This is a step towards making Forgejo's binaries (the one listed in the
release tab) reproducible.
In order to make the actual binary reproducible, we have to ensure that
the release workflow has the correct configuration to produce such
reproducible binaries. The release workflow currently uses the
Dockerfile to produce binaries, as this is one of the easiest ways to do
cross-compiling for Go binaries with CGO enabled (due to SQLite). In the
Dockerfile, two new arguments are being given to the build command.
`-trimpath` ensures that the workpath directory doesn't get included in
the binary; this means that file names (such as for panics) are
relative (to the workpath) and not absolute, which shouldn't impact
debugging. `-buildid=` is added to the linker flag; it sets the BuildID
of the Go linker to be empty; the `-buildid` hashes the input actions
and output content; these vary from build to build for unknown reasons,
but likely because of the involvement of temporary file names, this
doesn't have any effect on the behavior of the resulting binary.
The Makefile receives a new command, `reproduce-build#$VERSION` which
can be used by people to produce a reproducible Forgejo binary of a
particular release; it roughly does what the release workflow also does.
Build the Dockerfile and extract the Forgejo binary from it. This
doesn't allow to produce a reproducible version for every release, only
for those that include this patch, as it needs to call the makefile of
that version in order to make a reproducible binary.
There's one thing left to do: the Dockerfile pins the Go version to a
minor level and not to a patch level. This means that if a new Go patch
version is released, that will be used instead and will result in a
different binary that isn't bit to bit the same as the one that Forgejo
has released.
See
https://docs.docker.com/reference/build-checks/legacy-key-value-format/.
Fixes these warnings seen during the docker build:
```
4 warnings found (use --debug to expand):
- LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format (line 5)
- LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format (line 9)
- LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format (line 75)
- LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format (line 76)
```
Introduced in: https://github.com/moby/buildkit/pull/4923
(cherry picked from commit 996037fb6a61b1a7f9a0a837fd87bbeab9cad154)
Conflicts:
Dockerfile.rootless
trivial context conflict
It was premature to try to use them, try again later.
https://codeberg.org/forgejo-integration/forgejo/actions/runs/2147
github.com/docker/buildx v0.14.1 59582a88fca7858dbe1886fd1556b2a0d79e43a3
::endgroup::
[command]/usr/bin/docker buildx build --build-arg RELEASE_VERSION=8.0-test --file Dockerfile --iidfile /tmp/docker-actions-toolkit-UzuWxS/iidfile --platform linux/amd64,linux/arm64,linux/arm/v6 --tag codeberg.org/***/forgejo:8.0-test --metadata-file /tmp/docker-actions-toolkit-UzuWxS/metadata-file --push .
------
> [linux/arm/v6 internal] load metadata for code.forgejo.org/oci/golang:1.22-alpine3.20:
------
Dockerfile:3
--------------------
1 | FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
2 |
3 | >>> FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.22-alpine3.20 as build-env
4 |
5 | ARG GOPROXY
--------------------
Dockerfile:1
--------------------
1 | >>> FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
2 |
3 | FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.22-alpine3.20 as build-env
--------------------
Dockerfile:54
--------------------
52 | RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete
53 |
54 | >>> FROM code.forgejo.org/oci/golang:1.22-alpine3.20
55 | ARG RELEASE_VERSION
56 | LABEL maintainer="contact@forgejo.org" \
--------------------
ERROR: failed to solve: code.forgejo.org/oci/golang:1.22-alpine3.20: failed to resolve source metadata for code.forgejo.org/oci/golang:1.22-alpine3.20: no match for platform in manifest: not found
::error::buildx failed with: ERROR: failed to solve: code.forgejo.org/oci/golang:1.22-alpine3.20: failed to resolve source metadata for code.forgejo.org/oci/golang:1.22-alpine3.20: no match for platform in manifest: not found
The ARG RELEASE_VERSION set in the build-env image does not propagate
to the images that follow. As a result the value of the version label
is always empty.
This should have been caught by the test in the CI but although it
notified the problem in the output, it did not fail. Upgrade to the
forgejo-build-publish version that fixes this false positive.
The release name, as provided by FORGEJO_RELEASE, is used to build OCI
images and binary files. Although it can be the same as the Forgejo
version, it is not a requirement.
When the FORGEJO_RELEASE environment variable is set, use it as a
default for naming the binary file instead of FORGEJO_VERSION. For
instance, when building from the forgejo branch here is what is desired:
FORGEJO_VERSION=7.0.0-g2343
GITEA_VERSION=1.22.0
VERSION=vforgejo-test
The name of the release is also displayed with forgejo --version
for sanity check purposes.
