6 changed files with 261 additions and 147 deletions
--- a/.forgejo/workflows/build_keycloak.yml
+++ b/.forgejo/workflows/build_keycloak.yml
@ -1,47 +0,0 @@
-name: Build Keycloak
-
-on:
-  workflow_dispatch: {}
-  push: {}
-  schedule:
-    - cron: "@daily"
-
-jobs:
-  build-container:
-    name: Build Keycloak Image
-    runs-on: docker
-    container:
-      image: ghcr.io/osscontainertools/kaniko:alpine
-    strategy:
-      matrix:
-         # renovate: datasource=docker depName=quay.io/keycloak/keycloak
-        keycloak-version: [ 26.6.0 ]
-    steps:
-      - name: Install required system packages
-        run: apk add --no-cache nodejs maven git
-
-      - name: Checkout Source Code
-        uses: actions/checkout@v6
-
-      - name: Build attribute-endpoints-provider
-        run: |
-          git clone https://git.hamburg.ccc.de/CCCHH/keycloak-attribute-endpoints-provider.git
-          cd keycloak-attribute-endpoints-provider
-          mvn -f attribute-endpoints-provider verify
-          cp attribute-endpoints-provider/target/attribute-endpoints-provider-1.0-SNAPSHOT.jar ${{ forgejo.workspace }}/keycloak/attribute-endpoints-provider.jar
-
-      - name: Build Container
-        env:
-          KANIKO_NO_PUSH: ${{ forgejo.ref_name != 'main' }}
-          KANIKO_GIT_HAMBURG_CCC_DE_USER: forgejo-actions
-          KANIKO_GIT_HAMBURG_CCC_DE_PASSWORD: ${{ secrets.PACKAGES_TOKEN }}
-        run: /kaniko/executor
-          --dockerfile="${{forgejo.workspace }}/keycloak/Containerfile"
-          --context="dir://${{ forgejo.workspace }}/keycloak"
-          --build-arg=TAG=${{ matrix.keycloak-version }}
-          --destination=git.hamburg.ccc.de/ccchh/oci-images/keycloak:${{ matrix.keycloak-version }}
-          --no-push-cache
-          --credential-helpers=env
-          --annotation=org.opencontainers.image.ref.name=keycloak
-          --annotation=org.opencontainers.image.url=${{ forgejo.server_url }}/${{ forgejo.repository }}
-          --annotation=org.opencontainers.image.source=${{ forgejo.server_url }}/${{ forgejo.repository }}
--- a/.forgejo/workflows/build_nextcloud.yml
+++ b/.forgejo/workflows/build_nextcloud.yml
@ -1,39 +0,0 @@
-name: Build Nextcloud
-
-on:
-  workflow_dispatch: {}
-  push: {}
-  schedule:
-    - cron: "@daily"
-
-jobs:
-  build-container:
-    name: Build Nextcloud ${{ matrix.nextcloud-version }} Image
-    runs-on: docker
-    container:
-      image: ghcr.io/osscontainertools/kaniko:alpine
-    strategy:
-      matrix:
-        nextcloud-version: [ 32, 33 ]
-    steps:
-      - name: Install required system packages
-        run: apk add --no-cache nodejs
-
-      - name: Checkout Source Code
-        uses: actions/checkout@v6
-
-      - name: Build Container
-        env:
-          KANIKO_NO_PUSH: ${{ forgejo.ref_name != 'main' }}
-          KANIKO_GIT_HAMBURG_CCC_DE_USER: forgejo-actions
-          KANIKO_GIT_HAMBURG_CCC_DE_PASSWORD: ${{ secrets.PACKAGES_TOKEN }}
-        run: /kaniko/executor
-          --dockerfile="${{forgejo.workspace }}/nextcloud/Containerfile"
-          --context="dir://${{ forgejo.workspace }}/nextcloud"
-          --build-arg=TAG=${{ matrix.nextcloud-version }}
-          --destination=git.hamburg.ccc.de/ccchh/oci-images/nextcloud:${{ matrix.nextcloud-version }}
-          --no-push-cache
-          --credential-helpers=env
-          --annotation=org.opencontainers.image.ref.name=nextcloud
-          --annotation=org.opencontainers.image.url=${{ forgejo.server_url }}/${{ forgejo.repository }}
-          --annotation=org.opencontainers.image.source=${{ forgejo.server_url }}/${{ forgejo.repository }}
--- a/.forgejo/workflows/build_penpot.yml
+++ b/.forgejo/workflows/build_penpot.yml
@ -1,61 +0,0 @@
-name: Build Penpot
-
-on:
-  workflow_dispatch: {}
-  push: {}
-  schedule:
-    - cron: "@daily"
-
-jobs:
-  build-container:
-    name: Build Image penpot-${{ matrix.image-type }}:${{ matrix.penpot-version }}
-    runs-on: docker
-    container:
-      image: ghcr.io/osscontainertools/kaniko:alpine
-    strategy:
-      matrix:
-        penpot-version: [ "2.1.2" ]
-        image-type: [ frontend, backend, exporter ]
-    steps:
-      - name: Install required system packages
-        run: apk add --no-cache nodejs git curl
-
-      - name: Clone penpot repo
-        run: |
-          git clone --branch="${{ matrix.penpot-version }}" https://github.com/penpot/penpot.git "${{ forgejo.workspace }}/penpot"
-          cd "${{ forgejo.workspace }}/penpot"
-          git submodule update --init --recursive
-
-      - name: Patch penpot to work with kaniko
-        run: |
-          cd "${{ forgejo.workspace }}/penpot"
-          
-          # Get build system patch allowing for building images with kaniko.
