diff --git a/.gitea/workflows/build-and-push.yaml b/.gitea/workflows/build-and-push.yaml index b5ee633..6622760 100644 --- a/.gitea/workflows/build-and-push.yaml +++ b/.gitea/workflows/build-and-push.yaml @@ -13,6 +13,11 @@ jobs: runs-on: buildx-multiarch if: "!contains(gitea.event.head_commit.message, '[skip ci]')" steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Checkout uses: actions/checkout@v4 with: @@ -22,26 +27,34 @@ jobs: id: prep run: | export TZ=Europe/Berlin - # Env laden um BUILD_TAG und BASE_IMAGE zu bekommen + + # 1. Env laden set -a source <(grep -v '^#' buildargs.env | sed 's/\r$//') set +a + # 2. Hash der BUILD_ Variablen berechnen (für Change-Detection) + # Wir nehmen nur Zeilen, die mit BUILD_ beginnen + ARGS_HASH=$(grep "^BUILD_" buildargs.env | sha256sum | cut -d' ' -f1) + echo "build_args_hash=$ARGS_HASH" >> $GITHUB_OUTPUT + + # ... (Rest deiner Logik für Tags, Owner etc. bleibt gleich) ... echo "event_name=${{ gitea.event_name }}" >> $GITHUB_OUTPUT if [[ "${{ gitea.ref }}" == refs/tags/* ]]; then CLEAN_TAG=${{ gitea.ref_name }} echo "docker_tag=${CLEAN_TAG#v}" >> $GITHUB_OUTPUT else - echo "docker_tag=$BUILD_TAG" >> $GITHUB_OUTPUT + # Fallback falls BUILD_TAG nicht gesetzt ist + echo "docker_tag=${BUILD_TAG:-latest}" >> $GITHUB_OUTPUT fi OWNER=$(echo "${{ gitea.repository }}" | cut -d'/' -f1 | tr '[:upper:]' '[:lower:]') REPO_NAME=$(echo "${{ gitea.repository }}" | cut -d'/' -f2 | tr '[:upper:]' '[:lower:]') - echo "image_name=git.pi-farm.de/$OWNER/$REPO_NAME" >> $GITHUB_OUTPUT - echo "owner=$OWNER" >> $GITHUB_OUTPUT echo "repo_pure=$REPO_NAME" >> $GITHUB_OUTPUT + echo "docker_tag=$BUILD_TAG" >> $GITHUB_OUTPUT + echo "image_name=git.pi-farm.de/$OWNER/$REPO_NAME" >> $GITHUB_OUTPUT echo "base_image=$BASE_IMAGE" >> $GITHUB_OUTPUT - name: Login to Gitea Registry @@ -57,13 +70,14 @@ jobs: IMAGE="${{ steps.prep.outputs.image_name }}" TAG="${{ steps.prep.outputs.docker_tag }}" BASE="${{ steps.prep.outputs.base_image }}" + LOCAL_ARGS_HASH="${{ steps.prep.outputs.build_args_hash }}" echo "🔍 Prüfe Remote-Registry..." + echo "ℹ️ Lokaler Args-Hash: $LOCAL_ARGS_HASH" if [[ "${{ steps.prep.outputs.event_name }}" != "schedule" ]]; then echo "🚀 Manueller Start: Build erzwungen." else - # 1. Base Image SHA holen REMOTE_BASE_SHA=$(docker buildx imagetools inspect "$BASE" --format '{{json .Manifest.Digest}}' 2>/dev/null | tr -d '"' || echo "") if [ -z "$REMOTE_BASE_SHA" ]; then @@ -71,35 +85,33 @@ jobs: else echo "ℹ️ Base-Image SHA (Remote): $REMOTE_BASE_SHA" - # 2. Annotation aus dem Index-Manifest holen - # Wir holen das RAW JSON, da wir wissen, dass es dort im Block "annotations" steht. - # Wir nutzen grep, um "pi_farm.base_digest": "sha256:..." zu finden. - RAW_INDEX=$(docker buildx imagetools inspect "$IMAGE:$TAG" --raw 2>/dev/null || echo "") if [ -z "$RAW_INDEX" ]; then echo "🆕 Image existiert noch nicht. Build erforderlich." else - # Extrahiere den Wert zwischen den Anführungszeichen nach dem Key - # Suche nach: "pi_farm.base_digest": "WERT" + # 1. Base Digest aus Annotation holen USED_BASE_SHA=$(echo "$RAW_INDEX" | grep "\"pi_farm.base_digest\":" | sed -E 's/.*: "([^"]+)".*/\1/' || echo "none") - # Falls grep fehlschlägt, ist USED_BASE_SHA leer oder none - if [ -z "$USED_BASE_SHA" ]; then USED_BASE_SHA="none"; fi + # 2. Args Hash aus Annotation holen (NEU!) + USED_ARGS_HASH=$(echo "$RAW_INDEX" | grep "\"pi_farm.args_hash\":" | sed -E 's/.