Before:
FORGEJO_VERSION is the computed version
GITEA_VERSION is set manually
VERSION defaults to FORGEJO_VERSION
forgejo --help does not display VERSION
After:
FORGEJO_VERSION is the computed version
GITEA_VERSION is set manually
RELEASE_VERSION defaults to FORGEJO_VERSION
VERSION defaults to RELEASE_VERSION
forgejo --help displays VERSION
Refs: https://codeberg.org/forgejo/website/pulls/230
(cherry picked from commit 87d56bf6c7)
[CI] Forgejo Actions based release process (squash)
base64 -w0 to avoid wrapping when the doer name is long as it creates
a broken config.json
(cherry picked from commit 9efdc27e49)
[CI] Forgejo Actions based release process (squash) generate .xz files and sources
Generate .xz files
Check .sha256
Generate the source tarbal
(cherry picked from commit 7afec520c4)
[CI] Forgejo Actions based release process (squash) release notes
(cherry picked from commit d8f4f4807b)
[CI] Forgejo Actions based release process (squash) publish and sign release
(cherry picked from commit a52778c747)
(cherry picked from commit cf2ec62740)
[CI] Forgejo Actions based release process (squash) version
use Actions environment variables in Makefile (#25319) (#25318)
uses Actions variable to determine the version. But Forgejo builds
happen in a container where they are not available. Do not use them.
Also verify the version of the binary is as expected for sanity check.
(cherry picked from commit 6decf111a1)
(cherry picked from commit 206d0b3886)
[CI] read STORED_VERSION_FILE if available
(cherry picked from commit af74085ebf)
[CI] backward compatible executable compilation
Add a new static-executable target to use in Dockerfiles and restore
the $(EXECUTABLE) target to what it was before to for backward
compatibility.
The release process now builds static executables instead of
dynamically linked ones which makes them more portable. It changes the
requirements at compile time and is not backward compatible. In
particular it may break packaging that rely on the target that
currently creates a dynamically linked executable.
(cherry picked from commit 84d02a174a)
(cherry picked from commit 854be47328)
[CI] Forgejo Actions based release process (squash) doc / ca / verbosity
- Document workflow
- Increase verbosity if VERBOSE=true
- Download the Certificate Authority if behind the VPN
(cherry picked from commit 168d5d5869)
(cherry picked from commit 8756c9a72a)
(cherry picked from commit 2dad7ef20f)
[CI] Forgejo Actions based release process (squash) add assets sources-tarbal
Refs: https://codeberg.org/forgejo/forgejo/issues/1115
(cherry picked from commit 5531d01f19)
[CI] Forgejo Actions based release process (squash) add assets sources-tarbal
bindata.go is a file, not a directory
Refs: https://codeberg.org/forgejo/forgejo/issues/1115
(cherry picked from commit bd88a44778)
(cherry picked from commit b408085138)
[CI] Forgejo Actions based release process (squash) public/assets moved
(cherry picked from commit d8c921d5a6)
(cherry picked from commit f29e50b1a09b1a22fc2dbdb77e9a1def1196175b)
[CI] Fix release notes link
- Use substitution to replace all dots with dashes.
- Resolves https://codeberg.org/forgejo/forgejo/issues/1163
(cherry picked from commit 96783728f53a072915cace392aa269adfe9a5c73)
(cherry picked from commit c8d8bf8996)
[CI] pin go v1.20 for testing
Refs: https://codeberg.org/forgejo/forgejo/issues/1228
(cherry picked from commit fd4b5a013e)
(cherry picked from commit 00bb15f57f)
Conflicts:
Dockerfile
Dockerfile.rootless
see https://codeberg.org/forgejo/forgejo/pulls/1303
(cherry picked from commit 6e2be54a6d)
(cherry picked from commit 346c418b4a)
(cherry picked from commit 49061f8422)
(cherry picked from commit 8229d59b7e)
(cherry picked from commit 70d45d9193)
[CI] Forgejo Actions based release process (squash) need node 18
(cherry picked from commit 722b1f4590)
(cherry picked from commit a91d786169)
[CI] Forgejo Actions based release process (squash) fix indentation
(cherry picked from commit fbdf9d6abb)
(cherry picked from commit 2deff90a13)
(cherry picked from commit 5710a27fda)
[CI] Forgejo Actions based release process (squash) FQIN for docker
Refs: https://codeberg.org/forgejo/forgejo/issues/1600
(cherry picked from commit f63d38deb6)
[CI] Forgejo Actions based release process (squash) use forgejo-curl.sh
(cherry picked from commit c0c3ef506f)
(cherry picked from commit 933ca7ec5d)
Conflicts:
Dockerfile
Dockerfile.rootless
https://codeberg.org/forgejo/forgejo/pulls/1691
(cherry picked from commit 1068e48805)
[CI] Forgejo Actions based release process (squash) size optimization
