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
extraVolumeMounts: [] extraVolumeMounts: []
@@ -52,7 +52,7 @@ statefulset:
dind: dind:
repository: docker repository: docker
tag: 28.3.3-dind tag: 25.0.2-dind
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
extraVolumeMounts: [] extraVolumeMounts: []