git updates
This commit is contained in:
+29
-91
@@ -44,109 +44,47 @@ jobs:
|
|||||||
docker tag nfoguard:latest nfoguard:${{ github.sha }}
|
docker tag nfoguard:latest nfoguard:${{ github.sha }}
|
||||||
echo "Docker image built and tagged successfully"
|
echo "Docker image built and tagged successfully"
|
||||||
|
|
||||||
- name: Find local Gitea IP
|
- name: Login and Push to Gitea registry (local network)
|
||||||
run: |
|
run: |
|
||||||
echo "Using known local Gitea IP: 192.168.253.221"
|
echo "Using local network connection to avoid Cloudflare tunnel timeouts..."
|
||||||
GITEA_LOCAL_IP="192.168.253.221"
|
|
||||||
|
|
||||||
# Test connectivity to local IP
|
|
||||||
echo "Testing local connectivity..."
|
|
||||||
if timeout 3 curl -s "http://$GITEA_LOCAL_IP:3000" >/dev/null 2>&1; then
|
|
||||||
echo "✅ Local Gitea accessible at $GITEA_LOCAL_IP:3000"
|
|
||||||
else
|
|
||||||
echo "❌ Cannot reach local Gitea at $GITEA_LOCAL_IP:3000"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Test registry endpoint
|
|
||||||
if timeout 3 curl -s "http://$GITEA_LOCAL_IP:3000/v2/" >/dev/null 2>&1; then
|
|
||||||
echo "✅ Registry endpoint accessible"
|
|
||||||
else
|
|
||||||
echo "❌ Registry endpoint not accessible"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Export for other steps
|
|
||||||
echo "GITEA_LOCAL_IP=$GITEA_LOCAL_IP" >> $GITHUB_ENV
|
|
||||||
echo "Using Gitea at: $GITEA_LOCAL_IP"
|
|
||||||
|
|
||||||
- name: Login to Gitea registry
|
|
||||||
run: |
|
|
||||||
echo "Logging into Gitea container registry..."
|
|
||||||
export DOCKER_CONFIG=/tmp/docker-config
|
export DOCKER_CONFIG=/tmp/docker-config
|
||||||
mkdir -p $DOCKER_CONFIG
|
mkdir -p $DOCKER_CONFIG
|
||||||
|
|
||||||
# Test local IP connectivity first
|
# Use local IP directly - no tunnel overhead
|
||||||
REGISTRY="$GITEA_LOCAL_IP:3000"
|
LOCAL_REGISTRY="192.168.253.221:3000"
|
||||||
echo "Testing registry connectivity to: $REGISTRY"
|
echo "Registry: $LOCAL_REGISTRY"
|
||||||
|
|
||||||
# Test if we can reach the registry endpoint
|
# Login to local registry
|
||||||
if curl -s -f "http://$REGISTRY/v2/" >/dev/null 2>&1; then
|
echo "${{ secrets.token }}" | docker --config $DOCKER_CONFIG login "$LOCAL_REGISTRY" -u "${{ secrets.username }}" --password-stdin
|
||||||
echo "✅ Registry endpoint accessible via HTTP"
|
|
||||||
# Try login with local IP
|
|
||||||
echo "${{ secrets.token }}" | docker --config $DOCKER_CONFIG login "$REGISTRY" -u "${{ secrets.username }}" --password-stdin && {
|
|
||||||
echo "REGISTRY_URL=$REGISTRY" >> $GITHUB_ENV
|
|
||||||
echo "✅ Local registry login successful"
|
|
||||||
} || {
|
|
||||||
echo "❌ Local registry login failed, using domain fallback"
|
|
||||||
echo "${{ secrets.token }}" | docker --config $DOCKER_CONFIG login gitea.skalas.org -u "${{ secrets.username }}" --password-stdin
|
|
||||||
echo "REGISTRY_URL=gitea.skalas.org" >> $GITHUB_ENV
|
|
||||||
}
|
|
||||||
else
|
|
||||||
echo "❌ Local registry not accessible, using domain"
|
|
||||||
echo "${{ secrets.token }}" | docker --config $DOCKER_CONFIG login gitea.skalas.org -u "${{ secrets.username }}" --password-stdin
|
|
||||||
echo "REGISTRY_URL=gitea.skalas.org" >> $GITHUB_ENV
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Using registry: ${REGISTRY_URL:-gitea.skalas.org}"
|
# Tag images for local registry
|
||||||
|
docker tag nfoguard:latest "$LOCAL_REGISTRY/jskala/nfoguard:latest"
|
||||||
- name: Push to Gitea registry
|
docker tag nfoguard:latest "$LOCAL_REGISTRY/jskala/nfoguard:${{ github.sha }}"
|
||||||
run: |
|
|
||||||
echo "Pushing to Gitea container registry at: ${REGISTRY_URL:-gitea.skalas.org}"
|
|
||||||
export DOCKER_CONFIG=/tmp/docker-config
|
|
||||||
|
|
||||||
# Use the discovered registry URL or fallback to domain name
|
echo "Pushing to local registry (much faster!)..."
