Refactor CI workflows (#37487)

1. only trigger docker-dryrun arm64&riscv64 when dockerfile changes 2. de-duplicate "contents: read" permission for most workflows 3. merge various "lint-*" jobs into one job 4. add missing lint targets to the "lint" (all) target
2026-05-06 04:01:05 +09:00 · 2026-05-01 02:15:01 +08:00
parent 81692ceafa
commit 1721c235a7
10 changed files with 103 additions and 197 deletions
--- a/.github/actions/docker-dryrun/action.yml
+++ b/.github/actions/docker-dryrun/action.yml
@@ -0,0 +1,29 @@
+name: docker-dryrun
+description: Composite action that performs the container build steps for a single platform.
+
+inputs:
+  platform:
+    description: "The target platform: linux/amd64, linux/arm64, linux/riscv64."
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+    - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+    - name: Build regular image
+      uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+      with:
+        context: .
+        platforms: ${{ inputs.platform }}
+        push: false
+        file: Dockerfile
+        cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful
+    - name: Build rootless image
+      uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+      with:
+        context: .
+        platforms: ${{ inputs.platform }}
+        push: false
+        file: Dockerfile.rootless
+        cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootless
--- a/.github/workflows/cache-seeder.yml
+++ b/.github/workflows/cache-seeder.yml
@@ -27,11 +27,12 @@ concurrency:
  group: cache-seeder
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  gobuild:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -49,8 +50,6 @@ jobs:

  lint:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/cron-renovate.yml
+++ b/.github/workflows/cron-renovate.yml
@@ -11,13 +11,14 @@ concurrency:
 env:
  RENOVATE_VERSION: 43.141.5 # renovate: datasource=docker depName=ghcr.io/renovatebot/renovate

+permissions:
+  contents: read
+
 jobs:
  cron-renovate:
    runs-on: ubuntu-latest
    if: github.repository == 'go-gitea/gitea' # prevent running on forks
    timeout-minutes: 30
-    permissions:
-      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: renovatebot/github-action@83ec54fee49ab67d9cd201084c1ff325b4b462e4 # v46.1.10
--- a/.github/workflows/files-changed.yml
+++ b/.github/workflows/files-changed.yml
@@ -15,6 +15,8 @@ on:
        value: ${{ jobs.detect.outputs.templates }}
      docker:
        value: ${{ jobs.detect.outputs.docker }}
+      dockerfile:
+        value: ${{ jobs.detect.outputs.dockerfile }}
      swagger:
        value: ${{ jobs.detect.outputs.swagger }}
      yaml:
@@ -24,12 +26,13 @@ on:
      e2e:
        value: ${{ jobs.detect.outputs.e2e }}

+permissions:
+  contents: read
+
 jobs:
  detect:
    runs-on: ubuntu-latest
    timeout-minutes: 3
-    permissions:
-      contents: read
    outputs:
      backend: ${{ steps.changes.outputs.backend }}
      frontend: ${{ steps.changes.outputs.frontend }}
@@ -37,6 +40,7 @@ jobs:
      actions: ${{ steps.changes.outputs.actions }}
      templates: ${{ steps.changes.outputs.templates }}
      docker: ${{ steps.changes.outputs.docker }}
+      dockerfile: ${{ steps.changes.outputs.dockerfile }}
      swagger: ${{ steps.changes.outputs.swagger }}
      yaml: ${{ steps.changes.outputs.yaml }}
      json: ${{ steps.changes.outputs.json }}
@@ -94,6 +98,10 @@ jobs:
              - "docker/**"
              - "Makefile"

+            dockerfile:
+                - "Dockerfile"
+                - "Dockerfile.rootless"
+
            swagger:
              - "templates/swagger/v1_json.tmpl"
              - "templates/swagger/v1_input.json"
--- a/.github/workflows/part-docker-dryrun.yml
+++ b/.github/workflows/part-docker-dryrun.yml
@@ -1,35 +0,0 @@
-# Reusable workflow that performs the container build steps for a single platform.
-# Used by `pull-docker-dryrun.yml` to run builds in parallel per-platform.
-on:
-  workflow_call:
-    inputs:
-      platform:
-        description: 'The target platform(s) to build for (e.g. linux/amd64)'
-        required: true
-        type: string
-
-jobs:
-  build-dryrun:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-      - name: Build rootful image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
-        with:
-          context: .
-          platforms: ${{ inputs.platform }}
-          push: false
-          file: Dockerfile
-          cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful
-      - name: Build rootless image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
-        with:
-          context: .
-          platforms: ${{ inputs.platform }}
-          push: false
-          file: Dockerfile.rootless
-          cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootless
--- a/.github/workflows/pull-compliance.yml
+++ b/.github/workflows/pull-compliance.yml
@@ -7,18 +7,17 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml
-    permissions:
-      contents: read

  lint-backend:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -35,93 +34,40 @@ jobs:
        env:
          TAGS: bindata sqlite sqlite_unlock_notify

-  lint-templates:
-    if: needs.files-changed.outputs.templates == 'true'
+  lint-on-demand:
    needs: files-changed
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
-      - run: uv python install 3.14
-      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
-        with:
-          node-version: 24
-          cache: pnpm
-          cache-dependency-path: pnpm-lock.yaml
-      - run: make deps-py
-      - run: make deps-frontend
-      - run: make lint-templates
-
-  lint-yaml:
-    if: needs.files-changed.outputs.yaml == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
-      - run: uv python install 3.14
-      - run: make deps-py
-      - run: make lint-yaml
-
-  lint-json:
-    if: needs.files-changed.outputs.json == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
-        with:
-          node-version: 24
-          cache: pnpm
-          cache-dependency-path: pnpm-lock.yaml
-      - run: make deps-frontend
-      - run: make lint-json
-
-  lint-swagger:
-    if: needs.files-changed.outputs.swagger == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
-        with:
-          node-version: 24
-          cache: pnpm
-          cache-dependency-path: pnpm-lock.yaml
-      - run: make deps-frontend
-      - run: make lint-swagger
-
-  lint-spell:
-    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true' || needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.templates == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          check-latest: true
+          cache: false
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
+
      - run: make lint-spell