*: "([^"]+)".*/\1/' || echo "none") - echo "ℹ️ Gefundene Annotation im Index: $USED_BASE_SHA" + echo "ℹ️ Remote Base SHA: $USED_BASE_SHA" + echo "ℹ️ Remote Args Hash: $USED_ARGS_HASH" - if [ "$REMOTE_BASE_SHA" == "$USED_BASE_SHA" ]; then - echo "😴 Base-Image unverändert. Kein Build nötig." + # Logik: Build wenn Base anders ODER Args anders + if [ "$REMOTE_BASE_SHA" == "$USED_BASE_SHA" ] && [ "$LOCAL_ARGS_HASH" == "$USED_ARGS_HASH" ]; then + echo "😴 Alles identisch. Kein Build nötig." SHOULD_BUILD="false" else - echo "✅ Update nötig: $USED_BASE_SHA -> $REMOTE_BASE_SHA" + echo "✅ Update nötig (Base oder Args geändert)." SHOULD_BUILD="true" fi fi fi fi echo "should_build=$SHOULD_BUILD" >> $GITHUB_OUTPUT + - name: Set up QEMU if: steps.check_changes.outputs.should_build == 'true' uses: docker/setup-qemu-action@v3 @@ -114,47 +126,47 @@ jobs: IMAGE=${{ steps.prep.outputs.image_name }} TAG=${{ steps.prep.outputs.docker_tag }} BASE=${{ steps.prep.outputs.base_image }} + ARGS_HASH=${{ steps.prep.outputs.build_args_hash }} - # 1. Variablen aus der Datei in die Shell laden, damit sie aufgelöst werden set -a source <(grep -v '^#' buildargs.env | sed 's/\r$//') set +a - # 2. Argumente für Docker vorbereiten (Variablen werden hier aufgelöst!) + # Wir übergeben trotzdem ALLE Variablen als Build-Arg. + # Docker ist schlau genug, nicht genutzte Args zu ignorieren. DOCKER_ARGS="" - # Wir extrahieren alle Keys aus der Datei keys=$(grep -v '^#' buildargs.env | cut -d'=' -f1 | tr -d '\r') for k in $keys; do - # Hier passiert die Magie: ${!k} holt den bereits aufgelösten Wert aus der Shell val="${!k}" DOCKER_ARGS="$DOCKER_ARGS --build-arg $k=$val" done - # 3. Base SHA für das Label holen (wichtig für den nächsten Check) - # Da BASE selbst Variablen enthalten kann, nutzen wir auch hier den aufgelösten Wert RESOLVED_BASE=$(echo $BASE) BASE_SHA=$(docker buildx imagetools inspect $RESOLVED_BASE --format '{{json .Manifest.Digest}}' 2>/dev/null | tr -d '"' || echo "unknown") - echo "🚀 Starte Multi-Arch Build für $IMAGE:$TAG..." - echo "📦 Basis-Image aufgelöst: $RESOLVED_BASE" + # WICHTIG: Wir speichern jetzt ZWEI Informationen im Label/Annotation # AMD64 Build docker buildx build $DOCKER_ARGS --pull --platform linux/amd64 -f Dockerfile \ - --label "pi_farm.base_digest=$BASE_SHA" -t $IMAGE:tmp-amd64 --push . + --label "pi_farm.base_digest=$BASE_SHA" \ + --label "pi_farm.args_hash=$ARGS_HASH" \ + -t $IMAGE:tmp-amd64 --push . # ARM64 Build docker buildx build $DOCKER_ARGS --pull --platform linux/arm64 -f Dockerfile.aarch64 \ - --label "pi_farm.base_digest=$BASE_SHA" -t $IMAGE:tmp-arm64 --push . - - # Manifeste zusammenführen und Annotation hinzufügen - # Das macht das Label "sichtbar", ohne dass man in die Child-Images schauen muss + --label "pi_farm.base_digest=$BASE_SHA" \ + --label "pi_farm.args_hash=$ARGS_HASH" \ + -t $IMAGE:tmp-arm64 --push . + # Manifest Create (mit Annotationen im Index) docker buildx imagetools create \ --annotation "index:pi_farm.base_digest=$BASE_SHA" \ + --annotation "index:pi_farm.args_hash=$ARGS_HASH" \ -t $IMAGE:$TAG $IMAGE:tmp-amd64 $IMAGE:tmp-arm64 docker buildx imagetools create \ --annotation "index:pi_farm.base_digest=$BASE_SHA" \ + --annotation "index:pi_farm.args_hash=$ARGS_HASH" \ -t $IMAGE:latest $IMAGE:tmp-amd64 $IMAGE:tmp-arm64 - name: Cleanup Temporary Registry Tags @@ -197,32 +209,40 @@ jobs: done - name: Update Documentation and Compose - if: steps.check_changes.outputs.should_build == 'true' + # Dieser Step läuft, wenn gebaut wurde ODER wenn manuell gepusht wurde (für Env-Änderungen) + if: steps.check_changes.outputs.should_build == 'true' || gitea.event_name == 'push' run: | export TZ=Europe/Berlin CURRENT_TIME=$(date +'%d.