From 69319e972306327ff594c47d4dcf70bfad2d9336 Mon Sep 17 00:00:00 2001 From: "A. Renz" Date: Thu, 11 Dec 2025 20:00:54 +0100 Subject: [PATCH] ci: rewrite workflow for Gitea runner with Docker build --- .gitea/workflows/ci.yml | 206 ++++++++++++++++++++-------------------- 1 file changed, 103 insertions(+), 103 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 7cf8fd7..c1fa0e3 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml 
@@ -1,52 +1,55 @@ -name: CI +# CI/CD Pipeline for hmac-file-server +name: CI/CD on: push: branches: [main, master] - tags: - - 'v*' + tags: ['v*'] pull_request: branches: [main, master] env: - GO_VERSION: '1.24' + GITEA_URL: https://git.uuxo.net jobs: test: name: Test runs-on: ubuntu-latest + container: + image: golang:1.24-bookworm steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Install git + run: apt-get update && apt-get install -y git ca-certificates - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} + - name: Checkout code + run: | + git config --global --add safe.directory "$GITHUB_WORKSPACE" + git clone --depth 1 --branch ${GITHUB_REF_NAME} ${{ env.GITEA_URL }}/${GITHUB_REPOSITORY}.git . - name: Download dependencies run: go mod download - - name: Run tests - run: go test -v -race -coverprofile=coverage.out ./... + - name: Run tests with race detection + run: go test -race -coverprofile=coverage.out -covermode=atomic ./... - - name: Upload coverage - uses: actions/upload-artifact@v4 - with: - name: coverage - path: coverage.out + - name: Generate coverage report + run: | + go tool cover -func=coverage.out + go tool cover -html=coverage.out -o coverage.html lint: name: Lint runs-on: ubuntu-latest + container: + image: golang:1.24-bookworm steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Install git + run: apt-get update && apt-get install -y git ca-certificates - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} + - name: Checkout code + run: | + git config --global --add safe.directory "$GITHUB_WORKSPACE" + git clone --depth 1 --branch ${GITHUB_REF_NAME} ${{ env.GITEA_URL }}/${GITHUB_REPOSITORY}.git . - name: Run go vet run: go vet ./... 
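Review bot: The new "Checkout code" step in the test and lint jobs clones the tip of `${GITHUB_REF_NAME}` rather than the commit that triggered the run, so a second push to the same branch before the runner picks the job up makes test and lint validate a different commit than the one the status is reported against, and on `pull_request` events the ref name is unlikely to be a clonable branch at all (depends on what the Gitea runner sets — worth confirming before relying on that trigger). Checking out by SHA fixes both: `git init . && git remote add origin "${GITEA_URL}/${GITHUB_REPOSITORY}.git"`, then `git fetch --depth 1 origin "${GITHUB_SHA}"` and `git checkout --quiet FETCH_HEAD`, with the variables quoted. The clone is also unauthenticated, which only works while the repository is publicly readable; if it is ever made private this step needs a token. Separately, `golang:1.24-bookworm` is a mutable tag, so pinning it by digest (`image: golang:1.24-bookworm@sha256:…`) would restore the reproducible toolchain the removed `setup-go` step provided via `GO_VERSION`.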
@@ -57,132 +60,129 @@ jobs: echo "The following files are not formatted:" gofmt -l . exit 1 + fi build: name: Build ${{ matrix.binary }}-${{ matrix.goos }}-${{ matrix.goarch }} runs-on: ubuntu-latest needs: [test, lint] + container: + image: golang:1.24-bookworm strategy: matrix: binary: [server, monitor] goos: [linux, darwin] goarch: [amd64, arm64] steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Install git + run: apt-get update && apt-get install -y git ca-certificates - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} + - name: Checkout code + run: | + git config --global --add safe.directory "$GITHUB_WORKSPACE" + git clone --depth 1 --branch ${GITHUB_REF_NAME} ${{ env.GITEA_URL }}/${GITHUB_REPOSITORY}.git . - - - name: Build + - name: Build binary env: GOOS: ${{ matrix.goos }} GOARCH: ${{ matrix.goarch }} CGO_ENABLED: 0 run: | - go build -ldflags="-s -w -X main.Version=${{ github.ref_name }}" \ - -o hmac-file-${{ matrix.binary }}-${{ matrix.goos }}-${{ matrix.goarch }} \ + go build -ldflags="-s -w -X main.Version=${GITHUB_REF_NAME}" \ + -o dist/hmac-file-${{ matrix.binary }}-${{ matrix.goos }}-${{ matrix.goarch }} \ ./cmd/${{ matrix.binary }} - - name: Upload artifact - uses: actions/upload-artifact@v4 - with: - name: hmac-file-${{ matrix.binary }}-${{ matrix.goos }}-${{ matrix.goarch }} - path: hmac-file-${{ matrix.binary }}-${{ matrix.goos }}-${{ matrix.goarch }} - sbom: name: Generate SBOM runs-on: ubuntu-latest needs: [test] + container: + image: golang:1.24-bookworm steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Install git + run: apt-get update && apt-get install -y git ca-certificates curl - - name: Setup Go - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} + - name: Checkout code + run: | + git config --global --add safe.directory "$GITHUB_WORKSPACE" + git clone --depth 1 --branch ${GITHUB_REF_NAME} ${{ env.GITEA_URL }}/${GITHUB_REPOSITORY}.git . 
- - name: Install cyclonedx-gomod - run: go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest + - name: Install Syft + run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - name: Generate SBOM - run: cyclonedx-gomod mod -output sbom.json -json - - - name: Upload SBOM - uses: actions/upload-artifact@v4 - with: - name: sbom - path: sbom.json + run: | + syft . -o spdx-json=sbom-spdx.json + syft . -o cyclonedx-json=sbom-cyclonedx.json docker: - name: Build Docker Images + name: Build & Push Docker Image runs-on: ubuntu-latest needs: [test, lint] if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) + container: + image: docker:24-cli + options: --privileged + services: + docker: + image: docker:24-dind + options: --privileged steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Install dependencies + run: apk add --no-cache git curl - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + - name: Checkout code + run: | + git config --global --add safe.directory "$GITHUB_WORKSPACE" + git clone --depth 1 --branch ${GITHUB_REF_NAME} ${{ env.GITEA_URL }}/${GITHUB_REPOSITORY}.git . 
- name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + run: | + docker buildx create --use --name builder --driver docker-container + docker buildx inspect --bootstrap - - name: Login to Gitea Container Registry - uses: docker/login-action@v3 - with: - registry: git.uuxo.net - username: ${{ secrets.REGISTRY_USER }} - password: ${{ secrets.REGISTRY_TOKEN }} - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: git.uuxo.net/uuxo/hmac-file-server - tags: | - type=ref,event=branch - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=sha + - name: Login to Gitea Registry + run: | + echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.uuxo.net -u "${{ secrets.REGISTRY_USER }}" --password-stdin - name: Build and push - uses: docker/build-push-action@v5 - with: - context: . - file: ./Dockerfile.multiarch - platforms: linux/amd64,linux/arm64 - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} + run: | + # Determine tags + if [[ "${GITHUB_REF}" == refs/tags/* ]]; then + VERSION=${GITHUB_REF#refs/tags/} + TAGS="-t git.uuxo.net/uuxo/hmac-file-server:${VERSION} -t git.uuxo.net/uuxo/hmac-file-server:latest" + else + TAGS="-t git.uuxo.net/uuxo/hmac-file-server:${GITHUB_SHA::8} -t git.uuxo.net/uuxo/hmac-file-server:main" + fi + + docker buildx build \ + --platform linux/amd64,linux/arm64 \ + --push \ + --file Dockerfile.multiarch \ + ${TAGS} \ + . release: name: Release runs-on: ubuntu-latest needs: [build, sbom, docker] - if: startsWith(github.ref, 'refs/tags/') + if: startsWith(github.ref, 'refs/tags/v') + container: + image: golang:1.24-bookworm steps: - - name: Download all artifacts - uses: actions/download-artifact@v4 - with: - path: artifacts - - - name: Create checksums + - name: Install tools run: | - cd artifacts - find . 
-type f -name "hmac-file-*" -exec sha256sum {} \; > checksums.txt - cat checksums.txt + apt-get update && apt-get install -y git ca-certificates + curl -sSfL https://github.com/goreleaser/goreleaser/releases/download/v2.4.8/goreleaser_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin goreleaser + curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - - name: Create Release - uses: softprops/action-gh-release@v1 - with: - files: | - artifacts/hmac-file-*/hmac-file-* - artifacts/sbom/sbom.json - artifacts/checksums.txt - generate_release_notes: true + - name: Checkout code + run: | + git config --global --add safe.directory "$GITHUB_WORKSPACE" + git clone --branch ${GITHUB_REF_NAME} ${{ env.GITEA_URL }}/${GITHUB_REPOSITORY}.git . + git fetch --tags + + - name: Run goreleaser + env: + GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + run: goreleaser release --clean
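Review bot: The tooling that produces the SBOMs and the release is installed with no integrity check: `curl …/anchore/syft/main/install.sh | sh` executes whatever is on Syft's `main` branch at run time and installs the latest Syft, and the goreleaser tarball, although version-pinned to v2.4.8, is never compared against the checksum file published with that release, so a tampered upstream or CDN response would run as root in the release job with `GITEA_TOKEN` in its environment. Pin the installer script to a release tag and pass that version explicitly (`sh -s -- -b /usr/local/bin vX.Y.Z`), and verify the goreleaser archive with `sha256sum -c` before extracting it, as sketched below. In the docker job the `docker:24-cli` container is itself started with `--privileged` although only the dind service needs it, and nothing points the CLI at that service (`DOCKER_HOST` / `DOCKER_TLS_CERTDIR` are unset), so unless the runner injects a socket the login and buildx steps cannot reach a daemon — drop the `options` line from the CLI container and set `DOCKER_HOST: tcp://docker:2375` with `DOCKER_TLS_CERTDIR: ""` on the service, or the TLS equivalent on 2376. Prefer `env: REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}` over interpolating `${{ secrets.* }}` directly into the shell text of the login step. Finally, the `sbom` job's two SBOM files and the `build` job's `dist/` binaries are no longer uploaded anywhere, so `release` cannot attach them; it now relies entirely on goreleaser's own configuration (not visible in this diff) to rebuild, checksum and publish everything, which deserves a comment on the job.
```yaml
- name: Install tools
  env:
    GORELEASER_VERSION: v2.4.8
    SYFT_VERSION: vX.Y.Z  # pin to a released tag, not main
  run: |
    apt-get update && apt-get install -y git ca-certificates
    base="https://github.com/goreleaser/goreleaser/releases/download/${GORELEASER_VERSION}"
    curl -sSfLO "${base}/goreleaser_Linux_x86_64.tar.gz"
    # checksums.txt is published with each goreleaser release; confirm the name for this version
    curl -sSfL "${base}/checksums.txt" | grep ' goreleaser_Linux_x86_64.tar.gz$' | sha256sum -c -
    tar xzf goreleaser_Linux_x86_64.tar.gz -C /usr/local/bin goreleaser
    curl -sSfL "https://raw.githubusercontent.com/anchore/syft/${SYFT_VERSION}/install.sh" | sh -s -- -b /usr/local/bin "${SYFT_VERSION}"
# … unchanged: Checkout code and Run goreleaser steps …
```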