feat(containers)!: Remove support for building containers from this repo

This commit is contained in:
Kjeld Schouten
2025-10-06 18:29:51 +02:00
parent d15b91a0c7
commit 17f82c79b1
32 changed files with 2 additions and 515 deletions
@@ -0,0 +1,11 @@
# See https://pre-commit.com for more information
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.0.1
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: fix-byte-order-marker
- id: mixed-line-ending
- id: check-merge-conflict
- id: check-case-conflict
+48
View File
@@ -0,0 +1,48 @@
# Container Images
Images are hosted on Quay [here](https://quay.io/organization/truecharts).
Some older images can be found on [GitHub Container Registry](https://github.com/orgs/truecharts/packages?ecosystem=container&visibility=public).
## Mirror
We host a dedicated mirror repostiory, these containers are directly fetched from official and/or trusted sources.
### Purpose
We host our own mirror for a multitude of reasons, which includes:
- Getting around Docker Hub rate-limiting
- Preventing upstream maintainers removing tags from breaking our Apps
- Generating usage metrics
- Applying patches
- Improving code uniformity
- Allowing multi-registry failover
### Adding New Containers
Before a chart can be added to the [truecharts/charts](https://github.com/trueforge-org/truecharts) repository, you first need to add a container here to the mirror. If you need help with this process please see the **#development** channel in the [TrueCharts Discord Server](https://discord.gg/tVsPTHWTtr).
#### Step 1: Create a Dockerfile
Copy the contents below and substitute the upstream application owner's name with `<Upstream Owner Name>`, `<Upstream App Name>` with the application name, and `<Upstream Tag>` with the upstream tag's name. Also get the digest value of the app and substitute that in for `<Upstream Digest>`.
``` Update Highlighted Row #1
FROM <Upstream Owner Name>/<Upstream App Name>:<Upstream Tag>@sha256:<Upstream Digest>
LABEL org.opencontainers.image.source=https://github.com/truecharts/containers
ARG CONTAINER_NAME
ARG CONTAINER_VER
LABEL org.opencontainers.image.title="${CONTAINER_NAME}"
LABEL org.opencontainers.image.url="https://truecharts.org/docs/charts/${CONTAINER_NAME}"
LABEL org.opencontainers.image.version="${CONTAINER_VER}"
LABEL org.opencontainers.image.description="Container for ${CONTAINER_NAME} by TrueCharts"
LABEL org.opencontainers.image.authors="TrueCharts"
LABEL org.opencontainers.image.documentation="https://truecharts.org/docs/charts/${CONTAINER_NAME}"
```
### Step 2: Create a PLATFORM file
Based on the upstream platform, create a file with that value. Typically the value is `linux/amd64`.
### Step 3: Submit a Pull Request
Once all these steps are completed and you verified that they are correct, please submit a pull request to this repository! When finished, you can create your chart in the [truecharts/charts](https://github.com/trueforge-org/truecharts) repository.
+25
View File
@@ -0,0 +1,25 @@
# /bin/bash
cd ../apps
export CONTAINERS=$(find . -name 'values.yaml' | xargs cat | grep "repository" | grep -v "{" | awk -F":" '{ print $2 }' | grep -v '^$' | grep -v "truecharts" | grep -v "ghcr.io" | sort --unique)
cd -
echo "${CONTAINERS}" >> mirrors.txt
for container in ${CONTAINERS}; do
if [ -d "mirror/${container}" ]; then
echo "Repository already exists"
else
basename=${container##*/}
echo "processing ${basename}..."
mkdir -p mirror/${basename}
cp -Rf tools/template/* mirror/${basename}
sed -i "s|PLACEHOLDER|${container}|g" mirror/${basename}/Dockerfile
fi
done
for container in ${CONTAINERS}; do
if [ -d "mirror/${container}" ]; then
basename=${container##*/}
echo "${basename}..."