|
||||||
REGISTRY=${REGISTRY_URL:-gitea.skalas.org}
|
|
||||||
|
|
||||||
# Retag images for the correct registry
|
# Push to local network - should be very fast
|
||||||
docker tag nfoguard:latest "$REGISTRY/jskala/nfoguard:latest"
|
|
||||||
docker tag nfoguard:latest "$REGISTRY/jskala/nfoguard:${{ github.sha }}"
|
|
||||||
|
|
||||||
echo "Pushing to $REGISTRY..."
|
|
||||||
echo "Image 1: $REGISTRY/jskala/nfoguard:latest"
|
|
||||||
echo "Image 2: $REGISTRY/jskala/nfoguard:${{ github.sha }}"
|
|
||||||
|
|
||||||
# Push first image with detailed output
|
|
||||||
echo "=== Pushing latest tag ==="
|
echo "=== Pushing latest tag ==="
|
||||||
timeout 600 docker --config $DOCKER_CONFIG push "$REGISTRY/jskala/nfoguard:latest" 2>&1 | tee /tmp/push1.log && {
|
if docker --config $DOCKER_CONFIG push "$LOCAL_REGISTRY/jskala/nfoguard:latest"; then
|
||||||
echo "✅ First image pushed successfully"
|
echo "✅ Latest tag pushed successfully"
|
||||||
FIRST_SUCCESS=true
|
|
||||||
} || {
|
echo "=== Pushing SHA tag ==="
|
||||||
echo "❌ First push failed"
|
if docker --config $DOCKER_CONFIG push "$LOCAL_REGISTRY/jskala/nfoguard:${{ github.sha }}"; then
|
||||||
cat /tmp/push1.log
|
echo "✅ SHA tag pushed successfully"
|
||||||
FIRST_SUCCESS=false
|
else
|
||||||
}
|
echo "⚠️ SHA tag push failed but latest succeeded"
|
||||||
|
fi
|
||||||
# Push second image
|
|
||||||
echo "=== Pushing SHA tag ==="
|
|
||||||
timeout 600 docker --config $DOCKER_CONFIG push "$REGISTRY/jskala/nfoguard:${{ github.sha }}" 2>&1 | tee /tmp/push2.log && {
|
|
||||||
echo "✅ Second image pushed successfully"
|
|
||||||
SECOND_SUCCESS=true
|
|
||||||
} || {
|
|
||||||
echo "❌ Second push failed"
|
|
||||||
cat /tmp/push2.log
|
|
||||||
SECOND_SUCCESS=false
|
|
||||||
}
|
|
||||||
|
|
||||||
# Verify what actually made it
|
|
||||||
echo "=== Verifying push results ==="
|
|
||||||
curl -s "$REGISTRY/v2/jskala/nfoguard/tags/list" || echo "Could not verify tags"
|
|
||||||
|
|
||||||
if [ "$FIRST_SUCCESS" = "true" ]; then
|
|
||||||
echo "🎉 At least one image pushed successfully!"
|
|
||||||
exit 0
|
|
||||||
else
|
else
|
||||||
echo "💥 Push failed"
|
echo "❌ Local registry push failed"
|
||||||
|
docker images | grep nfoguard
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Verify the push worked
|
||||||
|
echo "=== Verifying push ==="
|
||||||
|
curl -s "http://$LOCAL_REGISTRY/v2/jskala/nfoguard/tags/list" || echo "Could not verify (but push likely succeeded)"
|
||||||
|
|
||||||
|
echo "🎉 Local registry push completed!"
