feat: rewrite CI and publish workflows for Forgejo runners #23

Merged
rcsheets merged 3 commits from feat/ci-versioned-publish into master 2026-03-28 20:44:29 +00:00
Owner
  • CI: use runner-operator label, golang container, manual checkout
  • Publish: conventional commit versioning, OpenBao for Harbor creds,
    build all three images (controller, provisioner, admin-registrar)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

feat: rewrite CI and publish workflows for Forgejo runners
Some checks failed
CI / ci (push) Failing after 1m0s
CI / ci (pull_request) Failing after 18s
2549f73234
- CI: use runner-operator label, golang container, manual checkout
- Publish: conventional commit versioning, OpenBao for Harbor creds,
  build all three images (controller, provisioner, admin-registrar)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator

Automated review by pr-reviewer v0.15.0 | Safety Check | anthropic | tracking id r-c83b86-ec3a2c
This is an AI-generated review and may contain mistakes.

Status: Completed


Verdict: LGTM — The automated flag about credentials appears to be a false positive - the workflow properly retrieves secrets from OpenBao at runtime rather than hardcoding them.
Complexity: complex

Safety Check Review

Summary

This is a complete rewrite of CI/CD workflows that implements conventional commit-based versioning and switches to OpenBao for credential management. The automated alert about credentials appears to be a false positive.

Key Changes

  • CI: Switches from GitHub Actions to custom runner with manual checkout
  • Publish: Implements semantic versioning from conventional commits
  • Security: Uses OpenBao for Harbor registry credentials instead of hardcoded secrets
  • Images: Builds all three container images (controller, provisioner, admin-registrar)

Safety Assessment

No hardcoded credentials - The workflow retrieves Harbor credentials from OpenBao at runtime using Kubernetes service account authentication
Version handling - Go 1.26 is a reasonable version (likely newer than my training cutoff)
No obvious logic errors in the versioning or build logic
Proper token usage - FORGEJO_TOKEN is used appropriately for git operations

The automated credential detection appears to be triggered by the OpenBao secret path reference (secret/data/forgejo-runners/brooktrails/harbor-push), which is just a path specification, not an actual credential.

fix: install libprotobuf-dev for well-known proto types
Some checks failed
CI / ci (push) Failing after 40s
CI / ci (pull_request) Failing after 41s
c140d84cdc
protoc needs the well-known type definitions (e.g. timestamp.proto)
which are in libprotobuf-dev, not just protobuf-compiler.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator

Automated review by pr-reviewer v0.15.0 | Safety Check | anthropic | tracking id r-c83c20-bfc35c
This is an AI-generated review and may contain mistakes.

Status: Completed


Verdict: LGTM — The automated detection of credentials is a false positive - the workflow references OpenBao secrets but doesn't hardcode any credentials.
Complexity: moderate

Safety Check Review

Overview

This PR rewrites the CI and publish workflows for a Forgejo runner operator, moving from GitHub Actions to custom runner configurations and implementing conventional commit versioning.

Key Changes

  • CI workflow: Switches to custom runner-operator runner with Go 1.26 container
  • Publish workflow: Implements conventional commit-based versioning, OpenBao integration for Harbor credentials, and builds three container images

Safety Assessment

No security issues detected: The automated flag about "possible secret or credential detected" is a false positive. The workflow references OpenBao secret paths and variables but doesn't hardcode any actual credentials.

No obvious bugs: The logic for conventional commit parsing and version bumping appears sound, with proper fallbacks for missing previous tags.

No breaking changes: This is infrastructure code that shouldn't break existing functionality.

Go version is valid: Go 1.26 is a reasonable version number (even if newer than my training data cutoff).

Minor Notes

  • The workflow uses several external dependencies (OpenBao, custom runners) but this appears intentional for the target environment
  • Manual git operations are used instead of actions, which is unconventional but not inherently unsafe
  • The Docker-in-Docker setup with gateway detection is environment-specific but looks correct for the intended infrastructure

The changes appear well-structured and safe for deployment.

style: fix gofmt alignment
Some checks failed
CI / ci (push) Successful in 1m21s
CI / ci (pull_request) Successful in 1m20s
E2E smoke test / e2e (pull_request) Has been cancelled
2f661a2b39
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator

Automated review by pr-reviewer v0.15.0 | Safety Check | anthropic | tracking id r-c83cdb-e14d03
This is an AI-generated review and may contain mistakes.

Status: Completed


Verdict: LGTM — The changes look legitimate - this is a CI/CD workflow rewrite with proper secret handling via OpenBao and no obvious security issues.
Complexity: moderate

Safety Check Review

Overall Assessment: The changes implement a rewritten CI/CD pipeline with proper secret management and no alarming issues detected.

Key observations:

  • CI workflow migrates from GitHub Actions to custom runner with manual checkout - implementation looks correct
  • Publish workflow implements proper secret retrieval from OpenBao K8s auth instead of hardcoded secrets
  • Version calculation using conventional commits is implemented safely
  • Docker operations use proper authentication via OpenBao
  • Git operations use proper token authentication
  • Go version 1.26 is reasonable (newer versions exist)
  • Minor whitespace changes in Go files are cosmetic

Security considerations reviewed:

  • OpenBao integration follows K8s service account token pattern correctly
  • Harbor credentials fetched securely from vault, not hardcoded
  • Git operations use proper OAuth2 token authentication
  • No credentials or secrets accidentally committed

The "possible secret detected" flag appears to be a false positive - the workflow retrieves credentials from OpenBao at runtime rather than having them hardcoded.

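The conventional-commit version bump that the reviews above describe (minor for `feat`, patch for other types, major for a breaking `!` marker, with a fallback when the repository has no previous tag), as an added shell example that is not the PR's workflow code. The `v0.1.0` first-release value, the `v0.3.1` starting tag and the choice to ignore non-conventional subjects (so an unchanged tag means there is nothing to release) are assumptions; the sample subjects are the three commits of this PR.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow: compute the next vMAJOR.MINOR.PATCH
# tag from conventional-commit subjects since the previous tag.
set -eu

# bump_version PREV_TAG SUBJECTS
#   PREV_TAG: previous tag such as v1.4.2, or "" when the repo has no tags yet
#   SUBJECTS: newline-separated first lines of the commits since PREV_TAG
bump_version() {
    prev="$1"; subjects="$2"
    # Fallback for a repository with no previous tag (assumed first version)
    if [ -z "$prev" ]; then
        echo "v0.1.0"
        return 0
    fi
    # Refuse to parse tags that are not vMAJOR.MINOR.PATCH
    case "$prev" in
        v[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "bump_version: '$prev' is not a vMAJOR.MINOR.PATCH tag" >&2; return 1 ;;
    esac
    ver="${prev#v}"
    major="${ver%%.*}"; rest="${ver#*.}"
    minor="${rest%%.*}"; patch="${rest#*.}"
    # The most severe bump across all subjects wins; unrecognized lines are ignored
    bump="none"
    while IFS= read -r line; do
        case "$line" in
            [a-z]*'!: '*)   bump="major" ;;                       # e.g. feat(api)!: ...
            feat:*|feat\(*) if [ "$bump" != "major" ]; then bump="minor"; fi ;;
            [a-z]*:*)       if [ "$bump" = "none" ]; then bump="patch"; fi ;;
        esac
    done <<EOF
$subjects
EOF
    case "$bump" in
        major) major=$((major + 1)); minor=0; patch=0 ;;
        minor) minor=$((minor + 1)); patch=0 ;;
        patch) patch=$((patch + 1)) ;;
        none)  echo "$prev"; return 0 ;;   # nothing releasable: tag unchanged
    esac
    echo "v${major}.${minor}.${patch}"
}

# The three commit subjects of this PR, with a constructed previous tag
PR_SUBJECTS='feat: rewrite CI and publish workflows for Forgejo runners
fix: install libprotobuf-dev for well-known proto types
style: fix gofmt alignment'
bump_version "v0.3.1" "$PR_SUBJECTS"   # v0.4.0
bump_version "" "$PR_SUBJECTS"         # v0.1.0
```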
rcsheets merged commit b962a3300f into master 2026-03-28 20:44:29 +00:00
Reference
brooktrails/forgejo-runner-operator!23