fi
done
+22
View File
@@ -0,0 +1,22 @@
PLAIN='jackett'
ajson="Accept:application/json"
credentials="Authorization: Bearer ${1}"
CT="Content-Type:application/json"
data='{"name":"truecharts/'${PLAIN}'","backendUrl":"https://ghcr.io/truecharts/'${PLAIN}'","longDescription":"","shortDescription":"example description","website":"https://truecharts.org","libraryType":"docker","publicUrl":"https://oci.trueforge.org/truecharts/'${PLAIN}'"}'
url="https://scarf.sh/api/v1/packages"
curl --header "$ajson" --header "$credentials" --data "$data" --header "$CT" "$url"
for group in apps dev mirror base; do
for i in ${group}/*; do
PLAIN=$( echo $i | cut -d'/' -f2 )
data='{"name":"truecharts/'${PLAIN}'","backendUrl":"https://ghcr.io/truecharts/'${PLAIN}'","longDescription":"","shortDescription":"example description","website":"https://truecharts.org","libraryType":"docker","publicUrl":"https://oci.trueforge.org/truecharts/'${PLAIN}'"}'
url="https://scarf.sh/api/v1/packages"
curl --header "$ajson" --header "$credentials" --data "$data" --header "$CT" "$url"
done
done
+11
View File
@@ -0,0 +1,11 @@
for i in $(cat ./to-mirror.txt); do
PLAIN=${i##*/}
PLAIN=$( echo $PLAIN | cut -d':' -f1 )
CLEAN=${PLAIN//$'\r'/}
echo ${CLEAN##*|}
mkdir mirror/${CLEAN}
echo "FROM ${i//$'\r'/}" >> mirror/${CLEAN}/Dockerfile
echo 'LABEL "org.opencontainers.image.source"="https://github.com/truecharts/containers"' >> mirror/${CLEAN}/Dockerfile
echo "linux/amd64" >> mirror/${CLEAN}/PLATFORM
done
+48
View File
@@ -0,0 +1,48 @@
oci.trueforge.org/truecharts/boinc:v18.04.1
oci.trueforge.org/truecharts/chevereto:v1.5.1
oci.trueforge.org/truecharts/couchpotato:v2021.11.22
oci.trueforge.org/truecharts/darktable:v3.4.1
oci.trueforge.org/truecharts/ddclient:v3.9.1
oci.trueforge.org/truecharts/dillinger:v3.39.1
oci.trueforge.org/truecharts/dokuwiki:v2021.11.28
oci.trueforge.org/truecharts/domoticz:v2021.1.20211128
oci.trueforge.org/truecharts/duckdns:v2021.11.17
oci.trueforge.org/truecharts/embystat:v0.2.0
oci.trueforge.org/truecharts/emulatorjs:v1.4.2
oci.trueforge.org/truecharts/endlessh:v2021.11.21
oci.trueforge.org/truecharts/firefox:v78.15.0
oci.trueforge.org/truecharts/fleet:v2.3.1
oci.trueforge.org/truecharts/foldingathome:v7.6.21
oci.trueforge.org/truecharts/guacd:v1.3.0
oci.trueforge.org/truecharts/habridge:v5.4.0
oci.trueforge.org/truecharts/hedgedoc:v1.9.2
oci.trueforge.org/truecharts/htpcmanager:v2021.11.17
oci.trueforge.org/truecharts/ipfs:v2.13.0
oci.trueforge.org/truecharts/libreoffice:v6.4.6
oci.trueforge.org/truecharts/limnoria:v2021.11.20
oci.trueforge.org/truecharts/minetest:v5.4.1
oci.trueforge.org/truecharts/minisatip:v2021.12.01
oci.trueforge.org/truecharts/mysql-workbench:v8.0.27
oci.trueforge.org/truecharts/nano-wallet:v1.3.2
oci.trueforge.org/truecharts/netbootxyz:v2.0.53
oci.trueforge.org/truecharts/ngircd:v2021.11.21
oci.trueforge.org/truecharts/nntp2nntp:v0.3.20211116
oci.trueforge.org/truecharts/openvscode-server:v1.62.3
oci.trueforge.org/truecharts/paperless-ng:v1.5.0
oci.trueforge.org/truecharts/papermerge:v2.0.1
oci.trueforge.org/truecharts/pidgin:v2.14.3
oci.trueforge.org/truecharts/projectsend:v2021.12.10