+      - if: needs.files-changed.outputs.templates == 'true' || needs.files-changed.outputs.yaml == 'true'
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+      - if: needs.files-changed.outputs.templates == 'true' || needs.files-changed.outputs.yaml == 'true'
+        run: uv python install 3.14 && make deps-py lint-templates lint-yaml
+
+      - if: needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.swagger == 'true' || needs.files-changed.outputs.json == 'true'
+        run: make deps-frontend lint-md lint-swagger lint-json
+
+      - if: needs.files-changed.outputs.actions == 'true'
+        run: make lint-actions
+
  lint-go-windows:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -144,8 +90,6 @@ jobs:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -166,8 +110,6 @@ jobs:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -186,8 +128,6 @@ jobs:
    if: needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
@@ -206,8 +146,6 @@ jobs:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -217,13 +155,12 @@ jobs:
          cache: false
      - uses: ./.github/actions/go-cache
        with:
-          cache-name: backend
-      # no frontend build here as backend should be able to build
-      # even without any frontend files
-      - run: make deps-backend
-      - run: go build -o gitea_no_gcc # test if build succeeds without the sqlite tag
+          cache-name: compliance-backend
+      - run: make deps-backend generate-go
+      # no frontend build here as backend should be able to build, even without any frontend files
+      # CGO is not used when cross-compile, so these steps also test if the code is compatible with CGO disabled
      - name: build-backend-arm64
-        run: make backend # test cross compile
+        run: go build -o gitea_linux_arm64
        env:
          GOOS: linux
          GOARCH: arm64
@@ -235,38 +172,7 @@ jobs:
          GOARCH: amd64
          TAGS: bindata gogit
      - name: build-backend-386
-        run: go build -o gitea_linux_386 # test if compatible with 32 bit
+        run: go build -o gitea_linux_386
        env:
          GOOS: linux
          GOARCH: 386
-
-  docs:
-    if: needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
-        with:
-          node-version: 24
-          cache: pnpm
-          cache-dependency-path: pnpm-lock.yaml
-      - run: make deps-frontend
-      - run: make lint-md
-
-  actions:
-    if: needs.files-changed.outputs.actions == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - run: make lint-actions
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -7,18 +7,17 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml
-    permissions:
-      contents: read

  test-pgsql:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    services:
      pgsql:
        image: postgres:14
@@ -70,8 +69,6 @@ jobs:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -103,8 +100,6 @@ jobs:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    services:
      elasticsearch:
        image: elasticsearch:7.5.0
@@ -173,8 +168,6 @@ jobs:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    services:
      mysql:
        # the bitnami mysql image has more options than the official one, it's easier to customize
@@ -227,8 +220,6 @@ jobs:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    services:
      mssql:
        image: mcr.microsoft.com/mssql/server:2019-latest
--- a/.github/workflows/pull-docker-dryrun.yml
+++ b/.github/workflows/pull-docker-dryrun.yml
@@ -13,27 +13,35 @@ permissions:
 jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml
-    permissions:
-      contents: read

-  # dryrun build is slow, so run them in parallel per-platform
+  # QEMU-based build is slow (40-50 minutes), so run arm64 and riscv64 when dockerfile changes.
+  # Run amd64 when any docker-related files change, which is fast (4 minutes).
  container-amd64:
    if: needs.files-changed.outputs.docker == 'true'
    needs: [files-changed]
-    uses: ./.github/workflows/part-docker-dryrun.yml
-    with:
-      platform: linux/amd64
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: ./.github/actions/docker-dryrun
+        with:
+          platform: linux/amd64

  container-arm64:
-    if: needs.files-changed.outputs.docker == 'true'
+    if: needs.files-changed.outputs.dockerfile == 'true'
    needs: [files-changed]
-    uses: ./.github/workflows/part-docker-dryrun.yml
-    with:
-      platform: linux/arm64
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: ./.github/actions/docker-dryrun
+        with:
+          platform: linux/arm64

  container-riscv64:
-    if: needs.files-changed.outputs.docker == 'true'
+    if: needs.files-changed.outputs.dockerfile == 'true'
    needs: [files-changed]
-    uses: ./.github/workflows/part-docker-dryrun.yml
-    with:
-      platform: linux/riscv64
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: ./.github/actions/docker-dryrun
+        with:
+          platform: linux/riscv64
--- a/.github/workflows/pull-e2e-tests.yml
+++ b/.github/workflows/pull-e2e-tests.yml
@@ -7,18 +7,17 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml
-    permissions:
-      contents: read

  test-e2e:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.e2e == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
--- a/2
+++ b/2
@@ -274,7 +274,7 @@ checks-frontend: lockfile-check svg-check ## check frontend files
 checks-backend: tidy-check swagger-check openapi3-check fmt-check swagger-validate security-check ## check backend files

 .PHONY: lint
-lint: lint-frontend lint-backend lint-spell ## lint everything
+lint: lint-frontend lint-backend lint-templates lint-swagger lint-spell lint-md lint-actions lint-json lint-yaml ## lint everything

 .PHONY: lint-fix
 lint-fix: lint-frontend-fix lint-backend-fix lint-spell-fix ## lint everything and fix issues