Lumpiasty/mikrotik-tailscale
1
0
Fork 0
Code Issues 1 Pull Requests 2 Packages Projects Releases Wiki Activity
Files
01057e78b83bd9d336a87ec2aeb422b2329ac73b
mikrotik-tailscale/.woodpecker/release.yaml
T
Lumpiasty 864859a5a0
ci/woodpecker/push/release-tag Pipeline was successful
Details
invalidate openbao token at the end of ci run
2026-05-29 01:07:06 +02:00

66 lines
2.8 KiB
YAML
Raw Blame History

# Build and publish a multi-arch release to the Gitea container registry.
#
# Triggered by pushing a v<ts>-mt.<N> tag:
# - v<ts>-mt.1 is created automatically by .woodpecker/release-tag.yaml on a
# Tailscale bump.
# - v<ts>-mt.2, mt.3, ... are created manually for fixes/changes.
#
# Publishes a SINGLE multi-arch manifest (amd64 + arm64 + arm/v7) so RouterOS
# pulls the right arch automatically. Tags pushed:
# :<full tag> e.g. v1.98.3-mt.1 (immutable, for rollback/audit)
# :stable (moving; what the router tracks)
#
# The image is stamped with org.opencontainers.image.version=<full tag> via the
# OCI_VERSION build arg; the router compares that label to decide updates.
#
# Registry credentials live in OpenBao (secret/container-registry, keys
# REGISTRY_USERNAME / REGISTRY_PASSWORD). The first step fetches them with the
# same AppRole used by Renovate and writes them as PLUGIN_USERNAME /
# PLUGIN_PASSWORD into an env file that the buildx plugin loads via env_file.
# This keeps all secrets in OpenBao (no Woodpecker secret duplication).
when:
- event: tag
ref: refs/tags/v*-mt.*
steps:
- name: Get registry creds from OpenBao
image: quay.io/openbao/openbao:2.5.4
environment:
VAULT_ADDR: https://openbao.lumpiasty.xyz:8200
ROLE_ID:
from_secret: renovate_role_id
SECRET_ID:
from_secret: renovate_secret_id
commands:
- bao write -field token auth/approle/login
role_id=$ROLE_ID
secret_id=$SECRET_ID > /woodpecker/.vault_id
- export VAULT_TOKEN=$(cat /woodpecker/.vault_id)
# Write creds in the env-file format the buildx plugin understands.
# PLUGIN_USERNAME / PLUGIN_PASSWORD map to the plugin's username/password.
- 'printf "PLUGIN_USERNAME=%s\n" "$(bao kv get -mount secret -field REGISTRY_USERNAME container-registry)" > /woodpecker/registry.env'
- 'printf "PLUGIN_PASSWORD=%s\n" "$(bao kv get -mount secret -field REGISTRY_PASSWORD container-registry)" >> /woodpecker/registry.env'
- name: Build and push multi-arch image
image: woodpeckerci/plugin-docker-buildx:5.2.2
privileged: true
settings:
registry: gitea.lumpiasty.xyz
repo: gitea.lumpiasty.xyz/lumpiasty/mikrotik-tailscale
platforms: linux/amd64,linux/arm64,linux/arm/v7
tags:
- ${CI_COMMIT_TAG}
- stable
build_args:
- OCI_VERSION=${CI_COMMIT_TAG}
# Credentials (PLUGIN_USERNAME / PLUGIN_PASSWORD) come from OpenBao.
env_file: /woodpecker/registry.env
- name: Invalidate OpenBao token
image: quay.io/openbao/openbao:2.5.4
environment:
VAULT_ADDR: https://openbao.lumpiasty.xyz:8200
commands:
- export VAULT_TOKEN=$(cat /woodpecker/.vault_id)
- bao write -f auth/token/revoke-self
Reference in New Issue View Git Blame Copy Permalink