Initial setup of gitea actions

This commit is contained in:
2026-07-05 18:36:41 +02:00
parent 040f7a382f
commit ebbb1254fb
13 changed files with 468 additions and 2 deletions
@@ -0,0 +1,99 @@
name: Setup Ansible Environment
description: Prepare the environment for A13labs CI/CD pipelines
inputs:
access-token:
description: "Bitwarden access token"
required: true
project-id:
description: "Bitwarden project ID"
required: true
organization-id:
description: "Bitwarden organization ID"
required: true
ansible-user:
description: "The user to use for Ansible"
required: true
ssh-auth-socket:
description: "The SSH_AUTH_SOCK environment variable"
default: "/tmp/ssh_agent.sock"
host-group:
description: "The host group to setup the Ansible environment"
default: "public"
outputs:
ssh-auth-sock:
description: "The SSH_AUTH_SOCK environment variable"
value: ${{ steps.start-ssh-agent.outputs.ssh-auth-sock }}
hosts:
description: "The list of hosts in the host group"
value: ${{ steps.read-hosts.outputs.hosts }}
runs:
using: "composite"
steps:
- name: Install required python packages
shell: bash
run: |
python3 -m pip install -r requirements/ansible.txt
- name: Prepare SSH key
shell: bash
env:
BW_ACCESS_TOKEN: ${{ inputs.access-token }}
BW_PROJECT_ID: ${{ inputs.project-id }}
BW_ORGANIZATION_ID: ${{ inputs.organization-id }}
run: |
sectool ssh unlock ansible
mkdir -p ~/.ssh
chmod 700 ~/.ssh
cp ssh-keys/ansible/id_ecdsa ~/.ssh/id_ecdsa
chmod 600 ~/.ssh/id_ecdsa
- name: Read hosts from inventory
id: read-hosts
shell: bash
env:
HOST_GROUP: ${{ inputs.host-group }}
run: |
ansible-inventory -i inventory/hosts --list --yaml --limit $HOST_GROUP | grep -oE '([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}' | sort -u > /tmp/ansible_hosts
echo "hosts=$(cat /tmp/ansible_hosts)" >> $GITEA_OUTPUT
- name: Read SSH host keys from remote hosts
shell: bash
run: |
mkdir -p ~/.ssh
for HOST in $(cat /tmp/ansible_hosts); do
ssh-keyscan "$HOST" >> ~/.ssh/known_hosts
done
chmod 600 ~/.ssh/known_hosts
- name: Enable SSH host key algorithms
shell: bash
run: |
echo "Host *" >> ~/.ssh/config
echo " HostKeyAlgorithms +sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com"
chmod 600 ~/.ssh/config
- name: Start SSH agent and add SSH key
id: start-ssh-agent
shell: bash
env:
BW_ACCESS_TOKEN: ${{ inputs.access-token }}
BW_PROJECT_ID: ${{ inputs.project-id }}
BW_ORGANIZATION_ID: ${{ inputs.organization-id }}
SSH_AUTH_SOCK: ${{ inputs.ssh-auth-socket }}
run: |
ssh-agent -a $SSH_AUTH_SOCK > /dev/null
echo 'sectool vault get SSH_PASSWORD' > ~/.ssh_askpass && chmod +x ~/.ssh_askpass
DISPLAY=None SSH_ASKPASS=~/.ssh_askpass ssh-add ~/.ssh/id_ecdsa < /dev/null
rm ~/.ssh_askpass
echo "ssh-auth-sock=$SSH_AUTH_SOCK" >> $GITEA_OUTPUT
- name: Check SSH Connection to remote hosts
shell: bash
env:
ANSIBLE_USER: ${{ inputs.ansible-user }}
SSH_AUTH_SOCK: ${{ inputs.ssh-auth-socket }}
run: |
for HOST in $(cat /tmp/ansible_hosts); do
ssh "$ANSIBLE_USER@$HOST" echo "SSH connection to "$HOST" successful"
done
+24
View File
@@ -0,0 +1,24 @@
name: Setup Environment
description: Prepare the environment for A13labs CI/CD pipelines
outputs:
changed_files:
description: The list of changed files in the current pull request
value: ${{ steps.get_changed_files.outputs.changed_files }}
runs:
using: "composite"
steps:
- name: Get changed files
id: get_changed_files
shell: bash
run: |
CHANGED_FILES=$(git diff --name-only ${{ gitea.event.before }} ${{ gitea.sha }})
echo "changed_files=$CHANGED_FILES" >> $GITEA_OUTPUT
