.forgejo/workflows/build.yml

@@ -1,44 +0,0 @@
-on:
-  push:
-  pull_request:
-  workflow_dispatch:
-
-jobs:
-  build:
-    name: build-${{matrix.tag}}
-    runs-on: docker
-    container: git.frostfs.info/truecloudlab/env:oci-image-builder-bookworm
-    strategy:
-      matrix:
-        tag:
-          - dotnet-8.0
-          - oci-image-builder-bookworm
-          - oci-runner
-          - openjdk-11-maven-3.8.6
-          - python-3.11
-          - python-3.13
-    steps:
-      - name: Clone git repo
-        uses: actions/checkout@v3
-
-      - name: List modified files
-        uses: actions/changed-files@v45
-        with:
-          files: |
-            ${{matrix.tag}}/**
-        id: changed
-
-      - name: Build OCI image
-        run: make ${{matrix.tag}}
-        if: >-
-          github.event_name == 'workflow_dispatch'
-          || steps.changed.outputs.any_changed == 'true'
-
-      - name: Push image to OCI registry
-        run: make push-${{matrix.tag}}
-        if: >-
-          github.ref == 'refs/heads/master' &&
-          (github.event_name == 'workflow_dispatch' ||
-          (steps.changed.outputs.any_changed == 'true' && github.event_name == 'push'))
-        env:
-          REGISTRY_PASSWORD: ${{secrets.FORGEJO_OCI_REGISTRY_PUSH_TOKEN}}

CODEOWNERS

@@ -1 +0,0 @@
-.* @TrueCloudLab/Infrastructure

Makefile

@@ -1,20 +0,0 @@
-REGISTRY?=git.frostfs.info
-REGISTRY_NAMESPACE?=truecloudlab
-REGISTRY_USER?=$(REGISTRY_NAMESPACE)
-REGISTRY_PASSWORD?=
-
-IMAGE?=$(REGISTRY)/$(REGISTRY_NAMESPACE)/env
-
-TAGS=$(patsubst %/.,%,$(wildcard */.))
-.PHONY: $(TAGS)
-$(TAGS):
-	buildah images
-	cd $@ && buildah bud --tag $(IMAGE):$@ .
-	buildah images
-
-PUSH=$(foreach tag,$(TAGS),push-$(tag))
-$(PUSH):
-	echo -n "$$REGISTRY_PASSWORD" | wc
-	echo "$$REGISTRY_PASSWORD" | buildah login --username $(REGISTRY_USER) --password-stdin $(REGISTRY)
-	buildah push --rm $(IMAGE):$(patsubst push-%,%,$@) docker://$(IMAGE):$(patsubst push-%,%,$@)
-	buildah logout $(REGISTRY)

README.md

@@ -1,21 +1,3 @@
-# Container environments for Forgejo Actions
+# WIP area: this repo is just a fork!
 
-Many actions developers are targeting GitHub Actions and assume that Node.js
-is available by default. This is not the case in Forgejo Actions, and we need
-to add Node.js to community provided images explicitly.
-
-This repo contains Dockerfile for images used by TrueCloudLab.
-
-Images are published to [our registry](https://git.frostfs.info/TrueCloudLab/-/packages/container/env/versions)
-
-## Modifying container images
-
-Prepare a pull request with a modified or entirely new Dockerfile.
-The image will get built and published after PR is merged to master.
-
-## Requirements
-
-Images for Forgejo Actions must contain:
-
-- Node.js
-- Git
+Useful things may be published only in [other branches](../../../branches)

dotnet-8.0/Dockerfile

@@ -1,4 +0,0 @@
-FROM docker.io/node:20-bookworm-slim as node
-FROM mcr.microsoft.com/dotnet/sdk:8.0-bookworm-slim
-COPY --from=node /usr/local /usr/local
-COPY --from=node /opt /opt

oci-image-builder-bookworm/Dockerfile

@@ -1,15 +0,0 @@
-FROM docker.io/node:20-bookworm-slim as node
-FROM docker.io/golang:1.23-bookworm
-COPY --from=node /usr/local /usr/local
-COPY --from=node /opt /opt
-
-RUN apt-get update && \
-    apt-get install -y buildah && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
-COPY docker-wrapper.sh /usr/local/bin/docker
-
-# Configuration for buildah inside rootless podman
-COPY containers.conf /etc/containers/containers.conf
-COPY registries.conf /etc/containers/registries.conf
-COPY storage.conf /etc/containers/storage.conf

oci-image-builder-bookworm/README.md

@@ -1,39 +0,0 @@
-# Forgejo Actions environment for building OCI container images
-
-Building OCI container images inside Forgejo Actions is somewhat non-trivial.
-We need to execute Buildah inside of a rootless Podman container, which
-eventually leads to a podman-in-podman scenario. Thankfully, this is not as
-complex as docker-in-docker.
-
-This image contains everything we need for executing `make image` in our
-Golang repos:
-
-- Go toolchain (for helper scripts called by Makefile)
-- Docker wrapper (for abstracting Buildah away from human Makefile users)
-- Podman configuration files
-
-## Usage
-
-Referencing this container from `.forgejo/workflows/workflow.yml`:
-
-```yaml
-jobs:
-  oci-image:
-    runs-on: docker
-    container: git.frostfs.info/truecloudlab/env:oci-image-builder-bookworm
-```
-
-See full [live
-example](https://git.frostfs.info/TrueCloudLab/action-env/src/branch/master/.forgejo/workflows/build.yml)
-in action in this repo.
-
-## Initial Forgejo setup
-
-We use this image to build all images in this repo. To avoid chicken-and-egg
-situation in case of disaster recovery, the first version of this image must
-be pushed from outside of Forgejo Actions, e.g. from sysadmin laptop:
-
-```console
-$ make oci-image-builder-bookworm
-$ make push-oci-image-builder-bookworm
-```

oci-image-builder-bookworm/containers.conf

@@ -1,8 +0,0 @@
-# https://github.com/containers/podman/issues/20453#issuecomment-1912725982
-[containers]
-cgroupns="host"
-ipcns="host"
-netns="host"
-pidns="host"
-userns="host"
-utsns="host"

oci-image-builder-bookworm/docker-wrapper.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-#
-# A wrapper that translates `docker build` commands for use with buildah
-#
-set -euo pipefail
-while [[ $# -ne 0 ]]
-do
-    case "$1" in
-    --rm|--force-rm)
-        # 'rm' and 'force-rm' can only be set with either 'layers' or 'no-cache'
-        ;;
-    *)
-        args+=("$1")
-        ;;
-    esac
-    shift
-done
-buildah "${args[@]}"

oci-image-builder-bookworm/registries.conf

@@ -1,11 +0,0 @@
-unqualified-search-registries = ["docker.io"]
-
-[[registry]]
-prefix = "docker.io"
-location = "docker.io"
-
-[[registry.mirror]]
-location = "quay.io"
-
-[[registry.mirror]]
-location = "docker.io"

oci-image-builder-bookworm/storage.conf

@@ -1,5 +0,0 @@
-# STORAGE_DRIVER variable is ignored if /etc/containers/storage.conf does not exist
-[storage]
-driver = "vfs"
-runroot = "/run/containers/storage"
-graphroot = "/var/lib/containers/storage"

oci-runner/Dockerfile

@@ -1,24 +0,0 @@
-FROM docker.io/node:20-bookworm-slim as node
-FROM docker.io/golang:1.23-bookworm
-COPY --from=node /usr/local /usr/local
-COPY --from=node /opt /opt
-
-RUN apt-get update && \
-    apt-get install -y podman && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/* && \
-    ln -s /usr/bin/podman /usr/local/bin/docker && \
-    echo root:10000:1000 > /etc/subuid && \
-    echo root:10000:1000 > /etc/subgid && \
-    echo '#!/bin/bash\npodman system service -t 0 unix:///tmp/podman-service.socket &\ndisown' > /usr/local/bin/podman-service.sh && \
-    chmod +x /usr/local/bin/podman-service.sh
-
-# Configuration for podman inside rootless podman
-COPY containers.conf /etc/containers/containers.conf
-COPY registries.conf /etc/containers/registries.conf
-COPY storage.conf /etc/containers/storage.conf
-
-# Configuration for testcontainers
-ENV DOCKER_HOST=unix:///tmp/podman-service.socket
-ENV TESTCONTAINERS_DOCKER_SOCKER_OVERRIDE=/tmp/podman-service.socket
-ENV TESTCONTAINERS_RYUK_DISABLED=true

oci-runner/README.md

@@ -1,47 +0,0 @@
-# Forgejo Actions environment for launching nested OCI containers
-
-This image contains everything we need for executing tests
-which spawn nested containers:
-
-- Go toolchain
-- Docker wrapper (for abstracting Podman away from users)
-- Podman configuration files
-
-## Usage
-
-Referencing this container from `.forgejo/workflows/workflow.yml`:
-
-```yaml
-jobs:
-  oci-image:
-    runs-on: oci-runner
-```
-
-## Privileges
-
-Managing network connectivity between nested containers requires extra
-privileges on the outer container:
-
-- CAP_NET_ADMIN (fixes `netavark: Netlink error: Operation not permitted`)
-- CAP_SYS_ADMIN (fixes `slirp4netns failed: "open(/dev/net/tun): No such file or directory`)
-
-These privileges are not required for running a single container inside
-rootless Podman.
-Use `--net=host --uts=host --pid=host --cgroups=enabled` to launch inner containers then.
-
-Example of privileged outer container:
-
-```
-podman run \
-    --cap-add CAP_NET_ADMIN --cap-add CAP_SYS_ADMIN \
-    --rm -it git.frostfs.info/truecloudlab/env:oci-runner \
-    podman run --name hi hello-world
-```
-
-Unprivileged outer container:
-
-```
-podman run \
-    --rm -it git.frostfs.info/truecloudlab/env:oci-runner \
-    podman run --net=host --uts=host --pid=host --cgroups=enabled hello-world
-```

oci-runner/containers.conf

@@ -1,21 +0,0 @@
-[containers]
-
-# Basic podman-in-podman config from quay.io/podman/stable
-cgroupns="host"
-cgroups="disabled"
-ipcns="host"
-pidns="private"
-userns="host"
-
-# Allow network connectivity between second order containers
-netns="private"
-utsns="private"
-
-# Workaround for ping_group_range error: https://github.com/containers/podman/issues/13194
-default_sysctls = []
-
-
-[engine]
-
-# Basic podman-in-podman config from quay.io/podman/stable
-cgroup_manager="cgroupfs"

oci-runner/registries.conf

@@ -1,11 +0,0 @@
-unqualified-search-registries = ["docker.io"]
-
-[[registry]]
-prefix = "docker.io"
-location = "docker.io"
-
-[[registry.mirror]]
-location = "quay.io"
-
-[[registry.mirror]]
-location = "docker.io"

oci-runner/storage.conf

@@ -1,5 +0,0 @@
-# STORAGE_DRIVER variable is ignored if /etc/containers/storage.conf does not exist
-[storage]
-driver = "vfs"
-runroot = "/run/containers/storage"
-graphroot = "/var/lib/containers/storage"

openjdk-11-maven-3.8.6/Dockerfile

@@ -1,4 +0,0 @@
-FROM docker.io/node:20-bullseye-slim as node
-FROM docker.io/maven:3.8.6-openjdk-11
-COPY --from=node /usr/local /usr/local
-COPY --from=node /opt /opt

python-3.11/Dockerfile

@@ -1,4 +0,0 @@
-FROM docker.io/node:20-bookworm-slim as node
-FROM docker.io/python:3.11-bookworm
-COPY --from=node /usr/local /usr/local
-COPY --from=node /opt /opt

python-3.13/Dockerfile

@@ -1,4 +0,0 @@
-FROM docker.io/node:20-bookworm-slim as node
-FROM docker.io/python:3.13-bookworm
-COPY --from=node /usr/local /usr/local
-COPY --from=node /opt /opt