oci.trueforge.org/truecharts/pwndrop:v1.0.1
oci.trueforge.org/truecharts/pydio-cells:v3.0.3
oci.trueforge.org/truecharts/pylon:v2.7.0
oci.trueforge.org/truecharts/quassel-core:v0.13.1
oci.trueforge.org/truecharts/quassel-web:v2021.11.18
oci.trueforge.org/truecharts/requestrr:v2.1.1
oci.trueforge.org/truecharts/rsnapshot:v1.4.3
oci.trueforge.org/truecharts/synclounge:v5.1.111
oci.trueforge.org/truecharts/syslog-ng:v3.30.1
oci.trueforge.org/truecharts/ubooquity:v2.1.2
oci.trueforge.org/truecharts/webgrabplus:v3.2.1
oci.trueforge.org/truecharts/wireshark:v2.4.5
oci.trueforge.org/truecharts/znc:v1.8.2
oci.trueforge.org/truecharts/kodi-headless:v190
+21
View File
@@ -0,0 +1,21 @@
#!/bin/bash
app="${1}"
if test -f "/containers/apps/${app}/latest-version.sh"; then
version=$(bash "/containers/apps/${app}/latest-version.sh")
if [[ ! -z "${version}" || "${version}" != "null" ]]; then
echo "${version}" | tee "/containers/apps/${app}/VERSION" >/dev/null
echo "App: ${app} using version: ${version}"
fi
fi
if test -f "/containers/apps/${app}/BASE"; then
if test -f "/containers/apps/${app}/latest-base.sh"; then
base=$(bash "/containers/apps/${app}/latest-base.sh")
if [[ ! -z "${base}" || "${base}" != "null" ]]; then
echo "${base}" | tee "/containers/apps/${app}/BASE" >/dev/null
echo "App: ${app} using Base: ${base}"
fi
fi
fi
+369
View File
@@ -0,0 +1,369 @@
name: "Containers: Test-and-Build"
on:
workflow_call:
workflow_dispatch:
push:
branches:
- master
paths:
- "containers/apps/**"
- "containers/base/**"
- ".github/workflows/containers.build.yaml"
# pull_request:
# paths:
# - "apps/**"
# - "base/**"
# - ".github/workflows/containers.build.yaml"
env:
# How long to sleep before running the tests (gives the application time to start)
GOSS_SLEEP: 30
# Number of times to run the goss test
GOSS_ITERATIONS: 3
# Detect which folders in project-root (which contain the containers) contain changes
jobs:
changes:
name: Get changes
runs-on: ubuntu-24.04
outputs:
matrix: '{"container": ${{ steps.reduce.outputs.containers }} }'
containers_found: ${{ steps.reduce.outputs.containers_found }} # New output
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
id: filter
with:
list-files: json
filters: |
changed:
- 'containers/apps/**'
- 'containers/dev/**'
- 'containers/base/**'
- run: echo '${{ toJson(steps.filter.outputs) }}' > changes.json
- id: reduce
run: |
CONTAINERS=$(jq --raw-output '.changed_files | fromjson | .[] |= sub("(?<filepath>/?containers/(?<first_directory>(?<root1>[/]?)[^/]+/)(?<second_directory>(?<root2>[/]?)[^/]+)(?<extra_paths>/[^/]+)*)"; "\(.second_directory)") | unique' changes.json)
# Set the containers output
echo ::set-output name=containers::${CONTAINERS}
# Check if containers were found and set the containers_found output
if [[ "$CONTAINERS" == "[]" || -z "$CONTAINERS" ]]; then
echo "No Containers Found, Skipping"
echo ::set-output name=containers_found::false
else
echo ::set-output name=containers_found::true
echo "Containers Found: "
echo $CONTAINERS
fi
hadolint:
name: Run hadolint
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
#- name: hadolint