|
||||||
|
|
||||||
deploy:
|
deploy:
|
||||||
needs: build
|
needs: build
|
||||||
|
|||||||
+40
-5
@@ -1,25 +1,60 @@
|
|||||||
FROM python:3.11-slim
|
FROM python:3.11-slim
|
||||||
|
|
||||||
|
# Set working directory
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
# deps (curl for healthcheck; gosu only needed when running as root)
|
# Install system dependencies in a single layer and clean up
|
||||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||||
sqlite3 curl gosu \
|
sqlite3 curl gosu \
|
||||||
&& rm -rf /var/lib/apt/lists/*
|
&& rm -rf /var/lib/apt/lists/* \
|
||||||
|
&& apt-get clean
|
||||||
|
|
||||||
# Create a default appuser (will be ignored if process isn’t root)
|
# Create user early
|
||||||
RUN groupadd -g 1000 appuser && useradd -u 1000 -g appuser -m appuser
|
RUN groupadd -g 1000 appuser && useradd -u 1000 -g appuser -m appuser
|
||||||
|
|
||||||
|
# Copy and install Python dependencies first (for better caching)
|
||||||
COPY requirements.txt .
|
COPY requirements.txt .
|
||||||
RUN pip install --no-cache-dir -r requirements.txt
|
RUN pip install --no-cache-dir -r requirements.txt \
|
||||||
|
&& pip cache purge
|
||||||
|
|
||||||
# Copy new modular structure
|
# Copy application files
|
||||||
COPY nfoguard.py .
|
COPY nfoguard.py .
|
||||||
COPY core/ ./core/
|
COPY core/ ./core/
|
||||||
COPY clients/ ./clients/
|
COPY clients/ ./clients/
|
||||||
COPY VERSION .
|
COPY VERSION .
|
||||||
|
|
||||||
|
# Set permissions
|
||||||
RUN mkdir -p /app/data && chown -R appuser:appuser /app
|
RUN mkdir -p /app/data && chown -R appuser:appuser /app
|
||||||
|
|
||||||
|
# Root-aware entrypoint
|
||||||
|
RUN echo '#!/bin/bash' > /entrypoint.sh && \
|
||||||
|
echo 'set -euo pipefail' >> /entrypoint.sh && \
|
||||||
|
echo '' >> /entrypoint.sh && \
|
||||||
|
echo 'PUID=${PUID:-1000}' >> /entrypoint.sh && \
|
||||||
|
echo 'PGID=${PGID:-1000}' >> /entrypoint.sh && \
|
||||||
|
echo '' >> /entrypoint.sh && \
|
||||||
|
echo 'if [ "$(id -u)" -eq 0 ]; then' >> /entrypoint.sh && \
|
||||||
|
echo ' # running as root: we can adjust IDs and drop privileges' >> /entrypoint.sh && \
|
||||||
|
echo ' groupmod -o -g "$PGID" appuser 2>/dev/null || groupadd -o -g "$PGID" appuser' >> /entrypoint.sh && \
|
||||||
|
echo ' id appuser &>/dev/null || useradd -o -u "$PUID" -g "$PGID" -m appuser' >> /entrypoint.sh && \
|
||||||
|
echo ' usermod -o -u "$PUID" -g "$PGID" appuser 2>/dev/null || true' >> /entrypoint.sh && \
|
||||||
|
echo ' chown -R "$PUID:$PGID" /app || true' >> /entrypoint.sh && \
|
||||||
|
echo ' exec gosu appuser "$@"' >> /entrypoint.sh && \
|
||||||
|
echo 'else' >> /entrypoint.sh && \
|
||||||
|
echo ' # not root (e.g., compose set user: 1000:1000) — just run' >> /entrypoint.sh && \
|
||||||
|
echo ' exec "$@"' >> /entrypoint.sh && \
|
||||||
|
echo 'fi' >> /entrypoint.sh
|
||||||
|
|
||||||
|
RUN chmod +x /entrypoint.sh
|
||||||
|
|
||||||
|
# Health check
|
||||||
|
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
|
||||||
|
