-
Notifications
You must be signed in to change notification settings - Fork 28
260 lines (227 loc) · 8.77 KB
/
container.yaml
File metadata and controls
260 lines (227 loc) · 8.77 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
name: Container
on:
push:
branches:
- "develop"
- "main"
- "releases/**/*"
pull_request:
branches:
- "develop"
- "main"
env:
CARGO_TERM_COLOR: always
jobs:
lints:
name: Lints (Container infra)
runs-on: ubuntu-latest
steps:
- id: checkout
name: Checkout Repository
uses: actions/checkout@v6
# Phase 9 §9.1.3 — guard against re-introducing the
# `mailcatcher` dev sidecar (or any SMTP/mail config)
# into the production-shaped baseline. The override
# file is *expected* to mention `mailcatcher` and is
# deliberately excluded from the audit. Comments are
# stripped before grepping so the explanatory header
# in `compose.yaml` (which legitimately references
# `mailcatcher` in prose) does not trip the audit;
# we are looking for live YAML config, not docs.
- id: compose-baseline-no-mailcatcher
name: compose.yaml has no mailcatcher / SMTP wiring
run: |
set -eu
# awk strips `# ...` comments while preserving line
# numbering 1:1 with the source file, so any error
# output points the reader at the real line.
if awk '{ sub(/#.*/, ""); print }' compose.yaml \
| grep -nE 'mailcatcher|MAILER|SMTP|smtp_'; then
echo "::error file=compose.yaml::dev mail sidecar / SMTP config present in production-shaped baseline (ADR-T-009 §D1 / §8.1)"
exit 1
fi
echo "compose.yaml clean."
# Phase 9 / ADR-T-009 §D8 — vendored `su-exec.c` must not change
# without a fresh audit entry recording the new SHA-256
# in contrib/dev-tools/su-exec/AUDIT.md.
- id: su-exec-audit
name: su-exec audit log matches vendored source
run: |
set -eu
audit=contrib/dev-tools/su-exec/AUDIT.md
test -s "$audit"
recorded=$(sed -n '/^## Audit Log/,$ { s/^SHA-256: \([0-9a-f]\{64\}\)$/\1/p; }' "$audit" | tail -1)
actual=$(sha256sum contrib/dev-tools/su-exec/su-exec.c | cut -d' ' -f1)
if [ -z "$recorded" ]; then
echo "::error file=$audit::no SHA-256 entry found in '## Audit Log' section (ADR-T-009 §D8)"
exit 1
fi
if [ "$recorded" != "$actual" ]; then
echo "::error file=$audit::recorded SHA-256 ($recorded) does not match contrib/dev-tools/su-exec/su-exec.c ($actual). Append a new dated audit entry per ADR-T-009 §D8."
exit 1
fi
echo "su-exec audit current ($actual)."