# uses: reviewdog/action-hadolint@73fec8b28091e5082c19df69815dd749d97b882a # v1.46.0
# with:
# github_token: ${{ secrets.GITHUB_TOKEN }}
# reporter: github-pr-review
# filter_mode: diff_context
# hadolint_ignore: DL3007
# fail_on_error: true
# exclude: |
# /website/*
# /cluster/*
# /archive/*
# /clustertool/*
# /.github/*
# /website/*
# /repositories/*
# /templates/*
build:
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
name: Build
runs-on: ubuntu-24.04
needs:
- hadolint
- changes
if: ${{ needs.changes.outputs.containers_found == 'true' }}
strategy:
matrix: ${{ fromJson(needs.changes.outputs.matrix) }}
fail-fast: false
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
# Define if tests and push should be run against which versions/platforms
- name: Prepare
id: prep
run: |
# Make sure we have the latest version in the version file
# To avoid publishing a new container version with an old tag
bash ./.github/scripts/update-version-file.sh "${{ matrix.container }}"
if test -f "./containers/apps/${{ matrix.container }}/VERSION"; then
CATEGORY="apps"
VERSION=$(cat ./containers/${CATEGORY}/${{ matrix.container }}/VERSION)
elif test -f "./containers/apps/${{ matrix.container }}/get-version.sh"; then
CATEGORY="apps"
VERSION=$(bash ./containers/${CATEGORY}/${{ matrix.container }}/get-version.sh)
elif test -f "./containers/apps/${{ matrix.container }}/Dockerfile"; then
CATEGORY="apps"
echo ::set-output name=category::${CATEGORY}
VERSION="$(head -1 ./containers/${CATEGORY}/${{ matrix.container }}/Dockerfile | cut -d'@' -f1 | sed 's/^FROM.*://' )"
VERSION=$(echo $VERSION | sed "s/latest-//g")
VERSION=$(echo $VERSION | sed "s/stable-//g")
VERSION=$(echo $VERSION | sed "s/edge-//g")
VERSION=$(echo $VERSION | sed "s/build-//g")
VERSION=$(echo $VERSION | sed "s/cpu-//g")
VERSION=$(echo $VERSION | sed "s/gpu-//g")
VERSION=$(echo $VERSION | sed "s/release-//g")
VERSION=$(echo $VERSION | sed "s/release_//g")
VERSION=$(echo $VERSION | sed "s/version-//g")
VERSION=$(echo $VERSION | sed "s/version_//g")
VERSION=$(echo $VERSION | sed "s/apache-//g")
VERSION=$(echo $VERSION | sed "s/ubuntu-//g")
VERSION=$(echo $VERSION | sed "s/focal-//g")
VERSION=$(echo $VERSION | sed "s/fpm-//g")
VERSION=$(echo $VERSION | sed "s/vaapi-//g")
VERSION=$(echo $VERSION | sed "s/cuda-//g")
VERSION=$(echo $VERSION | sed "s/-centos7//g")
VERSION=$(echo $VERSION | sed "s/java[0-9]*-//g")
VERSION="${VERSION#*V.}"
VERSION="${VERSION#*v.}"
VERSION="${VERSION#*v-}"
VERSION="${VERSION#*v}"
VERSION="${VERSION%-*}"
if (echo "$VERSION" | grep -Pq "^\d+\.\d+$"); then
VERSION="${VERSION}.0"
fi;
else
CATEGORY="base"
VERSION=$(cat ./containers/${CATEGORY}/${{ matrix.container }}/VERSION) || VERSION="$(head -1 ./containers/${CATEGORY}/${{ matrix.container }}/Dockerfile | cut -d'@' -f1 | sed 's/^FROM.*://' )"
VERSION=$(echo $VERSION | sed "s/latest-//g")
VERSION=$(echo $VERSION | sed "s/stable-//g")
VERSION="${VERSION#*V.}"
VERSION="${VERSION#*v.}"
VERSION="${VERSION#*v-}"
VERSION="${VERSION#*v}"
VERSION="${VERSION%-*}"
if (echo "$VERSION" | grep -Pq "^\d+\.\d+$"); then
VERSION="${VERSION}.0"
fi;
fi
echo ::set-output name=category::${CATEGORY}
