From 062c5f45d00eab5ec45123201f9b61a9ff074b42 Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Thu, 26 Jun 2025 17:30:34 -0700 Subject: [PATCH 01/19] Add mount cache for docker building --- Dockerfile | 17 +++++++++++++++-- Dockerfile.rootless | 17 +++++++++++++++-- 2 files changed, 30 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 78a556497a..5837ccbd6e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,6 +9,12 @@ ARG TAGS="sqlite sqlite_unlock_notify" ENV TAGS="bindata timetzdata $TAGS" ARG CGO_EXTRA_CFLAGS +ARG GOCACHE +ENV GOCACHE=${GOCACHE:-/root/.cache/go-build} + +ARG GOMODCACHE +ENV GOMODCACHE=${GOMODCACHE:-/go/pkg/mod} + # Build deps RUN apk --no-cache add \ build-base \ @@ -24,10 +30,17 @@ WORKDIR ${GOPATH}/src/code.gitea.io/gitea # Checkout version if set RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \ - && make clean-all build + && make clean-all + +RUN --mount=type=cache,target=/root/.npm \ + --mount=type=cache,target=/go/pkg/mod/ \ + --mount=type=cache,target="/root/.cache/go-build" \ + make build # Begin env-to-ini build -RUN go build contrib/environment-to-ini/environment-to-ini.go +RUN --mount=type=cache,target=/go/pkg/mod/ \ + --mount=type=cache,target="/root/.cache/go-build" \ + go build contrib/environment-to-ini/environment-to-ini.go # Copy local files COPY docker/root /tmp/local diff --git a/Dockerfile.rootless b/Dockerfile.rootless index e83c1af33b..be8c4653f1 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -9,6 +9,12 @@ ARG TAGS="sqlite sqlite_unlock_notify" ENV TAGS="bindata timetzdata $TAGS" ARG CGO_EXTRA_CFLAGS +ARG GOCACHE +ENV GOCACHE=${GOCACHE:-/root/.cache/go-build} + +ARG GOMODCACHE +ENV GOMODCACHE=${GOMODCACHE:-/go/pkg/mod} + #Build deps RUN apk --no-cache add \ build-base \ 
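Review bot: The cache mounts added in the second Dockerfile hunk hard-code `/go/pkg/mod/` and `/root/.cache/go-build`, while the first hunk makes both locations overridable through `ARG GOCACHE` and `ARG GOMODCACHE`. A build that passes either argument makes Go write outside the mounted directories, so nothing is cached and the downloads land in the build-stage layer instead. Either drop the two ARG/ENV pairs or derive the mount targets from them, e.g. `--mount=type=cache,target="${GOMODCACHE}"` (assuming the Dockerfile frontend in use expands variables in mount options). Dockerfile.rootless carries the same pair of hunks.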
@@ -24,10 +30,17 @@ WORKDIR ${GOPATH}/src/code.gitea.io/gitea # Checkout version if set RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \ - && make clean-all build + && make clean-all + +RUN --mount=type=cache,target=/root/.npm \ + --mount=type=cache,target=/go/pkg/mod/ \ + --mount=type=cache,target="/root/.cache/go-build" \ + make build # Begin env-to-ini build -RUN go build contrib/environment-to-ini/environment-to-ini.go +RUN --mount=type=cache,target=/go/pkg/mod/ \ + --mount=type=cache,target="/root/.cache/go-build" \ + go build contrib/environment-to-ini/environment-to-ini.go # Copy local files COPY docker/rootless /tmp/local From 48c432ddbcd993d5cb489b98e50d54bef8c9b9fe Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Sun, 29 Jun 2025 22:02:10 -0700 Subject: [PATCH 02/19] experiment --- .github/workflows/pull-docker-dryrun.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/pull-docker-dryrun.yml b/.github/workflows/pull-docker-dryrun.yml index f74277de67..abbf3fa33f 100644 --- a/.github/workflows/pull-docker-dryrun.yml +++ b/.github/workflows/pull-docker-dryrun.yml @@ -21,6 +21,8 @@ jobs: with: push: false tags: gitea/gitea:linux-amd64 + cache-from: type=registry,ref=gitea/gitea:buildcache-pr-amd64 + cache-to: type=registry,ref=gitea/gitea:buildcache-pr-amd64,mode=max rootless: if: needs.files-changed.outputs.docker == 'true' || needs.files-changed.outputs.actions == 'true' @@ -33,3 +35,5 @@ jobs: push: false file: Dockerfile.rootless tags: gitea/gitea:linux-amd64 + cache-from: type=registry,ref=gitea/gitea:buildcache-pr-amd64-rootless + cache-to: type=registry,ref=gitea/gitea:buildcache-pr-amd64-rootless,mode=max From afba5ffe0a5d820ddb308fb774d03a0a3ed14797 Mon Sep 17 00:00:00 2001 
From: Lunny Xiao Date: Mon, 30 Jun 2025 16:41:45 -0700 Subject: [PATCH 03/19] update all cache --- .github/workflows/pull-docker-dryrun.yml | 27 +++++++++++++++++++---- .github/workflows/release-nightly.yml | 4 ++++ .github/workflows/release-tag-rc.yml | 2 ++ .github/workflows/release-tag-version.yml | 2 ++ 4 files changed, 31 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pull-docker-dryrun.yml b/.github/workflows/pull-docker-dryrun.yml index abbf3fa33f..205fa4e87d 100644 --- a/.github/workflows/pull-docker-dryrun.yml +++ b/.github/workflows/pull-docker-dryrun.yml 
@@ -16,24 +16,43 @@ jobs: needs: files-changed runs-on: ubuntu-latest steps: + - name: Get cleaned branch name + id: clean_name + run: | + # if main then say nightly otherwise cleanup name + if [ "${{ github.base_ref }}" = "refs/heads/main" ]; then + echo "branch=nightly" >> "$GITHUB_OUTPUT" + exit 0 + fi + REF_NAME=$(echo "${{ github.base_ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//') + echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT" - uses: docker/setup-buildx-action@v3 - uses: docker/build-push-action@v5 with: push: false tags: gitea/gitea:linux-amd64 - cache-from: type=registry,ref=gitea/gitea:buildcache-pr-amd64 - cache-to: type=registry,ref=gitea/gitea:buildcache-pr-amd64,mode=max + platforms: linux/amd64,linux/arm64,linux/riscv64 + cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }} rootless: if: needs.files-changed.outputs.docker == 'true' || needs.files-changed.outputs.actions == 'true' needs: files-changed runs-on: ubuntu-latest steps: + - name: Get cleaned branch name + id: clean_name + run: | + # if main then say nightly otherwise cleanup name + if [ "${{ github.base_ref }}" = "refs/heads/main" ]; then + echo "branch=nightly" >> "$GITHUB_OUTPUT" + exit 0 + fi + REF_NAME=$(echo "${{ github.base_ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//') + echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT" - uses: docker/setup-buildx-action@v3 - uses: docker/build-push-action@v5 with: push: false file: Dockerfile.rootless tags: gitea/gitea:linux-amd64 - cache-from: type=registry,ref=gitea/gitea:buildcache-pr-amd64-rootless - cache-to: type=registry,ref=gitea/gitea:buildcache-pr-amd64-rootless,mode=max + cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }}-rootless diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml index 3d652e4ad8..f3dcb5c673 100644 
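Review bot: Both new `Get cleaned branch name` steps paste `${{ github.base_ref }}` straight into the `run:` script, so the value is expanded into shell source before the shell parses it. Passing it through the environment (`env:` with `BASE_REF: ${{ github.base_ref }}`, then `"$BASE_REF"` in the script) keeps a ref name from ever being interpreted as code. The comparison with `refs/heads/main` also looks unreachable, because on pull_request events `github.base_ref` is the short branch name (`main`), so the step would emit `main-nightly` rather than `nightly`; worth confirming which cache tag is intended. The steps added to release-tag-rc.yml and release-tag-version.yml in patches 04 and 05 interpolate `${{ github.ref }}` the same way. Separately, `platforms:` now lists arm64 and riscv64 but no `docker/setup-qemu-action` step is visible in this job.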
--- a/.github/workflows/release-nightly.yml +++ b/.github/workflows/release-nightly.yml @@ -98,6 +98,8 @@ jobs: tags: |- gitea/gitea:${{ steps.clean_name.outputs.branch }} ghcr.io/go-gitea/gitea:${{ steps.clean_name.outputs.branch }} + cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }} + cache-to: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }},mode=max nightly-docker-rootless: runs-on: namespace-profile-gitea-release-docker permissions: @@ -141,3 +143,5 @@ jobs: tags: |- gitea/gitea:${{ steps.clean_name.outputs.branch }}-rootless ghcr.io/go-gitea/gitea:${{ steps.clean_name.outputs.branch }}-rootless + cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }}-rootless + cache-to: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }}-rootless,mode=max diff --git a/.github/workflows/release-tag-rc.yml b/.github/workflows/release-tag-rc.yml index f4776a9ed8..a5228335d6 100644 --- a/.github/workflows/release-tag-rc.yml +++ b/.github/workflows/release-tag-rc.yml @@ -107,6 +107,7 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }} docker-rootless: runs-on: namespace-profile-gitea-release-docker permissions: @@ -151,3 +152,4 @@ jobs: file: Dockerfile.rootless tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }}-rootless diff --git a/.github/workflows/release-tag-version.yml b/.github/workflows/release-tag-version.yml index ad0820f31f..0a30ba40ea 100644 --- a/.github/workflows/release-tag-version.yml +++ b/.github/workflows/release-tag-version.yml 
@@ -115,6 +115,7 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }} docker-rootless: runs-on: namespace-profile-gitea-release-docker steps: @@ -162,3 +163,4 @@ jobs: file: Dockerfile.rootless tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }}-rootless From b9bc1b87c06a58af5ca0aea9550573d762717813 Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Mon, 30 Jun 2025 16:43:52 -0700 Subject: [PATCH 04/19] improvements --- .github/workflows/release-tag-rc.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/release-tag-rc.yml b/.github/workflows/release-tag-rc.yml index a5228335d6..bcd7b37ed3 100644 --- a/.github/workflows/release-tag-rc.yml +++ b/.github/workflows/release-tag-rc.yml @@ -99,6 +99,12 @@ jobs: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Get cleaned branch name + id: clean_name + run: | + REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//') + echo "Cleaned name is ${REF_NAME}" + echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT" - name: build rootful docker image uses: docker/build-push-action@v5 with: @@ -143,6 +149,12 @@ jobs: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Get cleaned branch name + id: clean_name + run: | + REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//') + echo "Cleaned name is ${REF_NAME}" + echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT" - name: build rootless docker image uses: docker/build-push-action@v5 with: From efb558acb0a8dc0bb95deb3aa6dfda1b53a1fa85 Mon Sep 17 00:00:00 2001 
From: Lunny Xiao Date: Mon, 30 Jun 2025 16:44:49 -0700 Subject: [PATCH 05/19] improvements --- .github/workflows/release-tag-version.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/release-tag-version.yml b/.github/workflows/release-tag-version.yml index 0a30ba40ea..f3e41df8eb 100644 --- a/.github/workflows/release-tag-version.yml +++ b/.github/workflows/release-tag-version.yml @@ -107,6 +107,12 @@ jobs: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Get cleaned branch name + id: clean_name + run: | + REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//') + echo "Cleaned name is ${REF_NAME}" + echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT" - name: build rootful docker image uses: docker/build-push-action@v5 with: @@ -154,6 +160,12 @@ jobs: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Get cleaned branch name + id: clean_name + run: | + REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//') + echo "Cleaned name is ${REF_NAME}" + echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT" - name: build rootless docker image uses: docker/build-push-action@v5 with: From 4b70dd9998463e41afbea4cddc191fcb56e9e03b Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Mon, 29 Sep 2025 18:32:39 +0200 Subject: [PATCH 06/19] add mount cache during builds correct permissions on copied files --- Dockerfile | 49 ++++++++++------------------- Dockerfile.rootless | 45 +++++++++----------------- docker/root/usr/local/bin/gitea | 0 docker/rootless/usr/local/bin/gitea | 0 4 files changed, 31 insertions(+), 63 deletions(-) mode change 100644 => 100755 docker/root/usr/local/bin/gitea mode change 100644 => 100755 docker/rootless/usr/local/bin/gitea diff --git a/Dockerfile b/Dockerfile index 5837ccbd6e..60102591f6 100644 --- a/Dockerfile 
+++ b/Dockerfile @@ -20,46 +20,30 @@ RUN apk --no-cache add \ build-base \ git \ nodejs \ - npm \ - && npm install -g pnpm@10 \ - && rm -rf /var/cache/apk/* + pnpm # Setup repo COPY . ${GOPATH}/src/code.gitea.io/gitea WORKDIR ${GOPATH}/src/code.gitea.io/gitea # Checkout version if set -RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \ - && make clean-all - -RUN --mount=type=cache,target=/root/.npm \ - --mount=type=cache,target=/go/pkg/mod/ \ - --mount=type=cache,target="/root/.cache/go-build" \ - make build +RUN --mount=type=cache,target=/root/.local/share/pnpm/store \ + --mount=type=cache,target=/go/pkg/mod \ + --mount=type=cache,target="/root/.cache/go-build" \ + if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \ + && make clean-all build # Begin env-to-ini build -RUN --mount=type=cache,target=/go/pkg/mod/ \ - --mount=type=cache,target="/root/.cache/go-build" \ - go build contrib/environment-to-ini/environment-to-ini.go +RUN --mount=type=cache,target=/go/pkg/mod \ + --mount=type=cache,target="/root/.cache/go-build" \ + go build contrib/environment-to-ini/environment-to-ini.go -# Copy local files -COPY docker/root /tmp/local - -# Set permissions -RUN chmod 755 /tmp/local/usr/bin/entrypoint \ - /tmp/local/usr/local/bin/gitea \ - /tmp/local/etc/s6/gitea/* \ - /tmp/local/etc/s6/openssh/* \ - /tmp/local/etc/s6/.s6-svscan/* \ - /go/src/code.gitea.io/gitea/gitea \ - /go/src/code.gitea.io/gitea/environment-to-ini - -FROM docker.io/library/alpine:3.22 +FROM docker.io/library/alpine:3.22 AS gitea LABEL maintainer="maintainers@gitea.io" EXPOSE 22 3000 -RUN apk --no-cache add \ +RUN apk add --no-cache \ bash \ ca-certificates \ curl \ @@ -70,8 +54,7 @@ RUN apk --no-cache add \ s6 \ sqlite \ su-exec \ - gnupg \ - && rm -rf /var/cache/apk/* + gnupg RUN addgroup \ -S -g 1000 \ 
@@ -85,6 +68,10 @@ RUN addgroup \ git && \ echo "git:*" | chpasswd -e +COPY docker/root / +COPY --chmod=755 --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea +COPY --chmod=755 --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini + ENV USER=git ENV GITEA_CUSTOM=/data/gitea @@ -92,7 +79,3 @@ VOLUME ["/data"] ENTRYPOINT ["/usr/bin/entrypoint"] CMD ["/usr/bin/s6-svscan", "/etc/s6"] - -COPY --from=build-env /tmp/local / -COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea -COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini diff --git a/Dockerfile.rootless b/Dockerfile.rootless index be8c4653f1..cb3bfe362c 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless 
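Review bot: `COPY docker/root /` now takes file modes directly from the build context, but the `RUN chmod 755` removed in the previous hunk also covered `usr/bin/entrypoint` and the scripts under `etc/s6/`, and this commit only flips the mode of `usr/local/bin/gitea`. If any of those files is not already committed as executable, or the context comes from a checkout that loses the exec bit, the container fails at `ENTRYPOINT ["/usr/bin/entrypoint"]`. I would either copy those paths explicitly, e.g. `COPY --chmod=755 docker/root/usr/bin/entrypoint /usr/bin/entrypoint`, or add a comment such as `# executable bits for entrypoint and s6 scripts come from the git file modes`. Dockerfile.rootless has the same change for `docker-entrypoint.sh` and `docker-setup.sh`.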
@@ -15,44 +15,30 @@ ENV GOCACHE=${GOCACHE:-/root/.cache/go-build} ARG GOMODCACHE ENV GOMODCACHE=${GOMODCACHE:-/go/pkg/mod} -#Build deps +# Build deps RUN apk --no-cache add \ build-base \ git \ nodejs \ - npm \ - && npm install -g pnpm@10 \ - && rm -rf /var/cache/apk/* + pnpm # Setup repo COPY . ${GOPATH}/src/code.gitea.io/gitea WORKDIR ${GOPATH}/src/code.gitea.io/gitea # Checkout version if set -RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \ - && make clean-all - -RUN --mount=type=cache,target=/root/.npm \ - --mount=type=cache,target=/go/pkg/mod/ \ - --mount=type=cache,target="/root/.cache/go-build" \ - make build +RUN --mount=type=cache,target=/root/.local/share/pnpm/store \ + --mount=type=cache,target=/go/pkg/mod \ + --mount=type=cache,target="/root/.cache/go-build" \ + if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \ + && make clean-all build # Begin env-to-ini build -RUN --mount=type=cache,target=/go/pkg/mod/ \ - --mount=type=cache,target="/root/.cache/go-build" \ - go build contrib/environment-to-ini/environment-to-ini.go +RUN --mount=type=cache,target=/go/pkg/mod \ + --mount=type=cache,target="/root/.cache/go-build" \ + go build contrib/environment-to-ini/environment-to-ini.go -# Copy local files -COPY docker/rootless /tmp/local - -# Set permissions -RUN chmod 755 /tmp/local/usr/local/bin/docker-entrypoint.sh \ - /tmp/local/usr/local/bin/docker-setup.sh \ - /tmp/local/usr/local/bin/gitea \ - /go/src/code.gitea.io/gitea/gitea \ - /go/src/code.gitea.io/gitea/environment-to-ini - -FROM docker.io/library/alpine:3.22 +FROM docker.io/library/alpine:3.22 AS gitea-rootless LABEL maintainer="maintainers@gitea.io" EXPOSE 2222 3000 @@ -65,8 +51,7 @@ RUN apk --no-cache add \ git \ curl \ gnupg \ - openssh-keygen \ - && rm -rf /var/cache/apk/* + openssh-keygen RUN addgroup \ -S -g 1000 \ 
@@ -82,9 +67,9 @@ RUN addgroup \ RUN mkdir -p /var/lib/gitea /etc/gitea RUN chown git:git /var/lib/gitea /etc/gitea -COPY --from=build-env /tmp/local / -COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea -COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini +COPY docker/rootless / +COPY --from=build-env --chmod=755 --chown=root:root /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea +COPY --from=build-env --chmod=755 --chown=root:root /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini # git:git USER 1000:1000 diff --git a/docker/root/usr/local/bin/gitea b/docker/root/usr/local/bin/gitea old mode 100644 new mode 100755 diff --git a/docker/rootless/usr/local/bin/gitea b/docker/rootless/usr/local/bin/gitea old mode 100644 new mode 100755 From b4fc88b936147d74a3be75c51b97e1712bc5893e Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Sun, 5 Oct 2025 17:09:00 +0200 Subject: [PATCH 07/19] trim down build stage Avoid copying .git directory into the container --- Dockerfile | 26 +++++++++++++++----------- Dockerfile.rootless | 26 +++++++++++++++----------- 2 files changed, 30 insertions(+), 22 deletions(-) diff --git a/Dockerfile b/Dockerfile index 60102591f6..92e07d30d9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,20 +1,13 @@ # Build stage FROM docker.io/library/golang:1.25-alpine3.22 AS build-env -ARG GOPROXY -ENV GOPROXY=${GOPROXY:-direct} +ARG GOPROXY=direct ARG GITEA_VERSION ARG TAGS="sqlite sqlite_unlock_notify" ENV TAGS="bindata timetzdata $TAGS" ARG CGO_EXTRA_CFLAGS -ARG GOCACHE -ENV GOCACHE=${GOCACHE:-/root/.cache/go-build} - -ARG GOMODCACHE -ENV GOMODCACHE=${GOMODCACHE:-/go/pkg/mod} - # Build deps RUN apk --no-cache add \ build-base \ 
@@ -22,16 +15,28 @@ RUN apk --no-cache add \ nodejs \ pnpm +WORKDIR ${GOPATH}/src/code.gitea.io/gitea + +# Fetch go dependencies +COPY go.mod go.sum ./ +RUN --mount=type=cache,target=/go/pkg/mod \ + go mod download + +# Fetch pnpm dependencies +COPY package.json pnpm-lock.yaml ./ +RUN --mount=type=cache,target=/root/.local/share/pnpm/store \ + pnpm install --frozen-lockfile --prod + # Setup repo COPY . ${GOPATH}/src/code.gitea.io/gitea -WORKDIR ${GOPATH}/src/code.gitea.io/gitea # Checkout version if set RUN --mount=type=cache,target=/root/.local/share/pnpm/store \ --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target="/root/.cache/go-build" \ + --mount=type=bind,source=".git",target="${GOPATH}/src/code.gitea.io/gitea/.git" \ if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \ - && make clean-all build + && make build # Begin env-to-ini build RUN --mount=type=cache,target=/go/pkg/mod \ @@ -39,7 +44,6 @@ RUN --mount=type=cache,target=/go/pkg/mod \ go build contrib/environment-to-ini/environment-to-ini.go FROM docker.io/library/alpine:3.22 AS gitea -LABEL maintainer="maintainers@gitea.io" EXPOSE 22 3000 diff --git a/Dockerfile.rootless b/Dockerfile.rootless index cb3bfe362c..9b53d6c0b3 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -1,20 +1,13 @@ # Build stage FROM docker.io/library/golang:1.25-alpine3.22 AS build-env -ARG GOPROXY -ENV GOPROXY=${GOPROXY:-direct} +ARG GOPROXY=direct ARG GITEA_VERSION ARG TAGS="sqlite sqlite_unlock_notify" ENV TAGS="bindata timetzdata $TAGS" ARG CGO_EXTRA_CFLAGS -ARG GOCACHE -ENV GOCACHE=${GOCACHE:-/root/.cache/go-build} - -ARG GOMODCACHE -ENV GOMODCACHE=${GOMODCACHE:-/go/pkg/mod} - # Build deps RUN apk --no-cache add \ build-base \ 
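Review bot: The `.git` bind mount on the build `RUN` is read-only by default, yet the same command runs `git checkout "${GITEA_VERSION}"`, which has to update `HEAD` and the index; any build that sets `GITEA_VERSION` should fail there. Appending `,rw` to the mount (`--mount=type=bind,source=".git",target="${GOPATH}/src/code.gitea.io/gitea/.git",rw`) lets the checkout proceed while discarding the writes after the step. Note also that `go mod download` and `pnpm install` above run against the lockfiles from the build context, before the checkout, so a `GITEA_VERSION` that differs from the context resolves dependencies from the wrong revision. The identical hunk in Dockerfile.rootless needs the same treatment.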
@@ -22,16 +15,28 @@ RUN apk --no-cache add \ nodejs \ pnpm +WORKDIR ${GOPATH}/src/code.gitea.io/gitea + +# Fetch go dependencies +COPY go.mod go.sum ./ +RUN --mount=type=cache,target=/go/pkg/mod \ + go mod download + +# Fetch pnpm dependencies +COPY package.json pnpm-lock.yaml ./ +RUN --mount=type=cache,target=/root/.local/share/pnpm/store \ + pnpm install --frozen-lockfile --prod + # Setup repo COPY . ${GOPATH}/src/code.gitea.io/gitea -WORKDIR ${GOPATH}/src/code.gitea.io/gitea # Checkout version if set RUN --mount=type=cache,target=/root/.local/share/pnpm/store \ --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target="/root/.cache/go-build" \ + --mount=type=bind,source=".git",target="${GOPATH}/src/code.gitea.io/gitea/.git" \ if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \ - && make clean-all build + && make build # Begin env-to-ini build RUN --mount=type=cache,target=/go/pkg/mod \ @@ -39,7 +44,6 @@ RUN --mount=type=cache,target=/go/pkg/mod \ go build contrib/environment-to-ini/environment-to-ini.go FROM docker.io/library/alpine:3.22 AS gitea-rootless -LABEL maintainer="maintainers@gitea.io" EXPOSE 2222 3000 From da539d8f720fa0a47c5a46941d6ee7b84939934a Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Sun, 5 Oct 2025 17:42:10 +0200 Subject: [PATCH 08/19] unify container builds instead of running two jobs compiling the same code, run one and reuse layers --- .github/workflows/release-nightly.yml | 76 +++++++++-------------- .github/workflows/release-tag-rc.yml | 66 +++++--------------- .github/workflows/release-tag-version.yml | 64 +++++-------------- 3 files changed, 63 insertions(+), 143 deletions(-) diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml index f3dcb5c673..4e20392702 100644 --- a/.github/workflows/release-nightly.yml +++ b/.github/workflows/release-nightly.yml 
@@ -56,7 +56,7 @@ jobs: - name: upload binaries to s3 run: | aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress - nightly-docker-rootful: + nightly-container: runs-on: namespace-profile-gitea-release-docker permissions: packages: write # to publish to ghcr.io @@ -76,6 +76,29 @@ jobs: run: | REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//') echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT" + - uses: docker/metadata-action@v5 + id: meta + with: + images: |- + gitea/gitea + ghcr.io/go-gitea/gitea + tags: | + type=raw,value=${{ steps.clean_name.outputs.branch }} + annotations: | + org.opencontainers.image.authors="maintainers@gitea.io" + - uses: docker/metadata-action@v5 + id: meta_rootless + with: + images: |- + gitea/gitea + ghcr.io/go-gitea/gitea + # each tag below will have the suffix of -rootless + flavor: | + suffix=-rootless + tags: | + type=raw,value=${{ steps.clean_name.outputs.branch }} + annotations: | + org.opencontainers.image.authors="maintainers@gitea.io" - name: Login to Docker Hub uses: docker/login-action@v3 with: 
@@ -87,61 +110,20 @@ jobs: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: fetch go modules - run: make vendor - name: build rootful docker image uses: docker/build-push-action@v5 with: context: . platforms: linux/amd64,linux/arm64,linux/riscv64 push: true - tags: |- - gitea/gitea:${{ steps.clean_name.outputs.branch }} - ghcr.io/go-gitea/gitea:${{ steps.clean_name.outputs.branch }} - cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }} - cache-to: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }},mode=max - nightly-docker-rootless: - runs-on: namespace-profile-gitea-release-docker - permissions: - packages: write # to publish to ghcr.io - steps: - - uses: actions/checkout@v4 - # fetch all commits instead of only the last as some branches are long lived and could have many between versions - # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. 
v1.21.0-dev-1-g1234567 - - run: git fetch --unshallow --quiet --tags --force - - uses: actions/setup-go@v5 - with: - go-version-file: go.mod - check-latest: true - - uses: docker/setup-qemu-action@v3 - - uses: docker/setup-buildx-action@v3 - - name: Get cleaned branch name - id: clean_name - run: | - REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//') - echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT" - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Login to GHCR using PAT - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: fetch go modules - run: make vendor + tags: ${{ steps.meta_rootless.outputs.tags }} + annotations: ${{ steps.meta_rootless.outputs.annotations }} - name: build rootless docker image uses: docker/build-push-action@v5 with: context: . - platforms: linux/amd64,linux/arm64 + platforms: linux/amd64,linux/arm64,linux/riscv64 push: true file: Dockerfile.rootless - tags: |- - gitea/gitea:${{ steps.clean_name.outputs.branch }}-rootless - ghcr.io/go-gitea/gitea:${{ steps.clean_name.outputs.branch }}-rootless - cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }}-rootless - cache-to: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }}-rootless,mode=max + tags: ${{ steps.meta_rootless.outputs.tags }} + annotations: ${{ steps.meta_rootless.outputs.annotations }} diff --git a/.github/workflows/release-tag-rc.yml b/.github/workflows/release-tag-rc.yml index bcd7b37ed3..98a2950e3b 100644 --- a/.github/workflows/release-tag-rc.yml +++ b/.github/workflows/release-tag-rc.yml 
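Review bot: The `build rootful docker image` step is given `tags: ${{ steps.meta_rootless.outputs.tags }}` and the matching rootless annotations, so the rootful image is pushed under the `-rootless` tags and then replaced by the rootless build, while the plain nightly tag is never updated. It should read `tags: ${{ steps.meta.outputs.tags }}` and `annotations: ${{ steps.meta.outputs.annotations }}`. Anyone pulling the nightly tag would keep receiving a stale image, which also delays security fixes reaching them.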
@@ -66,7 +66,7 @@ jobs: gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --draft --notes-from-tag dist/release/* env: GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} - docker-rootful: + container: runs-on: namespace-profile-gitea-release-docker permissions: packages: write # to publish to ghcr.io 
@@ -88,45 +88,10 @@ jobs: # 1.2.3-rc0 tags: | type=semver,pattern={{version}} - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Login to GHCR using PAT - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Get cleaned branch name - id: clean_name - run: | - REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//') - echo "Cleaned name is ${REF_NAME}" - echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT" - - name: build rootful docker image - uses: docker/build-push-action@v5 - with: - context: . - platforms: linux/amd64,linux/arm64,linux/riscv64 - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }} - docker-rootless: - runs-on: namespace-profile-gitea-release-docker - permissions: - packages: write # to publish to ghcr.io - steps: - - uses: actions/checkout@v4 - # fetch all commits instead of only the last as some branches are long lived and could have many between versions - # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567 - - run: git fetch --unshallow --quiet --tags --force - - uses: docker/setup-qemu-action@v3 - - uses: docker/setup-buildx-action@v3 + annotations: | + org.opencontainers.image.authors="maintainers@gitea.io" - uses: docker/metadata-action@v5 - id: meta + id: meta_rootless with: images: |- gitea/gitea @@ -138,6 +103,8 @@ jobs: # 1.2.3-rc0 tags: | type=semver,pattern={{version}} + annotations: | + org.opencontainers.image.authors="maintainers@gitea.io" - name: Login to Docker Hub uses: docker/login-action@v3 with: 
@@ -149,19 +116,20 @@ jobs: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Get cleaned branch name - id: clean_name - run: | - REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//') - echo "Cleaned name is ${REF_NAME}" - echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT" - - name: build rootless docker image + - name: build rootful container image + uses: docker/build-push-action@v5 + with: + context: . + platforms: linux/amd64,linux/arm64,linux/riscv64 + push: true + tags: ${{ steps.meta.outputs.tags }} + annotations: ${{ steps.meta.outputs.annotations }} + - name: build rootless container image uses: docker/build-push-action@v5 with: context: . platforms: linux/amd64,linux/arm64,linux/riscv64 push: true file: Dockerfile.rootless - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }}-rootless + tags: ${{ steps.meta_rootless.outputs.tags }} + annotations: ${{ steps.meta_rootless.outputs.annotations }} diff --git a/.github/workflows/release-tag-version.yml b/.github/workflows/release-tag-version.yml index f3e41df8eb..58c95458ea 100644 --- a/.github/workflows/release-tag-version.yml +++ b/.github/workflows/release-tag-version.yml @@ -70,7 +70,7 @@ jobs: gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --notes-from-tag dist/release/* env: GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} - docker-rootful: + container: runs-on: namespace-profile-gitea-release-docker permissions: packages: write # to publish to ghcr.io 
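Review bot: Replacing `labels: ${{ steps.meta.outputs.labels }}` with `annotations:` drops the OCI labels from the image config, so `docker inspect` no longer shows the metadata that docker/metadata-action generates (source, revision, version), which is what most scanners and provenance checks read. Unless that is intended, pass both: keep `labels: ${{ steps.meta.outputs.labels }}` next to the new `annotations:` line in the rootful step, and `labels: ${{ steps.meta_rootless.outputs.labels }}` in the rootless one. The same substitution is made in release-tag-version.yml, and the Dockerfiles lose their only `LABEL` in patch 07.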
@@ -96,43 +96,10 @@ jobs: type=semver,pattern={{version}} type=semver,pattern={{major}} type=semver,pattern={{major}}.{{minor}} - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Login to GHCR using PAT - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Get cleaned branch name - id: clean_name - run: | - REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//') - echo "Cleaned name is ${REF_NAME}" - echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT" - - name: build rootful docker image - uses: docker/build-push-action@v5 - with: - context: . - platforms: linux/amd64,linux/arm64,linux/riscv64 - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }} - docker-rootless: - runs-on: namespace-profile-gitea-release-docker - steps: - - uses: actions/checkout@v4 - # fetch all commits instead of only the last as some branches are long lived and could have many between versions - # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567 - - run: git fetch --unshallow --quiet --tags --force - - uses: docker/setup-qemu-action@v3 - - uses: docker/setup-buildx-action@v3 + annotations: | + org.opencontainers.image.authors="maintainers@gitea.io" - uses: docker/metadata-action@v5 - id: meta + id: meta_rootless with: images: |- gitea/gitea @@ -149,6 +116,8 @@ jobs: type=semver,pattern={{version}} type=semver,pattern={{major}} type=semver,pattern={{major}}.{{minor}} + annotations: | + org.opencontainers.image.authors="maintainers@gitea.io" - name: Login to Docker Hub uses: docker/login-action@v3 with: 
@@ -160,19 +129,20 @@ jobs: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Get cleaned branch name - id: clean_name - run: | - REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//') - echo "Cleaned name is ${REF_NAME}" - echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT" - - name: build rootless docker image + - name: build rootful container image + uses: docker/build-push-action@v5 + with: + context: . + platforms: linux/amd64,linux/arm64,linux/riscv64 + push: true + tags: ${{ steps.meta.outputs.tags }} + annotations: ${{ steps.meta.outputs.annotations }} + - name: build rootless container image uses: docker/build-push-action@v5 with: context: . platforms: linux/amd64,linux/arm64,linux/riscv64 push: true file: Dockerfile.rootless - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }}-rootless + tags: ${{ steps.meta_rootless.outputs.tags }} + annotations: ${{ steps.meta_rootless.outputs.annotations }} From 24215386777d59d65d641ceef52c198e2875e253 Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Sat, 11 Oct 2025 13:51:10 +0200 Subject: [PATCH 09/19] add cache-to and from directives --- .github/workflows/release-nightly.yml | 8 ++++---- .github/workflows/release-tag-rc.yml | 2 ++ .github/workflows/release-tag-version.yml | 2 ++ 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml index 4e20392702..e6a2017068 100644 --- a/.github/workflows/release-nightly.yml +++ b/.github/workflows/release-nightly.yml 
@@ -65,10 +65,6 @@ jobs: # fetch all commits instead of only the last as some branches are long lived and could have many between versions # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567 - run: git fetch --unshallow --quiet --tags --force - - uses: actions/setup-go@v5 - with: - go-version-file: go.mod - check-latest: true - uses: docker/setup-qemu-action@v3 - uses: docker/setup-buildx-action@v3 - name: Get cleaned branch name @@ -118,6 +114,8 @@ jobs: push: true tags: ${{ steps.meta_rootless.outputs.tags }} annotations: ${{ steps.meta_rootless.outputs.annotations }} + cache-to: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache,mode=max + cache-from: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache - name: build rootless docker image uses: docker/build-push-action@v5 with: @@ -127,3 +125,5 @@ jobs: file: Dockerfile.rootless tags: ${{ steps.meta_rootless.outputs.tags }} annotations: ${{ steps.meta_rootless.outputs.annotations }} + cache-to: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache,mode=max + cache-from: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache diff --git a/.github/workflows/release-tag-rc.yml b/.github/workflows/release-tag-rc.yml index 98a2950e3b..73551628b1 100644 --- a/.github/workflows/release-tag-rc.yml +++ b/.github/workflows/release-tag-rc.yml @@ -124,6 +124,7 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} annotations: ${{ steps.meta.outputs.annotations }} + cache-from: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache - name: build rootless container image uses: docker/build-push-action@v5 with: @@ -133,3 +134,4 @@ jobs: file: Dockerfile.rootless tags: ${{ steps.meta_rootless.outputs.tags }} annotations: ${{ steps.meta_rootless.outputs.annotations }} + cache-from: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache diff --git a/.github/workflows/release-tag-version.yml b/.github/workflows/release-tag-version.yml index 58c95458ea..eb16867150 100644 
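Review bot: The added `cache-from`/`cache-to` refs point at `ghcr.io/thefox0x7/gitea-buildcache`, a personal namespace rather than the project's own registry, so a workflow that pushes release images would import layers from a cache the project does not control. Anyone able to write to that ref could influence the contents of the published image; a ref under the project namespace, like the earlier `gitea/gitea:buildcache-…` refs, keeps the cache inside the same trust boundary as the images. The `cache-to` in the nightly steps would presumably also fail to push, since the GHCR login in these workflows uses the repository owner and `GITHUB_TOKEN`. The same ref is added in both hunks of `release-tag-rc.yml` and `release-tag-version.yml`; patch 11/19 later removes it.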
--- a/.github/workflows/release-tag-version.yml +++ b/.github/workflows/release-tag-version.yml @@ -137,6 +137,7 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} annotations: ${{ steps.meta.outputs.annotations }} + cache-from: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache - name: build rootless container image uses: docker/build-push-action@v5 with: @@ -146,3 +147,4 @@ jobs: file: Dockerfile.rootless tags: ${{ steps.meta_rootless.outputs.tags }} annotations: ${{ steps.meta_rootless.outputs.annotations }} + cache-from: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache From 2f9e04745d30e076fe61bf3cde878ca8bc12702f Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Sat, 11 Oct 2025 13:56:26 +0200 Subject: [PATCH 10/19] avoid copying all files to trim down the build stage --- Dockerfile | 29 ++++++++++++++++++++++++----- Dockerfile.rootless | 29 ++++++++++++++++++++++++----- 2 files changed, 48 insertions(+), 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index 92e07d30d9..d069f8a4da 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,6 +17,8 @@ RUN apk --no-cache add \ WORKDIR ${GOPATH}/src/code.gitea.io/gitea +COPY Makefile . + # Fetch go dependencies COPY go.mod go.sum ./ RUN --mount=type=cache,target=/go/pkg/mod \ 
@@ -27,16 +29,33 @@ COPY package.json pnpm-lock.yaml ./ RUN --mount=type=cache,target=/root/.local/share/pnpm/store \ pnpm install --frozen-lockfile --prod -# Setup repo -COPY . ${GOPATH}/src/code.gitea.io/gitea +COPY ./webpack.config.ts tailwind.config.ts ./ +COPY ./assets ./assets +COPY ./public ./public +COPY ./web_src ./web_src + +RUN make frontend + +# Copy source files +COPY ./build ./build +COPY ./cmd ./cmd +COPY ./models ./models +COPY ./modules ./modules +COPY ./options ./options +COPY ./routers ./routers +COPY ./services ./services +COPY ./templates ./templates +COPY ./build.go . +COPY ./main.go . +COPY contrib/environment-to-ini/environment-to-ini.go contrib/environment-to-ini/environment-to-ini.go +COPY ./custom ./custom # Checkout version if set -RUN --mount=type=cache,target=/root/.local/share/pnpm/store \ - --mount=type=cache,target=/go/pkg/mod \ +RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target="/root/.cache/go-build" \ --mount=type=bind,source=".git",target="${GOPATH}/src/code.gitea.io/gitea/.git" \ if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \ - && make build + && make backend # Begin env-to-ini build RUN --mount=type=cache,target=/go/pkg/mod \ diff --git a/Dockerfile.rootless b/Dockerfile.rootless index 9b53d6c0b3..637c529abd 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -17,6 +17,8 @@ RUN apk --no-cache add \ WORKDIR ${GOPATH}/src/code.gitea.io/gitea +COPY Makefile . + # Fetch go dependencies COPY go.mod go.sum ./ RUN --mount=type=cache,target=/go/pkg/mod \ 
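Review bot: The explicit `COPY` list under `# Copy source files` has no comment saying that it must track the repository layout, so a new top-level source directory that is not added here will simply be missing from the build stage. I would add `# Keep in sync with the top-level source directories; anything not listed is absent from the build` above the list, and a short header such as `# Frontend sources` above the `COPY ./webpack.config.ts tailwind.config.ts ./` group to match the other commented sections. The same list is added to `Dockerfile.rootless` in the following hunks.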
@@ -27,16 +29,33 @@ COPY package.json pnpm-lock.yaml ./ RUN --mount=type=cache,target=/root/.local/share/pnpm/store \ pnpm install --frozen-lockfile --prod -# Setup repo -COPY . ${GOPATH}/src/code.gitea.io/gitea +COPY ./webpack.config.ts tailwind.config.ts ./ +COPY ./assets ./assets +COPY ./public ./public +COPY ./web_src ./web_src + +RUN make frontend + +# Copy source files +COPY ./build ./build +COPY ./cmd ./cmd +COPY ./models ./models +COPY ./modules ./modules +COPY ./options ./options +COPY ./routers ./routers +COPY ./services ./services +COPY ./templates ./templates +COPY ./build.go . +COPY ./main.go . +COPY contrib/environment-to-ini/environment-to-ini.go contrib/environment-to-ini/environment-to-ini.go +COPY ./custom ./custom # Checkout version if set -RUN --mount=type=cache,target=/root/.local/share/pnpm/store \ - --mount=type=cache,target=/go/pkg/mod \ +RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target="/root/.cache/go-build" \ --mount=type=bind,source=".git",target="${GOPATH}/src/code.gitea.io/gitea/.git" \ if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \ - && make build + && make backend # Begin env-to-ini build RUN --mount=type=cache,target=/go/pkg/mod \ From db78470cae79b666672f3f0823caec07cb5f69fa Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Sat, 18 Oct 2025 16:34:54 +0200 Subject: [PATCH 11/19] drop remote cache fully --- .github/workflows/pull-docker-dryrun.yml | 39 ++++------------------- .github/workflows/release-nightly.yml | 4 --- .github/workflows/release-tag-rc.yml | 2 -- .github/workflows/release-tag-version.yml | 2 -- 4 files changed, 6 insertions(+), 41 deletions(-) diff --git a/.github/workflows/pull-docker-dryrun.yml b/.github/workflows/pull-docker-dryrun.yml index 205fa4e87d..7c7227bae1 100644 --- a/.github/workflows/pull-docker-dryrun.yml +++ b/.github/workflows/pull-docker-dryrun.yml 
@@ -11,48 +11,21 @@ jobs: files-changed: uses: ./.github/workflows/files-changed.yml - regular: + contianer: if: needs.files-changed.outputs.docker == 'true' || needs.files-changed.outputs.actions == 'true' needs: files-changed runs-on: ubuntu-latest steps: - - name: Get cleaned branch name - id: clean_name - run: | - # if main then say nightly otherwise cleanup name - if [ "${{ github.base_ref }}" = "refs/heads/main" ]; then - echo "branch=nightly" >> "$GITHUB_OUTPUT" - exit 0 - fi - REF_NAME=$(echo "${{ github.base_ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//') - echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT" - uses: docker/setup-buildx-action@v3 - - uses: docker/build-push-action@v5 + - name: Build regular variant + uses: docker/build-push-action@v5 with: push: false tags: gitea/gitea:linux-amd64 platforms: linux/amd64,linux/arm64,linux/riscv64 - cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }} - - rootless: - if: needs.files-changed.outputs.docker == 'true' || needs.files-changed.outputs.actions == 'true' - needs: files-changed - runs-on: ubuntu-latest - steps: - - name: Get cleaned branch name - id: clean_name - run: | - # if main then say nightly otherwise cleanup name - if [ "${{ github.base_ref }}" = "refs/heads/main" ]; then - echo "branch=nightly" >> "$GITHUB_OUTPUT" - exit 0 - fi - REF_NAME=$(echo "${{ github.base_ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//') - echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT" - - uses: docker/setup-buildx-action@v3 - - uses: docker/build-push-action@v5 + - name: Build rootless variant + uses: docker/build-push-action@v5 with: push: false file: Dockerfile.rootless - tags: gitea/gitea:linux-amd64 - cache-from: type=registry,ref=gitea/gitea:buildcache-${{ steps.clean_name.outputs.branch }}-rootless + tags: gitea/gitea:linux-amd64,linux/arm64,linux/riscv64 
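Review bot: In the rootless step the value `tags: gitea/gitea:linux-amd64,linux/arm64,linux/riscv64` looks like the `platforms` list pasted onto the tag; `linux/arm64` and `linux/riscv64` are not image references, so the step would likely fail when the tags are parsed. It should read `tags: gitea/gitea:linux-amd64`, with a separate `platforms: linux/amd64,linux/arm64,linux/riscv64` if the rootless dry run is meant to cover the same platforms as the regular one. The new job key `contianer` is also misspelt (`container`).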
diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml index e6a2017068..2a9344c2b7 100644 --- a/.github/workflows/release-nightly.yml +++ b/.github/workflows/release-nightly.yml @@ -114,8 +114,6 @@ jobs: push: true tags: ${{ steps.meta_rootless.outputs.tags }} annotations: ${{ steps.meta_rootless.outputs.annotations }} - cache-to: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache,mode=max - cache-from: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache - name: build rootless docker image uses: docker/build-push-action@v5 with: @@ -125,5 +123,3 @@ jobs: file: Dockerfile.rootless tags: ${{ steps.meta_rootless.outputs.tags }} annotations: ${{ steps.meta_rootless.outputs.annotations }} - cache-to: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache,mode=max - cache-from: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache diff --git a/.github/workflows/release-tag-rc.yml b/.github/workflows/release-tag-rc.yml index 73551628b1..98a2950e3b 100644 --- a/.github/workflows/release-tag-rc.yml +++ b/.github/workflows/release-tag-rc.yml @@ -124,7 +124,6 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} annotations: ${{ steps.meta.outputs.annotations }} - cache-from: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache - name: build rootless container image uses: docker/build-push-action@v5 with: @@ -134,4 +133,3 @@ jobs: file: Dockerfile.rootless tags: ${{ steps.meta_rootless.outputs.tags }} annotations: ${{ steps.meta_rootless.outputs.annotations }} - cache-from: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache diff --git a/.github/workflows/release-tag-version.yml b/.github/workflows/release-tag-version.yml index eb16867150..58c95458ea 100644 --- a/.github/workflows/release-tag-version.yml +++ b/.github/workflows/release-tag-version.yml 
@@ -137,7 +137,6 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} annotations: ${{ steps.meta.outputs.annotations }} - cache-from: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache - name: build rootless container image uses: docker/build-push-action@v5 with: @@ -147,4 +146,3 @@ jobs: file: Dockerfile.rootless tags: ${{ steps.meta_rootless.outputs.tags }} annotations: ${{ steps.meta_rootless.outputs.annotations }} - cache-from: type=registry,ref=ghcr.io/thefox0x7/gitea-buildcache From 1c08d25c0397cb10a57c65c769908e38c06346b2 Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Sat, 18 Oct 2025 16:47:54 +0200 Subject: [PATCH 12/19] rename jobs --- .github/workflows/pull-docker-dryrun.yml | 2 +- .github/workflows/release-tag-rc.yml | 2 +- .github/workflows/release-tag-version.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pull-docker-dryrun.yml b/.github/workflows/pull-docker-dryrun.yml index 7c7227bae1..5206455741 100644 --- a/.github/workflows/pull-docker-dryrun.yml +++ b/.github/workflows/pull-docker-dryrun.yml @@ -11,7 +11,7 @@ jobs: files-changed: uses: ./.github/workflows/files-changed.yml - contianer: + container: if: needs.files-changed.outputs.docker == 'true' || needs.files-changed.outputs.actions == 'true' needs: files-changed runs-on: ubuntu-latest diff --git a/.github/workflows/release-tag-rc.yml b/.github/workflows/release-tag-rc.yml index 9f69495325..e0311abf77 100644 --- a/.github/workflows/release-tag-rc.yml +++ b/.github/workflows/release-tag-rc.yml @@ -66,7 +66,7 @@ jobs: gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --draft --notes-from-tag dist/release/* env: GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} - docker-rootful: + container: runs-on: namespace-profile-gitea-release-docker permissions: packages: write # to publish to ghcr.io diff --git a/.github/workflows/release-tag-version.yml b/.github/workflows/release-tag-version.yml index 42d48b38ae..f851a59243 100644 
--- a/.github/workflows/release-tag-version.yml +++ b/.github/workflows/release-tag-version.yml @@ -70,7 +70,7 @@ jobs: gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --notes-from-tag dist/release/* env: GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} - docker-rootful: + container: runs-on: namespace-profile-gitea-release-docker permissions: packages: write # to publish to ghcr.io From c8abefbfcac644e1a5e81981b1ecce9a3c3f1ab5 Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Sat, 18 Oct 2025 18:42:55 +0200 Subject: [PATCH 13/19] unify naming --- .github/workflows/pull-docker-dryrun.yml | 4 ++-- .github/workflows/release-nightly.yml | 6 +++--- .github/workflows/release-tag-rc.yml | 2 +- .github/workflows/release-tag-version.yml | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/pull-docker-dryrun.yml b/.github/workflows/pull-docker-dryrun.yml index 5206455741..13f9b6aa21 100644 --- a/.github/workflows/pull-docker-dryrun.yml +++ b/.github/workflows/pull-docker-dryrun.yml @@ -17,13 +17,13 @@ jobs: runs-on: ubuntu-latest steps: - uses: docker/setup-buildx-action@v3 - - name: Build regular variant + - name: Build regular container image uses: docker/build-push-action@v5 with: push: false tags: gitea/gitea:linux-amd64 platforms: linux/amd64,linux/arm64,linux/riscv64 - - name: Build rootless variant + - name: Build rootless container image uses: docker/build-push-action@v5 with: push: false diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml index fa35b1c83a..ada4c18d33 100644 --- a/.github/workflows/release-nightly.yml +++ b/.github/workflows/release-nightly.yml 
@@ -106,14 +106,14 @@ jobs: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: build rootful docker image + - name: build regular docker image uses: docker/build-push-action@v5 with: context: . platforms: linux/amd64,linux/arm64,linux/riscv64 push: true - tags: ${{ steps.meta_rootless.outputs.tags }} - annotations: ${{ steps.meta_rootless.outputs.annotations }} + tags: ${{ steps.meta.outputs.tags }} + annotations: ${{ steps.meta.outputs.annotations }} - name: build rootless docker image uses: docker/build-push-action@v5 with: diff --git a/.github/workflows/release-tag-rc.yml b/.github/workflows/release-tag-rc.yml index e0311abf77..5797947be5 100644 --- a/.github/workflows/release-tag-rc.yml +++ b/.github/workflows/release-tag-rc.yml @@ -116,7 +116,7 @@ jobs: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: build rootful container image + - name: build regular container image uses: docker/build-push-action@v5 with: context: . diff --git a/.github/workflows/release-tag-version.yml b/.github/workflows/release-tag-version.yml index f851a59243..2d1dea0865 100644 --- a/.github/workflows/release-tag-version.yml +++ b/.github/workflows/release-tag-version.yml @@ -129,7 +129,7 @@ jobs: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: build rootful container image + - name: build regular container image uses: docker/build-push-action@v5 with: context: . From 37cf5db22971c62193c09e001e45f02baaff971f Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Sat, 18 Oct 2025 19:28:41 +0200 Subject: [PATCH 14/19] add checkout so .git is avalible for bind drop platforms from dryrun --- .github/workflows/pull-docker-dryrun.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pull-docker-dryrun.yml b/.github/workflows/pull-docker-dryrun.yml index 13f9b6aa21..7da7e904d1 100644 
--- a/.github/workflows/pull-docker-dryrun.yml +++ b/.github/workflows/pull-docker-dryrun.yml @@ -16,16 +16,16 @@ jobs: needs: files-changed runs-on: ubuntu-latest steps: + - uses: actions/checkout@v5 - uses: docker/setup-buildx-action@v3 - name: Build regular container image uses: docker/build-push-action@v5 with: push: false tags: gitea/gitea:linux-amd64 - platforms: linux/amd64,linux/arm64,linux/riscv64 - name: Build rootless container image uses: docker/build-push-action@v5 with: push: false file: Dockerfile.rootless - tags: gitea/gitea:linux-amd64,linux/arm64,linux/riscv64 + tags: gitea/gitea:linux-amd64 From fe925c16a92e7483739ff3fe6df1b07932e603d3 Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Sat, 18 Oct 2025 19:29:54 +0200 Subject: [PATCH 15/19] fix bad merge choice --- .github/workflows/release-tag-rc.yml | 2 +- .github/workflows/release-tag-version.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-tag-rc.yml b/.github/workflows/release-tag-rc.yml index 5797947be5..35558933e0 100644 --- a/.github/workflows/release-tag-rc.yml +++ b/.github/workflows/release-tag-rc.yml @@ -71,7 +71,7 @@ jobs: permissions: packages: write # to publish to ghcr.io steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 # fetch all commits instead of only the last as some branches are long lived and could have many between versions # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567 - run: git fetch --unshallow --quiet --tags --force diff --git a/.github/workflows/release-tag-version.yml b/.github/workflows/release-tag-version.yml index 2d1dea0865..56426d3bc3 100644 --- a/.github/workflows/release-tag-version.yml +++ b/.github/workflows/release-tag-version.yml 
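Review bot: The added `actions/checkout@v5` step keeps its default of persisting the job token in `.git/config`, and this checkout exists so that the Dockerfile can bind-mount `.git` into the build `RUN` step. Everything that step executes can then read the token, so I would add `with:` and `persist-credentials: false` under the checkout; no later step in this job appears to need git credentials. The release workflows use the same checkout in a job with `packages: write`, where this matters more, though their `git fetch` step should be checked before changing them.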
@@ -75,7 +75,7 @@ jobs: permissions: packages: write # to publish to ghcr.io steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 # fetch all commits instead of only the last as some branches are long lived and could have many between versions # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567 - run: git fetch --unshallow --quiet --tags --force From 1218db2867d393a5ebb456452366ef05d765cda4 Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Sat, 18 Oct 2025 19:36:15 +0200 Subject: [PATCH 16/19] bypass dockers git context --- .github/workflows/pull-docker-dryrun.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pull-docker-dryrun.yml b/.github/workflows/pull-docker-dryrun.yml index 7da7e904d1..9c9dd2ffe6 100644 --- a/.github/workflows/pull-docker-dryrun.yml +++ b/.github/workflows/pull-docker-dryrun.yml @@ -21,11 +21,13 @@ jobs: - name: Build regular container image uses: docker/build-push-action@v5 with: + context: . push: false tags: gitea/gitea:linux-amd64 - name: Build rootless container image uses: docker/build-push-action@v5 with: + context: . push: false file: Dockerfile.rootless tags: gitea/gitea:linux-amd64 From 1aa245f372dc4a70e1d17d2c6234e97dc951fbf7 Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Thu, 23 Oct 2025 20:39:10 +0200 Subject: [PATCH 17/19] exclude git from container build It's not required and grows over time. Also exclude containerfiles from the copy so changes in them won't trigger layer invalidation if it's not needed --- .dockerignore | 3 ++- Dockerfile | 40 +++++----------------------------------- Dockerfile.rootless | 40 +++++----------------------------------- 3 files changed, 12 insertions(+), 71 deletions(-) diff --git a/.dockerignore b/.dockerignore index 8e0d6b3666..16a13794bf 100644 --- a/.dockerignore +++ b/.dockerignore 
@@ -74,7 +74,8 @@ cpu.out /VERSION /.air /.go-licenses - +Dockerfile +Dockerfile.rootless # Files and folders that were previously generated /public/assets/img/webpack diff --git a/Dockerfile b/Dockerfile index d069f8a4da..a8415e8a18 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,3 +1,4 @@ +# syntax=docker/dockerfile:1 # Build stage FROM docker.io/library/golang:1.25-alpine3.22 AS build-env @@ -16,46 +17,15 @@ RUN apk --no-cache add \ pnpm WORKDIR ${GOPATH}/src/code.gitea.io/gitea - -COPY Makefile . - -# Fetch go dependencies -COPY go.mod go.sum ./ -RUN --mount=type=cache,target=/go/pkg/mod \ - go mod download - -# Fetch pnpm dependencies -COPY package.json pnpm-lock.yaml ./ -RUN --mount=type=cache,target=/root/.local/share/pnpm/store \ - pnpm install --frozen-lockfile --prod - -COPY ./webpack.config.ts tailwind.config.ts ./ -COPY ./assets ./assets -COPY ./public ./public -COPY ./web_src ./web_src - -RUN make frontend - -# Copy source files -COPY ./build ./build -COPY ./cmd ./cmd -COPY ./models ./models -COPY ./modules ./modules -COPY ./options ./options -COPY ./routers ./routers -COPY ./services ./services -COPY ./templates ./templates -COPY ./build.go . -COPY ./main.go . -COPY contrib/environment-to-ini/environment-to-ini.go contrib/environment-to-ini/environment-to-ini.go -COPY ./custom ./custom +COPY --exclude=.git/ . . # Checkout version if set RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target="/root/.cache/go-build" \ - --mount=type=bind,source=".git",target="${GOPATH}/src/code.gitea.io/gitea/.git" \ + --mount=type=cache,target=/root/.local/share/pnpm/store \ + --mount=type=bind,source=".git/",target=".git/" \ if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \ - && make backend + && make # Begin env-to-ini build RUN --mount=type=cache,target=/go/pkg/mod \ diff --git a/Dockerfile.rootless b/Dockerfile.rootless index 637c529abd..2360c0741e 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless 
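Review bot: The rewritten mount `--mount=type=bind,source=".git/",target=".git/"` is read-only, as bind mounts are by default, yet the same `RUN` still calls `git checkout "${GITEA_VERSION}"`, which has to write `HEAD` and the index. With `GITEA_VERSION` set the step would therefore fail instead of building the requested version. Either append `,rw` to the mount (writes are discarded after the step) or drop the checkout and build whatever the context holds, which is what patch 18/19 does. The same applies to the `Dockerfile.rootless` hunk.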
@@ -1,3 +1,4 @@ +# syntax=docker/dockerfile:1 # Build stage FROM docker.io/library/golang:1.25-alpine3.22 AS build-env @@ -16,46 +17,15 @@ RUN apk --no-cache add \ pnpm WORKDIR ${GOPATH}/src/code.gitea.io/gitea - -COPY Makefile . - -# Fetch go dependencies -COPY go.mod go.sum ./ -RUN --mount=type=cache,target=/go/pkg/mod \ - go mod download - -# Fetch pnpm dependencies -COPY package.json pnpm-lock.yaml ./ -RUN --mount=type=cache,target=/root/.local/share/pnpm/store \ - pnpm install --frozen-lockfile --prod - -COPY ./webpack.config.ts tailwind.config.ts ./ -COPY ./assets ./assets -COPY ./public ./public -COPY ./web_src ./web_src - -RUN make frontend - -# Copy source files -COPY ./build ./build -COPY ./cmd ./cmd -COPY ./models ./models -COPY ./modules ./modules -COPY ./options ./options -COPY ./routers ./routers -COPY ./services ./services -COPY ./templates ./templates -COPY ./build.go . -COPY ./main.go . -COPY contrib/environment-to-ini/environment-to-ini.go contrib/environment-to-ini/environment-to-ini.go -COPY ./custom ./custom +COPY --exclude=.git/ . . # Checkout version if set RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target="/root/.cache/go-build" \ - --mount=type=bind,source=".git",target="${GOPATH}/src/code.gitea.io/gitea/.git" \ + --mount=type=cache,target=/root/.local/share/pnpm/store \ + --mount=type=bind,source=".git/",target=".git/" \ if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \ - && make backend + && make # Begin env-to-ini build RUN --mount=type=cache,target=/go/pkg/mod \ From 449d2b4c7e7197d1ecafc928c2fcf494fa2a71c8 Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Wed, 29 Oct 2025 19:06:48 +0100 Subject: [PATCH 18/19] remove checkout from container --- Dockerfile | 5 ++--- Dockerfile.rootless | 6 ++---- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index d093aed46f..31959d42c2 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -19,13 +19,12 @@ RUN apk --no-cache add \ WORKDIR ${GOPATH}/src/code.gitea.io/gitea COPY --exclude=.git/ . . -# Checkout version if set +# Build gitea, .git mount is required for version data RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target="/root/.cache/go-build" \ --mount=type=cache,target=/root/.local/share/pnpm/store \ --mount=type=bind,source=".git/",target=".git/" \ - if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \ - && make + make FROM docker.io/library/alpine:3.22 AS gitea diff --git a/Dockerfile.rootless b/Dockerfile.rootless index 4b806c776c..ec9a91d611 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -19,14 +19,12 @@ RUN apk --no-cache add \ WORKDIR ${GOPATH}/src/code.gitea.io/gitea COPY --exclude=.git/ . . -# Checkout version if set +# Build gitea, .git mount is required for version data RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target="/root/.cache/go-build" \ --mount=type=cache,target=/root/.local/share/pnpm/store \ --mount=type=bind,source=".git/",target=".git/" \ - if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \ - && make - + make FROM docker.io/library/alpine:3.22 AS gitea-rootless From 1d5345d029dde42e0508c3ad5a6279e1bfe9827d Mon Sep 17 00:00:00 2001 From: TheFox0x7 Date: Wed, 29 Oct 2025 23:08:39 +0100 Subject: [PATCH 19/19] restore chmod for windows based builds --- .dockerignore | 1 + Dockerfile | 12 +++++++++++- Dockerfile.rootless | 8 +++++++- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/.dockerignore b/.dockerignore index 16a13794bf..944b62eb98 100644 --- a/.dockerignore +++ b/.dockerignore @@ -76,6 +76,7 @@ cpu.out /.go-licenses Dockerfile Dockerfile.rootless + # Files and folders that were previously generated /public/assets/img/webpack diff --git a/Dockerfile b/Dockerfile index 31959d42c2..774084ba82 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -26,6 +26,16 @@ RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=bind,source=".git/",target=".git/" \ make +COPY docker/root /tmp/local + +# Set permissions for builds that made under windows which strips the executable bit from file +RUN chmod 755 /tmp/local/usr/bin/entrypoint \ + /tmp/local/usr/local/bin/* \ + /tmp/local/etc/s6/gitea/* \ + /tmp/local/etc/s6/openssh/* \ + /tmp/local/etc/s6/.s6-svscan/* \ + /go/src/code.gitea.io/gitea/gitea + FROM docker.io/library/alpine:3.22 AS gitea EXPOSE 22 3000 @@ -55,7 +65,7 @@ RUN addgroup \ git && \ echo "git:*" | chpasswd -e -COPY docker/root / +COPY --from=build-env /tmp/local / COPY --chmod=755 --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea ENV USER=git diff --git a/Dockerfile.rootless b/Dockerfile.rootless index ec9a91d611..d709d99b59 100644 --- a/Dockerfile.rootless +++ b/Dockerfile.rootless @@ -26,6 +26,12 @@ RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=bind,source=".git/",target=".git/" \ make +COPY docker/rootless /tmp/local + +# Set permissions for builds that made under windows which strips the executable bit from file +RUN chmod 755 /tmp/local/usr/local/bin/* \ + /go/src/code.gitea.io/gitea/gitea + FROM docker.io/library/alpine:3.22 AS gitea-rootless EXPOSE 2222 3000 @@ -54,7 +60,7 @@ RUN addgroup \ RUN mkdir -p /var/lib/gitea /etc/gitea RUN chown git:git /var/lib/gitea /etc/gitea -COPY docker/rootless / +COPY --from=build-env /tmp/local / COPY --from=build-env --chmod=755 --chown=root:root /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea # git:git
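Review bot: The comment added above the `chmod` is hard to read ("builds that made under windows which strips"); I would word it as `# Restore the executable bit, which is lost when the build context comes from a Windows checkout`. The last path in that `RUN`, `/go/src/code.gitea.io/gitea/gitea`, is also copied with `COPY --chmod=755 --from=build-env …` in the final stage, so the chmod on it is redundant and could be dropped from the list. Both points apply to the `Dockerfile.rootless` hunks as well.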