10 Commits

Author SHA1 Message Date
Chris Farhood c3227c3dcd chore: rename helm chart from hightower to trebuchet
CI / Type-check & lint (pull_request) Successful in 16s
CI / Build & push worker image (pull_request) Has been skipped
CI / Build & push API image (pull_request) Has been skipped
- Rename charts/hightower → charts/trebuchet
- Update Chart.yaml name field to 'trebuchet'
- Rename all helm template helpers from 'hightower.*' to 'trebuchet.*'
- Update all template files to reference trebuchet helpers
- Update values.yaml credentials secret names to use trebuchet prefix
- Update helm-release.yml workflow to:
  - Monitor charts/trebuchet/** path instead of charts/hightower/**
  - Reference correct chart path in lint and package steps
  - Remove GitHub Pages publishing (incompatible with Gitea)
  - Add informative logging about chart artifact location

This completes the rename from Hightower to Trebuchet branding. The helm
chart is now properly named and the CI workflow is compatible with Gitea.

Ref: FAR-132
2026-05-18 15:56:05 +00:00
Chris Farhood ff32ec85c5 chore: move .github folder to .gitea for Gitea compatibility
CI / Type-check & lint (pull_request) Successful in 15s
CI / Build & push worker image (pull_request) Has been skipped
CI / Build & push API image (pull_request) Has been skipped
Gitea prefers .gitea/ISSUE_TEMPLATE/ and .gitea/workflows/ over the
GitHub-convention .github/ equivalents. Moves all issue templates and
workflow files to the Gitea-native paths and updates CLAUDE.md references.

Cosign certificate identity paths in release/rollback workflows are
intentionally left unchanged — they reference the signing identity from
prior workflow runs and will need a separate update when the CI signing
infrastructure migrates.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-18 15:56:05 +00:00
Chris Farhood 48c0351be3 ci: switch back to REGISTRY_TOKEN PAT for registry auth
CI / Type-check & lint (push) Successful in 15s
CI / Build & push API image (push) Successful in 1m2s
CI / Build & push worker image (push) Successful in 3m6s
Even on Gitea 1.26 the auto-token still hits the registry with 401
in this environment. Use the gitea-admin PAT stored as REGISTRY_TOKEN.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 21:09:46 -04:00
Chris Farhood 5c7e4d45d4 ci: revert to auto GITEA_TOKEN for registry auth
CI / Type-check & lint (push) Successful in 15s
CI / Build & push worker image (push) Failing after 8s
CI / Build & push API image (push) Failing after 8s
Gitea 1.26 (PR #36173) honors permissions.packages: write on the
auto-provided GITEA_TOKEN, so the PAT workaround is no longer needed.
You can delete the REGISTRY_TOKEN org secret.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 21:02:41 -04:00
Chris Farhood 8fe637e0e2 ci: pin registry login username to gitea-admin
CI / Type-check & lint (push) Successful in 15s
CI / Build & push worker image (push) Failing after 7s
CI / Build & push API image (push) Failing after 8s
REGISTRY_TOKEN was created under the gitea-admin user, so the
docker/helm registry username must match. Using github.actor
would fail for any other workflow-triggering user.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 20:40:28 -04:00
Chris Farhood f3d73c9160 ci: use REGISTRY_TOKEN PAT for container registry auth
CI / Type-check & lint (push) Successful in 52s
CI / Build & push worker image (push) Failing after 1m50s
CI / Build & push API image (push) Failing after 1m50s
The auto-provided GITEA_TOKEN doesn't grant write:package scope
in Gitea 1.25 even when permissions.packages: write is declared.
Switch registry logins to a dedicated PAT stored as REGISTRY_TOKEN.