# Phase 9 / ADR-T-009 Acceptance Criterion #7 — every env
# var listed in the entry script's manifest block must be
# documented in docs/containers.md.
- id: entry-env-docs
name: entry-script env vars documented
run: |
set -eu
script=share/container/entry_script_sh
vars=$(sed -n '/^# ENTRY_ENV_VARS:/,/^# END_ENTRY_ENV_VARS/p' "$script" \
| grep -oE '[A-Z][A-Z0-9_]+' \
| sort -u)
if [ -z "$vars" ]; then
echo "::error file=$script::ENTRY_ENV_VARS manifest block not found or empty (ADR-T-009 Acceptance Criterion #7)"
exit 1
fi
missing=0
for v in $vars; do
grep -q "$v" docs/containers.md || {
echo "::error file=docs/containers.md::env var '$v' is in the entry-script manifest but not documented"
missing=1
}
done
grep -q 'compose\.override\.yaml' docs/containers.md || {
echo "::error file=docs/containers.md::two-file Compose split (compose.override.yaml) is not documented"
missing=1
}
[ "$missing" -eq 0 ]
test:
name: Test (Docker)
needs: lints
runs-on: ubuntu-latest
strategy:
matrix:
target: [debug, release]
steps:
- id: setup
name: Setup Toolchain
uses: docker/setup-buildx-action@v4
- id: build
name: Build
uses: docker/build-push-action@v6
with:
file: ./Containerfile
push: false
load: true
target: ${{ matrix.target }}
tags: torrust-index:local
cache-from: type=gha
cache-to: type=gha
- id: inspect
name: Inspect
run: docker image inspect torrust-index:local
- id: checkout
name: Checkout Repository
uses: actions/checkout@v6
- id: compose
name: Compose
run: docker compose build
context:
name: Context
needs: test
runs-on: ubuntu-latest
outputs:
continue: ${{ steps.check.outputs.continue }}
type: ${{ steps.check.outputs.type }}
version: ${{ steps.check.outputs.version }}
steps:
- id: check
name: Check Context
run: |
if [[ "${{ github.repository }}" == "torrust/torrust-index" ]]; then
if [[ "${{ github.event_name }}" == "push" ]]; then
if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
echo "type=development" >> $GITHUB_OUTPUT
echo "continue=true" >> $GITHUB_OUTPUT
echo "On \`main\` Branch, Type: \`development\`"
elif [[ "${{ github.ref }}" == "refs/heads/develop" ]]; then
echo "type=development" >> $GITHUB_OUTPUT
echo "continue=true" >> $GITHUB_OUTPUT
echo "On \`develop\` Branch, Type: \`development\`"
elif [[ $(echo "${{ github.ref }}" | grep -P '^(refs\/heads\/releases\/)(v)(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$') ]]; then
version=$(echo "${{ github.ref }}" | sed -n -E 's/^(refs\/heads\/releases\/)//p')
echo "version=$version" >> $GITHUB_OUTPUT
echo "type=release" >> $GITHUB_OUTPUT
echo "continue=true" >> $GITHUB_OUTPUT
echo "In \`releases/$version\` Branch, Type: \`release\`"
else
echo "Not Correct Branch. Will Not Continue"
fi
else
echo "Not a Push Event. Will Not Continue"
fi
else
echo "On a Forked Repository. Will Not Continue"
fi
publish_development:
name: Publish (Development)
environment: dockerhub-torrust
needs: context
if: needs.context.outputs.continue == 'true' && needs.context.outputs.type == 'development'
runs-on: ubuntu-latest
steps:
- id: meta
name: Docker Meta
uses: docker/metadata-action@v5
with:
images: |
"${{ vars.DOCKER_HUB_USERNAME }}/${{vars.DOCKER_HUB_REPOSITORY_NAME }}"
tags: |
type=ref,event=branch
- id: login
name: Login to Docker Hub
uses: docker/login-action@v4
with:
username: ${{ vars.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
- id: setup
name: Setup Toolchain
uses: docker/setup-buildx-action@v4
- name: Build and push
uses: docker/build-push-action@v6
with:
file: ./Containerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha
publish_release:
name: Publish (Release)
environment: dockerhub-torrust
needs: context
if: needs.context.outputs.continue == 'true' && needs.context.outputs.type == 'release'
runs-on: ubuntu-latest
steps:
- id: meta
name: Docker Meta
uses: docker/metadata-action@v5
with:
images: |
"${{ vars.DOCKER_HUB_USERNAME }}/${{vars.DOCKER_HUB_REPOSITORY_NAME }}"
tags: |
type=semver,value=${{ needs.context.outputs.version }},pattern={{raw}}
type=semver,value=${{ needs.context.outputs.version }},pattern={{version}}
type=semver,value=${{ needs.context.outputs.version }},pattern=v{{major}}
type=semver,value=${{ needs.context.outputs.version }},pattern={{major}}.{{minor}}
- id: login
name: Login to Docker Hub
uses: docker/login-action@v4
with:
username: ${{ vars.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
- id: setup
name: Setup Toolchain
uses: docker/setup-buildx-action@v4
- name: Build and push
uses: docker/build-push-action@v6
with:
file: ./Containerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha