🎉 Gitea Mirror: Added

.github/workflows/README.md

@@ -0,0 +1,88 @@
+# GitHub Workflows for Gitea Mirror
+
+This directory contains GitHub Actions workflows that automate the build, test, and deployment processes for the Gitea Mirror application.
+
+## Workflow Overview
+
+| Workflow | File | Purpose |
+|----------|------|---------|
+| Astro Build and Test | `astro-build-test.yml` | Builds and tests the Astro application for all branches and PRs |
+| Docker Build and Push | `docker-build.yml` | Builds and pushes Docker images only for the main branch |
+| Docker Security Scan | `docker-scan.yml` | Scans Docker images for security vulnerabilities |
+
+## Workflow Details
+
+### Astro Build and Test (`astro-build-test.yml`)
+
+This workflow runs on all branches and pull requests. It:
+
+- Builds the Astro project
+- Runs all tests
+- Uploads build artifacts for potential use in other workflows
+
+**When it runs:**
+- On push to any branch (except changes to README.md and docs)
+- On pull requests to any branch (except changes to README.md and docs)
+
+**Key features:**
+- Uses pnpm for faster dependency installation
+- Caches dependencies to speed up builds
+- Uploads build artifacts for 7 days
+
+### Docker Build and Push (`docker-build.yml`)
+
+This workflow builds and pushes Docker images to GitHub Container Registry (ghcr.io), but only when changes are merged to the main branch.
+
+**When it runs:**
+- On push to the main branch
+- On tag creation (v*)
+
+**Key features:**
+- Builds multi-architecture images (amd64 and arm64)
+- Pushes images only on main branch, not for PRs
+- Uses build caching to speed up builds
+- Creates multiple tags for each image (latest, semver, sha)
+
+### Docker Security Scan (`docker-scan.yml`)
+
+This workflow scans Docker images for security vulnerabilities using Trivy.
+
+**When it runs:**
+- On push to the main branch that affects Docker-related files
+- Weekly on Sunday at midnight (scheduled)
+
+**Key features:**
+- Scans for critical and high severity vulnerabilities
+- Fails the build if vulnerabilities are found
+- Ignores unfixed vulnerabilities
+
+## CI/CD Pipeline Philosophy
+
+Our CI/CD pipeline follows these principles:
+
+1. **Fast feedback for developers**: The Astro build and test workflow runs on all branches and PRs to provide quick feedback.
+2. **Efficient resource usage**: Docker images are only built when changes are merged to main, not for every PR.
+3. **Security first**: Regular security scanning ensures our Docker images are free from known vulnerabilities.
+4. **Multi-architecture support**: All Docker images are built for both amd64 and arm64 architectures.
+
+## Adding or Modifying Workflows
+
+When adding or modifying workflows:
+
+1. Ensure the workflow follows the existing patterns
+2. Test the workflow on a branch before merging to main
+3. Update this README if you add a new workflow or significantly change an existing one
+4. Consider the impact on CI resources and build times
+
+## Troubleshooting
+
+If a workflow fails:
+
+1. Check the workflow logs in the GitHub Actions tab
+2. Common issues include:
+   - Test failures
+   - Build errors
+   - Docker build issues
+   - Security vulnerabilities
+
+For persistent issues, consider opening an issue in the repository.

.github/workflows/astro-build-test.yml

@@ -0,0 +1,50 @@
+name: Astro Build and Test
+
+on:
+  push:
+    branches: [ '*' ]
+    paths-ignore:
+      - 'README.md'
+      - 'docs/**'
+  pull_request:
+    branches: [ '*' ]
+    paths-ignore:
+      - 'README.md'
+      - 'docs/**'
+
+jobs:
+  build-and-test:
+    name: Build and Test Astro Project
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v3
+        with:
+          version: 10
+          run_install: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 'lts/*'
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Run tests
+        run: pnpm test
+
+      - name: Build Astro project
+        run: pnpm build
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: astro-build
+          path: dist/
+          retention-days: 7

.github/workflows/docker-build-stable.yml

@@ -0,0 +1,45 @@
+name: Build and Push Docker Images (Stable)
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  pull_request:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE: ${{ github.repository }}
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+
+    services:
+      redis:
+        image: redis:7-alpine
+        ports: ['6379:6379']
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        if: github.event_name != 'pull_request'
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }} # Replace with secrets.GHCR_PAT if using PAT
+
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE }}:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.sha }}

.github/workflows/docker-scan.yml

@@ -0,0 +1,53 @@
+name: Docker Security Scan
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - 'Dockerfile'
+      - '.dockerignore'
+      - 'package.json'
+      - 'pnpm-lock.yaml'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'Dockerfile'
+      - '.dockerignore'
+      - 'package.json'
+      - 'pnpm-lock.yaml'
+  schedule:
+    - cron: '0 0 * * 0'  # Run weekly on Sunday at midnight
+
+jobs:
+  scan:
+    name: Scan Docker Image
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver-opts: network=host
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: false
+          load: true
+          tags: gitea-mirror:scan
+          # Disable GitHub Actions cache for this workflow
+          no-cache: true
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: gitea-mirror:scan
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'