Keep GITEA_TOKEN for semantic-release-gitea API calls.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 20:35:51 -04:00
Chris Farhood a6da45f6bf ci: trigger workflow re-run
CI / Type-check & lint (push) Successful in 1m8s
CI / Build & push worker image (push) Failing after 2m11s
CI / Build & push API image (push) Failing after 2m11s
2026-05-16 19:49:54 -04:00
Chris Farhood 547d8ae314 ci: trigger workflow re-run
CI / Build & push API image (push) Failing after 1m39s
CI / Type-check & lint (push) Successful in 1m10s
CI / Build & push worker image (push) Failing after 1m38s
2026-05-16 19:36:42 -04:00
Chris Farhood 1a874724c2 ci: trigger workflow re-run
CI / Type-check & lint (push) Successful in 1m12s
CI / Build & push API image (push) Failing after 2m15s
CI / Build & push worker image (push) Failing after 2m15s
2026-05-16 19:11:59 -04:00
Chris Farhood 262a8be326 ci: migrate from GitHub Actions to Gitea Actions
Helm Chart Release / Lint, package & push OCI (push) Failing after 12s
CI / Type-check & lint (push) Failing after 37s
CI / Build & push API image (push) Has been skipped
CI / Build & push worker image (push) Has been skipped
Move workflows to .gitea/workflows and adapt for git.farh.net:
- Push container images to git.farh.net instead of GHCR/Docker Hub
- Publish Helm chart as OCI artifact (no gh-pages, Gitea lacks Pages)
- Replace cosign keyless signing with key-based (COSIGN_PRIVATE_KEY/PASSWORD/PUBLIC_KEY)
- Swap @semantic-release/github for semantic-release-gitea
- Drop gh CLI from rollback workflow
- Use GITEA_TOKEN for registry auth and release creation
- Add Artifact Hub annotations to Chart.yaml
- Run on ubuntu-latest

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 18:55:32 -04:00
8 changed files with 154 additions and 118 deletions
+15 -15
View File
@@ -16,7 +16,7 @@ concurrency:
jobs: jobs:
check: check:
name: Type-check & lint name: Type-check & lint
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -43,7 +43,7 @@ jobs:
name: Build & push worker image name: Build & push worker image
needs: check needs: check
if: github.event_name == 'push' && github.ref == 'refs/heads/main' if: github.event_name == 'push' && github.ref == 'refs/heads/main'
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
packages: write packages: write
@@ -55,12 +55,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to GHCR - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: ghcr.io registry: git.farh.net
username: ${{ github.actor }} username: gitea-admin
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push worker image - name: Build and push worker image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -68,14 +68,14 @@ jobs:
context: . context: .
push: true push: true
tags: | tags: |
ghcr.io/farhoodlabs/trebuchet:latest git.farh.net/farhoodlabs/trebuchet:latest
ghcr.io/farhoodlabs/trebuchet:sha-${{ github.sha }} git.farh.net/farhoodlabs/trebuchet:sha-${{ github.sha }}
build-api: build-api:
name: Build & push API image name: Build & push API image
needs: check needs: check
if: github.event_name == 'push' && github.ref == 'refs/heads/main' if: github.event_name == 'push' && github.ref == 'refs/heads/main'
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
packages: write packages: write
@@ -87,12 +87,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to GHCR - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: ghcr.io registry: git.farh.net
username: ${{ github.actor }} username: gitea-admin
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push API image - name: Build and push API image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -102,5 +102,5 @@ jobs:
push: true push: true
no-cache: true no-cache: true
tags: | tags: |
ghcr.io/farhoodlabs/trebuchet-api:latest git.farh.net/farhoodlabs/trebuchet-api:latest
ghcr.io/farhoodlabs/trebuchet-api:sha-${{ github.sha }} git.farh.net/farhoodlabs/trebuchet-api:sha-${{ github.sha }}
+42 -33
View File
@@ -13,7 +13,7 @@ concurrency:
jobs: jobs:
preflight: preflight:
name: Preflight name: Preflight
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
outputs: outputs:
version: ${{ steps.version.outputs.version }} version: ${{ steps.version.outputs.version }}
@@ -35,7 +35,6 @@ jobs:
if [[ -z "$LATEST" ]]; then if [[ -z "$LATEST" ]]; then
echo "version=1.0.0-beta.1" >> "$GITHUB_OUTPUT" echo "version=1.0.0-beta.1" >> "$GITHUB_OUTPUT"
else else
# Extract N from 1.0.0-beta.N and increment
N=$(echo "$LATEST" | grep -oE 'beta\.([0-9]+)' | grep -oE '[0-9]+') N=$(echo "$LATEST" | grep -oE 'beta\.([0-9]+)' | grep -oE '[0-9]+')
NEXT=$((N + 1)) NEXT=$((N + 1))
echo "version=1.0.0-beta.$NEXT" >> "$GITHUB_OUTPUT" echo "version=1.0.0-beta.$NEXT" >> "$GITHUB_OUTPUT"
@@ -47,9 +46,10 @@ jobs:
build-docker: build-docker:
name: Build Docker (worker) name: Build Docker (worker)
needs: preflight needs: preflight
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
packages: write
steps: steps:
- name: Checkout - name: Checkout
@@ -58,11 +58,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Docker Hub - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} registry: git.farh.net
