From 9ceb562b81539d83fb4bcd53eb1501e17e8d1b42 Mon Sep 17 00:00:00 2001
From: Sagent <sage@cabillot.eu>
Date: Mon, 29 Jun 2026 13:45:50 +0000
Subject: [PATCH] ci: align workflows with mydl + fix Alpine SHELL

---
 .gitea/workflows/cron.yaml | 25 +++++++++++++------
 .gitea/workflows/main.yaml | 48 +++++++++++++++++++++----------------
 .gitea/workflows/pr.yaml   | 11 ++++++---
 .gitea/workflows/tag.yaml  | 49 ++++++++++++++++++++++++++++----------
 Dockerfile                 |  8 +++----
 5 files changed, 93 insertions(+), 48 deletions(-)

diff --git a/.gitea/workflows/cron.yaml b/.gitea/workflows/cron.yaml
index 79c8da9..32dca11 100644
--- a/.gitea/workflows/cron.yaml
+++ b/.gitea/workflows/cron.yaml
@@ -1,38 +1,49 @@
 name: Nightly Rebuild
-
 on:
   schedule:
     - cron: '0 0 * * *'
-
 jobs:
   hadolint:
     runs-on: ubuntu-latest
-    continue-on-error: true
     steps:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
       - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        continue-on-error: true
         with:
           dockerfile: Dockerfile
-
-  build-push:
+  test:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
       - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      - run: docker build --load -t ci-image:${{ github.sha }} .
+      - run: bash tests/test.sh ci-image:${{ github.sha }}
+  build-push:
+    needs: [test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
+        with:
+          fetch-depth: 0
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
       - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - id: get-latest-tag
+        run: |
+          TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
       - id: meta
         uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
         with:
           images: jcabillot/rssbridge
           tags: |
-            type=raw,value=nightly
-            type=sha
+            type=raw,value=${{ steps.get-latest-tag.outputs.tag }}-latest,enable=${{ steps.get-latest-tag.outputs.tag != '' }}
       - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           context: .
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          pull: true
diff --git a/.gitea/workflows/main.yaml b/.gitea/workflows/main.yaml
index c02ac01..a6a75d4 100644
--- a/.gitea/workflows/main.yaml
+++ b/.gitea/workflows/main.yaml
@@ -1,38 +1,44 @@
 name: Main Release
-
 on:
   push:
     branches: [master]
-
 jobs:
   hadolint:
     runs-on: ubuntu-latest
-    continue-on-error: true
     steps:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
       - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        continue-on-error: true
         with:
           dockerfile: Dockerfile
-
-  build-push:
+  test:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
       - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
-      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+      - run: docker build --load -t ci-image:${{ github.sha }} .
+      - run: bash tests/test.sh ci-image:${{ github.sha }}
+  build:
+    needs: [test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      - run: docker build -t jcabillot/rssbridge:${{ github.sha }} .
+  tag:
+    needs: [build]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
-        with:
-          images: jcabillot/rssbridge
-          tags: |
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
-            type=sha
-      - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
-        with:
-          context: .
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          fetch-depth: 0
+      - name: Configure git auth
+        run: |
+          git remote set-url origin "https://x-access-token:${{ secrets.SA_TOKEN_ACTION_PUSH_TAGS }}@scm.cabillot.eu/web/rssbridge.git"
+      - uses: anothrNick/github-tag-action@4ed44965e0db8dab2b466a16da04aec3cc312fd8 # v1.75.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.SA_TOKEN_ACTION_PUSH_TAGS }}
+          DEFAULT_BUMP: patch
+          RELEASE_BRANCHES: master
+          WITH_V: true
+          GIT_API_TAGGING: false
diff --git a/.gitea/workflows/pr.yaml b/.gitea/workflows/pr.yaml
index 8af7455..9b392bc 100644
--- a/.gitea/workflows/pr.yaml
+++ b/.gitea/workflows/pr.yaml
@@ -1,15 +1,20 @@
 name: PR Checks
-
 on:
   pull_request:
     branches: [master]
-
 jobs:
   hadolint:
     runs-on: ubuntu-latest
-    continue-on-error: true
     steps:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
       - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        continue-on-error: true
         with:
           dockerfile: Dockerfile
+  build-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      - run: docker build --load -t ci-image:${{ github.sha }} .
+      - run: bash tests/test.sh ci-image:${{ github.sha }}
diff --git a/.gitea/workflows/tag.yaml b/.gitea/workflows/tag.yaml
index 432b19c..a10bc77 100644
--- a/.gitea/workflows/tag.yaml
+++ b/.gitea/workflows/tag.yaml
@@ -1,21 +1,44 @@
 name: Tag Release
-
 on:
   push:
-    branches: [master]
-
+    tags: ['*']
 jobs:
-  tag:
+  hadolint:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
+      - uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        continue-on-error: true
         with:
-          fetch-depth: 0
-      - name: Bump version and push tag
-        uses: anothrNick/github-tag-action@4ed44965e0db8dab2b466a16da04aec3cc312fd8 # v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          DEFAULT_BUMP: patch
-          RELEASE_BRANCHES: master
-          WITH_V: true
-          GIT_API_TAGGING: false
+          dockerfile: Dockerfile
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      - run: docker build --load -t ci-image:${{ github.sha }} .
+      - run: bash tests/test.sh ci-image:${{ github.sha }}
+  build-push:
+    needs: [test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - id: meta
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        with:
+          images: jcabillot/rssbridge
+          tags: |
+            type=ref,event=tag
+            type=ref,event=tag,suffix=-latest
+      - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          pull: true
diff --git a/Dockerfile b/Dockerfile
index 7e0de39..675ce48 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,6 @@
 FROM dunglas/frankenphp:1-php8.5-alpine
 LABEL maintainer="Julien Cabillot <dockerimages@cabillot.eu>"
 
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-
 WORKDIR /app
 
 # Install required PHP extensions for RSS-Bridge
@@ -10,8 +8,10 @@ RUN install-php-extensions mbstring simplexml curl json iconv
 
 COPY Caddyfile /etc/frankenphp/Caddyfile
 
-# Download RSS-Bridge
-RUN curl -s -L "https://github.com/RSS-Bridge/rss-bridge/tarball/master/" | tar -zx --strip=1 -C /app/public
+# Download RSS-Bridge (two-step to avoid pipefail dependency)
+RUN curl -s -L "https://github.com/RSS-Bridge/rss-bridge/tarball/master/" -o /tmp/rssbridge.tar && \
+    tar -zx --strip=1 -C /app/public -f /tmp/rssbridge.tar && \
+    rm /tmp/rssbridge.tar
 
 # Configure RSS-Bridge
 RUN echo "*" > "/app/public/whitelist.txt" && \