jv
/
my-homelab-configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove non-Gitea Actions guardrails
Homelab Main / deploy (push) Failing after 2s Details

This commit is contained in:
juvdiaz 2026-05-27 14:21:58 -06:00
parent e59e3258fc
commit 041e607fed
2 changed files with 8 additions and 137 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

131
.gitea/workflows/homelab-main.yml
View File

@ -6,7 +6,7 @@ name: Homelab Main
- main - main
jobs: jobs:
validate-and-deploy: deploy:
runs-on: homelab-debian runs-on: homelab-debian
steps: steps:
@ -21,132 +21,6 @@ jobs:
git checkout --force "${{ gitea.sha }}" git checkout --force "${{ gitea.sha }}"
git config --global --add safe.directory "$PWD" git config --global --add safe.directory "$PWD"
- name: Verify Debian runner guardrails
run: |
set -euo pipefail
test "$(uname -s)" = "Linux"
. /etc/os-release
test "${ID}" = "debian"
sudo -n true
- name: Scan for leaked secrets with Gitleaks
run: |
set -euo pipefail
gitleaks_version="8.30.1"
case "$(uname -m)" in
x86_64|amd64)
gitleaks_platform="linux_x64"
gitleaks_sha256="551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb"
;;
aarch64|arm64)
gitleaks_platform="linux_arm64"
gitleaks_sha256="e4a487ee7ccd7d3a7f7ec08657610aa3606637dab924210b3aee62570fb4b080"
;;
*)
echo "Unsupported runner architecture: $(uname -m)" >&2
exit 1
;;
esac
tool_dir="${HOME}/.cache/homelab-tools/gitleaks/${gitleaks_version}/${gitleaks_platform}"
gitleaks_bin="${tool_dir}/gitleaks"
if [[ ! -x "${gitleaks_bin}" ]] || [[ "$("${gitleaks_bin}" version)" != "${gitleaks_version}" ]]; then
archive="gitleaks_${gitleaks_version}_${gitleaks_platform}.tar.gz"
tmpdir="$(mktemp -d)"
trap 'rm -rf "${tmpdir}"' EXIT
curl -fsSL -o "${tmpdir}/${archive}" \
"https://github.com/gitleaks/gitleaks/releases/download/v${gitleaks_version}/${archive}"
printf '%s %s\n' "${gitleaks_sha256}" "${tmpdir}/${archive}" | sha256sum -c -
mkdir -p "${tool_dir}"
tar -xzf "${tmpdir}/${archive}" -C "${tmpdir}" gitleaks
install -m 0755 "${tmpdir}/gitleaks" "${gitleaks_bin}"
fi
"${gitleaks_bin}" git --redact=100 --verbose --exit-code 1 .
- name: Scan for vulnerabilities and misconfigurations with Trivy
run: |
set -euo pipefail
trivy_version="0.70.0"
case "$(uname -m)" in
x86_64|amd64)
trivy_platform="Linux-64bit"
trivy_sha256="8b4376d5d6befe5c24d503f10ff136d9e0c49f9127a4279fd110b727929a5aa9"
;;
aarch64|arm64)
trivy_platform="Linux-ARM64"
trivy_sha256="2f6bb988b553a1bbac6bdd1ce890f5e412439564e17522b88a4541b4f364fc8d"
;;
*)
echo "Unsupported runner architecture: $(uname -m)" >&2
exit 1
;;
esac
tool_dir="${HOME}/.cache/homelab-tools/trivy/${trivy_version}/${trivy_platform}"
trivy_bin="${tool_dir}/trivy"
installed_version=""
if [[ -x "${trivy_bin}" ]]; then
installed_version="$("${trivy_bin}" --version | awk '/^Version:/ {print $2; exit}')"
fi
if [[ "${installed_version}" != "${trivy_version}" ]]; then
archive="trivy_${trivy_version}_${trivy_platform}.tar.gz"
tmpdir="$(mktemp -d)"
trap 'rm -rf "${tmpdir}"' EXIT
curl -fsSL -o "${tmpdir}/${archive}" \
"https://github.com/aquasecurity/trivy/releases/download/v${trivy_version}/${archive}"
printf '%s %s\n' "${trivy_sha256}" "${tmpdir}/${archive}" | sha256sum -c -
mkdir -p "${tool_dir}"
tar -xzf "${tmpdir}/${archive}" -C "${tmpdir}" trivy
install -m 0755 "${tmpdir}/trivy" "${trivy_bin}"
fi
trivy_cache="${HOME}/.cache/homelab-tools/trivy/cache"
trivy_docker_config="${HOME}/.cache/homelab-tools/trivy/docker-config"
mkdir -p "${trivy_cache}" "${trivy_docker_config}"
printf '{}\n' > "${trivy_docker_config}/config.json"
export DOCKER_CONFIG="${trivy_docker_config}"
trivy_ignore_args=()
if [[ -f .trivyignore.yaml ]]; then
trivy_ignore_args=(--ignorefile .trivyignore.yaml)
fi
"${trivy_bin}" fs --scanners vuln,misconfig --severity HIGH,CRITICAL \
--exit-code 0 --no-progress --cache-dir "${trivy_cache}" "${trivy_ignore_args[@]}" .
"${trivy_bin}" fs --scanners vuln,misconfig --severity CRITICAL \
--exit-code 1 --no-progress --cache-dir "${trivy_cache}" "${trivy_ignore_args[@]}" .
- name: Validate shell, Kubernetes manifests, and OpenTofu stacks
run: |
set -euo pipefail
bash -n lab.sh
docker compose -f infra/gitea/docker-compose.yml config >/dev/null
kubectl --kubeconfig "${KUBECONFIG:-/home/jv/.kube/config}" apply --dry-run=server --recursive -f apps
set +e
kubectl --kubeconfig "${KUBECONFIG:-/home/jv/.kube/config}" diff --recursive -f apps
diff_status="$?"
set -e
if (( diff_status > 1 )); then
exit "${diff_status}"
fi
for stack in bootstrap/provisioning bootstrap/cluster bootstrap/platform bootstrap/apps bootstrap/edge; do
tofu -chdir="${stack}" init -input=false
tofu -chdir="${stack}" fmt -check
tofu -chdir="${stack}" validate
done
- name: Block automatic deploy for Raspberry Pi Gitea changes - name: Block automatic deploy for Raspberry Pi Gitea changes
run: | run: |
set -euo pipefail set -euo pipefail
@ -245,7 +119,7 @@ jobs:
exit 1 exit 1
fi fi
- name: Deploy validated main branch - name: Deploy main branch
run: | run: |
set -euo pipefail set -euo pipefail
@ -264,4 +138,3 @@ jobs:
git -C "${deploy_dir}" push local-bootstrap HEAD:main git -C "${deploy_dir}" push local-bootstrap HEAD:main
"${deploy_dir}/lab.sh" apps "${deploy_dir}/lab.sh" apps
kubectl --kubeconfig "${KUBECONFIG:-/home/jv/.kube/config}" -n argocd get applications

