fix: cicd

.forgejo/workflows/build.yaml

@@ -38,7 +38,7 @@ jobs:
       - /buildkit-certs:/buildkit-certs
     steps:
       - name: ⏬ Checkout code repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.1.7
      
       - name: 📌 Extract metadata (tags, labels) for Docker
         id: meta

.forgejo/workflows/deploy.yaml

@@ -30,7 +30,7 @@ jobs:
       image: devthefuture/act-runner:latest
     steps:
       - name: 🎡 Check out the Helm chart repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.1.7
         with:
           repository: "${{ github.repository_owner }}/appsets"
           token: ${{ secrets.M8A_ORG_BOT_REPO_TOKEN }}

buildkit/action.yml

@@ -48,6 +48,9 @@ inputs:
   build-args:
     description: 'Build arguments to be passed to the build'
     required: false
+  target:
+    description: 'Build stage to build'
+    required: false
   secrets:
     description: 'Build secrets to be passed to the build'
     required: false
@@ -64,8 +67,26 @@ runs:
   using: 'composite'
   steps:
     - shell: bash
+      env:
+        INPUT_PATH: ${{ inputs.path }}
+        INPUT_SECRET: ${{ inputs.secrets }}
+        INPUT_REGISTRY: ${{ inputs.registry }}
+        INPUT_REGISTRY_USERNAME: ${{ inputs.registry-username }}
+        INPUT_REGISTRY_PASSWORD: ${{ inputs.registry-password }}
+        INPUT_TARGET: ${{ inputs.target }}
+        INPUT_BUILDKIT_DAEMON_ADDRESS: ${{ inputs.buildkit-daemon-address }}
+        INPUT_BUILDKIT_CERT_CA_FILE: ${{ inputs.buildkit-cert-ca-file }}
+        INPUT_BUILDKIT_CERT_FILE: ${{ inputs.buildkit-cert-file }}
+        INPUT_BUILDKIT_CERT_KEY_FILE: ${{ inputs.buildkit-cert-key-file }}
+        INPUT_CONTEXT: ${{ inputs.context }}
+        INPUT_DOCKERFILE: ${{ inputs.dockerfile }}
+        INPUT_PLATFORMS: ${{ inputs.platforms }}
+        INPUT_LABELS: ${{ inputs.labels }}
+        INPUT_BUILD_ARGS: ${{ inputs.build-args }}
+        INPUT_TAGS: ${{ inputs.tags }}
+        INPUT_PUSH: ${{ inputs.push }}
       run: |
-        cd "${{ inputs.path }}"
+        cd "$INPUT_PATH"
 
         # hanlde secrets to args
         declare -a secret_args
@@ -78,29 +99,34 @@ runs:
             export SECRET_ENV_${key}="${val}"
             secret_args+=("--secret id=${key},env=SECRET_ENV_${key}")
           fi
-        done <<< "${{ inputs.secrets }}"
+        done <<< "$INPUT_SECRETS"
 
         # login to docker registry
         export DOCKER_CONFIG=~/.docker
-        if [ -n "${{ inputs.registry }}" ]; then
+        if [ -n "$INPUT_REGISTRY" ]; then
           mkdir -p $DOCKER_CONFIG
-          echo "{\"auths\":{\"${{ inputs.registry }}\":{\"username\":\"${{ inputs.registry-username }}\",\"password\":\"${{ inputs.registry-password }}\"}}}" > $DOCKER_CONFIG/config.json
+          echo "{\"auths\":{\"$INPUT_REGISTRY\":{\"username\":\"$INPUT_REGISTRY_USERNAME\",\"password\":\"$INPUT_REGISTRY_PASSWORD\"}}}" > $DOCKER_CONFIG/config.json
+        fi
+
+        target_args=""
+        if [ -n "$INPUT_TARGET" ]; then
+          target_args="--target=$INPUT_TARGET"
         fi
 
