Files
a13labs.infra/.opencode/plans/gitea-actions-migration.md
T
alexandre.pires 8724360fb2 Enhance infrastructure and application configurations
- Updated AGENTS.md to include new directories for execution plans and implemented feature reports.
- Modified Ansible host variables for dev-02 and gpu-01 to change API endpoints and add new configurations for Scaleway.
- Adjusted firewall rules in gpu-01 to allow HTTPS traffic instead of the previous Ollama port.
- Added OAuth2 proxy configurations to gpu-01 for enhanced security.
- Removed deprecated open-webui module from Terraform app configurations.
- Updated Terraform configurations to reflect changes in local variables and removed unused secrets.
- Created a new sectool.json file for CloudNS integration with Bitwarden.
- Enhanced SELinux configurations for nginx to allow connections to any port and added oauth2-proxy port.
2026-07-12 16:28:45 -04:00

7.1 KiB

Gitea Actions Migration Plan — Validate-Only Phase

Overview

Migrate validate-only workflows from .github/workflows/ (all .disabled) to .gitea/workflows/ on the alexpires.me/a13labs.infra repo. Runs on cicd-base runner label. Terraform removed entirely — OpenTofu only.

Status: IMPLEMENTED

All files created, secrets configured as placeholders. Ready for push and testing.

Scope

Workflows In Scope (6)

Workflow Trigger Path Filter What It Does
ansible-validate-on-pr PR (opened/synchronize/reopened) → main ansible/** ansible-lint + syntax-check
aws-validate-on-pr PR → main terraform/iac/aws/** tofu init, validate, fmt -check, plan
cloudns-validate-on-pr PR → main terraform/iac/cloudns/** tofu init, validate, fmt -check, plan
contabo-validate-on-pr PR → main terraform/iac/contabo/** tofu init, validate, fmt -check, plan
scaleway-validate-on-pr PR → main terraform/iac/scaleway/** tofu init, validate, fmt -check, plan
k8s-apps-validate PR → main terraform/apps/** ansible+k8s env + tofu validate dev-01 & prod-01

Workflows Deferred (8)

All apply workflows, deploy-websites, actions-validate, ansible-validate-playbook-on-pr — out of scope.

Directory Layout

.gitea/
├── actions/
│   ├── setup-sectool/
│   │   └── action.yml
│   ├── setup-env/
│   │   └── action.yml
│   ├── setup-ansible-env/
│   │   └── action.yml
│   ├── setup-k8s-env/
│   │   └── action.yml
│   ├── setup-opentofu-env/
│   │   └── action.yml
│   └── setup-scaleway-registry/
│       └── action.yml
└── workflows/
    ├── ansible-validate-on-pr.yml
    ├── aws-validate-on-pr.yml
    ├── build-and-push-images.yml
    ├── cloudns-validate-on-pr.yml
    ├── contabo-validate-on-pr.yml
    ├── k8s-apps-validate.yml
    ├── scaleway-validate-on-pr.yml
    └── weekly-image-rebuild.yml

Action Migration Details

setup-sectool (New)

Replaces uses: a13labs/setup-sectool@v1 (external GitHub action). Local composite action that downloads the sectool binary from a13labs/sectool GitHub releases.

  • Fetches latest release from https://api.github.com/repos/a13labs/sectool/releases/latest
  • Downloads Linux amd64 binary (tar.gz)
  • Installs to /usr/local/bin/sectool
  • Runs sectool version to verify

setup-env (Converted)

Changes from .github/actions/setup-env/action.yml:

  • outputs.changed_files → uses $GITEA_OUTPUT instead of $GITHUB_OUTPUT
  • git diff --name-only ${{ github.event.before }} ${{ github.sha }}${{ gitea.event.before }} ${{ gitea.sha }}
  • uses: a13labs/setup-sectool@v1uses: ./.gitea/actions/setup-sectool

setup-ansible-env (Converted)

Changes from .github/actions/setup-ansible-env/action.yml:

  • outputs.ssh-auth-sock and outputs.hosts → use $GITEA_OUTPUT
  • No github.event references — minimal conversion needed

setup-opentofu-env (Unchanged)

No changes needed. opentofu/setup-opentofu@v1 stays as-is (Gitea pulls from GitHub).

setup-k8s-env (Unchanged)

Carried over as-is. No GitHub-specific variables in this action.

setup-terraform-env (Not Migrated)

Dropped entirely. Terraform is no longer used in this project.

setup-scaleway-registry (New)

Local composite action for image build workflows. Creates ~/.docker/config.json with registry auth and configures buildah storage/network settings for rootless operation.