- name: Setup Sectool
uses: ./.gitea/actions/setup-sectool
- name: Install Python packages
shell: bash
run: |
python3 -m pip install --upgrade pip
+54
View File
@@ -0,0 +1,54 @@
name: Setup K8S Environment
description: Prepare the environment for A13labs CI/CD pipelines
inputs:
access-token:
description: "Bitwarden access token"
required: true
project-id:
description: "Bitwarden project ID"
required: true
organization-id:
description: "Bitwarden organization ID"
required: true
ansible-user:
description: "The user to use for Ansible"
required: true
k8s-target:
description: "The target host to deploy the K8S applications"
default: "microk8s"
ssh-auth-sock:
description: "The SSH_AUTH_SOCK environment variable"
default: "/tmp/ssh_agent.sock"
runs:
using: "composite"
steps:
- name: Copy Kube Config from remote host
shell: bash
env:
BW_ACCESS_TOKEN: ${{ inputs.access-token }}
BW_PROJECT_ID: ${{ inputs.project-id }}
BW_ORGANIZATION_ID: ${{ inputs.organization-id }}
ANSIBLE_USER: ${{ inputs.ansible-user }}
SSH_AUTH_SOCK: ${{ inputs.ssh-auth-sock }}
K8S_TARGET: ${{ inputs.k8s-target }}
run: |
mkdir -p ~/.kube
ansible -i inventory/hosts -u $ANSIBLE_USER -m fetch -a "src=/home/$ANSIBLE_USER/.kube/config dest=~/.kube/config flat=yes" $K8S_TARGET
- name: Forward K8S API Server port
shell: bash
env:
BW_ACCESS_TOKEN: ${{ inputs.access-token }}
BW_PROJECT_ID: ${{ inputs.project-id }}
BW_ORGANIZATION_ID: ${{ inputs.organization-id }}
ANSIBLE_USER: ${{ inputs.ansible-user }}
SSH_AUTH_SOCK: ${{ inputs.ssh-auth-sock }}
K8S_TARGET: ${{ inputs.k8s-target }}
run: |
ANSIBLE_HOST=$(ansible -i inventory/hosts -u $ANSIBLE_USER -m shell -a "hostname" $K8S_TARGET | grep -oE '([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}' | head -1)
IP_ADDR=$(ansible -i inventory/hosts -u $ANSIBLE_USER -m shell -a "curl -s ifconfig.me" $K8S_TARGET | grep -oE '([0-9]+\.){3}[0-9]+')
ssh -f -N -L 16443:localhost:16443 "$ANSIBLE_USER@$ANSIBLE_HOST"
sed -i "s/server: https:\/\/$IP_ADDR:16443/server: https:\/\/localhost:16443/g" ~/.kube/config
@@ -0,0 +1,19 @@
name: Setup OpenTofu Environment
description: Prepare the environment for A13labs CI/CD pipelines
runs:
using: "composite"
steps:
- name: Setup OpenTofu
shell: bash
run: |
TOFU_VERSION="1.9.1"
curl -sL "https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_linux_amd64.zip" -o /tmp/tofu.zip
unzip -o /tmp/tofu.zip -d /usr/local/bin
rm /tmp/tofu.zip
tofu version
- name: Install required python packages
shell: bash
run: |
python3 -m pip install -r requirements/opentofu.txt
+16
View File
@@ -0,0 +1,16 @@
name: Setup Sectool
description: Download and install the sectool binary from GitHub releases
runs:
using: "composite"
steps:
- name: Download sectool binary
shell: bash
run: |
LATEST=$(curl -s https://api.github.com/repos/a13labs/sectool/releases/latest)
ASSET_URL=$(echo "$LATEST" | jq -r '.assets[] | select(.name | test("linux.*x64")) | .browser_download_url')
curl -sL "$ASSET_URL" -o /tmp/sectool.zip
unzip -o /tmp/sectool.zip -d /usr/local/bin
rm /tmp/sectool.zip
chmod +x /usr/local/bin/sectool
sectool version
@@ -0,0 +1,37 @@
name: Ansible Validate On Pull Request
on:
pull_request:
branches:
- main
paths:
- "ansible/**"
types:
- opened
- synchronize
- reopened
jobs:
ansible-validate:
runs-on: cicd-base
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup environment
uses: ./.gitea/actions/setup-env
- name: Install Python packages
run: |
python3 -m pip install -r requirements/ansible.txt
- name: Ansible Lint
run: |
cd ansible
ansible-lint .
