73 lines
2.8 KiB
YAML
73 lines
2.8 KiB
YAML
# Build validation for pull requests (and pushes to main).
|
|
#
|
|
# Builds the full multi-arch image but does NOT push it anywhere — it only
|
|
# proves the Dockerfile still builds for every supported architecture. This is
|
|
# the gate Renovate automerge waits on: a dependency bump that breaks the build
|
|
# fails this check and will NOT be automerged (and therefore never reaches
|
|
# :stable or the routers).
|
|
#
|
|
# Reports pass/fail status back to Gitea, so it shows up as a required check on
|
|
# the PR.
|
|
#
|
|
# Registry credentials are fetched from OpenBao (same AppRole as release.yaml)
|
|
# solely to read and write the build cache image. The build itself is still
|
|
# dry-run (nothing is published as a release image).
|
|
|
|
# Changes that can't affect the image don't trigger the build: docs and the
|
|
# RouterOS-side script (routeros/**: lives on the router, not in the image).
|
|
# NOTE: if Gitea is ever configured to REQUIRE this check for merging, a
|
|
# PR touching only excluded files will have no check at all — exempt such PRs
|
|
# or merge manually. Renovate PRs always touch the Dockerfile or pipeline
|
|
# files, so the automerge gate is unaffected by these exclusions.
|
|
when:
|
|
- event: pull_request
|
|
path:
|
|
exclude: &non_image_paths
|
|
- '**/*.md'
|
|
- 'docs/**'
|
|
- 'routeros/**'
|
|
- 'renovate.json'
|
|
- event: push
|
|
branch: main
|
|
path:
|
|
exclude: *non_image_paths
|
|
|
|
steps:
|
|
- name: Get registry creds from OpenBao
|
|
image: quay.io/openbao/openbao:2.5.4
|
|
environment:
|
|
VAULT_ADDR: https://openbao.lumpiasty.xyz:8200
|
|
ROLE_ID:
|
|
from_secret: renovate_role_id
|
|
SECRET_ID:
|
|
from_secret: renovate_secret_id
|
|
commands:
|
|
- bao write -field token auth/approle/login
|
|
role_id=$ROLE_ID
|
|
secret_id=$SECRET_ID > /woodpecker/.vault_id
|
|
- export VAULT_TOKEN=$(cat /woodpecker/.vault_id)
|
|
- 'printf "PLUGIN_USERNAME=%s\n" "$(bao kv get -mount secret -field REGISTRY_USERNAME container-registry)" > /woodpecker/registry.env'
|
|
- 'printf "PLUGIN_PASSWORD=%s\n" "$(bao kv get -mount secret -field REGISTRY_PASSWORD container-registry)" >> /woodpecker/registry.env'
|
|
|
|
- name: Build all arches (no push)
|
|
image: woodpeckerci/plugin-docker-buildx:6.1.0
|
|
privileged: true
|
|
settings:
|
|
registry: gitea.lumpiasty.xyz
|
|
repo: mikrotik-tailscale
|
|
platforms: linux/amd64,linux/arm64,linux/arm/v7
|
|
dry_run: true
|
|
build_args:
|
|
- OCI_VERSION=ci-${CI_COMMIT_SHA}
|
|
cache_images:
|
|
- gitea.lumpiasty.xyz/lumpiasty/mikrotik-tailscale:buildcache
|
|
env_file: /woodpecker/registry.env
|
|
|
|
- name: Invalidate OpenBao token
|
|
image: quay.io/openbao/openbao:2.5.4
|
|
environment:
|
|
VAULT_ADDR: https://openbao.lumpiasty.xyz:8200
|
|
commands:
|
|
- export VAULT_TOKEN=$(cat /woodpecker/.vault_id)
|
|
- bao write -f auth/token/revoke-self
|