(cherry picked from commit 3c653ff742)
(cherry picked from commit 398567fc0c)
(cherry picked from commit e585db9a97)
(cherry picked from commit 17e91c96e3)
[CI] Forgejo Actions based release process (squash) gitea to forgejo
(cherry picked from commit 9c06a318b8)
(cherry picked from commit 95859da3b4)
(cherry picked from commit e3a5f6c1ed)
(cherry picked from commit 7b9b259c75)
(cherry picked from commit c4a152c8dc)
(cherry picked from commit b00bf599ef)
(cherry picked from commit a7836ee2ee)
(cherry picked from commit 3ea7dcbd5b)
(cherry picked from commit 454d705e83)
(cherry picked from commit 35e06c3009)
(cherry picked from commit 904468a38f)
(cherry picked from commit 890e86815a)
(cherry picked from commit bf9f94c63d)
(cherry picked from commit d025d061d1)
(cherry picked from commit 32f209a8e1)
(cherry picked from commit 38ef6802fc)
(cherry picked from commit 8a19bbd2a8)
(cherry picked from commit f352dee786)
(cherry picked from commit b53d9fc090)
(cherry picked from commit 3dae21f4c8)
(cherry picked from commit 8b59e016c7)
(cherry picked from commit 6f54ea6a0e)
(cherry picked from commit ed8d90de6b)
(cherry picked from commit 26ffd3fcac)
(cherry picked from commit 287b3bbfb5)
(cherry picked from commit ab81378d0c)
(cherry picked from commit f6bbe7e875)
(cherry picked from commit 8968f34edf)
(cherry picked from commit d3d914bba2)
(cherry picked from commit 4e4006a990)
(cherry picked from commit edb333569b)
(cherry picked from commit 6c1a4baa15)
(cherry picked from commit 51bda3bfc7)
(cherry picked from commit 6f5f318b8f)
(cherry picked from commit e128da2362)
(cherry picked from commit 3e6735ff23)
(cherry picked from commit 938c444125)
(cherry picked from commit 67f92dc9ab)
(cherry picked from commit ee31df71fb)
(cherry picked from commit 386f232191)
(cherry picked from commit 745785cd7f)
(cherry picked from commit efa8564e76)
Conflicts:
Dockerfile
Dockerfile.rootless
https://codeberg.org/forgejo/forgejo/pulls/2029
(cherry picked from commit f3dfb14321)
(cherry picked from commit 5a0346ee95)
(cherry picked from commit 7a2a6517f2)
(cherry picked from commit 87dcc87da9)
(cherry picked from commit df4099247f)
(cherry picked from commit df23f83545)
* use go1.18 to build gitea& update min go version to 1.17
* bump in a few more places
* add a few simple tests for isipprivate
* update go.mod
* update URL to https://go.dev/dl/
* golangci-lint
* attempt golangci-lint workaround
* change version
* bump fumpt version
* skip strings.title test
* go mod tidy
* update tests as some aren't private??
* update tests
* Upgrade alpine to 3.15
* Add executability test to entrypoint for too old dockers
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Update docker/rootless/usr/local/bin/docker-entrypoint.sh
Co-authored-by: zeripath <art27@cantab.net>
Too many docker users are caught out by the default location for the
app.ini file being environment dependent so that when they docker exec
into the container the gitea commands do not work properly and require
additional -c arguments to correctly pick up the configuration.
This PR simply shadows the gitea binary using variants of the FHS
compatible script to make the command gitea have the default locations
by default.
Fix #14468
Reference #17497
Reference #12082
Reference #8941
... amongst others ...
Replace #17501
Signed-off-by: Andrew Thornton <art27@cantab.net>
Run chmod on the executables and the entrypoint when copying them to the
docker in dockerfile.
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Norwin <noerw@users.noreply.github.com>
Co-authored-by: delvh <dev.lh@web.de>
* Add environment-to-app.ini routine
* Call environment-to-ini in docker setup scripts
* Automatically convert section vars to lower case to match documentation
* Remove git patch instructions
* Add env variable documentation to Install Docker
* Dockerfile: Support socat use cases
In some contexts it is necessary to provide access to Gitea via TCP ports and unix sockets.
Gitea (`gitea web`) can be configured to listen for connections via unix-socket or TCP port, but not both.
When Gitea is installed to the host this limitation can be worked around by installing socat on the host.
When running Gitea from a container this limitation cannot be workaround.
Add socat to Gitea container.
* Removed version
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* go1.15
* update makefile xgo version
* fix vet issue
* update docs to version of go in use
* add TODO for asyncpreemptoff
Co-authored-by: Lauris BH <lauris@nix.lv>