  • Inputs: registry-endpoint, registry-username, registry-password
  • Used by: build-and-push-images.yml, weekly-image-rebuild.yml

New Workflows (Image Build & Push)

build-and-push-images.yml (New)

Builds and pushes runner profile Docker images to Scaleway registry.

Trigger Tags Scanning
Push to main (dockerfiles changed) {sha} + latest Yes (Trivy, warn only)
Push tag (v*) {tag} + {sha} + latest Yes (Trivy, warn only)
Pull request pr-{number} No

Jobs: check-pathsauthbuild-basebuild-images (matrix: 6 images)

weekly-image-rebuild.yml (New)

Scheduled weekly (Monday 6AM). Rebuilds all images against updated upstream bases, tags only :latest, full Trivy scanning.

See plans/image-build-push.md for full details.

Path Corrections

GitHub workflows referenced stale paths from a previous repo layout:

Source (GitHub) Actual Notes
terraform/aws-iac/ terraform/iac/aws/ Restructured
terraform/cloudns-iac/ terraform/iac/cloudns/ Restructured
terraform/contabo-iac/ terraform/iac/contabo/ Restructured
terraform/scaleway-iac/ terraform/iac/scaleway/ Restructured
terraform/k8sapps/ terraform/apps/dev-01/ + terraform/apps/prod-01/ Renamed + split

Gitea Syntax Conversions

GitHub Gitea
$GITHUB_OUTPUT $GITEA_OUTPUT
${{ github.event.before }} ${{ gitea.event.before }}
${{ github.sha }} ${{ gitea.sha }}
runs-on: ubuntu-latest runs-on: cicd-base
uses: ./.github/actions/... uses: ./.gitea/actions/...

Repo Secrets

Secret Used By Purpose Status
BW_PROJECT_ID All workflows Bitwarden project ID Configured
BW_ORGANIZATION_ID All workflows Bitwarden org ID Configured
BW_ACCESS_TOKEN All workflows Bitwarden API token Configured
ANSIBLE_USER Ansible + K8s workflows SSH user for remote hosts Configured
SCALEWAY_REGISTRY_ENDPOINT Image build workflows Scaleway registry endpoint Needs setup
SCALEWAY_CI_ACCESS_KEY Image build workflows CI IAM API access key Needs setup
SCALEWAY_CI_SECRET_KEY Image build workflows CI IAM API secret key Needs setup

Phase B: Scaleway IaC Changes

IaC changes in terraform/iac/scaleway/ add CI IAM application and outputs. See plans/image-build-push.md for details.

  • iam.tf — added ci_app IAM application, policy, and API key
  • outputs.tf — added registry_endpoint, ci_app_api_access_key, ci_app_api_secret_key
  • sectool.env — no changes needed (CI app resources are hardcoded)

Next Steps

  1. Push all changes to alexpires.me/a13labs.infra on Gitea (note: registry.tf changed is_public from false to true on a13labs namespace)
  2. SSH to ci-01 — rebuild cicd-base image locally, update Gitea runner container — DONE
  3. Add Bitwarden secretsSCALEWAY_CI_ACCESS_KEY and SCALEWAY_CI_SECRET_KEY (populated after IaC apply)
  4. Apply Scaleway IaCsectool exec tofu apply in terraform/iac/scaleway/
  5. Extract IaC outputsregistry_endpoint, ci_app_api_access_key, ci_app_api_secret_key
  6. Configure Gitea secretsSCALEWAY_REGISTRY_ENDPOINT, SCALEWAY_CI_ACCESS_KEY, SCALEWAY_CI_SECRET_KEY
  7. Test validate workflows — PR touching ansible/ or terraform/iac/ paths
  8. Test build workflow — PR touching ansible/files/dockerfiles/linux-runners/