Mirror/gitea-mirror
1
0
Fork 0
mirror of https://github.com/RayLabsHQ/gitea-mirror.git synced 2026-03-13 22:12:54 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
5aa0f3260d8fb966cfd4deaafd7a41f9f99e0e3e
gitea-mirror/.github/workflows
History
ARUNAVO RAY 5aa0f3260d fix(nix): enable sandboxed builds with bun2nix (#199) 
* fix(nix): enable sandboxed builds with bun2nix

The Nix package was broken on Linux because `bun install` requires
network access, which is blocked by Nix sandboxing (enabled by default
on Linux).

This switches to bun2nix for dependency management:
- Add bun2nix flake input to pre-fetch all npm dependencies
- Generate bun.nix lockfile for reproducible dependency resolution
- Copy bun cache to writable location during build to avoid EACCES
  errors from bunx writing to the read-only Nix store
- Add nanoid as an explicit dependency (was imported directly but only
  available as a transitive dep, which breaks with isolated linker)
- Update CI workflow to perform a full sandboxed build
- Add bun2nix to devShell for easy lockfile regeneration

Closes #197

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(nix): create writable workdir for database access

The app uses process.cwd()/data for the database path, but when running
from the Nix store the cwd is read-only. Create a writable working
directory with symlinks to app files and a real data directory.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 12:43:37 +05:30
..
astro-build-test.yml
fix(github): keep disabled repos from cleanup while skipping new imports (#191)
2026-02-26 10:19:28 +05:30
docker-build.yml
Skip GHCR push for fork PRs
2026-02-24 08:46:05 +05:30
helm-test.yml
Potential fix for code scanning alert no. 33: Workflow does not contain permissions
2025-10-01 07:06:06 +05:30
nix-build.yml
fix(nix): enable sandboxed builds with bun2nix (#199)
2026-02-27 12:43:37 +05:30
README.md
Skip GHCR push for fork PRs
2026-02-24 08:46:05 +05:30

README.md

GitHub Workflows for Gitea Mirror

This directory contains GitHub Actions workflows that automate the build, test, and deployment processes for the Gitea Mirror application.

Workflow Overview

Workflow File Purpose
Astro Build and Test astro-build-test.yml Builds and tests the Astro application for all branches and PRs
Docker Build and Push docker-build.yml Builds and pushes Docker images only for the main branch
Docker Security Scan docker-scan.yml Scans Docker images for security vulnerabilities

Workflow Details

Astro Build and Test (astro-build-test.yml)

This workflow runs on all branches and pull requests. It:

  • Builds the Astro project
  • Runs all tests
  • Uploads build artifacts for potential use in other workflows

When it runs:

  • On push to any branch (except changes to README.md and docs)

  • On pull requests to any branch (except changes to README.md and docs)

  • Uses Bun for dependency installation

  • Caches dependencies to speed up builds

  • Uploads build artifacts for 7 days

Docker Build and Push (docker-build.yml)

This workflow builds Docker images on pushes and pull requests, and pushes to GitHub Container Registry (ghcr.io) when permissions allow (main/tags and same-repo PRs).

When it runs:

  • On push to the main branch
  • On tag creation (v*)
  • On pull requests (build + scan; push only for same-repo PRs)

Key features:

  • Builds multi-architecture images (amd64 and arm64)
  • Pushes images for main/tags and same-repo PRs
  • Skips registry push for fork PRs (avoids package write permission failures)
  • Uses build caching to speed up builds
  • Creates multiple tags for each image (latest, semver, sha)

Docker Security Scan (docker-scan.yml)

This workflow scans Docker images for security vulnerabilities using Trivy.

When it runs:

  • On push to the main branch that affects Docker-related files
  • Weekly on Sunday at midnight (scheduled)

Key features:

  • Scans for critical and high severity vulnerabilities
  • Fails the build if vulnerabilities are found
  • Ignores unfixed vulnerabilities

CI/CD Pipeline Philosophy

Our CI/CD pipeline follows these principles:

  1. Fast feedback for developers: The Astro build and test workflow runs on all branches and PRs to provide quick feedback.
  2. Efficient resource usage: Docker images are only built when changes are merged to main, not for every PR.
  3. Security first: Regular security scanning ensures our Docker images are free from known vulnerabilities.
  4. Multi-architecture support: All Docker images are built for both amd64 and arm64 architectures.

Adding or Modifying Workflows

When adding or modifying workflows:

  1. Ensure the workflow follows the existing patterns
  2. Test the workflow on a branch before merging to main
  3. Update this README if you add a new workflow or significantly change an existing one
  4. Consider the impact on CI resources and build times

Troubleshooting

If a workflow fails:

  1. Check the workflow logs in the GitHub Actions tab
  2. Common issues include:
    • Test failures
    • Build errors
    • Docker build issues
    • Security vulnerabilities

For persistent issues, consider opening an issue in the repository.

Helm Test (helm-test.yml)

This workflow run on the main branch and pull requests. it:

  • Run yamllint to keep the formating unified
  • Run helm template with different value files