echo ::set-output name=version::${VERSION}
PLATFORM="linux/amd64"
echo ::set-output name=platform::${PLATFORM}
if test -f "./${CATEGORY}/${{ matrix.container }}/goss.yaml"; then
echo ::set-output name=goss::true
else
echo ::set-output name=goss::false
fi
if [ "${{github.event_name}}" == "pull_request" ]; then
echo ::set-output name=push::false
echo ::set-output name=cache_from::"type=registry,ref=ghcr.io/truecharts/${{ matrix.container }}:buildcache" || echo ::set-output name=cache_from::""
echo ::set-output name=cache_to::""
else
echo ::set-output name=push::true
echo ::set-output name=cache_from::"type=registry,ref=ghcr.io/truecharts/${{ matrix.container }}:buildcache"
echo ::set-output name=cache_to::"type=registry,ref=ghcr.io/truecharts/${{ matrix.container }}:buildcache,mode=max"
fi
- name: Get Time
id: time
uses: nanzm/get-time-action@887e4db9af58ebae64998b7105921b816af77977 # v2.0
with:
timeZone: 1
format: "YYYYMMDDHHmmss"
- name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
with:
platforms: amd64
- uses: sigstore/cosign-installer@main
- name: Install Syft
uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
- name: Login to Quay
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
if: github.event_name != 'pull_request'
with:
registry: quay.io
username: ${{ secrets.QUAY_TCCR_USER }}
password: ${{ secrets.QUAY_TCCR_TOKEN }}
- name: Login to GHCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
if: github.event_name != 'pull_request'
with:
registry: ghcr.io
username: ${{ secrets.GHCR_USERNAME }}
password: ${{ secrets.GHCR_TOKEN }}
- name: Docker meta
id: meta
uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5
with:
# list of Docker images to use as base name for tags
images: |
quay.io/tccr/${{ matrix.container }}
oci.trueforge.org/tccr/${{ matrix.container }}
# Install and configure Buildx
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
with:
install: true
version: latest
driver-opts: image=moby/buildkit:latest
# Install the GOSS testing framework
- name: Set up goss/dgoss
uses: e1himself/goss-installation-action@fbb6fb55d3e59c96045b2500eeb8ce0995d99ac1 # v1.2.1
if: ${{ steps.prep.outputs.goss == 'true' }}
with:
version: "v0.3.16"
# Creates a local build to run tests on
- name: Build and Load local test-container
if: ${{ steps.prep.outputs.goss == 'true' }}
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
with:
build-args: |
VERSION=${{ steps.prep.outputs.version }}
CONTAINER_NAME=${{ matrix.container }}
CONTAINER_VER=${{ steps.prep.outputs.version }}
context: .
file: ./containers/${{ steps.prep.outputs.category }}/${{ matrix.container }}/Dockerfile
load: true
tags: |
oci.trueforge.org/tccr/${{ matrix.container }}:test
cache-from: ${{ steps.prep.outputs.cache_from }}
cache-to: ${{ steps.prep.outputs.cache_to }}
# Run GOSS tests if included with the container
- name: Run GOSS tests
if: ${{ steps.prep.outputs.goss == 'true' }}
env:
GOSS_FILE: ./containers/${{ steps.prep.outputs.category }}/${{ matrix.container }}/goss.yaml
run: |
for i in $(seq 1 ${{ env.GOSS_ITERATIONS }}); do
echo "Running GOSS test iteration $i of ${{ env.GOSS_ITERATIONS }}..."
