CI: tests obligatoires avant push, abandon du tag :latest sur master

Merge pull request 'CI: tests obligatoires avant push, abandon du tag :latest sur master' (#14 ) from fix/workflow-test-before-push into master
Reviewed-on: #14
2026-06-13 18:38:15 +00:00 · 2026-06-13 14:28:56 -04:00 · 2026-06-13 14:25:55 -04:00 · 2026-06-13 14:25:53 -04:00 · 2026-06-13 14:25:50 -04:00 · 2026-06-13 14:13:57 -04:00
8 changed files with 199 additions and 49 deletions
@@ -0,0 +1,49 @@
+name: Nightly Rebuild
+on:
+  schedule:
+    - cron: '0 0 * * *'
+jobs:
+  hadolint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        continue-on-error: true
+        with:
+          dockerfile: Dockerfile
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      - run: docker build -t ci-image:${{ github.sha }} .
+      - run: bash tests/test.sh ci-image:${{ github.sha }}
+  build-push:
+    needs: [test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          fetch-depth: 0
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - id: get-latest-tag
+        run: |
+          TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+      - id: meta
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        with:
+          images: jcabillot/offlineimap
+          tags: |
+            type=raw,value=${{ steps.get-latest-tag.outputs.tag }}-latest,enable=${{ steps.get-latest-tag.outputs.tag != '' }}
+      - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          pull: true
@@ -1,46 +0,0 @@
-name: Docker Build and Push
-
-on:
-  pull_request:
-    branches: [master]
-  push:
-    branches: [master]
-  schedule:
-    - cron: '0 0 * * *'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
-
-      - name: Login to Docker Hub
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v4
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Docker metadata
-        id: meta
-        uses: docker/metadata-action@v6
-        with:
-          images: jcabillot/offlineimap
-          tags: |
-            #type=ref,event=branch
-            #type=ref,event=pr
-            #type=sha
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
-
-      - name: Build and push
-        uses: docker/build-push-action@v7
-        with:
-          context: .
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          pull: true
@@ -0,0 +1,44 @@
+name: Main Release
+on:
+  push:
+    branches: [master]
+jobs:
+  hadolint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        continue-on-error: true
+        with:
+          dockerfile: Dockerfile
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      - run: docker build -t ci-image:${{ github.sha }} .
+      - run: bash tests/test.sh ci-image:${{ github.sha }}
+  build:
+    needs: [test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      - run: docker build -t jcabillot/offlineimap:${{ github.sha }} .
+  tag:
+    needs: [build]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          fetch-depth: 0
+      - name: Configure git auth
+        run: |
+          git remote set-url origin "https://x-access-token:${{ secrets.SA_TOKEN_ACTION_PUSH_TAGS }}@scm.cabillot.eu/perso/offlineimap.git"
+      - uses: anothrNick/github-tag-action@4ed44965e0db8dab2b466a16da04aec3cc312fd8 # v1.75.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.SA_TOKEN_ACTION_PUSH_TAGS }}
+          DEFAULT_BUMP: patch
+          RELEASE_BRANCHES: master
+          WITH_V: true
+          GIT_API_TAGGING: false
@@ -0,0 +1,20 @@
+name: PR Checks
+on:
+  pull_request:
+    branches: [master]
+jobs:
+  hadolint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        continue-on-error: true
+        with:
+          dockerfile: Dockerfile
+  build-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      - run: docker build -t ci-image:${{ github.sha }} .
+      - run: bash tests/test.sh ci-image:${{ github.sha }}
@@ -0,0 +1,44 @@
+name: Tag Release
+on:
+  push:
+    tags: ['*']
+jobs:
+  hadolint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        continue-on-error: true
+        with:
+          dockerfile: Dockerfile
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      - run: docker build -t ci-image:${{ github.sha }} .