-          # https://github.com/penpot/penpot/pull/4945
-          # https://github.com/penpot/penpot/pull/4945/commits/752574bac789cc90cc218004bb9545cc6239895d
-          curl -sSL https://github.com/penpot/penpot/commit/752574bac789cc90cc218004bb9545cc6239895d.patch > 0001-move-entire-image-build-process-into-Dockerfiles.patch
-
-          # Get patch disallowing registration with invitation token, when disable-login-with-password flag is set.
-          # https://github.com/penpot/penpot/issues/4975
-          # https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0
-          curl -sSL https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0.patch > 0002-hotfix-dont-allow-registration-with-invite-if-password-login-
-
-          # apply patches
-          git config user.name "Woodpecker"
-          git config user.email "woodpecker@woodpecker.invalid"
-          git am *.patch
-
-      - name: Build Container
-        env:
-          KANIKO_NO_PUSH: ${{ forgejo.ref_name != 'main' }}
-          KANIKO_GIT_HAMBURG_CCC_DE_USER: forgejo-actions
-          KANIKO_GIT_HAMBURG_CCC_DE_PASSWORD: ${{ secrets.PACKAGES_TOKEN }}
-        run: /kaniko/executor
-          --dockerfile="${{forgejo.workspace }}/penpot/docker/images/Dockerfile.${{ matrix.image-type }}"
-          --context="dir://${{ forgejo.workspace }}/penpot/"
-          --destination=git.hamburg.ccc.de/ccchh/oci-images/penpot-${{ matrix.image-type }}:${{ matrix.penpot-version }}
-          --no-push-cache
-          --credential-helpers=env
-          --annotation=org.opencontainers.image.ref.name=penpot-${{ matrix.image-type }}
-          --annotation=org.opencontainers.image.url=${{ forgejo.server_url }}/${{ forgejo.repository }}
-          --annotation=org.opencontainers.image.source=${{ forgejo.server_url }}/${{ forgejo.repository }}
--- a/.woodpecker/keycloak.yaml
+++ b/.woodpecker/keycloak.yaml
@ -0,0 +1,85 @@
+when:
+  - event: push
+    path: 
+      - 'keycloak/**'
+      - '.woodpecker/keycloak.yaml'
+  - event: cron
+    cron: daily
+
+# Manually set a workspace path, so we can use it literally, without using
+# ${CI_WORKSPACE}, when running kaniko, since using ${CI_WORKSPACE} doesn't work.
+# https://github.com/woodpecker-ci/woodpecker/issues/3982
+workspace:
+  path: src
+
+# Use matrix to set KEYCLOAK_VERSION instead of setting the KEYCLOAK_VERSION as
+# an environment variable in the build-images step, since string substitution
+# doesn't work for custom environment variables.
+# https://github.com/woodpecker-ci/woodpecker/issues/3983
+# Also because global environment variables aren't a thing.
