Merge pull request 'feat(ci): refactor pipelines — hadolint, PR checks, tag releases, nightly rebuild' (#10) from fix/refactor-ci-pipelines into master

Reviewed-on: #10

.gitea/workflows/cron.yaml

@@ -0,0 +1,60 @@
+name: Nightly Rebuild
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Build image
+        run: docker build -t ci-image:${{ github.sha }} .
+      - name: Save image
+        run: docker save ci-image:${{ github.sha }} > image.tar
+      - name: Upload artifact
+        uses: ChristopherHX/gitea-upload-artifact@62ac910c5d3dfa85c7cb2df15afe2e342b2407c2 # main
+        with:
+          name: docker-image
+          path: image.tar
+
+  test:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Download artifact
+        uses: ChristopherHX/gitea-download-artifact@75635f32b4c1c41c4b3d64e8f85210112ed4c9c7 # main
+        with:
+          name: docker-image
+      - name: Load image
+        run: docker load < image.tar
+      - name: Run tests
+        run: bash tests/test.sh ci-image:${{ github.sha }}
+
+  push:
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+      - name: Download artifact
+        uses: ChristopherHX/gitea-download-artifact@75635f32b4c1c41c4b3d64e8f85210112ed4c9c7 # main
+        with:
+          name: docker-image
+      - name: Load image
+        run: docker load < image.tar
+      - name: Login to Docker Hub
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Tag and push latest
+        run: |
+          docker tag ci-image:${{ github.sha }} jcabillot/crond:latest
+          docker push jcabillot/crond:latest

.gitea/workflows/docker-build.yaml

@@ -1,46 +0,0 @@
-name: Docker Build and Push
-
-on:
-  pull_request:
-    branches: [master]
-  push:
-    branches: [master]
-  schedule:
-    - cron: '0 0 * * *'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
-
-      - name: Login to Docker Hub
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v4
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Docker metadata
-        id: meta
-        uses: docker/metadata-action@v6
-        with:
-          images: jcabillot/crond
-          tags: |
-            #type=ref,event=branch
-            #type=ref,event=pr
-            #type=sha
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
-
-      - name: Build and push
-        uses: docker/build-push-action@v7
-        with:
-          context: .
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          pull: true

.gitea/workflows/main.yaml

@@ -0,0 +1,80 @@
+name: Main Branch
+
+on:
+  push:
+    branches: [master]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Hadolint
+        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        continue-on-error: true
+
+  build:
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Build image
+        run: docker build -t ci-image:${{ github.sha }} .
+      - name: Save image
+        run: docker save ci-image:${{ github.sha }} > image.tar
+      - name: Upload artifact
+        uses: ChristopherHX/gitea-upload-artifact@62ac910c5d3dfa85c7cb2df15afe2e342b2407c2 # main
+        with:
+          name: docker-image
+          path: image.tar
+
+  test:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Download artifact
+        uses: ChristopherHX/gitea-download-artifact@75635f32b4c1c41c4b3d64e8f85210112ed4c9c7 # main
+        with:
+          name: docker-image
+      - name: Load image
+        run: docker load < image.tar
+      - name: Run tests
+        run: bash tests/test.sh ci-image:${{ github.sha }}
+
+  push:
+    runs-on: ubuntu-latest
+    needs: test
+    if: github.event_name != 'pull_request'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+      - name: Download artifact
+        uses: ChristopherHX/gitea-download-artifact@75635f32b4c1c41c4b3d64e8f85210112ed4c9c7 # main
+        with:
+          name: docker-image
+      - name: Load image
+        run: docker load < image.tar
+      - name: Login to Docker Hub
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Tag and push latest
+        run: |
+          docker tag ci-image:${{ github.sha }} jcabillot/crond:latest
+          docker push jcabillot/crond:latest
+      - name: Bump version and push tag
+        if: github.event_name == 'push'
+        uses: anothrNick/github-tag-action@4ed44965e0db8dab2b466a16da04aec3cc312fd8 # v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEFAULT_BUMP: patch
+          RELEASE_BRANCHES: master
+          WITH_V: true
+          GIT_API_TAGGING: false

.gitea/workflows/pr.yaml

@@ -0,0 +1,34 @@
+name: PR Checks
+
+on:
+  pull_request:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Hadolint
+        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        continue-on-error: true
+
+  build:
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Build image
+        run: docker build -t ci-image:${{ github.sha }} .
+
+  test:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Build image
+        run: docker build -t ci-image:${{ github.sha }} .
+      - name: Run tests
+        run: bash tests/test.sh ci-image:${{ github.sha }}