         # build and push using buildkit
         buildctl \
-          --addr ${{ inputs.buildkit-daemon-address }} \
-          --tlscacert ${{ inputs.buildkit-cert-ca-file }} \
-          --tlscert ${{ inputs.buildkit-cert-file }} \
-          --tlskey ${{ inputs.buildkit-cert-key-file }} \
+          --addr $INPUT_BUILDKIT_DAEMON_ADDRESS \
+          --tlscacert $INPUT_BUILDKIT_CERT_CA_FILE \
+          --tlscert $INPUT_BUILDKIT_CERT_FILE \
+          --tlskey $INPUT_BUILDKIT_CERT_KEY_FILE \
           build \
             --frontend dockerfile.v0 \
-            --local context=${{ inputs.context }} \
-            --local dockerfile=${{ inputs.context }} \
-            --opt platform=${{ inputs.platforms }} \
-            $(echo "${{ inputs.build-args }}" | sed -r '/^\s*$/d' - | sed -r 's/(.*)/--opt build-arg:\1 \\/' -) \
-            $(echo "${{ inputs.labels }}" | sed -r '/^\s*$/d' - | sed -r 's/(.*)/--opt label:\1 \\/' -) \
+            --local context=$INPUT_CONTEXT \
+            --local dockerfile=$INPUT_CONTEXT \
+            --opt platform=$INPUT_PLATFORMS \
+            $(echo "$INPUT_BUILD_ARGS" | sed -r '/^\s*$/d' - | sed -r 's/(.*)/--opt build-arg:\1 \\/' -) \
+            $(echo "$INPUT_LABELS" | sed -r '/^\s*$/d' - | sed -r 's/(.*)/--opt label:\1 \\/' -) \
             "${secret_args[@]}" \
-            --target=${{ inputs.target }} \
-            --opt filename=./${{ inputs.dockerfile }} \
-            --output type=image,\"name=$(echo "${{ inputs.tags }}" | paste -sd ',' -)\",push=${{ inputs.push }}
+            "$target_args" \
+            --opt filename=./$INPUT_DOCKERFILE \
+            --output type=image,\"name=$(echo "$INPUT_TAGS" | paste -sd ',' -)\",push=$INPUT_PUSH

minio-upload/Dockerfile

@@ -0,0 +1,5 @@
+FROM minio/mc:RELEASE.2024-06-24T19-40-33Z.fips
+
+COPY entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

minio-upload/README.md

@@ -0,0 +1,7 @@
+# minio Action
+
+This action allows you to upload objects to a MinIO server
+
+
+---
+forked from https://github.com/cloudkernels/minio-upload

minio-upload/action.yml

@@ -0,0 +1,35 @@
+# action.yml
+
+name: minio-upload
+description: "Action that lets you upload objects from a MinIO server"
+inputs:
+  url:
+    description: "URL of the MinIO server"
+    required: true
+  access-key:
+    description: "Access Key for the MinIO server"
+    required: true
+  secret-key:
+    description: "Secret Key for the MinIO server"
+    required: true
+  local-path:
+    description: 'Path of the local object'
+    required: true
+    default: './'
+  remote-path:
+    description: 'Path to remote object'
+    required: true
+  policy:
+    description: 'Policy'
+    required: false
+
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  args:
+    - ${{ inputs.url }}
+    - ${{ inputs.access-key }}
+    - ${{ inputs.secret-key }}
+    - ${{ inputs.local-path }}
+    - ${{ inputs.remote-path }}
+    - ${{ inputs.policy }}

minio-upload/entrypoint.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+LOG_NAME="minio"
+
+info() {
+    [ -t 1 ] && [ -n "$TERM" ] \
+        && echo "$(tput setaf 2)[$LOG_NAME]$(tput sgr0) $*" \
+        || echo "[$LOG_NAME] $*"
+}
+
+err() {
+	[ -t 2 ] && [ -n "$TERM" ] \
+		&& echo -e "$(tput setaf 1)[$LOG_NAME]$(tput sgr0) $*" 1>&2 \
+		|| echo -e "[$LOG_NAME] $*" 1>&2
+}
+
+die() {
+	err "$@"
+	exit 1
+}
+
+ok_or_die() {
+	if [ $? -ne 0 ]; then
+		die $1
+	fi
+}
+
+if [[ $# -lt 5 ]] ; then
+	die "Usage: $0 url access_key secret_key local_path remote_path"
+fi
+
+url=$1
+access_key=$2
+secret_key=$3
+local_path=$4
+remote_path=$5
+
+mc alias set s3 $url $access_key $secret_key
+ok_or_die "Could not set mc alias"
+
+if [[ "$local_path" == */ ]]; then
+  copy_command="mc cp -r"
+else
+  copy_command="mc cp"
+fi
+
+IFS=' ' read -r -a remote_paths <<< "$remote_path"
+for rpath in "${remote_paths[@]}"; do
+  info "Will upload $local_path to $rpath"
+  $copy_command "$local_path" "s3/$rpath"
+	ok_or_die "Could not upload object"
+done
+
+if [[ $# -eq 6 ]] ; then
+	if [[ $6 -eq 1 ]] ; then
+		info "Will make $remote_path public"
+		mc anonymous -r set download s3/$remote_path
+	else
+		info "Will make $remote_path private"
+		mc anonymous -r set private s3/$remote_path || true
+	fi
+fi