dgoss run oci.trueforge.org/tccr/${{ matrix.container }}:test
done
# Push if not a PR, otherwise just test the build process for all requested platforms
- name: Build and Push
id: push
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
with:
build-args: |
VERSION=${{ steps.prep.outputs.version }}
CONTAINER_NAME=${{ matrix.container }}
CONTAINER_VER=${{ steps.prep.outputs.version }}
context: .
platforms: ${{ steps.prep.outputs.platform }}
file: ./containers/${{ steps.prep.outputs.category }}/${{ matrix.container }}/Dockerfile
push: ${{ steps.prep.outputs.push }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: ${{ steps.prep.outputs.cache_from }}
cache-to: ${{ steps.prep.outputs.cache_to }}
tags: |
quay.io/tccr/${{ matrix.container }}:latest
quay.io/tccr/${{ matrix.container }}:v${{ steps.prep.outputs.version }}
quay.io/tccr/${{ matrix.container }}:build${{ steps.time.outputs.time }}
- name: Set quay to Public
if: github.event_name != 'pull_request'
run: |
curl -X POST -H "Content-Type: application/json" -d '{"visibility": "public"}' -H "Authorization: Bearer ${{ secrets.QUAY_TCCR_API_TOKEN }}" "https://quay.io/api/v1/repository/tccr/${{ matrix.container }}/changevisibility"
- name: Sign the images
if: github.event_name != 'pull_request'
run: |
cosign sign quay.io/tccr/${{ matrix.container }}@${{ steps.push.outputs.digest }} -y -a "repo=${{ github.repository }}" -a "workflow=${{ github.workflow }}" -a "ref=${{ github.sha }}"
- name: Verify the pushed tags
if: github.event_name != 'pull_request'
run: |
cosign verify quay.io/tccr/${{ matrix.container }}@${{ steps.push.outputs.digest }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/trueforge-org/truecharts/.github/workflows/containers.build.yaml@refs/heads/master
- name: Generate SBOM
id: generate_sbom
if: github.event_name != 'pull_request'
continue-on-error: true
run: |
syft "quay.io/tccr/${{ matrix.container }}:v${{ steps.prep.outputs.version }}@${{ steps.push.outputs.digest }}" -o spdx-json=${{ matrix.container }}-sbom-spdx.json
- name: Attach SBOM to image
if: github.event_name != 'pull_request' && steps.generate_sbom.outcome == 'success'
run: |
cosign attest --predicate ${{ matrix.container }}-sbom-spdx.json --type spdx "quay.io/tccr/${{ matrix.container }}@${{ steps.push.outputs.digest }}" -y
- name: Verify SBOM attestation
if: github.event_name != 'pull_request' && steps.generate_sbom.outcome == 'success'
run: |
cosign verify-attestation quay.io/tccr/${{ matrix.container }}@${{ steps.push.outputs.digest }} --type https://spdx.dev/Document --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/trueforge-org/truecharts/.github/workflows/containers.build.yaml@refs/heads/master | jq '.payload |= @base64d | .payload | fromjson'
- name: Generate provenance
id: gen-prov
if: github.event_name != 'pull_request'
run: |
wget https://github.com/slsa-framework/slsa-github-generator/releases/download/v1.5.0/slsa-generator-container-linux-amd64