+matrix:
+  KEYCLOAK_VERSION:
+    # renovate: datasource=docker depName=quay.io/keycloak/keycloak
+    - 26.5.7
+  IMAGE_NAME:
+  - git.hamburg.ccc.de/ccchh/oci-images/keycloak
+
+steps:
+  - name: setup-image-path
+    image: alpine
+    commands:
+      - mkdir /woodpecker/images
+
+  - name: build-attribute-endpoints-provider
+    image: alpine
+    commands:
+      - apk -u add maven git
+      - git clone https://git.hamburg.ccc.de/CCCHH/keycloak-attribute-endpoints-provider.git
+      - cd keycloak-attribute-endpoints-provider
+      - mvn -f attribute-endpoints-provider verify
+      - cp attribute-endpoints-provider/target/attribute-endpoints-provider-1.0-SNAPSHOT.jar /woodpecker/src/keycloak/attribute-endpoints-provider.jar
+
+  - name: build-image
+    image: gcr.io/kaniko-project/executor
+    entrypoint:
+      - /kaniko/executor
+      - --context=dir:///woodpecker/src/keycloak
+      - --dockerfile=./Containerfile
+      - --build-arg=TAG=${KEYCLOAK_VERSION}
+      - --destination=${IMAGE_NAME}:${KEYCLOAK_VERSION}
+      - --no-push
+      - --tar-path=/woodpecker/images/keycloak.tar
+
+  - name: publish-image
+    image: alpine
+    environment:
+      GIT_API_TOKEN:
+        from_secret: GIT_API_TOKEN
+    commands:
+      - apk -u add crane
+      - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN
+      - crane push /woodpecker/images/keycloak.tar $IMAGE_NAME:$KEYCLOAK_VERSION-$CI_COMMIT_BRANCH
+
+  - name: tag-version
+    image: alpine
+    when:
+      - branch: main
+    environment:
+      GIT_API_TOKEN:
+        from_secret: GIT_API_TOKEN
+    commands:
+      - apk -u add crane
+      - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN
+      - crane tag $IMAGE_NAME:$KEYCLOAK_VERSION-$CI_COMMIT_BRANCH $KEYCLOAK_VERSION
+
+  - name: tag-latest
+    image: alpine
+    when:
+      - branch: main
+    environment:
+      GIT_API_TOKEN:
+        from_secret: GIT_API_TOKEN
+    commands:
+      - apk -u add crane
+      - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN
+      - crane tag $IMAGE_NAME:$KEYCLOAK_VERSION-$CI_COMMIT_BRANCH latest
--- a/.woodpecker/nextcloud.yaml
+++ b/.woodpecker/nextcloud.yaml
@ -0,0 +1,78 @@
+when:
+  - event: push
+    path: 
+      - 'nextcloud/**'
+      - '.woodpecker/nextcloud.yaml'
+  - event: cron
+    cron: daily
+
+# Manually set a workspace path, so we can use it literally, without using
+# ${CI_WORKSPACE}, when running kaniko, since using ${CI_WORKSPACE} doesn't work.
+# https://github.com/woodpecker-ci/woodpecker/issues/3982
+workspace:
+  path: src
+
+# Use matrix to set NEXTCLOUD_VERSION instead of setting the NEXTCLOUD_VERSION as
+# an environment variable in the build-images step, since string substitution
+# doesn't work for custom environment variables.
+# https://github.com/woodpecker-ci/woodpecker/issues/3983
+# Also because global environment variables aren't a thing.
+matrix:
+  NEXTCLOUD_VERSION:
+    - 30
+    - 31
+    - 32
+  IMAGE_NAME:
+    - git.hamburg.ccc.de/ccchh/oci-images/nextcloud
+
+steps:
+  - name: setup-image-path
+    image: docker.io/library/alpine
+    commands:
+      - mkdir /woodpecker/images
+
+  - name: build-image
+    image: gcr.io/kaniko-project/executor
+    entrypoint:
+      - /kaniko/executor
+      - --context=dir:///woodpecker/src/nextcloud
+      - --dockerfile=./Containerfile
+      - --build-arg=TAG=${NEXTCLOUD_VERSION}
+      - --destination=${IMAGE_NAME}:${NEXTCLOUD_VERSION}
+      - --no-push
+      - --tar-path=/woodpecker/images/nextcloud.tar
+
+  - name: publish-image
+    image: docker.io/library/alpine
+    environment:
+      GIT_API_TOKEN:
+        from_secret: GIT_API_TOKEN
+    commands:
+      - apk -u add crane
+      - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN
+      - crane push /woodpecker/images/nextcloud.tar $IMAGE_NAME:$NEXTCLOUD_VERSION-$CI_COMMIT_BRANCH
+
+  - name: tag-version
+    image: docker.io/library/alpine
+    when:
+      - branch: main
+    environment:
+      GIT_API_TOKEN:
+        from_secret: GIT_API_TOKEN
+    commands:
+      - apk -u add crane
+      - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN
+      - crane tag $IMAGE_NAME:$NEXTCLOUD_VERSION-$CI_COMMIT_BRANCH $NEXTCLOUD_VERSION
+
+  - name: tag-latest
+    image: docker.io/library/alpine
+    when:
+      - branch: main
+        evaluate: 'NEXTCLOUD_VERSION == "29"'
+    environment:
+      GIT_API_TOKEN:
+        from_secret: GIT_API_TOKEN
+    commands:
+      - apk -u add crane
+      - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN
+      - crane tag $IMAGE_NAME:$NEXTCLOUD_VERSION-$CI_COMMIT_BRANCH latest
--- a/.woodpecker/penpot.yaml
+++ b/.woodpecker/penpot.yaml
@ -0,0 +1,98 @@
+when:
+  - event: push
+    path: 
+      - 'penpot/**'
+      - '.woodpecker/penpot.yaml'
+  - event: cron
+    cron: daily
+
+# Manually set a workspace path, so we can use it literally, without using
+# ${CI_WORKSPACE}, when running kaniko, since using ${CI_WORKSPACE} doesn't work.