+      - run: bash tests/test.sh ci-image:${{ github.sha }}
+  build-push:
+    needs: [test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - id: meta
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        with:
+          images: jcabillot/offlineimap
+          tags: |
+            type=ref,event=tag
+            type=ref,event=tag,suffix=-latest
+      - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          pull: true
@@ -1,4 +1,4 @@
-image: "docker:latest"
+image: docker:latest

 services:
  - "docker:dind"
@@ -1,9 +1,10 @@
-FROM "alpine:3.23"
+FROM alpine:3.23
 LABEL maintainer="Cabillot Julien <dockerimages@cabillot.eu>"

 COPY entrypoint.sh /entrypoint.sh
 COPY patch.py /tmp/patch.py

+# hadolint ignore=DL3018
 RUN apk add --no-cache offlineimap openssl && \
    adduser -D offlineimap && \
    # Force SECLEVEL=1 in imaplib2 to allow connecting to servers with weak DH keys (DH_KEY_TOO_SMALL)
@@ -15,7 +16,7 @@ RUN apk add --no-cache offlineimap openssl && \
 COPY --chown=offlineimap offlineimaprc.*.tmpl /home/offlineimap/

 # Add Tini
-#ENV "TINI_VERSION" "v0.16.1"
+ENV "TINI_VERSION" "v0.16.1"
 #ADD "https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini" "/tini"
 #RUN chmod +x "/tini"
 #ENTRYPOINT ["/tini", "--"]
@@ -0,0 +1,38 @@
+#!/bin/bash
+set -euo pipefail
+
+IMAGE="$1"
+FAILED=0
+PASSED=0
+
+TMPDIR="$(mktemp -d)"
+trap 'rm -rf "$TMPDIR"' EXIT
+
+assert_eq() {
+  local desc="$1" expected="$2" actual="$3"
+  if [ "$expected" = "$actual" ]; then
+    echo "PASS: $desc"
+    PASSED=$((PASSED + 1))
+  else
+    echo "FAIL: $desc (expected '$expected', got '$actual')"
+    FAILED=$((FAILED + 1))
+  fi
+}
+
+RC=0
+docker run --rm "$IMAGE" offlineimap --version > "$TMPDIR/output" 2>&1 || RC=$?
+assert_eq "Command exits cleanly" "0" "$RC"
+
+if [ -s "$TMPDIR/output" ]; then
+  echo "PASS: Command produces output"
+  PASSED=$((PASSED + 1))
+else
+  echo "FAIL: Command produces no output"
+  FAILED=$((FAILED + 1))
+fi
+
+echo ""
+echo "$PASSED/$((PASSED + FAILED)) tests passed"
+if [ "$FAILED" -gt 0 ]; then
+  exit 1
+fi
Author	SHA1	Message	Date
Sagent	a8eb823120	CI: tests obligatoires avant push, abandon du tag :latest sur master	2026-06-13 18:38:15 +00:00
jcabillot	7d37ef7bcb	Merge pull request 'CI: tests obligatoires avant push, abandon du tag :latest sur master' (#14 ) from fix/workflow-test-before-push into master Reviewed-on: #14	2026-06-13 14:28:56 -04:00
cloudix_mcp_server	88cac8d90c	tag: add test job before build-push PR Checks / hadolint (pull_request) Successful in 7s Details PR Checks / build-test (pull_request) Successful in 13s Details - Add test job (build + run tests) - build-push now needs: [test] - Tests must pass before pushing tagged release to DockerHub	2026-06-13 14:25:55 -04:00
cloudix_mcp_server	ae49ab2f80	cron: add test job before build-push, remove :latest tag - Add test job (build + run tests) - build-push now needs: [test] - Remove type=raw,value=latest tag - Keep type=raw,value=$TAG-latest for the latest versioned tag	2026-06-13 14:25:53 -04:00
cloudix_mcp_server	ceb840bfe5	main: remove Docker push, keep only build+test+tag - Remove docker/login-action, docker/metadata-action, docker/build-push-action - Rename build-push to build (just docker build, no push) - Tag job now depends on build - Push to DockerHub is handled solely by tag.yaml now	2026-06-13 14:25:50 -04:00
jcabillot	2e9cb26503	Merge pull request 'tweak: tag strategy (stable + -latest) and sequential job deps on main' (#13 ) from tweak/tag-strategy-and-job-deps into master Main Release / hadolint (push) Successful in 6s Details Main Release / test (push) Successful in 12s Details Main Release / build-push (push) Successful in 36s Details Main Release / tag (push) Successful in 10s Details Tag Release / hadolint (push) Successful in 6s Details Tag Release / build-push (push) Successful in 36s Details Reviewed-on: #13	2026-06-13 14:13:57 -04:00
cloudix_mcp_server	0cf0060855	feat(main): sequential job deps — test → build-push → tag (mandatory) PR Checks / hadolint (pull_request) Successful in 6s Details PR Checks / build-test (pull_request) Successful in 12s Details	2026-06-13 14:12:37 -04:00
cloudix_mcp_server	58db03ad49	feat(cron): rebuild :vx.y.z-latest instead of :vx.y.z (stable stays at tag time)	2026-06-13 14:12:34 -04:00
cloudix_mcp_server	6acb8f0302	feat(tag): push both :vx.y.z and :vx.y.z-latest on tag event	2026-06-13 14:12:31 -04:00
jcabillot	a907089ed5	Merge pull request 'fix: correct anothrNick/github-tag-action checksum (d0→da)' (#12 ) from fix/github-tag-action-checksum into master Main Release / hadolint (push) Successful in 7s Details Main Release / tag (push) Successful in 9s Details Main Release / test (push) Successful in 13s Details Tag Release / hadolint (push) Successful in 8s Details Main Release / build-push (push) Successful in 38s Details Tag Release / build-push (push) Successful in 42s Details Reviewed-on: #12	2026-06-13 14:04:16 -04:00
cloudix_mcp_server	65f8e4b5f0	fix: correct anothrNick/github-tag-action SHA (d0→da, corrupted since PR #8 ) PR Checks / hadolint (pull_request) Successful in 6s Details PR Checks / build-test (pull_request) Successful in 11s Details Verified with git ls-remote: Tag 1.75.0 → 4ed44965e0db8dab2b466a16da04aec3cc312fd8 File had: 4ed44965e0db8dab2b466a16d04aec3cc312fd8 (wrong)	2026-06-13 14:02:48 -04:00
jcabillot	085b290a13	Merge pull request 'fix: correct docker/setup-buildx-action SHA (tag v4, 40 chars)' (#11 ) from fix/setup-buildx-checksum-v2 into master Main Release / tag (push) Failing after 2s Details Main Release / hadolint (push) Successful in 6s Details Main Release / test (push) Successful in 15s Details Main Release / build-push (push) Successful in 40s Details Reviewed-on: #11	2026-06-13 14:00:13 -04:00
cloudix_mcp_server	cc637ef241	fix: correct setup-buildx-action SHA (tag v4 is 40 chars, file had 42/45) PR Checks / hadolint (pull_request) Successful in 6s Details PR Checks / build-test (pull_request) Successful in 20s Details The SHA was corrupted since the original pipeline creation (PR #8). Verified with `git ls-remote` that the correct SHA is: d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5	2026-06-13 13:59:33 -04:00
jcabillot	828cc447e0	Merge pull request 'fix: restore correct docker/setup-buildx-action checksum' (#10 ) from fix/restore-setup-buildx-checksum into master Main Release / tag (push) Failing after 3s Details Main Release / hadolint (push) Successful in 6s Details Main Release / test (push) Failing after 24s Details Main Release / build-push (push) Failing after 25s Details Reviewed-on: #10	2026-06-13 13:55:00 -04:00
cloudix_mcp_server	fb3216a876	fix: restore correct setup-buildx-action checksum (was corrupted in PR #9 ) PR Checks / hadolint (pull_request) Successful in 6s Details PR Checks / build-test (pull_request) Successful in 21s Details	2026-06-13 13:54:08 -04:00
jcabillot	9312c89ee9	Merge pull request 'fix(ci): use PAT instead of GITHUB_TOKEN for tag push to trigger tag.yaml' (#9 ) from fix/use-pat-for-tag-push into master Main Release / hadolint (push) Successful in 5s Details Main Release / build-push (push) Failing after 2s Details Main Release / test (push) Failing after 2s Details Main Release / tag (push) Failing after 2s Details Reviewed-on: #9	2026-06-13 13:51:25 -04:00
cloudix_mcp_server	58eb7fa4fb	fix: restore correct action checksums (metadata-action + build-push-action) PR Checks / hadolint (pull_request) Successful in 6s Details PR Checks / build-test (pull_request) Successful in 12s Details	2026-06-13 13:50:51 -04:00
cloudix_mcp_server	b00c43ee2d	fix: DEFAULT_BULB → DEFAULT_BUMP (typo) PR Checks / hadolint (pull_request) Successful in 5s Details PR Checks / build-test (pull_request) Successful in 11s Details	2026-06-13 13:48:00 -04:00
cloudix_mcp_server	594550dc6d	fix(ci): use PAT instead of GITHUB_TOKEN for tag push to trigger tag.yaml workflow PR Checks / hadolint (pull_request) Successful in 6s Details PR Checks / build-test (pull_request) Successful in 12s Details GITHUB_TOKEN is the internal actions runner token — pushes made with it don't trigger new workflow runs (by design, prevents infinite loops). Using a real user PAT (SA_TOKEN_ACTION_PUSH_TAGS) makes the tag push trigger the tag.yaml workflow correctly. Fixes the issue where tag pushes from the 'tag' job didn't launch the 'Tag Release' pipeline (tag.yaml).	2026-06-13 13:46:40 -04:00
