mirror of
https://github.com/go-gitea/gitea.git
synced 2026-05-06 04:01:05 +09:00
99cd4f6b22
Replaces Dependabot with Renovate. The new setup: - One PR per ecosystem (GitHub Actions, Go modules + Makefile go-tool pins, npm, Python via uv, Nix flake), opened weekly on Mondays with a 5-day release-age cooldown. Vulnerability PRs ship next-day via daily cron + Renovate's `vulnerabilityAlerts` schedule bypass. - All `uses:` action refs SHA-pinned with patch-level version comments (same format as #36971, which this supersedes); `helpers:pinGitHubActionDigests` keeps future bumps in that format. - `renovatebot/github-action` runtime image pinned via the upstream-recommended `RENOVATE_VERSION` env + magic comment + `customManagers:githubActionsVersions` preset, so Renovate keeps the pin updated. - Custom regex manager tracks the `*_PACKAGE ?= <import-path>@<version>` lines in `Makefile` (golangci-lint, swagger, actionlint, etc.) and groups them into the same Go PR via `matchDatasources: ["go"]`. - Post-upgrade tasks regenerate `assets/go-licenses.json` (`make tidy`) and the SVG sprite (`make svg`), gated by an env-level command allowlist. - Replaces the standalone `cron-flake-updater` workflow — Renovate's nix manager tracks `flake.nix` inputs and produces the same `flake.lock` bump PRs on the regular weekly schedule. - npm and gomod-replace pins live in `renovate.json5` only; `updates@17.16.3` reads them from there too, so the standalone `updates.config.ts` is gone and one source of truth covers both tools. Fixes: https://github.com/go-gitea/gitea/issues/33386 Signed-off-by: silverwind <me@silverwind.io> Signed-off-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: Giteabot <teabot@gitea.io>
136 lines
6.0 KiB
YAML
136 lines
6.0 KiB
YAML
name: release-nightly
|
|
|
|
on:
|
|
push:
|
|
branches: [main, release/v*]
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
nightly-binary:
|
|
runs-on: namespace-profile-gitea-release-binary
|
|
permissions:
|
|
contents: read
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
# fetch all commits instead of only the last as some branches are long lived and could have many between versions
|
|
# fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
|
|
- run: git fetch --unshallow --quiet --tags --force
|
|
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
|
|
with:
|
|
go-version-file: go.mod
|
|
check-latest: true
|
|
- uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
|
|
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
|
with:
|
|
node-version: 24
|
|
cache: pnpm
|
|
cache-dependency-path: pnpm-lock.yaml
|
|
- run: make deps-frontend deps-backend
|
|
# xgo build
|
|
- run: make release
|
|
env:
|
|
TAGS: bindata sqlite sqlite_unlock_notify
|
|
- name: import gpg key
|
|
id: import_gpg
|
|
uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
|
|
with:
|
|
gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
|
|
passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
|
|
- name: sign binaries
|
|
run: |
|
|
for f in dist/release/*; do
|
|
echo '${{ secrets.GPGSIGN_PASSPHRASE }}' | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u ${{ steps.import_gpg.outputs.fingerprint }} --output "$f.asc" "$f"
|
|
done
|
|
# clean branch name to get the folder name in S3
|
|
- name: Get cleaned branch name
|
|
id: clean_name
|
|
run: |
|
|
REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
|
|
echo "Cleaned name is ${REF_NAME}"
|
|
echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT"
|
|
- name: configure aws
|
|
uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
|
|
with:
|
|
aws-region: ${{ secrets.AWS_REGION }}
|
|
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
- name: upload binaries to s3
|
|
run: |
|
|
aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
|
|
|
|
nightly-container:
|
|
runs-on: namespace-profile-gitea-release-docker
|
|
permissions:
|
|
contents: read
|
|
packages: write # to publish to ghcr.io
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
# fetch all commits instead of only the last as some branches are long lived and could have many between versions
|
|
# fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
|
|
- run: git fetch --unshallow --quiet --tags --force
|
|
- uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
|
|
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
|
|
- name: Get cleaned branch name
|
|
id: clean_name
|
|
run: |
|
|
REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
|
|
echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT"
|
|
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
|
|
id: meta
|
|
with:
|
|
images: |-
|
|
gitea/gitea
|
|
ghcr.io/go-gitea/gitea
|
|
tags: |
|
|
type=raw,value=${{ steps.clean_name.outputs.branch }}
|
|
annotations: |
|
|
org.opencontainers.image.authors="maintainers@gitea.io"
|
|
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
|
|
id: meta_rootless
|
|
with:
|
|
images: |-
|
|
gitea/gitea
|
|
ghcr.io/go-gitea/gitea
|
|
# each tag below will have the suffix of -rootless
|
|
flavor: |
|
|
suffix=-rootless
|
|
tags: |
|
|
type=raw,value=${{ steps.clean_name.outputs.branch }}
|
|
annotations: |
|
|
org.opencontainers.image.authors="maintainers@gitea.io"
|
|
- name: Login to Docker Hub
|
|
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
|
with:
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
- name: Login to GHCR using PAT
|
|
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: build regular docker image
|
|
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
|
|
with:
|
|
context: .
|
|
platforms: linux/amd64,linux/arm64,linux/riscv64
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
annotations: ${{ steps.meta.outputs.annotations }}
|
|
cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful
|
|
cache-to: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful,mode=max
|
|
- name: build rootless docker image
|
|
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
|
|
with:
|
|
context: .
|
|
platforms: linux/amd64,linux/arm64,linux/riscv64
|
|
push: true
|
|
file: Dockerfile.rootless
|
|
tags: ${{ steps.meta_rootless.outputs.tags }}
|
|
annotations: ${{ steps.meta_rootless.outputs.annotations }}
|
|
cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootless
|
|
cache-to: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootless,mode=max
|