uptag/.gitattributes

@@ -0,0 +1,3 @@
+/.yarn/releases/** binary
+/.yarn/plugins/** binary
+/.pnp.cjs

uptag/.gitignore

@@ -0,0 +1,7 @@
+.yarn/*
+!.yarn/cache
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/sdks
+!.yarn/versions

uptag/.yarnrc.yml

@@ -0,0 +1,2 @@
+yarnPath: .yarn/releases/yarn-4.0.2.cjs
+enableGlobalCache: false

uptag/action.yaml

@@ -2,10 +2,10 @@ name: Upgrade tag in appsets
 description: "Set image tag in values of an application for appsets of an organization"
 inputs:
   app:
-    description: "The app directory name, default to repository name"
+    description: "The app directory name (support comma separated list or yaml list of objects), default to repository name"
     required: false
   env:
-    description: "The env directory name"
+    description: "The env directory name (support comma separated list)"
     required: true
   tag:
     description: "The tag to set, default to extracted from meta-tags inputs"
@@ -13,6 +13,16 @@ inputs:
   meta-tags:
     description: "The meta-tags inputs, required if inputs.tag is not provided"
     required: false
+  key:
+    description: "The value key to upgrade"
+    required: false
+    default: "image.tag"
+  commit:
+    description: "Enable commit"
+    required: false
+  push:
+    description: "Enable push"
+    required: false
 
 runs:
   using: "composite"
@@ -21,19 +31,33 @@ runs:
     env:
       CD_APP: ${{ inputs.app || github.event.repository.name }}
       CD_ENV: ${{ inputs.env }}
+      CD_COMMIT: ${{ inputs.commit || 'false' }}
+      CD_PUSH: ${{ inputs.push || 'false' }}
+      CD_KEY: ${{ inputs.key }}
     shell: bash
     run: |
-      TAG=${{ inputs.tag }}
+      export TAG=${{ inputs.tag }}
       if [ -z "$TAG" ]; then
         IFS=',' read -ra TAGS_ARRAY <<< "${{ inputs.meta-tags }}"
         IMAGE=${TAGS_ARRAY[0]}
-        TAG=${IMAGE##*:}
+        export TAG=${IMAGE##*:}
       fi
 
       echo "Using tag: $TAG"
-      yq e '.image.tag = "'$TAG'"' -i apps/$CD_APP/envs/$CD_ENV/values.yaml
+
+      export CD_WORKING_DIR="$PWD"
+      cd $GITHUB_ACTION_PATH
+      yarn node index.js
+      cd "$CD_WORKING_DIR"
+      
       git config user.name "forgejo-actions"
       git config user.email "bot@devthefuture.org"
       git add .
-      git commit --allow-empty -m "chore: update image tag to ${GITHUB_REF#refs/tags/}"
-      git push origin HEAD
+      
+      if [ "$CD_COMMIT" != "false" ]; then
+        git commit --allow-empty -m "chore: set $CD_ENV image.tag=$TAG"
+      fi
+
+      if [ "$CD_PUSH" != "false" ]; then
+        git push origin HEAD
+      fi

uptag/index.js

@@ -0,0 +1,62 @@
+const fs = require("fs/promises");
+const yaml = require("yaml");
+const set = require("lodash.set");
+
+const yamlLoadAll = (input) => {
+  const documents = [];
+
+  const append = (arr) => {
+    const doc = arr.join("\n").trim();
+    if (doc.length > 0) {
+      const obj = yaml.parse(doc.toString());
+      if (obj !== null) {
+        documents.push(obj);
+      }
+    }
+  };
+
+  let currentDoc = [];
+  for (const line of input.split("\n")) {
+    if (line.startsWith("---")) {
+      append(currentDoc);
+      currentDoc = [];
+    } else {
+      currentDoc.push(line);
+    }
+  }
+  append(currentDoc);
+
+  return documents;
+};
+
+const main = async () => {
+  const defaultTag = process.env.TAG;
+  const cdApp = process.env.CD_APP;
+  const cdEnv = process.env.CD_ENV;
+  const cdKey = process.env.CD_KEY;
+  const workingDir = process.env.CD_WORKING_DIR;
+  let apps;
+  if (cdApp.includes("\n")) {
+    apps = yamlLoadAll(cdApp);
+  } else {
+    apps = cdApp.split(",").map((name) => ({ name }));
+  }
+  const envs = cdEnv.split(",");
+  for (const app of apps) {
+    for (const env of envs) {
+      const { name, key = cdKey, tag = defaultTag } = app;
+      const valuesFile = `apps/${name}/envs/${env}/values.yaml`;
+      const keys = key.split(",")
+      const valuesFilePath = `${workingDir}/${valuesFile}`;
+      const valuesRaw = await fs.readFile(valuesFilePath, { encoding: "utf-8" })
+      const values = yaml.parse(valuesRaw);
+      for(const k of keys){
+        console.log(`${valuesFile} -> ${k}=${tag}`);
+        set(values, k, tag);
+      }
+      await fs.writeFile(valuesFilePath, yaml.stringify(values));
+    }
+  }
+};
+
+main();