jcabillot	d2c073b6d3	Merge pull request 'feat(ci): refactor pipelines — hadolint, PR checks, tag releases, nightly rebuild' (#8 ) from fix/refactor-ci-pipelines into master Main Release / hadolint (push) Successful in 9s Details Main Release / test (push) Successful in 14s Details Main Release / tag (push) Successful in 14s Details Main Release / build-push (push) Successful in 42s Details Reviewed-on: #8	2026-06-12 16:24:15 -04:00
cloudix_mcp_server	0cb2ca3163	ci: add nightly rebuild workflow PR Checks / hadolint (pull_request) Successful in 6s Details PR Checks / build-test (pull_request) Successful in 20s Details	2026-06-12 16:20:16 -04:00
cloudix_mcp_server	98ca71f3d9	ci: add tag release workflow	2026-06-12 16:20:07 -04:00
cloudix_mcp_server	0ba86a9428	ci: add main release workflow	2026-06-12 16:20:02 -04:00
cloudix_mcp_server	23b8130249	ci: add PR checks workflow	2026-06-12 16:19:54 -04:00
cloudix_mcp_server	89d81b0b73	ci: split monolithic workflow into 4 targeted pipelines	2026-06-12 16:19:33 -04:00
jcabillot	0ff64c1aa5	Merge pull request 'ci: add automatic semver tagging on merge to master' (#7 ) from feat/semver-tag-action into master Docker Build and Push / lint (push) Successful in 8s Details Docker Build and Push / build (push) Successful in 17s Details Docker Build and Push / test (push) Successful in 15s Details Docker Build and Push / push (push) Failing after 26s Details Reviewed-on: #7	2026-06-12 13:44:58 -04:00
cloudix_mcp_server	e020bef849	ci: add automatic semver tagging on merge to master Docker Build and Push / lint (pull_request) Successful in 7s Details Docker Build and Push / build (pull_request) Successful in 31s Details Docker Build and Push / test (pull_request) Successful in 12s Details Docker Build and Push / push (pull_request) Has been skipped Details	2026-06-12 13:17:41 -04:00
opencodecabilloteu	86fd90cb0c	Merge pull request 'chore: fix Dockerfile FROM quotes, gitlabci image quotes' (#3 ) from chore/renovate into master Docker Build and Push / lint (push) Successful in 8s Details Docker Build and Push / build (push) Successful in 17s Details Docker Build and Push / test (push) Successful in 10s Details Docker Build and Push / push (push) Successful in 15s Details Reviewed-on: #3	2026-06-10 19:02:18 -04:00
cloudix_mcp_server	be958a214d	chore: remove renovate.json — gitlabci already disabled globally Docker Build and Push / build (pull_request) Successful in 26s Details	2026-06-10 19:01:38 -04:00
jcabillot	155e362a20	Merge pull request 'Migrate CI to 4-job pipeline with SHA-pinned actions' (#4 ) from feat/gitea-actions-v2 into master Docker Build and Push / lint (push) Successful in 7s Details Docker Build and Push / build (push) Successful in 28s Details Docker Build and Push / test (push) Successful in 12s Details Docker Build and Push / push (push) Successful in 25s Details Reviewed-on: #4	2026-06-09 08:35:20 -04:00
cloudix_mcp_server	58c0a69b5b	Fix hadolint: remove FROM quotes, add DL3018 ignore for apk Docker Build and Push / lint (pull_request) Successful in 8s Details Docker Build and Push / build (pull_request) Successful in 51s Details Docker Build and Push / test (pull_request) Successful in 12s Details Docker Build and Push / push (pull_request) Has been skipped Details	2026-06-08 22:28:15 -04:00
cloudix_mcp_server	2b7c12a145	Migrate CI to 4-job pipeline with SHA-pinned actions	2026-06-08 22:27:54 -04:00
cloudix_mcp_server	145ca0f401	Add CLI smoke test for offlineimap	2026-06-08 22:26:31 -04:00
Sagent	217c352c04	chore: fix Dockerfile FROM quotes, gitlabci image quotes, add renovate config Docker Build and Push / build (pull_request) Failing after 12m43s Details	2026-06-09 02:17:24 +00:00
jcabillot	066b365db7	feat: add Gitea Actions workflow Docker Build and Push / build (push) Successful in 36s Details feat: add Gitea Actions workflow	2026-05-29 16:22:33 -04:00