From f4c9422f77f8396dc3c10c2ed004bbf46e56a700 Mon Sep 17 00:00:00 2001 From: Mathieu Virbel Date: Fri, 13 Feb 2026 12:20:32 -0600 Subject: [PATCH] feat: migrate CI and releases from GitHub Actions to Gitea Actions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Retarget GoReleaser to publish to Gitea (gitea_urls, release.gitea, changelog.use: gitea). Add Gitea Actions workflows for build/test, release, and benchmarks — adapted from GitHub equivalents with macOS jobs and SLSA provenance dropped. Old .github/workflows/ kept in place. --- .gitea/workflows/benchmark.yml | 101 +++++++++++++++++++++++++++++ .gitea/workflows/main.yml | 115 +++++++++++++++++++++++++++++++++ .gitea/workflows/release.yml | 62 ++++++++++++++++++ .goreleaser.yaml | 9 ++- scripts/release.sh | 2 +- 5 files changed, 286 insertions(+), 3 deletions(-) create mode 100644 .gitea/workflows/benchmark.yml create mode 100644 .gitea/workflows/main.yml create mode 100644 .gitea/workflows/release.yml diff --git a/.gitea/workflows/benchmark.yml b/.gitea/workflows/benchmark.yml new file mode 100644 index 0000000..787c38e --- /dev/null +++ b/.gitea/workflows/benchmark.yml 
@@ -0,0 +1,101 @@ +name: Benchmarks + +on: + workflow_dispatch: + inputs: + min_runs: + description: "Minimum benchmark runs" + required: false + default: "30" + quick: + description: "Quick mode (fewer runs)" + required: false + default: "false" + type: boolean + +jobs: + benchmark-linux: + name: Benchmark (Linux) + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: true + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.12" + + - name: Set up Node + uses: actions/setup-node@v4 + with: + node-version: "20" + + - name: Download dependencies + run: go mod download + + - name: Install dependencies + run: | + sudo apt-get update + sudo apt-get install -y \ + bubblewrap \ + socat \ + uidmap \ + curl \ + netcat-openbsd \ + ripgrep \ + hyperfine \ + jq \ + bc + # Configure subuid/subgid + echo "$(whoami):100000:65536" | sudo tee -a /etc/subuid + echo "$(whoami):100000:65536" | sudo tee -a /etc/subgid + sudo chmod u+s $(which bwrap) + + - name: Install benchstat + run: go install golang.org/x/perf/cmd/benchstat@latest + + - name: Build greywall + run: make build-ci + + - name: Run Go microbenchmarks + run: | + mkdir -p benchmarks + go test -run=^$ -bench=. -benchmem -count=10 ./internal/sandbox/... 
| tee benchmarks/go-bench-linux.txt + + - name: Run CLI benchmarks + run: | + MIN_RUNS="${{ github.event.inputs.min_runs || '30' }}" + QUICK="${{ github.event.inputs.quick || 'false' }}" + + if [[ "$QUICK" == "true" ]]; then + ./scripts/benchmark.sh -q -o benchmarks + else + ./scripts/benchmark.sh -n "$MIN_RUNS" -o benchmarks + fi + + - name: Upload benchmark results + uses: actions/upload-artifact@v4 + with: + name: benchmark-results-linux + path: benchmarks/ + retention-days: 30 + + - name: Display results + run: | + echo "=== Linux Benchmark Results ===" + echo "" + + for f in benchmarks/*.md; do + [[ -f "$f" ]] && cat "$f" + done + + echo "" + echo "=== Go Microbenchmarks ===" + grep -E '^Benchmark|^ok|^PASS' benchmarks/go-bench-linux.txt | head -50 || true diff --git a/.gitea/workflows/main.yml b/.gitea/workflows/main.yml new file mode 100644 index 0000000..2743798 --- /dev/null +++ b/.gitea/workflows/main.yml 
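Review bot: `sudo chmod u+s $(which bwrap)` and the unconditional `tee -a /etc/subuid` / `tee -a /etc/subgid` in the Install dependencies step are written for a throwaway VM; if the `ubuntu-latest` label on this Gitea instance maps to a persistent host or a reused container, the setuid bit outlives the job and another subuid/subgid line is appended on every run. Guard the appends, e.g. `grep -q "^$(whoami):" /etc/subuid || echo "$(whoami):100000:65536" | sudo tee -a /etc/subuid`, quote the path as `"$(which bwrap)"`, and state in a comment that the step assumes an ephemeral runner image with `sudo`, apt and unprivileged user namespaces available. The same block appears in the Install Linux sandbox dependencies step of main.yml. Separately, `MIN_RUNS="${{ github.event.inputs.min_runs || '30' }}"` and the `QUICK=` line splice a workflow_dispatch input into the script text before bash runs; pass them through the step's `env:` (`MIN_RUNS: ${{ github.event.inputs.min_runs || '30' }}`) and reference `"$MIN_RUNS"` inside `run:` instead. `benchstat` is installed from `@latest` but no later step uses it, so either drop the step or pin it to a release.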
@@ -0,0 +1,115 @@ +name: Build and test + +on: + push: + branches: [main] + pull_request: + branches: [main] + +jobs: + build: + name: Build + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: true + + - name: Download dependencies + run: go mod download + + - name: Build + run: make build-ci + + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: true + + - name: Download dependencies + run: go mod download + + - name: Lint + uses: golangci/golangci-lint-action@v6 + with: + install-mode: goinstall + version: v1.64.8 + + test-linux: + name: Test (Linux) + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: true + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.12" + + - name: Set up Node + uses: actions/setup-node@v4 + with: + node-version: "20" + + - name: Download dependencies + run: go mod download + + - name: Install Linux sandbox dependencies + run: | + sudo apt-get update + sudo apt-get install -y \ + bubblewrap \ + socat \ + uidmap \ + curl \ + netcat-openbsd \ + ripgrep + # Configure subuid/subgid for the runner user (required for unprivileged user namespaces) + echo "$(whoami):100000:65536" | sudo tee -a /etc/subuid + echo "$(whoami):100000:65536" | sudo tee -a /etc/subgid + # Make bwrap setuid so it can create namespaces as non-root user + sudo chmod u+s $(which bwrap) + + - name: Verify sandbox dependencies + run: | + echo "=== Checking sandbox dependencies ===" + bwrap --version + socat -V | head -1 + echo "User namespaces enabled: $(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo 'check not available')" + echo "Kernel 
version: $(uname -r)" + echo "uidmap installed: $(which newuidmap 2>/dev/null && echo yes || echo no)" + echo "subuid configured: $(grep $(whoami) /etc/subuid 2>/dev/null || echo 'not configured')" + echo "bwrap setuid: $(ls -la $(which bwrap) | grep -q '^-rws' && echo yes || echo no)" + echo "=== Testing bwrap basic functionality ===" + bwrap --ro-bind / / -- /bin/echo "bwrap works!" + echo "=== Testing bwrap with user namespace ===" + bwrap --ro-bind / / --unshare-user --uid 0 --gid 0 -- /bin/echo "bwrap user namespace works!" + + - name: Run unit and integration tests + run: make test-ci + + - name: Build binary for smoke tests + run: make build-ci + + - name: Run smoke tests + run: GREYWALL_TEST_NETWORK=1 ./scripts/smoke_test.sh ./greywall diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml new file mode 100644 index 0000000..6bef79a --- /dev/null +++ b/.gitea/workflows/release.yml 
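Review bot: Every action in this workflow is referenced by a floating major tag — `actions/checkout@v4`, `actions/setup-go@v5`, `actions/setup-python@v5`, `actions/setup-node@v4`, `golangci/golangci-lint-action@v6` — so each job runs whatever commit the tag points to at run time, and on Gitea that reference is resolved through the instance's configured actions source (`DEFAULT_ACTIONS_URL`, which defaults to github.com if I recall correctly) rather than necessarily the upstream repository. Pin each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v4`, and apply the same to benchmark.yml and release.yml; the Lint step already pins golangci-lint itself to `v1.64.8`, which is the pattern to follow. In the Verify sandbox dependencies step, `grep $(whoami) /etc/subuid` is unanchored and unquoted, so `grep -q "^$(whoami):" /etc/subuid` is the safer form, and since every `echo` line swallows its own failures, only the two trailing `bwrap` invocations can fail the step — a comment such as `# echo lines are diagnostics only; the two bwrap calls are the actual check` would make that explicit.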
@@ -0,0 +1,62 @@ +name: Release + +on: + push: + tags: + - "v*" + +run-name: "Release ${{ github.ref_name }}" + +jobs: + goreleaser: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: true + + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v6 + with: + distribution: goreleaser + version: "~> v2" + args: release --clean + env: + GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + GORELEASER_FORCE_TOKEN: gitea + + publish-version: + needs: [goreleaser] + runs-on: ubuntu-latest + steps: + - name: Checkout gh-pages + uses: actions/checkout@v4 + with: + ref: gh-pages + + - name: Update latest version + run: | + echo "${{ github.ref_name }}" > latest.txt + + cat > latest.json << EOF + { + "version": "${{ github.ref_name }}", + "published_at": "$(date -u +%Y-%m-%dT%H:%M:%SZ)", + "url": "https://gitea.app.monadical.io/monadical/greywall/releases/tag/${{ github.ref_name }}" + } + EOF + + - name: Commit and push to gh-pages + run: | + git config user.name "gitea-actions[bot]" + git config user.email "gitea-actions[bot]@noreply.gitea.app.monadical.io" + git add latest.txt latest.json + git commit -m "Update latest version to ${{ github.ref_name }}" || echo "No changes to commit" + git push origin gh-pages diff --git a/.goreleaser.yaml b/.goreleaser.yaml index bbec1d3..8dbf109 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -1,5 +1,10 @@ version: 2 +gitea_urls: + api: https://gitea.app.monadical.io/api/v1 + download: https://gitea.app.monadical.io + skip_tls_verify: false + before: hooks: - go mod tidy @@ -42,7 +47,7 @@ checksum: changelog: sort: asc - use: github + use: gitea format: "{{ .SHA }}: {{ .Message }}{{ with .AuthorUsername }} (@{{ . }}){{ end }}" filters: exclude: @@ -76,7 +81,7 @@ changelog: order: 9999 release: - github: + gitea: owner: monadical name: greywall draft: false 
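Review bot: The Update latest version step splices `${{ github.ref_name }}` into the shell script and into a hand-built JSON document four times; the expression is substituted as text before bash runs, so a tag name containing a double quote, `$(` or a backtick would break out of the unquoted heredoc or corrupt latest.json, and the `v*` trigger constrains nothing beyond the prefix. Pass the tag in through `env:` and build the JSON with `jq --arg` so every value is escaped, as sketched below (benchmark.yml installs jq via apt, which suggests the runner image may not ship it — add the same install step here if so). The hard-coded `https://gitea.app.monadical.io/monadical/greywall` URL can be derived from `github.server_url` and `github.repository`, which act_runner populates as far as I know, keeping this workflow in step with the `gitea_urls` block in .goreleaser.yaml. Whether the later `git push origin gh-pages` succeeds depends on checkout persisting the job token as the remote credential, which is the default but worth stating in a comment on that step.

```yaml
      - name: Update latest version
        env:
          TAG: ${{ github.ref_name }}
          RELEASE_URL: ${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ github.ref_name }}
        run: |
          printf '%s\n' "$TAG" > latest.txt
          jq -n \
            --arg version "$TAG" \
            --arg published_at "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            --arg url "$RELEASE_URL" \
            '{version: $version, published_at: $published_at, url: $url}' > latest.json
      # … unchanged: Commit and push to gh-pages step …
```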
diff --git a/scripts/release.sh b/scripts/release.sh index c1618d6..b874919 100755 --- a/scripts/release.sh +++ b/scripts/release.sh @@ -149,5 +149,5 @@ git push origin "$NEW_VERSION" echo "" info "✓ Released $NEW_VERSION" -info "GitHub Actions will now build and publish the release." +info "Gitea Actions will now build and publish the release." info "Watch progress at: https://gitea.app.monadical.io/monadical/greywall/actions"