.gitea/workflows/tag.yaml

@@ -0,0 +1,65 @@
+name: Tag Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Build image
+        run: docker build -t ci-image:${{ github.sha }} .
+      - name: Save image
+        run: docker save ci-image:${{ github.sha }} > image.tar
+      - name: Upload artifact
+        uses: ChristopherHX/gitea-upload-artifact@62ac910c5d3dfa85c7cb2df15afe2e342b2407c2 # main
+        with:
+          name: docker-image
+          path: image.tar
+
+  test:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Download artifact
+        uses: ChristopherHX/gitea-download-artifact@75635f32b4c1c41c4b3d64e8f85210112ed4c9c7 # main
+        with:
+          name: docker-image
+      - name: Load image
+        run: docker load < image.tar
+      - name: Run tests
+        run: bash tests/test.sh ci-image:${{ github.sha }}
+
+  push:
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+      - name: Download artifact
+        uses: ChristopherHX/gitea-download-artifact@75635f32b4c1c41c4b3d64e8f85210112ed4c9c7 # main
+        with:
+          name: docker-image
+      - name: Load image
+        run: docker load < image.tar
+      - name: Login to Docker Hub
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Extract tag name
+        run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+      - name: Tag and push with version
+        run: |
+          docker tag ci-image:${{ github.sha }} jcabillot/crond:${{ env.TAG }}
+          docker tag ci-image:${{ github.sha }} jcabillot/crond:latest
+          docker push jcabillot/crond:${{ env.TAG }}
+          docker push jcabillot/crond:latest

Dockerfile

@@ -1,16 +1,16 @@
-FROM "alpine:3.23"
+FROM alpine:3.24
 LABEL maintainer="Julien Cabillot <dockerimages@cabillot.eu>"
 
-# Ce projet tourne en root, mais je ne voit pas encore comment l'en empecher.
+# Ce projet tourne en root, mais je ne vois pas encore comment l'en empecher.
 # Par défaut cron doit pouvoir changer de user pour lire chaque crontab.
-# En forcant un user comme guest, même avec un shell cela ne fonctionne pas.
+# En forçant un user comme guest, même avec un shell cela ne fonctionne pas.
 
+# hadolint ignore=DL3018
 RUN apk add --no-cache tini curl
 
 COPY "run.sh" "/"
 
 #ENTRYPOINT [ "/sbin/tini", "--" ]
 CMD [ "/run.sh" ]
-
+HEALTHCHECK --interval=10s \
-HEALTHCHECK --interval="10s" \
+    CMD pgrep crond || exit 1
-    CMD pgrep crond || exit 1

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "gitlabci": {
+    "enabled": false
+  }
+}

run.sh

@@ -2,5 +2,5 @@
 
 set -o pipefail -o nounset -o errexit
 
-echo "${crond_line}" > "/etc/crontabs/root"
+echo "${crond_line:-}" > "/etc/crontabs/root"
 crond -f -L /dev/stdout

tests/test.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+set -euo pipefail
+
+IMAGE="$1"
+FAILED=0
+PASSED=0
+
+TMPDIR="$(mktemp -d)"
+trap 'rm -rf "$TMPDIR"' EXIT
+CONTAINER_NAME="test-crond-$$"
+
+# Test 1: Container starts and crond is running
+docker run -d --name "$CONTAINER_NAME" "$IMAGE"
+sleep 4
+if [ "$(docker inspect "$CONTAINER_NAME" --format='{{.State.Running}}')" != "true" ]; then
+  echo "FAIL: container exited prematurely"
+  echo "=== Container logs ==="
+  docker logs "$CONTAINER_NAME" 2>&1 || true
+  FAILED=$((FAILED + 1))
+elif docker exec "$CONTAINER_NAME" pgrep crond > /dev/null 2>&1; then
+  echo "PASS: crond is running"
+  PASSED=$((PASSED + 1))
+else
+  echo "FAIL: crond is not running"
+  FAILED=$((FAILED + 1))
+fi
+
+docker rm -f "$CONTAINER_NAME" > /dev/null 2>&1 || true
+
+echo ""
+echo "$PASSED/$((PASSED + FAILED)) tests passed"
+if [ "$FAILED" -gt 0 ]; then
+  exit 1
+fi