# Gitea Actions Migration Plan — Validate-Only Phase ## Overview Migrate validate-only workflows from `.github/workflows/` (all `.disabled`) to `.gitea/workflows/` on the `alexpires.me/a13labs.infra` repo. Runs on `cicd-base` runner label. Terraform removed entirely — OpenTofu only. ## Status: IMPLEMENTED All files created, secrets configured as placeholders. Ready for push and testing. ## Scope ### Workflows In Scope (6) | Workflow | Trigger | Path Filter | What It Does | |---|---|---|---| | `ansible-validate-on-pr` | PR (opened/synchronize/reopened) → `main` | `ansible/**` | ansible-lint + syntax-check | | `aws-validate-on-pr` | PR → `main` | `terraform/iac/aws/**` | tofu init, validate, fmt -check, plan | | `cloudns-validate-on-pr` | PR → `main` | `terraform/iac/cloudns/**` | tofu init, validate, fmt -check, plan | | `contabo-validate-on-pr` | PR → `main` | `terraform/iac/contabo/**` | tofu init, validate, fmt -check, plan | | `scaleway-validate-on-pr` | PR → `main` | `terraform/iac/scaleway/**` | tofu init, validate, fmt -check, plan | | `k8s-apps-validate` | PR → `main` | `terraform/apps/**` | ansible+k8s env + tofu validate dev-01 & prod-01 | ### Workflows Deferred (8) All apply workflows, `deploy-websites`, `actions-validate`, `ansible-validate-playbook-on-pr` — out of scope. ## Directory Layout ``` .gitea/ ├── actions/ │ ├── setup-sectool/ │ │ └── action.yml │ ├── setup-env/ │ │ └── action.yml │ ├── setup-ansible-env/ │ │ └── action.yml │ ├── setup-k8s-env/ │ │ └── action.yml │ ├── setup-opentofu-env/ │ │ └── action.yml │ └── setup-scaleway-registry/ │ └── action.yml └── workflows/ ├── ansible-validate-on-pr.yml ├── aws-validate-on-pr.yml ├── build-and-push-images.yml ├── cloudns-validate-on-pr.yml ├── contabo-validate-on-pr.yml ├── k8s-apps-validate.yml ├── scaleway-validate-on-pr.yml └── weekly-image-rebuild.yml ``` ## Action Migration Details ### `setup-sectool` (New) Replaces `uses: a13labs/setup-sectool@v1` (external GitHub action). Local composite action that downloads the sectool binary from `a13labs/sectool` GitHub releases. - Fetches latest release from `https://api.github.com/repos/a13labs/sectool/releases/latest` - Downloads Linux amd64 binary (tar.gz) - Installs to `/usr/local/bin/sectool` - Runs `sectool version` to verify ### `setup-env` (Converted) Changes from `.github/actions/setup-env/action.yml`: - `outputs.changed_files` → uses `$GITEA_OUTPUT` instead of `$GITHUB_OUTPUT` - `git diff --name-only ${{ github.event.before }} ${{ github.sha }}` → `${{ gitea.event.before }} ${{ gitea.sha }}` - `uses: a13labs/setup-sectool@v1` → `uses: ./.gitea/actions/setup-sectool` ### `setup-ansible-env` (Converted) Changes from `.github/actions/setup-ansible-env/action.yml`: - `outputs.ssh-auth-sock` and `outputs.hosts` → use `$GITEA_OUTPUT` - No `github.event` references — minimal conversion needed ### `setup-opentofu-env` (Unchanged) No changes needed. `opentofu/setup-opentofu@v1` stays as-is (Gitea pulls from GitHub). ### `setup-k8s-env` (Unchanged) Carried over as-is. No GitHub-specific variables in this action. ### `setup-terraform-env` (Not Migrated) Dropped entirely. Terraform is no longer used in this project. ### `setup-scaleway-registry` (New) Local composite action for image build workflows. Creates `~/.docker/config.json` with registry auth and configures buildah storage/network settings for rootless operation. - Inputs: `registry-endpoint`, `registry-username`, `registry-password` - Used by: `build-and-push-images.yml`, `weekly-image-rebuild.yml` ## New Workflows (Image Build & Push) ### `build-and-push-images.yml` (New) Builds and pushes runner profile Docker images to Scaleway registry. | Trigger | Tags | Scanning | |---|---|---| | Push to main (dockerfiles changed) | `{sha}` + `latest` | Yes (Trivy, warn only) | | Push tag (`v*`) | `{tag}` + `{sha}` + `latest` | Yes (Trivy, warn only) | | Pull request | `pr-{number}` | No | Jobs: `check-paths` → `auth` → `build-base` → `build-images` (matrix: 6 images) ### `weekly-image-rebuild.yml` (New) Scheduled weekly (Monday 6AM). Rebuilds all images against updated upstream bases, tags only `:latest`, full Trivy scanning. See `plans/image-build-push.md` for full details. ## Path Corrections GitHub workflows referenced stale paths from a previous repo layout: | Source (GitHub) | Actual | Notes | |---|---|---| | `terraform/aws-iac/` | `terraform/iac/aws/` | Restructured | | `terraform/cloudns-iac/` | `terraform/iac/cloudns/` | Restructured | | `terraform/contabo-iac/` | `terraform/iac/contabo/` | Restructured | | `terraform/scaleway-iac/` | `terraform/iac/scaleway/` | Restructured | | `terraform/k8sapps/` | `terraform/apps/dev-01/` + `terraform/apps/prod-01/` | Renamed + split | ## Gitea Syntax Conversions | GitHub | Gitea | |---|---| | `$GITHUB_OUTPUT` | `$GITEA_OUTPUT` | | `${{ github.event.before }}` | `${{ gitea.event.before }}` | | `${{ github.sha }}` | `${{ gitea.sha }}` | | `runs-on: ubuntu-latest` | `runs-on: cicd-base` | | `uses: ./.github/actions/...` | `uses: ./.gitea/actions/...` | ## Repo Secrets | Secret | Used By | Purpose | Status | |---|---|---|---| | `BW_PROJECT_ID` | All workflows | Bitwarden project ID | **Configured** | | `BW_ORGANIZATION_ID` | All workflows | Bitwarden org ID | **Configured** | | `BW_ACCESS_TOKEN` | All workflows | Bitwarden API token | **Configured** | | `ANSIBLE_USER` | Ansible + K8s workflows | SSH user for remote hosts | **Configured** | | `SCALEWAY_REGISTRY_ENDPOINT` | Image build workflows | Scaleway registry endpoint | **Needs setup** | | `SCALEWAY_CI_ACCESS_KEY` | Image build workflows | CI IAM API access key | **Needs setup** | | `SCALEWAY_CI_SECRET_KEY` | Image build workflows | CI IAM API secret key | **Needs setup** | ## Phase B: Scaleway IaC Changes IaC changes in `terraform/iac/scaleway/` add CI IAM application and outputs. See `plans/image-build-push.md` for details. - `iam.tf` — added `ci_app` IAM application, policy, and API key - `outputs.tf` — added `registry_endpoint`, `ci_app_api_access_key`, `ci_app_api_secret_key` - `sectool.env` — no changes needed (CI app resources are hardcoded) ## Next Steps 1. **Push** all changes to `alexpires.me/a13labs.infra` on Gitea (note: `registry.tf` changed `is_public` from `false` to `true` on `a13labs` namespace) 2. **SSH to ci-01** — rebuild `cicd-base` image locally, update Gitea runner container — DONE 3. **Add Bitwarden secrets** — `SCALEWAY_CI_ACCESS_KEY` and `SCALEWAY_CI_SECRET_KEY` (populated after IaC apply) 4. **Apply Scaleway IaC** — `sectool exec tofu apply` in `terraform/iac/scaleway/` 5. **Extract IaC outputs** — `registry_endpoint`, `ci_app_api_access_key`, `ci_app_api_secret_key` 6. **Configure Gitea secrets** — `SCALEWAY_REGISTRY_ENDPOINT`, `SCALEWAY_CI_ACCESS_KEY`, `SCALEWAY_CI_SECRET_KEY` 7. **Test validate workflows** — PR touching `ansible/` or `terraform/iac/` paths 8. **Test build workflow** — PR touching `ansible/files/dockerfiles/linux-runners/`