password: ${{ secrets.DOCKERHUB_TOKEN }} username: gitea-admin
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push worker image - name: Build and push worker image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -71,14 +72,15 @@ jobs:
push: true push: true
provenance: mode=max provenance: mode=max
sbom: true sbom: true
tags: farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }} tags: git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}
build-docker-api: build-docker-api:
name: Build Docker (API) name: Build Docker (API)
needs: preflight needs: preflight
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
packages: write
steps: steps:
- name: Checkout - name: Checkout
@@ -87,11 +89,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Docker Hub - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} registry: git.farh.net
password: ${{ secrets.DOCKERHUB_TOKEN }} username: gitea-admin
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push API image - name: Build and push API image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -101,15 +104,15 @@ jobs:
push: true push: true
provenance: mode=max provenance: mode=max
sbom: true sbom: true
tags: farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }} tags: git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}
sign-docker: sign-docker:
name: Sign Docker images name: Sign Docker images
needs: [preflight, build-docker, build-docker-api] needs: [preflight, build-docker, build-docker-api]
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
id-token: write packages: write
outputs: outputs:
worker_digest: ${{ steps.inspect-worker.outputs.digest }} worker_digest: ${{ steps.inspect-worker.outputs.digest }}
api_digest: ${{ steps.inspect-api.outputs.digest }} api_digest: ${{ steps.inspect-api.outputs.digest }}
@@ -118,57 +121,63 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Docker Hub - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} registry: git.farh.net
password: ${{ secrets.DOCKERHUB_TOKEN }} username: gitea-admin
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Inspect worker image - name: Inspect worker image
id: inspect-worker id: inspect-worker
run: | run: |
docker buildx imagetools inspect "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}"
DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Inspect API image - name: Inspect API image
id: inspect-api id: inspect-api
run: | run: |
docker buildx imagetools inspect "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}"
DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Install cosign - name: Install cosign
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- name: Sign worker image - name: Sign worker image
run: cosign sign --yes "farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}" env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
- name: Sign API image - name: Sign API image
run: cosign sign --yes "farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}" env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
- name: Verify worker image signature - name: Verify worker image signature
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
run: | run: |
sleep 10 sleep 10
cosign verify \ cosign verify --key env://COSIGN_PUBLIC_KEY \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \ "git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release-beta.yml@${{ github.ref }} \
"farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
- name: Verify API image signature - name: Verify API image signature
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
run: | run: |
cosign verify \ cosign verify --key env://COSIGN_PUBLIC_KEY \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \ "git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release-beta.yml@${{ github.ref }} \
"farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
publish-npm: publish-npm:
name: Publish npm (beta) name: Publish npm (beta)
needs: [preflight, sign-docker] needs: [preflight, sign-docker]
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
id-token: write
steps: steps:
- name: Checkout - name: Checkout
+53 -41
View File
@@ -13,7 +13,7 @@ concurrency:
jobs: jobs:
preflight: preflight:
name: Preflight name: Preflight
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: write contents: write
outputs: outputs:
@@ -42,11 +42,12 @@ jobs:
id: probe id: probe
shell: bash shell: bash
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITEA_URL: https://git.farh.net
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
run: | run: |
set -euo pipefail set -euo pipefail
npx semantic-release@25 --dry-run --no-ci 2>&1 | tee semantic-release.log npx -p semantic-release@25 -p semantic-release-gitea semantic-release --dry-run --no-ci 2>&1 | tee semantic-release.log
if grep -qi "the next release version is" semantic-release.log; then if grep -qi "the next release version is" semantic-release.log; then
echo "should_release=true" >> "$GITHUB_OUTPUT" echo "should_release=true" >> "$GITHUB_OUTPUT"
@@ -60,9 +61,10 @@ jobs:
name: Build Docker (worker) name: Build Docker (worker)