- name: Ansible Playbook Syntax Check
run: |
cd ansible
ansible-playbook --syntax-check playbook_*.yml
+39
View File
@@ -0,0 +1,39 @@
name: Terraform AWS IAC Validate on Pull Request
on:
pull_request:
branches:
- main
paths:
- "terraform/iac/aws/**"
types:
- opened
- synchronize
- reopened
jobs:
iac-validate:
runs-on: cicd-base
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup environment
uses: ./.gitea/actions/setup-env
- name: Setup OpenTofu environment
uses: ./.gitea/actions/setup-opentofu-env
- name: OpenTofu Init and Validate
env:
BW_PROJECT_ID: ${{ secrets.BW_PROJECT_ID }}
BW_ORGANIZATION_ID: ${{ secrets.BW_ORGANIZATION_ID }}
BW_ACCESS_TOKEN: ${{ secrets.BW_ACCESS_TOKEN }}
run: |
cd terraform/iac/aws
sectool -f ../../sectool.json exec tofu init
sectool -f ../../sectool.json exec tofu validate
sectool -f ../../sectool.json exec tofu fmt -check
sectool -f ../../sectool.json exec tofu plan
@@ -0,0 +1,39 @@
name: Terraform ClouDNS IAC Validate on Pull Request
on:
pull_request:
branches:
- main
paths:
- "terraform/iac/cloudns/**"
types:
- opened
- synchronize
- reopened
jobs:
iac-validate:
runs-on: cicd-base
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup environment
uses: ./.gitea/actions/setup-env
- name: Setup OpenTofu environment
uses: ./.gitea/actions/setup-opentofu-env
- name: OpenTofu Init and Validate
env:
BW_PROJECT_ID: ${{ secrets.BW_PROJECT_ID }}
BW_ORGANIZATION_ID: ${{ secrets.BW_ORGANIZATION_ID }}
BW_ACCESS_TOKEN: ${{ secrets.BW_ACCESS_TOKEN }}
run: |
cd terraform/iac/cloudns
sectool -f ../../sectool.json exec tofu init
sectool -f ../../sectool.json exec tofu validate
sectool -f ../../sectool.json exec tofu fmt -check
sectool -f ../../sectool.json exec tofu plan
@@ -0,0 +1,39 @@
name: Terraform Contabo IAC Validate on Pull Request
on:
pull_request:
branches:
- main
paths:
- "terraform/iac/contabo/**"
types:
- opened
- synchronize
- reopened
jobs:
iac-validate:
runs-on: cicd-base
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup environment
uses: ./.gitea/actions/setup-env
- name: Setup OpenTofu environment
uses: ./.gitea/actions/setup-opentofu-env
- name: OpenTofu Init and Validate
env:
BW_PROJECT_ID: ${{ secrets.BW_PROJECT_ID }}
BW_ORGANIZATION_ID: ${{ secrets.BW_ORGANIZATION_ID }}
BW_ACCESS_TOKEN: ${{ secrets.BW_ACCESS_TOKEN }}
run: |
cd terraform/iac/contabo
sectool -f ../../sectool.json exec tofu init
sectool -f ../../sectool.json exec tofu validate
sectool -f ../../sectool.json exec tofu fmt -check
sectool -f ../../sectool.json exec tofu plan
+63
View File
@@ -0,0 +1,63 @@
name: OpenTofu K8s Apps Validate on Pull Request
on:
pull_request:
branches:
- main
paths:
- "terraform/apps/**"
types:
- opened
- synchronize
- reopened
jobs:
iac-validate:
runs-on: cicd-base
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup environment
uses: ./.gitea/actions/setup-env
- name: Setup Ansible Environment
id: setup_ansible_env