uptag/package.json

@@ -0,0 +1,10 @@
+{
+  "name": "uptag",
+  "main": "index.js",
+  "license": "MIT",
+  "packageManager": "yarn@4.0.2",
+  "dependencies": {
+    "lodash.set": "^4.3.2",
+    "yaml": "^2.3.4"
+  }
+}

uptag/yarn.lock

@@ -0,0 +1,29 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 8
+  cacheKey: 10c0
+
+"lodash.set@npm:^4.3.2":
+  version: 4.3.2
+  resolution: "lodash.set@npm:4.3.2"
+  checksum: c641d31905e51df43170dce8a1d11a1cff11356e2e2e75fe2615995408e9687d58c3e1d64c3c284c2df2bc519f79a98af737d2944d382ff82ffd244ff6075c29
+  languageName: node
+  linkType: hard
+
+"uptag@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "uptag@workspace:."
+  dependencies:
+    lodash.set: "npm:^4.3.2"
+    yaml: "npm:^2.3.4"
+  languageName: unknown
+  linkType: soft
+
+"yaml@npm:^2.3.4":
+  version: 2.3.4
+  resolution: "yaml@npm:2.3.4"
+  checksum: cf03b68f8fef5e8516b0f0b54edaf2459f1648317fc6210391cf606d247e678b449382f4bd01f77392538429e306c7cba8ff46ff6b37cac4de9a76aff33bd9e1
+  languageName: node
+  linkType: hard

yarn-install/action.yml

@@ -0,0 +1,48 @@
+# based on https://gist.github.com/belgattitude/042f9caf10d029badbde6cf9d43e400a
+name: 'Monorepo install (yarn)'
+description: 'Run yarn install with node_modules linker and cache enabled'
+inputs:
+  cwd:
+    description: "Changes node's process.cwd() if the project is not located on the root. Default to process.cwd()"
+    required: false
+    default: '.'
+  cache-prefix:
+    description: 'Add a specific cache-prefix'
+    required: false
+    default: 'default'
+  
+runs:
+  using: 'composite'
+  steps:
+    - name: ⚙️ Expose yarn config as "$GITHUB_OUTPUT"
+      id: yarn-config
+      shell: bash
+      working-directory: ${{ inputs.cwd }}
+      env:
+        YARN_ENABLE_GLOBAL_CACHE: 'false'
+      run: |
+        echo "CACHE_FOLDER=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
+        echo "CURRENT_NODE_VERSION="node-$(node --version)"" >> $GITHUB_OUTPUT
+        echo "CURRENT_BRANCH=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's,/,-,g')" >> $GITHUB_OUTPUT
+
+    - name: ♻️ Restore yarn cache
+      uses: actions/cache@v3
+      id: yarn-download-cache
+      with:
+        path: ${{ steps.yarn-config.outputs.CACHE_FOLDER }}
+        key: yarn-download-cache-${{ inputs.cache-prefix }}-${{ hashFiles(format('{0}/yarn.lock', inputs.cwd), format('{0}/.yarnrc.yml', inputs.cwd)) }}
+        restore-keys: |
+          yarn-download-cache-${{ inputs.cache-prefix }}-
+    
+    - name: 📥 Install dependencies
+      shell: bash
+      working-directory: ${{ inputs.cwd }}
+      run: yarn install --immutable --inline-builds
+      env:
+        # Overrides/align yarnrc.yml options (v3, v4) for a CI context
+        YARN_ENABLE_GLOBAL_CACHE: 'false' # Use local cache folder to keep downloaded archives
+        YARN_ENABLE_MIRROR: 'false' # Prevent populating global cache for caches misses (local cache only)
+        YARN_NM_MODE: 'hardlinks-local' # Reduce node_modules size
+        YARN_INSTALL_STATE_PATH: '.yarn/ci-cache/install-state.gz' # Might speed up resolution step when node_modules present
+        # Other environment variables
+        HUSKY: '0' # By default do not run HUSKY install