needs: preflight needs: preflight
if: needs.preflight.outputs.should_release == 'true' if: needs.preflight.outputs.should_release == 'true'
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
packages: write
steps: steps:
- name: Checkout - name: Checkout
@@ -71,11 +73,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Docker Hub - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} registry: git.farh.net
password: ${{ secrets.DOCKERHUB_TOKEN }} username: gitea-admin
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push worker image - name: Build and push worker image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -85,16 +88,17 @@ jobs:
provenance: mode=max provenance: mode=max
sbom: true sbom: true
tags: | tags: |
farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }} git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}
farhoodlabs/trebuchet:latest git.farh.net/farhoodlabs/trebuchet:latest
build-docker-api: build-docker-api:
name: Build Docker (API) name: Build Docker (API)
needs: preflight needs: preflight
if: needs.preflight.outputs.should_release == 'true' if: needs.preflight.outputs.should_release == 'true'
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
packages: write
steps: steps:
- name: Checkout - name: Checkout
@@ -103,11 +107,12 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Docker Hub - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} registry: git.farh.net
password: ${{ secrets.DOCKERHUB_TOKEN }} username: gitea-admin
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and push API image - name: Build and push API image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -118,16 +123,16 @@ jobs:
provenance: mode=max provenance: mode=max
sbom: true sbom: true
tags: | tags: |
farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }} git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}
farhoodlabs/trebuchet-api:latest git.farh.net/farhoodlabs/trebuchet-api:latest
sign-docker: sign-docker:
name: Sign Docker images name: Sign Docker images
needs: [preflight, build-docker, build-docker-api] needs: [preflight, build-docker, build-docker-api]
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
id-token: write packages: write
outputs: outputs:
worker_digest: ${{ steps.inspect-worker.outputs.digest }} worker_digest: ${{ steps.inspect-worker.outputs.digest }}
api_digest: ${{ steps.inspect-api.outputs.digest }} api_digest: ${{ steps.inspect-api.outputs.digest }}
@@ -136,57 +141,63 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Docker Hub - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} registry: git.farh.net
password: ${{ secrets.DOCKERHUB_TOKEN }} username: gitea-admin
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Inspect worker image - name: Inspect worker image
id: inspect-worker id: inspect-worker
run: | run: |
docker buildx imagetools inspect "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}"
DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Inspect API image - name: Inspect API image
id: inspect-api id: inspect-api
run: | run: |
docker buildx imagetools inspect "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}"
DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Install cosign - name: Install cosign
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- name: Sign worker image - name: Sign worker image
run: cosign sign --yes "farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}" env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
- name: Sign API image - name: Sign API image
run: cosign sign --yes "farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}" env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
- name: Verify worker image signature - name: Verify worker image signature
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
run: | run: |
sleep 10 sleep 10
cosign verify \ cosign verify --key env://COSIGN_PUBLIC_KEY \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \ "git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }} \
"farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
- name: Verify API image signature - name: Verify API image signature
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
run: | run: |
cosign verify \ cosign verify --key env://COSIGN_PUBLIC_KEY \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \ "git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }} \
"farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
publish-npm: publish-npm:
name: Publish npm name: Publish npm
needs: [preflight, sign-docker] needs: [preflight, sign-docker]
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
id-token: write
steps: steps:
- name: Checkout - name: Checkout
@@ -226,9 +237,9 @@ jobs:
fi fi
release: release:
name: Create GitHub release name: Create Gitea release
needs: [preflight, publish-npm] needs: [preflight, publish-npm]
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
permissions: permissions:
contents: write contents: write
@@ -250,7 +261,8 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: pnpm install --frozen-lockfile run: pnpm install --frozen-lockfile
