Merge pull request 'feat(ci): refactor pipelines — hadolint, PR checks, tag releases, nightly rebuild' (#12) from feat/ci-refactor into master

Reviewed-on: #12

.gitea/workflows/cron.yaml

@@ -0,0 +1,45 @@
+name: Nightly Rebuild
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  hadolint:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        with:
+          dockerfile: Dockerfile
+
+  build-push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          fetch-depth: 0
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93b0d3df5 # v4
+      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - id: get-latest-tag
+        run: |
+          TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+      - id: meta
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        with:
+          images: jcabillot/calibre
+          tags: |
+            type=raw,value=latest
+            type=raw,value=${{ steps.get-latest-tag.outputs.tag }},enable=${{ steps.get-latest-tag.outputs.tag != '' }}
+      - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          pull: true

.gitea/workflows/docker-build.yaml

@@ -1,46 +0,0 @@
-name: Docker Build and Push
-
-on:
-  pull_request:
-    branches: [master]
-  push:
-    branches: [master]
-  schedule:
-    - cron: '0 0 * * *'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
-
-      - name: Login to Docker Hub
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v4
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Docker metadata
-        id: meta
-        uses: docker/metadata-action@v6
-        with:
-          images: jcabillot/calibre
-          tags: |
-            #type=ref,event=branch
-            #type=ref,event=pr
-            #type=sha
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
-
-      - name: Build and push
-        uses: docker/build-push-action@v7
-        with:
-          context: .
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          pull: true

.gitea/workflows/main.yaml

@@ -0,0 +1,63 @@
+name: Main Release
+
+on:
+  push:
+    branches: [master]
+
+jobs:
+  hadolint:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        with:
+          dockerfile: Dockerfile
+
+  build-push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93b0d3df5 # v4
+      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - id: meta
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        with:
+          images: jcabillot/calibre
+          tags: |
+            type=raw,value=latest
+      - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          pull: true
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93b0d3df5 # v4
+      - run: docker build -t ci-image:${{ github.sha }} .
+      - run: bash tests/test.sh ci-image:${{ github.sha }}
+
+  tag:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          fetch-depth: 0
+      - name: Configure git auth
+        run: |
+          git remote set-url origin "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@scm.cabillot.eu/perso/calibre.git"
+      - uses: anothrNick/github-tag-action@4ed44965e0dbdab2b466a16da04aec3cc312fd8 # v1.75.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEFAULT_BUMP: patch
+          RELEASE_BRANCHES: master
+          WITH_V: true
+          GIT_API_TAGGING: false

.gitea/workflows/pr.yaml

@@ -0,0 +1,23 @@
+name: PR Checks
+
+on:
+  pull_request:
+    branches: [master]
+
+jobs:
+  hadolint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        continue-on-error: true
+        with:
+          dockerfile: Dockerfile
+
+  build-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      - run: docker build -t ci-image:${{ github.sha }} .
+      - run: bash tests/test.sh ci-image:${{ github.sha }}

.gitea/workflows/tag.yaml

@@ -0,0 +1,38 @@
+name: Tag Release
+
+on:
+  push:
+    tags: ['*']
+
+jobs:
+  hadolint:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        with:
+          dockerfile: Dockerfile
+
+  build-push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93b0d3df5 # v4
+      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - id: meta
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        with:
+          images: jcabillot/calibre
+          tags: |
+            type=ref,event=tag
+      - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          pull: true

.gitlab-ci.yml

@@ -1,36 +0,0 @@
-image: "docker:latest"
-
-services:
-  - "docker:dind"
-
-before_script:
-  - "docker login -u \"$CI_REGISTRY_USER\" -p \"$CI_REGISTRY_PASSWORD\" $CI_REGISTRY"
-
-build-master:
-  stage: "build"
-  script:
-    - "docker build --pull -t \"$CI_REGISTRY_IMAGE\" ."
-    - "docker push \"$CI_REGISTRY_IMAGE\""
-  only:
-    - "master"
-
-build:
-  stage: "build"
-  script:
-    - "docker build --pull -t \"$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG\" ."
-    - "docker push \"$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG\""
-  except:
-    - "master"
-
-deploy-dockerhub:
-  stage: "deploy"
-  before_script:
-    - "docker login -u \"$DOCKERHUB_USER\" -p \"$DOCKERHUB_PASSWORD\""
-    - "docker login -u \"$CI_REGISTRY_USER\" -p \"$CI_REGISTRY_PASSWORD\" $CI_REGISTRY"
-  script:
-    - "docker pull \"$CI_REGISTRY_IMAGE\""
-    - "docker tag \"$CI_REGISTRY_IMAGE\" \"$DOCKERHUB_USER/$DOCKERHUB_PROJECT\""
-    - "docker push \"$DOCKERHUB_USER/$DOCKERHUB_PROJECT\""
-  only:
-    - "master"
-