14
README.md
View File

@ -355,7 +355,7 @@ The Debian bare repo remains the GitOps mirror:
``` ```
Argo CD consumes that Debian mirror through the default `gitops_repo_url`. Argo CD consumes that Debian mirror through the default `gitops_repo_url`.
Gitea Actions pushes the validated `main` commit into the mirror before running Gitea Actions pushes the `main` commit into the mirror before running
`./lab.sh apps`. `./lab.sh apps`.
Deploy or refresh the external Gitea container from the Debian host with: Deploy or refresh the external Gitea container from the Debian host with:
@ -406,12 +406,10 @@ This repo includes a Gitea Actions workflow at
`.gitea/workflows/homelab-main.yml`. It runs only on pushes to `main` and targets `.gitea/workflows/homelab-main.yml`. It runs only on pushes to `main` and targets
a repository-scoped Debian host runner with the label `homelab-debian`. a repository-scoped Debian host runner with the label `homelab-debian`.
The workflow validates shell syntax, Kubernetes manifests, and all OpenTofu The workflow only blocks automatic deploy for Raspberry Pi Gitea service
stacks before deployment. Automatic deploy is blocked only for Raspberry Pi changes: files under `infra/gitea/`, or edits inside the `deploy_gitea`,
Gitea service changes: files under `infra/gitea/`, or edits inside the `install_gitea_backup_timer`, `backup_gitea`, or `drill_gitea_restore`
`deploy_gitea`, `install_gitea_backup_timer`, `backup_gitea`, or functions in `lab.sh`. Other changes proceed directly to `./lab.sh apps`.
`drill_gitea_restore` functions in `lab.sh`. Other changes proceed to
`./lab.sh apps` after validation passes.
`./lab.sh bootstrap-gitea-repo` also registers the Debian host SSH public key `./lab.sh bootstrap-gitea-repo` also registers the Debian host SSH public key
with the Gitea repository and switches the Debian working copy's `gitea` remote with the Gitea repository and switches the Debian working copy's `gitea` remote
@ -440,7 +438,7 @@ uses a host label instead of a Docker job container because deployment needs the
Debian host's Docker, OpenTofu, kubeconfig, SSH keys, and local state. Debian host's Docker, OpenTofu, kubeconfig, SSH keys, and local state.
The deployment job is non-interactive. User `jv` must be able to run `sudo -n The deployment job is non-interactive. User `jv` must be able to run `sudo -n
true` on the Debian host or the workflow will fail before deployment. true` on the Debian host for deployment commands that require sudo.
Useful checks: Useful checks: