From d0da8af26d8de38a4a542f2789a946e2084b7a2e Mon Sep 17 00:00:00 2001 From: ConfuzzedCat Date: Tue, 13 Jan 2026 18:43:44 +0100 Subject: [PATCH 01/14] Added auto container upload to ghcr --- .forgejo/workflows/container_upload.yml | 96 +++++++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 .forgejo/workflows/container_upload.yml diff --git a/.forgejo/workflows/container_upload.yml b/.forgejo/workflows/container_upload.yml new file mode 100644 index 0000000..9ad5e38 --- /dev/null +++ b/.forgejo/workflows/container_upload.yml 
@@ -0,0 +1,96 @@ +name: Github Container Registry Upload + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +on: + release: + types: [ published ] + push: + branches: ["main"] + +env: + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ forgejo.repository }} + DOCKER_FILE: ./Wishlist/Dockerfile + + +jobs: + build: + + runs-on: docker + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: forgejo.event_name != 'pull_request' + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 + with: + cosign-release: 'v2.2.4' + + # Set up BuildKit Docker container builder to be able to build + # multi-platform images and export cache + # https://github.com/docker/setup-buildx-action + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: forgejo.event_name != 'pull_request' + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ forgejo.actor }} + password: ${{ secrets.GH_TOKEN }} + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + # 
Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + with: + context: . + file: ${{ env.DOCKER_FILE }} + push: ${{ forgejo.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ forgejo.event_name != 'pull_request' }} + env: + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build-and-push.outputs.digest }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} \ No newline at end of file From ae27f9b9013e733828d7e900031949166c67a779 Mon Sep 17 00:00:00 2001 From: ConfuzzedCat Date: Tue, 13 Jan 2026 18:51:31 +0100 Subject: [PATCH 02/14] Chnaged runner --- .forgejo/workflows/container_upload.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/container_upload.yml b/.forgejo/workflows/container_upload.yml index 9ad5e38..1838996 100644 --- a/.forgejo/workflows/container_upload.yml +++ b/.forgejo/workflows/container_upload.yml @@ -22,7 +22,7 @@ env: jobs: build: - runs-on: docker + runs-on: alpine-3.23 permissions: contents: read packages: write 
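Review bot: `uses: actions/checkout@v4` is the only step in this hunk pinned to a mutable tag; every other action is pinned to a full commit SHA with a version comment, and a tag can be re-pointed at different code after this review. Pin it the same way, `uses: actions/checkout@<commit-sha> # v4` (with the SHA of the v4 release you intend). `password: ${{ secrets.GH_TOKEN }}` must be a long-lived GitHub token, since the Forgejo run cannot mint one for ghcr.io; a comment such as `# GH_TOKEN: GitHub PAT limited to write:packages for this image` would record the scope the secret is expected to carry. The keyless `cosign sign` step together with `id-token: write` presumes the runner hands the job an OIDC identity token for Fulcio; whether a Forgejo runner supplies one is not visible from this hunk, so the signing step may need confirming on a real run.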
From 5e4b67ce7552645afa707c48b524690af4e29273 Mon Sep 17 00:00:00 2001 From: ConfuzzedCat Date: Tue, 13 Jan 2026 20:26:30 +0100 Subject: [PATCH 03/14] revert runner, added automount docker and chnaged image to alpine --- .forgejo/workflows/container_upload.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.forgejo/workflows/container_upload.yml b/.forgejo/workflows/container_upload.yml index 1838996..ffd60ac 100644 --- a/.forgejo/workflows/container_upload.yml +++ b/.forgejo/workflows/container_upload.yml @@ -21,8 +21,11 @@ env: jobs: build: + runs-on: docker + container: + image: alpine:3.20 + docker_host: 'automount' - runs-on: alpine-3.23 permissions: contents: read packages: write From f6ef7f6703d7bf4a7db2161893c84cb2be57471f Mon Sep 17 00:00:00 2001 From: ConfuzzedCat Date: Tue, 13 Jan 2026 21:35:38 +0100 Subject: [PATCH 04/14] wrong config file --- .forgejo/workflows/container_upload.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.forgejo/workflows/container_upload.yml b/.forgejo/workflows/container_upload.yml index ffd60ac..e06e7da 100644 --- a/.forgejo/workflows/container_upload.yml +++ b/.forgejo/workflows/container_upload.yml @@ -22,10 +22,6 @@ env: jobs: build: runs-on: docker - container: - image: alpine:3.20 - docker_host: 'automount' - permissions: contents: read packages: write From f569e7a0353e33182048ad49666cac77758cb7f0 Mon Sep 17 00:00:00 2001 From: ConfuzzedCat Date: Tue, 13 Jan 2026 21:48:33 +0100 Subject: [PATCH 05/14] added debug print --- .forgejo/workflows/container_upload.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.forgejo/workflows/container_upload.yml b/.forgejo/workflows/container_upload.yml index e06e7da..e98349d 100644 --- a/.forgejo/workflows/container_upload.yml +++ b/.forgejo/workflows/container_upload.yml @@ -30,6 +30,9 @@ jobs: id-token: write steps: + - name: check docker host + run: 'echo $DOCKER_HOST' + - name: Checkout repository uses: actions/checkout@v4 
From 0646ffcb7c52033149ae4a9f699be3166cde417e Mon Sep 17 00:00:00 2001 From: ConfuzzedCat Date: Tue, 13 Jan 2026 21:50:41 +0100 Subject: [PATCH 06/14] hopefully fixed debug print --- .forgejo/workflows/container_upload.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/container_upload.yml b/.forgejo/workflows/container_upload.yml index e98349d..a173c64 100644 --- a/.forgejo/workflows/container_upload.yml +++ b/.forgejo/workflows/container_upload.yml @@ -31,7 +31,7 @@ jobs: steps: - name: check docker host - run: 'echo $DOCKER_HOST' + run: echo "${DOCKER_HOST}" - name: Checkout repository uses: actions/checkout@v4 From 4916753c50cb1116e704f16822e7b7005482f496 Mon Sep 17 00:00:00 2001 From: ConfuzzedCat Date: Tue, 13 Jan 2026 22:42:20 +0100 Subject: [PATCH 07/14] Changed label to run on --- .forgejo/workflows/container_upload.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/container_upload.yml b/.forgejo/workflows/container_upload.yml index a173c64..585c124 100644 --- a/.forgejo/workflows/container_upload.yml +++ b/.forgejo/workflows/container_upload.yml @@ -21,7 +21,7 @@ env: jobs: build: - runs-on: docker + runs-on: ubuntu-latest permissions: contents: read packages: write From 9542fb853f5aeec51f6ef8c98d68117aaefe2d65 Mon Sep 17 00:00:00 2001 From: ConfuzzedCat Date: Tue, 13 Jan 2026 23:11:11 +0100 Subject: [PATCH 08/14] Changed debug print --- .forgejo/workflows/container_upload.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/container_upload.yml b/.forgejo/workflows/container_upload.yml index 585c124..006e922 100644 --- a/.forgejo/workflows/container_upload.yml +++ b/.forgejo/workflows/container_upload.yml 
@@ -30,8 +30,9 @@ jobs: id-token: write steps: - - name: check docker host - run: echo "${DOCKER_HOST}" + - name: download docker bin + run: echo "${PATH}" \ + echo "${ls -la /data/docker}" - name: Checkout repository uses: actions/checkout@v4 From fe9367cbf2e5404ca07a8687f1e6ce5e04916a0f Mon Sep 17 00:00:00 2001 From: ConfuzzedCat Date: Tue, 13 Jan 2026 23:12:06 +0100 Subject: [PATCH 09/14] chnaged from echo to ls --- .forgejo/workflows/container_upload.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/container_upload.yml b/.forgejo/workflows/container_upload.yml index 006e922..f3c8981 100644 --- a/.forgejo/workflows/container_upload.yml +++ b/.forgejo/workflows/container_upload.yml @@ -30,9 +30,9 @@ jobs: id-token: write steps: - - name: download docker bin + - name: DEBUG run: echo "${PATH}" \ - echo "${ls -la /data/docker}" + ls -la /data/docker - name: Checkout repository uses: actions/checkout@v4 From 54938a93900a47c95db51a65e52750b975fb6620 Mon Sep 17 00:00:00 2001 From: ConfuzzedCat Date: Tue, 13 Jan 2026 23:13:17 +0100 Subject: [PATCH 10/14] removed echo --- .forgejo/workflows/container_upload.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.forgejo/workflows/container_upload.yml b/.forgejo/workflows/container_upload.yml index f3c8981..a3e9297 100644 --- a/.forgejo/workflows/container_upload.yml +++ b/.forgejo/workflows/container_upload.yml @@ -31,8 +31,7 @@ jobs: steps: - name: DEBUG - run: echo "${PATH}" \ - ls -la /data/docker + run: ls -la /data/docker - name: Checkout repository uses: actions/checkout@v4 From d721cb354b5052ae5c9bca2192dadc582a485356 Mon Sep 17 00:00:00 2001 From: ConfuzzedCat Date: Tue, 13 Jan 2026 23:51:12 +0100 Subject: [PATCH 11/14] Changed debug to look for docker --- .forgejo/workflows/container_upload.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.forgejo/workflows/container_upload.yml b/.forgejo/workflows/container_upload.yml index a3e9297..c1c86c2 100644 --- a/.forgejo/workflows/container_upload.yml +++ b/.forgejo/workflows/container_upload.yml @@ -31,7 +31,7 @@ jobs: steps: - name: DEBUG - run: ls -la /data/docker + run: echo $(whereis docker) - name: Checkout repository uses: actions/checkout@v4 @@ -52,7 +52,7 @@ jobs: # Login against a Docker registry except on PR # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} + - name: Log into registry ghcr if: forgejo.event_name != 'pull_request' uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: From 448e7eaabc7e845cb3155f5b298ad930ae484153 Mon Sep 17 00:00:00 2001 From: ConfuzzedCat Date: Tue, 13 Jan 2026 23:52:29 +0100 Subject: [PATCH 12/14] added PATH to debug --- .forgejo/workflows/container_upload.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/container_upload.yml b/.forgejo/workflows/container_upload.yml index c1c86c2..381fb7a 100644 --- a/.forgejo/workflows/container_upload.yml +++ b/.forgejo/workflows/container_upload.yml @@ -31,7 +31,7 @@ jobs: steps: - name: DEBUG - run: echo $(whereis docker) + run: echo $(whereis docker) && echo $PATH - name: Checkout repository uses: actions/checkout@v4 From cc587f16505f4a6477ac6986ecf4a8a61f8aa13f Mon Sep 17 00:00:00 2001 From: ConfuzzedCat Date: Wed, 14 Jan 2026 00:29:00 +0100 Subject: [PATCH 13/14] removed cosign and cleaned up --- .forgejo/workflows/container_upload.yml | 59 +++---------------------- 1 file changed, 7 insertions(+), 52 deletions(-) diff --git a/.forgejo/workflows/container_upload.yml b/.forgejo/workflows/container_upload.yml index 381fb7a..5d3a692 100644 --- a/.forgejo/workflows/container_upload.yml +++ b/.forgejo/workflows/container_upload.yml 
@@ -1,10 +1,4 @@ name: Github Container Registry Upload - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - on: release: types: [ published ] @@ -12,9 +6,7 @@ on: branches: ["main"] env: - # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io - # github.repository as / IMAGE_NAME: ${{ forgejo.repository }} DOCKER_FILE: ./Wishlist/Dockerfile 
@@ -25,54 +17,32 @@ jobs: permissions: contents: read packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. - id-token: write steps: - - name: DEBUG - run: echo $(whereis docker) && echo $PATH - - name: Checkout repository uses: actions/checkout@v4 - - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: forgejo.event_name != 'pull_request' - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 - with: - cosign-release: 'v2.2.4' - - # Set up BuildKit Docker container builder to be able to build - # multi-platform images and export cache - # https://github.com/docker/setup-buildx-action + - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + uses: docker/setup-buildx-action@v3 - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - name: Log into registry ghcr if: forgejo.event_name != 'pull_request' - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ forgejo.actor }} password: ${{ secrets.GH_TOKEN }} - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action + - name: Extract Docker metadata id: meta - uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 + uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - # Build and push Docker image with Buildx (don't push on PR) - # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + uses: docker/build-push-action@v5 with: context: . file: ${{ env.DOCKER_FILE }} 
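Review bot: The four `docker/*` actions move from commit-SHA pins with version comments to floating major tags (`docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/metadata-action@v5`, `docker/build-push-action@v5`), so the code that receives `secrets.GH_TOKEN` and produces the image is whatever those tags resolve to on each run. Keep the SHA pins and change them only when bumping a version, e.g. `uses: docker/login-action@<commit-sha> # v3`. Removing `id-token: write` and the signing step also means the published image is no longer signed; a comment below `name:` such as `# Images are pushed unsigned (cosign signing removed)` would keep that visible to anyone consuming the image or re-adding verification later.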
@@ -80,19 +50,4 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha - cache-to: type=gha,mode=max - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ forgejo.event_name != 'pull_request' }} - env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} \ No newline at end of file + cache-to: type=gha,mode=max \ No newline at end of file From 59ae4837fb5ca0d6242b8b2c832cd1d62032a2f8 Mon Sep 17 00:00:00 2001 From: ConfuzzedCat Date: Wed, 14 Jan 2026 01:23:52 +0100 Subject: [PATCH 14/14] Chnaged to forgejo instance CR --- .forgejo/workflows/container_upload.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/container_upload.yml b/.forgejo/workflows/container_upload.yml index 5d3a692..fb19b50 100644 --- a/.forgejo/workflows/container_upload.yml +++ b/.forgejo/workflows/container_upload.yml @@ -6,7 +6,7 @@ on: branches: ["main"] env: - REGISTRY: ghcr.io + REGISTRY: git.markuso.ooo IMAGE_NAME: ${{ forgejo.repository }} DOCKER_FILE: ./Wishlist/Dockerfile @@ -31,7 +31,7 @@ jobs: with: registry: ${{ env.REGISTRY }} username: ${{ forgejo.actor }} - password: ${{ secrets.GH_TOKEN }} + password: ${{ secrets.CR_TOKEN }} - name: Extract Docker metadata
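Review bot: `cache-from: type=gha` and `cache-to: type=gha,mode=max` survive the cleanup, but the gha cache backend talks to the GitHub Actions cache service, which a Forgejo runner presumably does not provide, so the cache export is likely to warn or fail on every run. Either use a backend the runner can reach, e.g. `cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache` and `cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache,mode=max`, or drop both lines. The file still ends without a trailing newline after `cache-to`.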
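Review bot: With `REGISTRY: git.markuso.ooo` the workflow's `name: Github Container Registry Upload` and the login step named `Log into registry ghcr` (hardcoded in PATCH 11) no longer describe what runs, which will confuse anyone reading run logs. Rename them, e.g. `name: Container Registry Upload` and `- name: Log into registry ${{ env.REGISTRY }}`, so the step name follows the env value the way it did in PATCH 01. The plain-scalar hostname is fine unquoted.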
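Review bot: `password: ${{ secrets.CR_TOKEN }}` keeps a long-lived credential in repository secrets for pushing to the instance's own package registry, while the job already declares `packages: write` under `permissions:`. Forgejo Actions exposes a per-run `secrets.GITHUB_TOKEN`; whether this instance's registry accepts it with those permissions is not visible here, but if it does, `password: ${{ secrets.GITHUB_TOKEN }}` removes the stored token and its rotation burden. If `CR_TOKEN` stays, document its intended scope beside it: `# CR_TOKEN: instance access token, package write only`.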