replace woodpecker-ci with gitea-act-runner (#166) - part 1

Reviewed-on: #166 Co-authored-by: Michael Grote <michael.grote@posteo.de> Co-committed-by: Michael Grote <michael.grote@posteo.de>
2024-08-22 22:45:13 +02:00 · 2024-08-22 22:45:13 +02:00 · 8395c2ec96
commit 8395c2ec96
parent b0cc9943d2
11 changed files with 86 additions and 35 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -27,3 +27,4 @@ exclude_paths:
  - roles/ansible_role_gitea
  - roles/ansible-role-postgresql
  - .woodpecker/
  - .gitea/
--- a/.gitea/workflows/ansible-lint.yaml
+++ b/.gitea/workflows/ansible-lint.yaml
@ -0,0 +1,21 @@
 name: ansible-lint
 on:
  push:
    branches: [ master ]
  pull_request:
 jobs:
  ansible-lint:
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: write vault-pass
        run: echo ${{ secrets.VAULTPASS }} > ./vault-pass
      - name: run ansible-lint
        uses: docker://registry.mgrote.net/ansible-devspace:latest
        with:
          args: ansible-lint --force-color --format pep8 --show-relpath
 # VAULTPASS ist als Secrets auf Repo-Ebene angelegt
--- a/.gitea/workflows/demo.yaml
+++ b/.gitea/workflows/demo.yaml
@ -0,0 +1,21 @@
 name: Gitea Actions Demo
 run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀
 on:
  schedule:
    - cron: '* * * * *' # test
 jobs:
  Explore-Gitea-Actions:
    runs-on: ubuntu-latest
    steps:
      - run: echo "🎉 The job was automatically triggered by a ${{ gitea.event_name }} event."
      - run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by Gitea!"
      - run: echo "🔎 The name of your branch is ${{ gitea.ref }} and your repository is ${{ gitea.repository }}."
      - name: Check out repository code
        uses: actions/checkout@v4
      - run: echo "💡 The ${{ gitea.repository }} repository has been cloned to the runner."
      - run: echo "🖥️ The workflow is now ready to test your code on the runner."
      - name: List files in the repository
        run: |
          ls ${{ gitea.workspace }}
      - run: echo "🍏 This job's status is ${{ job.status }}."
--- a/.gitea/workflows/gitleaks.yaml
+++ b/.gitea/workflows/gitleaks.yaml
@ -0,0 +1,16 @@
 name: gitleaks
 on:
  push:
    branches: [ master ]
  pull_request:
 jobs:
  gitleaks:
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run Gitleaks
        uses: docker://zricethezav/gitleaks:v8.18.4
        with:
          args: detect --no-git --verbose --source ${{ github.workspace }}
--- a/.woodpecker/ansible-lint.yml
+++ b/.woodpecker/ansible-lint.yml
@ -1,20 +0,0 @@
 ---
 depends_on:
  - gitleaks
 steps:
  ansible-lint:
    image: registry.mgrote.net/ansible-devspace:latest
    commands:
      # Secrets
      - echo $${SSHKEY} | base64 -d > ./id_ed25519 # woodpecker verschluckt linebreaks, daher mit base64 -w0 "kodiert"
      - echo $${VAULTPASS} | base64 -d > ./vault-pass # Name des Secrets in Großschreibung
      - chmod 0400 ./id_ed25519
      # Doing
      - ansible-lint --force-color --format pep8 --show-relpath 
    # https://woodpecker-ci.org/docs/usage/secrets#use-secrets-in-commands
    secrets: [vaultpass]
    when:
      - event: [push, pull_request, cron, pull_request_closed, tag, release, manual]
        evaluate: 'CI_COMMIT_AUTHOR_EMAIL != "renovate@mgrote.net"'
 ...
--- a/.woodpecker/gitleaks.yml
+++ b/.woodpecker/gitleaks.yml
@ -1,10 +0,0 @@
 ---
 steps:
  gitleaks:
    image: zricethezav/gitleaks:v8.18.4
    commands:
      - gitleaks detect --no-git --verbose --source $CI_WORKSPACE
    when:
      - event: [push, pull_request, cron, pull_request_closed, tag, release, manual]
        evaluate: 'CI_COMMIT_AUTHOR_EMAIL != "renovate@mgrote.net"'
 ...
--- a/README.md
+++ b/README.md
@ -1,11 +1,13 @@
 # ansible_heimserver
 [![status-badge](https://ci.mgrote.net/api/badges/2/status.svg)](https://ci.mgrote.net/repos/2)
 ## ansible-devspace
 - Repository: https://git.mgrote.net/container-images/ansible-devspace
-  - dort mit Woodpecker-CI gebaut und in eigene Registry gepushed
+  - dort mit CI gebaut und in eigene Registry gepushed
 - ``devspace.sh`` pulled Image, prüft ob SSH-Key und ``vault-pass`` vorhanden sind
  - mountet git-Secrets
 - startet Container
 https://git.mgrote.net/mg/homeserver/actions/workflows/{workflow_file}/badge.svg?branch={branch}&event={event}
 https://git.mgrote.net/mg/homeserver/actions/workflows/ansible-lint.yaml/badge.svg
--- a/docker-compose/act-runner/docker-compose.yml.j2
+++ b/docker-compose/act-runner/docker-compose.yml.j2
@ -0,0 +1,18 @@
 ---
 # https://gitea.com/gitea/act_runner/src/branch/main/examples/docker-compose
 version: "3.7"
 services:
  runner:
    container_name: act-runner
    image: gitea/act_runner
    restart: always
    volumes:
      - act_runner_data:/data
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      GITEA_INSTANCE_URL: https://git.mgrote.net
      GITEA_RUNNER_REGISTRATION_TOKEN: "{{ lookup('viczem.keepass.keepass', 'gitea_act_runner_token', 'password') }}" # only used on first start, https://git.mgrote.net/admin/actions/runners
      GITEA_RUNNER_NAME: "docker10-act-runner"
 volumes:
  act_runner_data:
--- a/group_vars/git.yml
+++ b/group_vars/git.yml
@ -55,7 +55,7 @@ ufw_rules:
 ### ansible_role_gitea
 gitea_fork: "forgejo"
 # gitea update
-gitea_version: "1.21.7-0" # alt zum renovate testen
+gitea_version: "1.21.11-2" # TODO renovate, wird das erkannt?
 gitea_version_check: true
 gitea_backup_on_upgrade: false
 # gitea in the linux world
@ -127,7 +127,7 @@ gitea_federation_enabled: false
 # Packages
 gitea_packages_enabled: false
 # actions
-gitea_actions_enabled: false
+gitea_actions_enabled: true
 gitea_extra_config: |
  ; webhook: wird für drone benötigt, sonst wird der Webhook nicht "gesendet"
  [webhook]
--- a/host_vars/docker10.mgrote.net.yml
+++ b/host_vars/docker10.mgrote.net.yml
@ -67,6 +67,8 @@ compose_files:
    network: traefik
  - name: gramps
    state: present
  - name: act-runner
    state: present
 ### oefenweb.ufw
 ufw_rules:
--- a/keepass_db.kdbx
+++ b/keepass_db.kdbx