Dockerfile

@@ -1,17 +1,13 @@
-FROM "ubuntu:18.04"
+FROM ubuntu:26.04
 # Il n'est pas possible d'utiliser alpine,
 # cela pose problème avec le script de post-install qui dépends vraiment de glibc.
 # Il faudrait alors partir sur une full recompilation de calibre (sans certitudes sur le bon fonctionnement).
 LABEL maintainer="Julien Cabillot <dockerimages@cabillot.eu>"
 
 RUN export DEBIAN_FRONTEND="noninteractive" && \
-    export BUILD_PACKAGES="wget xz-utils" && \
-    export RUNTIME_PACKAGES="python xvfb libfontconfig libxrender1 libxcomposite1" && \
     apt-get -qq update && \
-    apt-get -qq --yes install ${BUILD_PACKAGES} ${RUNTIME_PACKAGES} && \
+    apt-get -qq --yes install python3 xvfb libfontconfig1 libxrender1 libxcomposite1 libegl1 libopengl0 libxcb-cursor0 calibre && \
-    wget -nv -O- https://download.calibre-ebook.com/linux-installer.py | python -c "import sys; main=lambda:sys.stderr.write('Download failed\n'); exec(sys.stdin.read()); main()" && \
+    ln -sf /usr/bin/python3 /usr/bin/python && \
-    apt-get -qq --yes remove --purge ${BUILD_PACKAGES} && \
-    apt-get -qq --yes autoremove --purge && \
     apt-get -qq --yes clean all && \
     rm -rf "/usr/share/doc/"* \
            "/usr/src/"* \

Jenkinsfile

@@ -1,38 +0,0 @@
-pipeline {
-  environment {
-    registry = 'https://registry.hub.docker.com'
-    registryCredential = 'dockerhub_jcabillot'
-    dockerImage = 'jcabillot/calibre'
-  }
-
-  agent any
-
-  triggers {
-    cron('@midnight')
-  }
-
-  stages {
-    stage('Clone repository') {
-      steps{
-        checkout scm
-      }
-    }
-
-    stage('Build image') {
-      steps{
-        sh 'docker build --force-rm=true --no-cache=true --pull -t ${dockerImage} .'
-      }
-    }
-
-    stage('Deploy Image') {
-      steps{
-        script {
-          withCredentials([usernamePassword(credentialsId: 'dockerhub_jcabillot', usernameVariable: 'DOCKER_USER', passwordVariable: 'DOCKER_PASS')]) {
-            sh 'docker login --username ${DOCKER_USER} --password ${DOCKER_PASS}'
-            sh 'docker push ${dockerImage}'
-          }
-        }
-      }
-    }
-  }
-}

renovate.json

@@ -0,0 +1,17 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "gitlabci": {
+    "enabled": true
+  },
+  "customManagers": [
+    {
+      "customType": "regex",
+      "description": "Track Tini version from ENV-based ADD download URL",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": ["TINI_VERSION\\s+\"(?<currentValue>[^\"]+)\""],
+      "depNameTemplate": "krallin/tini",
+      "datasourceTemplate": "github-releases",
+      "versioningTemplate": "semver"
+    }
+  ]
+}

tests/test.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+set -euo pipefail
+
+IMAGE="$1"
+FAILED=0
+PASSED=0
+
+assert_eq() {
+  local desc="$1" expected="$2" actual="$3"
+  if [ "$expected" = "$actual" ]; then
+    echo "PASS: $desc"
+    PASSED=$((PASSED + 1))
+  else
+    echo "FAIL: $desc (expected $expected, got $actual)"
+    FAILED=$((FAILED + 1))
+  fi
+}
+
+TMPDIR="$(mktemp -d)"
+trap 'rm -rf "$TMPDIR"' EXIT
+
+docker run --rm "$IMAGE" calibre --version > "$TMPDIR/output" 2>&1 && RC=0 || RC=$?
+assert_eq "calibre --version exits cleanly" "0" "$RC"
+
+if [ -s "$TMPDIR/output" ]; then
+  echo "PASS: calibre --version produces output"
+  PASSED=$((PASSED + 1))
+else
+  echo "FAIL: calibre --version produces no output"
+  FAILED=$((FAILED + 1))
+fi
+
+echo ""
+echo "$PASSED/$((PASSED + FAILED)) tests passed"
+if [ "$FAILED" -gt 0 ]; then
+  exit 1
+fi