CMD curl -f http://localhost:8080/health || exit 1
|
||||||
|
|
||||||
|
EXPOSE 8080
|
||||||
|
ENTRYPOINT ["/entrypoint.sh"]
|
||||||
|
CMD ["python", "nfoguard.py"]
|
||||||
|
|
||||||
# Root-aware entrypoint
|
# Root-aware entrypoint
|
||||||
RUN echo '#!/bin/bash' > /entrypoint.sh && \
|
RUN echo '#!/bin/bash' > /entrypoint.sh && \
|
||||||
echo 'set -euo pipefail' >> /entrypoint.sh && \
|
echo 'set -euo pipefail' >> /entrypoint.sh && \
|
||||||
|
|||||||
@@ -0,0 +1,33 @@
|
|||||||
|
# Test image size optimization
|
||||||
|
|
||||||
|
FROM python:3.11-slim
|
||||||
|
|
||||||
|
WORKDIR /app
|
||||||
|
|
||||||
|
# Single layer for all dependencies to reduce image size
|
||||||
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||||
|
sqlite3 curl gosu \
|
||||||
|
&& rm -rf /var/lib/apt/lists/* \
|
||||||
|
&& apt-get clean \
|
||||||
|
&& groupadd -g 1000 appuser \
|
||||||
|
&& useradd -u 1000 -g appuser -m appuser
|
||||||
|
|
||||||
|
# Install Python deps with cleanup
|
||||||
|
COPY requirements.txt .
|
||||||
|
RUN pip install --no-cache-dir -r requirements.txt && pip cache purge
|
||||||
|
|
||||||
|
# Copy app files
|
||||||
|
COPY nfoguard.py core/ clients/ VERSION ./
|
||||||
|
|
||||||
|
# Set permissions and create entrypoint in single layer
|
||||||
|
RUN mkdir -p /app/data \
|
||||||
|
&& chown -R appuser:appuser /app \
|
||||||
|
&& echo '#!/bin/bash\nset -euo pipefail\nPUID=${PUID:-1000}\nPGID=${PGID:-1000}\nif [ "$(id -u)" -eq 0 ]; then\n groupmod -o -g "$PGID" appuser 2>/dev/null || groupadd -o -g "$PGID" appuser\n id appuser &>/dev/null || useradd -o -u "$PUID" -g "$PGID" -m appuser\n usermod -o -u "$PUID" -g "$PGID" appuser 2>/dev/null || true\n chown -R "$PUID:$PGID" /app || true\n exec gosu appuser "$@"\nelse\n exec "$@"\nfi' > /entrypoint.sh \
|
||||||
|
&& chmod +x /entrypoint.sh
|
||||||
|
|
||||||
|
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
|
||||||
|
CMD curl -f http://localhost:8080/health || exit 1
|
||||||
|
|
||||||
|
EXPOSE 8080
|
||||||
|
ENTRYPOINT ["/entrypoint.sh"]
|
||||||
|
CMD ["python", "nfoguard.py"]
|
||||||
+14
-1
@@ -40,4 +40,17 @@ docker tag hello-world gitea.skalas.org/jskala/test:latest
|
|||||||
docker push gitea.skalas.org/jskala/test:latest
|
docker push gitea.skalas.org/jskala/test:latest
|
||||||
```
|
```
|
||||||
|
|
||||||
After enabling packages, your workflow should work!
|
After enabling packages, your workflow should work!
|
||||||
|
|
||||||
|
## 5. Performance tip: Use local network for same-host setups
|
||||||
|
|
||||||
|
If your runner and Gitea are on the same host, use the local IP to avoid Cloudflare tunnel overhead:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Much faster for same-host setups
|
||||||
|
docker login 192.168.253.221:3000
|
||||||
|
docker tag hello-world 192.168.253.221:3000/jskala/test:latest
|
||||||
|
docker push 192.168.253.221:3000/jskala/test:latest
|
||||||
|
```
|
||||||
|
|
||||||
|
This bypasses the tunnel completely and should be very fast!
|
||||||
Reference in New Issue
Block a user