uses: ./.gitea/actions/setup-ansible-env
with:
project-id: ${{ secrets.BW_PROJECT_ID }}
organization-id: ${{ secrets.BW_ORGANIZATION_ID }}
access-token: ${{ secrets.BW_ACCESS_TOKEN }}
ansible-user: ${{ secrets.ANSIBLE_USER }}
host-group: microk8s
- name: Setup OpenTofu Environment
uses: ./.gitea/actions/setup-opentofu-env
- name: Setup Kubernetes Environment
uses: ./.gitea/actions/setup-k8s-env
with:
project-id: ${{ secrets.BW_PROJECT_ID }}
organization-id: ${{ secrets.BW_ORGANIZATION_ID }}
access-token: ${{ secrets.BW_ACCESS_TOKEN }}
ansible-user: ${{ secrets.ANSIBLE_USER }}
- name: OpenTofu Init and Validate
env:
BW_PROJECT_ID: ${{ secrets.BW_PROJECT_ID }}
BW_ORGANIZATION_ID: ${{ secrets.BW_ORGANIZATION_ID }}
BW_ACCESS_TOKEN: ${{ secrets.BW_ACCESS_TOKEN }}
run: |
cd terraform/apps/dev-01
sectool -f ../../sectool.json exec tofu init
sectool -f ../../sectool.json exec tofu validate
sectool -f ../../sectool.json exec tofu fmt -check
sectool -f ../../sectool.json exec tofu plan
cd terraform/apps/prod-01
sectool -f ../../sectool.json exec tofu init
sectool -f ../../sectool.json exec tofu validate
sectool -f ../../sectool.json exec tofu fmt -check
sectool -f ../../sectool.json exec tofu plan
@@ -0,0 +1,39 @@
name: Terraform Scaleway IAC Validate on Pull Request
on:
pull_request:
branches:
- main
paths:
- "terraform/iac/scaleway/**"
types:
- opened
- synchronize
- reopened
jobs:
iac-validate:
runs-on: cicd-base
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup environment
uses: ./.gitea/actions/setup-env
- name: Setup OpenTofu environment
uses: ./.gitea/actions/setup-opentofu-env
- name: OpenTofu Init and Validate
env:
BW_PROJECT_ID: ${{ secrets.BW_PROJECT_ID }}
BW_ORGANIZATION_ID: ${{ secrets.BW_ORGANIZATION_ID }}
BW_ACCESS_TOKEN: ${{ secrets.BW_ACCESS_TOKEN }}
run: |
cd terraform/iac/scaleway
sectool -f ../../sectool.json exec tofu init
sectool -f ../../sectool.json exec tofu validate
sectool -f ../../sectool.json exec tofu fmt -check
sectool -f ../../sectool.json exec tofu plan
@@ -29,7 +29,6 @@ jobs:
organization-id: ${{ secrets.BW_ORGANIZATION_ID }} organization-id: ${{ secrets.BW_ORGANIZATION_ID }}
access-token: ${{ secrets.BW_ACCESS_TOKEN }} access-token: ${{ secrets.BW_ACCESS_TOKEN }}
ansible-user: ${{ secrets.ANSIBLE_USER }} ansible-user: ${{ secrets.ANSIBLE_USER }}
trusted-hosts: ${{ secrets.TRUSTED_HOSTS }}
- name: Apply the playbook that triggered the workflow - name: Apply the playbook that triggered the workflow
env: env:
@@ -37,7 +37,6 @@ jobs:
organization-id: ${{ secrets.BW_ORGANIZATION_ID }} organization-id: ${{ secrets.BW_ORGANIZATION_ID }}
access-token: ${{ secrets.BW_ACCESS_TOKEN }} access-token: ${{ secrets.BW_ACCESS_TOKEN }}
ansible-user: ${{ secrets.ANSIBLE_USER }} ansible-user: ${{ secrets.ANSIBLE_USER }}
trusted-hosts: ${{ secrets.TRUSTED_HOSTS }}
- name: Run hugo_build command - name: Run hugo_build command
run: bin/hugo_build run: bin/hugo_build