chmod +x slsa-generator-container-linux-amd64
# Generate a predicate only.
./slsa-generator-container-linux-amd64 generate --predicate="${{ matrix.container }}-predicate.json"
env:
UNTRUSTED_IMAGE: "quay.io/tccr/${{ matrix.container }}"
UNTRUSTED_DIGEST: "${{ steps.push.outputs.digest }}"
GITHUB_CONTEXT: "${{ toJSON(github) }}"
- name: Sign provenance
id: sign-prov
if: github.event_name != 'pull_request'
run: |
cosign attest --predicate="${{ matrix.container }}-predicate.json" \
--type slsaprovenance \
--yes \
"quay.io/tccr/${{ matrix.container }}@${{ steps.push.outputs.digest }}"
env:
COSIGN_EXPERIMENTAL: 1
- name: Verify provenance attestation
if: github.event_name != 'pull_request'
id: verf-prov
run: |
cosign verify-attestation quay.io/tccr/${{ matrix.container }}@${{ steps.push.outputs.digest }} --type slsaprovenance --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/trueforge-org/truecharts/.github/workflows/containers.build.yaml@refs/heads/master | jq '.payload |= @base64d | .payload | fromjson'
env:
COSIGN_EXPERIMENTAL: 1
# Summarize matrix https://github.community/t/status-check-for-a-matrix-jobs/127354/7
container-build-complete:
needs: [changes, hadolint, build]
if: ${{ always() }}
name: Container Build Completed
runs-on: ubuntu-latest
steps:
- name: Check Results
run: |
if [[ "${{ needs.changes.outputs.containers_found }}" == 'true' && ( "${{ needs.hadolint.result }}" != "success" || \
"${{ needs.build.result }}" != "success") ]]; then
echo "One or more jobs failed!"
exit 1
else
echo "Container Build and Tests Completed Successfully"
fi
@@ -0,0 +1,36 @@
name: "Housekeeping"
on:
workflow_dispatch:
push:
branches:
- main
paths:
- ".github/workflows/housekeeping.yaml"
schedule:
- cron: "0 1 * * *"
jobs:
housekeeping:
runs-on: ubuntu-latest
name: "Housekeeping"
steps:
- name: Checkout branch
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
with:
fetch-depth: 0
token: ${{ secrets.BOT_TOKEN }}
- name: Containers - Fetch new application versions
run: |
find ./apps -maxdepth 1 -mindepth 1 -type d -exec basename {} \; | while read app; do
bash ./.github/scripts/update-version-file.sh "${app}"
done
- name: Commit and Push Housekeeping
run: |
git config user.name "TrueCharts-Bot"
git config user.email "bot@truecharts.org"
git add --all
git commit -sm "Daily Housekeeping" || exit 0
git push
+36
View File
@@ -0,0 +1,36 @@
name: "Scarf-Processing"
on:
workflow_dispatch:
jobs:
housekeeping:
runs-on: ubuntu-latest
name: "Add to Scarf"
steps:
- name: Checkout branch
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
with:
fetch-depth: 0
token: ${{ secrets.BOT_TOKEN }}
- name: Containers - Fetch new application versions
env:
scarf_key: ${{ secrets.SCARF_SECRET }}
run: |
PLAIN='jackett'
ajson="Accept:application/json"
credentials="Authorization: Bearer ${scarf_key}"
CT="Content-Type:application/json"
for group in apps dev mirror base; do
for i in containers/${group}/*; do
PLAIN=$( echo $i | cut -d'/' -f3 )
data='{"name":"tccr/'${PLAIN}'","backendUrl":"https://quay.io/tccr/'${PLAIN}'","longDescription":"","shortDescription":"example description","website":"https://truecharts.org","libraryType":"docker","publicUrl":"https://oci.trueforge.org/tccr/'${PLAIN}'"}'
url="https://scarf.sh/api/v1/packages"
curl --header "$ajson" --header "$credentials" --data "$data" --header "$CT" "$url"
done
done
+17
View File
@@ -0,0 +1,17 @@
name: "Prune Old Releases"
on:
workflow_dispatch:
jobs:
housekeeping:
runs-on: ubuntu-latest
name: "prune old releases"
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
with:
fetch-depth: 0
- uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5
with:
min-versions-to-keep: 200