%m.%Y %H:%M') BUILD_DATE_ONLY=$(date +'%d.%m.%Y') - BUILD_TAG="${{ steps.prep.outputs.docker_tag }}" - REPO_NAME=$(echo "${{ gitea.repository }}" | cut -d'/' -f2) - REPO_LOWER=$(echo "${{ gitea.repository }}" | tr '[:upper:]' '[:lower:]') - FULL_URL="git.pi-farm.de/${REPO_LOWER}" + # --- HIER IST DIE BRÜCKE: Outputs in Shell-Variablen laden --- + # Wir nutzen die Namen, die du im 'prep' Step definiert hast + BUILD_TAG="${{ steps.prep.outputs.docker_tag }}" + FULL_URL="${{ steps.prep.outputs.image_name }}" + REPO_PURE="${{ steps.prep.outputs.repo_pure }}" + + # Zusätzliche Info für ARM Status [ -f "Dockerfile.aarch64" ] && ARM_STATUS="✅ Aktiv (eigenes Dockerfile)" || ARM_STATUS="✅ Aktiv (via Standard Dockerfile)" + # Env laden für die Werteeretzung (z.B. für die Generatoren) set -a source <(grep -v '^#' buildargs.env | sed 's/\r$//') set +a + # Commit Message Logik if [[ "${{ steps.prep.outputs.event_name }}" == "schedule" ]]; then - COMMIT_MSG="Automatischer Security-Rebuild (Base Image Update)" + COMMIT_MSG="Automatischer Security-Rebuild" else - COMMIT_MSG=$(git log -1 --pretty=%s --no-merges 2>/dev/null || echo "Manual build") - COMMIT_MSG=$(echo "$COMMIT_MSG" | sed 's/\[skip ci\]//g' | xargs) + COMMIT_MSG=$(git log -1 --pretty=%s --no-merges 2>/dev/null || echo "Manual build") + COMMIT_MSG=$(echo "$COMMIT_MSG" | sed 's/\[skip ci\]//g' | xargs) fi + # Templates laden wget -q https://git.pi-farm.de/pi-farm/templates/raw/branch/main/README.template -O README.template || exit 1 wget -q https://git.pi-farm.de/pi-farm/templates/raw/branch/main/docker-compose.template -O docker-compose.template || true + # History Update NEW_ROW="| **v${BUILD_TAG}** | ${CURRENT_TIME} | ${COMMIT_MSG} ✅ |" if [ -f "VERSION.history" ]; then grep -v "| **v${BUILD_TAG}** |" VERSION.history > VERSION.history.tmp || true @@ -233,39 +253,86 @@ jobs: fi HISTORY_CONTENT=$(cat VERSION.history) + # --- GENERATOREN (Block-Bau) --- + + # 1. Environment Block + ENV_BLOCK_CONTENT="" + env_vars=$(grep '^ENV_' buildargs.env | grep -v '^#' | tr -d '\r') + if [ ! -z "$env_vars" ]; then + for line in $env_vars; do + key=$(echo "$line" | cut -d'=' -f1) + val="${!key}" + clean_key=${key#ENV_} + ENV_BLOCK_CONTENT="${ENV_BLOCK_CONTENT} - ${clean_key}=${val}\\n" + done + fi + + # 2. Ports Block + PORTS_BLOCK_CONTENT="" + port_vars=$(grep '^PORT_' buildargs.env | grep -v '^#' | tr -d '\r') + if [ ! -z "$port_vars" ]; then + PORTS_BLOCK_CONTENT=" ports:\\n" + for line in $port_vars; do + key=$(echo "$line" | cut -d'=' -f1) + val="${!key}" + PORTS_BLOCK_CONTENT="${PORTS_BLOCK_CONTENT} - \"${val}\"\\n" + done + fi + + # 3. Volumes Block + VOL_BLOCK_CONTENT="" + vol_vars=$(grep '^VOL_' buildargs.env | grep -v '^#' | tr -d '\r') + if [ ! -z "$vol_vars" ]; then + VOL_BLOCK_CONTENT=" volumes:\\n" + for line in $vol_vars; do + key=$(echo "$line" | cut -d'=' -f1) + val="${!key}" + VOL_BLOCK_CONTENT="${VOL_BLOCK_CONTENT} - ${val}\\n" + done + fi + + # --- TEMPLATE ENGINE --- + process_template() { local template=$1; local output=$2 if [ -f "$template" ]; then > "$output" while IFS= read -r line || [ -n "$line" ]; do - line="${line//__REPO_NAME__/$REPO_NAME}" + # Ersetzung deiner ursprünglichen Platzhalter + line="${line//__REPO_NAME__/$REPO_PURE}" line="${line//__FULL_URL__/$FULL_URL}" line="${line//__BUILD_TAG__/$BUILD_TAG}" + + # Ersetzung der neuen Block-Platzhalter line="${line//__CURRENT_DATE__/$CURRENT_TIME}" line="${line//__BUILD_DATE__/$BUILD_DATE_ONLY}" line="${line//__HISTORY_CONTENT__/$HISTORY_CONTENT}" line="${line//__ARM_STATUS__/$ARM_STATUS}" - keys=$(grep -v '^#' buildargs.env | cut -d'=' -f1) - for k in $keys; do - clean_key="__$(echo $k | tr -d '\r')__" - clean_val="${!k}" - line="${line//$clean_key/$clean_val}" - done - echo "$line" >> "$output" + # Block Injections + if [[ "$line" == *"__ENV_BLOCK__"* ]]; then + if [ -n "$ENV_BLOCK_CONTENT" ]; then echo -e "${ENV_BLOCK_CONTENT}" >> "$output"; fi + elif [[ "$line" == *"__PORTS_BLOCK__"* ]]; then + if [ -n "$PORTS_BLOCK_CONTENT" ]; then echo -e "${PORTS_BLOCK_CONTENT}" >> "$output"; fi + elif [[ "$line" == *"__VOL_BLOCK__"* ]]; then + if [ -n "$VOL_BLOCK_CONTENT" ]; then echo -e "${VOL_BLOCK_CONTENT}" >> "$output"; fi + else + echo "$line" >> "$output" + fi done < "$template" fi } process_template "README.template" "README.md" process_template "docker-compose.template" "docker-compose.yml" + echo "FINAL_MSG=$COMMIT_MSG" >> $GITHUB_ENV - + - name: Commit, Tag and Push Changes if: steps.check_changes.outputs.should_build == 'true' run: | - git config --local user.email "action@github.com" - git config --local user.name "GitHub Action" + git config --local user.email "action@pi-farm.de" + git config --local user.name "Gitea Action" git add VERSION.history README.md docker-compose.yml git diff --quiet && git diff --staged --quiet || git commit -m "${{ env.FINAL_MSG }} [skip ci]" git tag -f "v${{ steps.prep.outputs.docker_tag }}" diff --git a/buildargs.env b/buildargs.env index 86e2d1c..8e8e9db 100644 --- a/buildargs.env +++ b/buildargs.env @@ -1,21 +1,21 @@ -# --- Versionierung --- BUILD_TAG=3.23 - -# --- Standard Variablen --- -BASE_IMAGE=alpine:${BUILD_TAG} +BUILD_BASE_IMAGE=alpine:${BUILD_TAG} # Examples for BASE_IMAGE -#alpine:${BUILD_TAG} -#git.pi-farm.de/pi-farm/docker-baseimage-alpine:v${BUILD_TAG} -ALPINE_ARCH_AMD64=x86_64 -ALPINE_ARCH_AARCH64=aarch64 -S6_ARCH_amd64=x86_64 -S6_ARCH_aarch64=aarch64 -S6_OVERLAY_VERSION=3.2.0.2 -MAINTAINER=pi-farm -TZ=Europe/Berlin - -# --- Projekt Spezifisch --- -APP_VERSION=v${BUILD_TAG} -APP_NAME=basimage-alpine -APP_USER=pi -APP_GID=1000 \ No newline at end of file +# alpine:${BUILD_TAG} +# git.pi-farm.de/pi-farm/docker-baseimage-alpine:v${BUILD_TAG} +BUILD_ALPINE_ARCH_AMD64=x86_64 +BUILD_ALPINE_ARCH_AARCH64=aarch64 +BUILD_S6_ARCH_amd64=x86_64 +BUILD_S6_ARCH_aarch64=aarch64 +BUILD_S6_OVERLAY_VERSION=3.2.0.2 +BUILD_MAINTAINER=pi-farm +BUILD_APP_VERSION=v${BUILD_TAG} +BUILD_APP_NAME=basimage-alpine +BUILD_APP_USER=pi +BUILD_APP_GID=1000 +ENV_TZ=Europe/Berlin +ENV_PUID=1000 +ENV_PGID=1000 +# VOL_CONFIG=./config:/config +# VOL_DATA=./data:/data +# PORT_WEB=8080:80 \ No newline at end of file