- name: Create GitHub release - name: Create Gitea release
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITEA_URL: https://git.farh.net
run: npx semantic-release@25 GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
run: npx -p semantic-release@25 -p semantic-release-gitea semantic-release
+1 -1
View File
@@ -18,7 +18,7 @@ concurrency:
jobs: jobs:
rollback: rollback:
name: Roll back npm beta dist-tag name: Roll back npm beta dist-tag
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
steps: steps:
- name: Validate target version - name: Validate target version
id: target id: target
+19 -20
View File
@@ -17,8 +17,8 @@ concurrency:
jobs: jobs:
rollback: rollback:
name: Roll back npm, Docker, and GitHub release latest name: Roll back npm and Docker latest
runs-on: runners-farhoodlabs runs-on: ubuntu-latest
steps: steps:
- name: Checkout tags - name: Checkout tags
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -74,48 +74,44 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Docker Hub - name: Log in to Gitea registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} registry: git.farh.net
password: ${{ secrets.DOCKERHUB_TOKEN }} username: gitea-admin
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Verify Docker image tag exists - name: Verify Docker image tag exists
run: docker buildx imagetools inspect "farhoodlabs/trebuchet:${{ steps.target.outputs.version }}" run: docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
- name: Install cosign - name: Install cosign
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
- name: Verify Docker image signature before rollback - name: Verify Docker image signature before rollback
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
run: | run: |
cosign verify \ cosign verify --key env://COSIGN_PUBLIC_KEY \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \ "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
--certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/release.yml@refs/heads/main" \
"farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
- name: Move Docker latest - name: Move Docker latest
run: | run: |
docker buildx imagetools create \ docker buildx imagetools create \
--tag "farhoodlabs/trebuchet:latest" \ --tag "git.farh.net/farhoodlabs/trebuchet:latest" \
"farhoodlabs/trebuchet:${{ steps.target.outputs.version }}" "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
- name: Move npm latest - name: Move npm latest
env: env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm dist-tag add "@trebuchet/cli@${{ steps.target.outputs.version }}" latest run: npm dist-tag add "@trebuchet/cli@${{ steps.target.outputs.version }}" latest
- name: Mark GitHub release as latest
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release edit "v${{ steps.target.outputs.version }}" --latest
- name: Show final npm dist-tags - name: Show final npm dist-tags
env: env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm dist-tag ls @trebuchet/cli run: npm dist-tag ls @trebuchet/cli
- name: Verify Docker latest now points to target - name: Verify Docker latest now points to target
run: docker buildx imagetools inspect "farhoodlabs/trebuchet:latest" run: docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:latest"
- name: Write summary - name: Write summary
run: | run: |
@@ -124,6 +120,9 @@ jobs:
echo "" echo ""
echo "- Target version: \`${{ steps.target.outputs.version }}\`" echo "- Target version: \`${{ steps.target.outputs.version }}\`"
echo "- npm package: \`@trebuchet/cli\`" echo "- npm package: \`@trebuchet/cli\`"
echo "- Docker image: \`farhoodlabs/trebuchet\`" echo "- Docker image: \`git.farh.net/farhoodlabs/trebuchet\`"
echo "- GitHub release: \`v${{ steps.target.outputs.version }}\` marked as latest" echo ""
echo "NOTE: Gitea determines the 'latest' release by date, not a flag."
echo "To re-mark \`v${{ steps.target.outputs.version }}\` as the latest"
echo "release on Gitea, edit the release in the UI to bump its date."
} >> "$GITHUB_STEP_SUMMARY" } >> "$GITHUB_STEP_SUMMARY"
+2
View File
@@ -5,3 +5,5 @@ credentials/
dist/ dist/
repos/ repos/
.turbo/ .turbo/
cosign.key
cosign.pub
+1 -8
View File
@@ -9,13 +9,6 @@
"npmPublish": false "npmPublish": false
} }
], ],
[ "semantic-release-gitea"
"@semantic-release/github",
{
"successCommentCondition": false,
"failCommentCondition": false,
"releasedLabels": false
}
]
] ]
} }
+21
View File
@@ -4,3 +4,24 @@ description: API-driven AI pentester built on Shannon, deployed as a service on
type: application type: application
version: 0.1.1 version: 0.1.1
appVersion: "1.0.0" appVersion: "1.0.0"
home: https://git.farh.net/farhoodlabs/trebuchet
sources:
- https://git.farh.net/farhoodlabs/trebuchet
maintainers:
- name: farhoodlabs
url: https://git.farh.net/farhoodlabs
keywords:
- security
- pentesting
- ai
- kubernetes
annotations:
artifacthub.io/license: AGPL-3.0
artifacthub.io/links: |
- name: source
url: https://git.farh.net/farhoodlabs/trebuchet
artifacthub.io/images: |
- name: worker
image: git.farh.net/farhoodlabs/trebuchet:latest
- name: api
image: git.farh.net/farhoodlabs/trebuchet-api:latest