git-echo/linux_patch_api
Private
Public Access
1
0
Fork 0
Code Releases 32 Wiki Activity
Files
20cb6dfaeef58e85bd38791da85eca2e3b8cdcdf
linux_patch_api/.gitea/workflows/ci.yml
Echo 20cb6dfaee fix: SSH checkout bypasses Gitea secret encryption issue 
Gitea logs show: "decrypt secret giteatoken: failed to decrypt by secret,
the key might be incorrect" - secrets must be encrypted with Gitea
SECRET_KEY, not plaintext in DB.

Solution: Use SSH git clone for checkout which requires no secrets.
Runners are already registered with Gitea and have SSH access.
2026-04-26 23:29:39 +00:00

240 lines
9.0 KiB
YAML
Raw Blame History

name: CI/CD Pipeline
"on":
push:
branches: [ master, develop ]
tags: [ 'v*' ]
pull_request:
branches: [ master ]
env:
CARGO_TERM_COLOR: always
RUST_BACKTRACE: 1
jobs:
fmt:
name: Code Format
runs-on: ubuntu-24.04
steps:
- name: Checkout repository
run: |
mkdir -p ~/.ssh
ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust
run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
. "$HOME/.cargo/env"
rustup component add rustfmt
echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Check formatting
run: cargo fmt --all -- --check
clippy:
name: Clippy Lints
runs-on: ubuntu-24.04
steps:
- name: Checkout repository
run: |
mkdir -p ~/.ssh
ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust
run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
. "$HOME/.cargo/env"
rustup component add clippy
echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Install system dependencies
run: |
sudo apt-get update
sudo apt-get install -y libsystemd-dev pkg-config
- name: Run clippy
run: cargo clippy --all-targets --all-features -- -D warnings
test:
name: Unit Tests
runs-on: ubuntu-24.04
steps:
- name: Checkout repository
run: |
mkdir -p ~/.ssh
ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust
run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
. "$HOME/.cargo/env"
echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Install system dependencies
run: |
sudo apt-get update
sudo apt-get install -y libsystemd-dev pkg-config
- name: Run tests
run: cargo test --all-features
audit:
name: Security Audit
runs-on: ubuntu-24.04
steps:
- name: Checkout repository
run: |
mkdir -p ~/.ssh
ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust
run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
. "$HOME/.cargo/env"
echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Install system dependencies
run: |
sudo apt-get update
sudo apt-get install -y libsystemd-dev pkg-config
- name: Run cargo-audit
run: |
cargo install cargo-audit
cargo audit --ignore RUSTSEC-2025-0134
build-deb:
name: Build Debian Package
needs: [fmt, clippy, test]
runs-on: ubuntu-24.04
steps:
- name: Checkout repository
run: |
mkdir -p ~/.ssh
ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust
run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
. "$HOME/.cargo/env"
echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Install build dependencies
run: |
sudo apt-get update
sudo apt-get install -y build-essential debhelper pkg-config libsystemd-dev
- name: Build Debian package
run: sudo dpkg-buildpackage -us -uc -b
- name: Upload to Gitea Release
if: startsWith(github.ref, 'refs/tags/')
env:
GITEA_TOKEN: ${{ secrets.giteatoken }}
run: |
TAG_NAME=${GITHUB_REF#refs/tags/}
FILE=$(ls ../linux-patch-api_*.deb 2>/dev/null | head -1)
chmod +x scripts/upload-release.sh
./scripts/upload-release.sh "$TAG_NAME" "$FILE"
build-rpm:
name: Build RPM Package
needs: [fmt, clippy, test]
runs-on: fedora
steps:
- name: Checkout repository
run: |
mkdir -p ~/.ssh
ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust
run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
. "$HOME/.cargo/env"
echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Install build dependencies
run: sudo dnf install -y rpm-build gcc systemd-devel pkg-config
- name: Build release binary
run: cargo build --release
- name: Build RPM package
run: |
chmod +x build-rpm.sh
./build-rpm.sh
- name: Upload to Gitea Release
if: startsWith(github.ref, 'refs/tags/')
env:
GITEA_TOKEN: ${{ secrets.giteatoken }}
run: |
TAG_NAME=${GITHUB_REF#refs/tags/}
FILE=$(ls ~/rpmbuild/RPMS/x86_64/*.rpm 2>/dev/null | head -1)
chmod +x scripts/upload-release.sh
./scripts/upload-release.sh "$TAG_NAME" "$FILE"
build-apk:
name: Build Alpine Package
needs: [fmt, clippy, test]
runs-on: alpine
steps:
- name: Checkout repository
run: |
apk add --no-cache git openssh-client
mkdir -p ~/.ssh
ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust
run: |
apk add --no-cache curl bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
. "$HOME/.cargo/env"
rustup target add x86_64-unknown-linux-musl
echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Install build dependencies
run: |
apk add --no-cache alpine-sdk rust cargo openssl-dev elogind-dev musl-dev abuild gcc
- name: Build release binary
run: cargo build --release --target x86_64-unknown-linux-musl
- name: Build Alpine package
run: |
chmod +x build-alpine.sh
SKIP_CARGO_BUILD=1 ./build-alpine.sh
- name: Upload to Gitea Release
if: startsWith(github.ref, 'refs/tags/')
env:
GITEA_TOKEN: ${{ secrets.giteatoken }}
run: |
TAG_NAME=${GITHUB_REF#refs/tags/}
FILE=$(ls releases/*.apk 2>/dev/null | head -1)
chmod +x scripts/upload-release.sh
./scripts/upload-release.sh "$TAG_NAME" "$FILE"
build-arch:
name: Build Arch Package
needs: [fmt, clippy, test]
runs-on: arch
steps:
- name: Checkout repository
run: |
mkdir -p ~/.ssh
ssh-keyscan -H gitea-lxc.moon-dragon.us >> ~/.ssh/known_hosts 2>/dev/null || true
git clone --depth 1 git@gitea-lxc.moon-dragon.us:echo/linux_patch_api.git .
git config --global --add safe.directory "$(pwd)"
- name: Install Rust
run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal
. "$HOME/.cargo/env"
echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Install build dependencies
run: sudo pacman -Syu --noconfirm rust cargo systemd git base-devel
- name: Build release binary
run: cargo build --release
- name: Build Arch package
run: |
chmod +x build-arch.sh
SKIP_CARGO_BUILD=1 ./build-arch.sh
- name: Upload to Gitea Release
if: startsWith(github.ref, 'refs/tags/')
env:
GITEA_TOKEN: ${{ secrets.giteatoken }}
run: |
TAG_NAME=${GITHUB_REF#refs/tags/}
FILE=$(ls releases/*.pkg.tar.zst 2>/dev/null | head -1)
chmod +x scripts/upload-release.sh
./scripts/upload-release.sh "$TAG_NAME" "$FILE"
View Git Blame Copy Permalink