+# https://github.com/woodpecker-ci/woodpecker/issues/3982
+workspace:
+  path: src
+
+# Use matrix to set PENPOT_VERSION instead of setting the PENPOT_VERSION as an
+# environment variable in the build-images step, since string substitution
+# doesn't work for custom environment variables.
+# https://github.com/woodpecker-ci/woodpecker/issues/3983
+# Also because global environment variables aren't a thing.
+matrix:
+  PENPOT_VERSION:
+    - 2.1.2
+  IMAGE_BASE_NAME:
+    - git.hamburg.ccc.de/ccchh/oci-images/penpot
+  IMAGE_TYPE:
+    - frontend
+    - backend
+    - exporter
+
+steps:
+  - name: setup-image-path
+    image: alpine
+    commands:
+      - mkdir /woodpecker/images
+
+  - name: setup-penpot-repo
+    image: alpine
+    commands:
+      - apk -u add git curl
+      - git clone --branch $PENPOT_VERSION https://github.com/penpot/penpot.git /woodpecker/penpot
+      - cd /woodpecker/penpot
+      - git submodule update --init --recursive
+      # Get build system patch allowing for building images with kaniko.
+      # https://github.com/penpot/penpot/pull/4945
+      # https://github.com/penpot/penpot/pull/4945/commits/752574bac789cc90cc218004bb9545cc6239895d
+      - curl https://github.com/penpot/penpot/commit/752574bac789cc90cc218004bb9545cc6239895d.patch > 0001-move-entire-image-build-process-into-Dockerfiles.patch
+      # Get patch disallowing registration with invitation token, when disable-login-with-password flag is set.
+      # https://github.com/penpot/penpot/issues/4975
+      # https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0
+      - curl https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0.patch > 0002-hotfix-dont-allow-registration-with-invite-if-password-login-is-disabled.patch
+      - git config user.name "Woodpecker"
+      - git config user.email "woodpecker@woodpecker.invalid"
+      - git am *.patch
+
+  - name: build-image
+    image: gcr.io/kaniko-project/executor
+    entrypoint:
+      - /kaniko/executor
+      - --context=dir:///woodpecker/penpot
+      - --dockerfile=./docker/images/Dockerfile.${IMAGE_TYPE}
+      - --destination=${IMAGE_BASE_NAME}/${IMAGE_TYPE}:${PENPOT_VERSION}
+      - --no-push
+      - --tar-path=/woodpecker/images/penpot-${IMAGE_TYPE}.tar
+
+  - name: publish-image
+    image: docker.io/library/alpine
+    environment:
+      GIT_API_TOKEN:
+        from_secret: GIT_API_TOKEN
+    commands:
+      - apk -u add crane
+      - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN
+      - crane push /woodpecker/images/penpot-$IMAGE_TYPE.tar $IMAGE_BASE_NAME/$IMAGE_TYPE:$PENPOT_VERSION-$CI_COMMIT_BRANCH
+
+  - name: tag-version
+    image: docker.io/library/alpine
+    when:
+      - branch: main
+    environment:
+      GIT_API_TOKEN:
+        from_secret: GIT_API_TOKEN
+    commands:
+      - apk -u add crane
+      - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN
+      - crane tag $IMAGE_BASE_NAME/$IMAGE_TYPE:$PENPOT_VERSION-$CI_COMMIT_BRANCH $PENPOT_VERSION
+
+  - name: tag-latest
+    image: docker.io/library/alpine
+    when:
+      - branch: main
+        evaluate: 'PENPOT_VERSION == "2.1.2"'
+    environment:
+      GIT_API_TOKEN:
+        from_secret: GIT_API_TOKEN
+    commands:
+      - apk -u add crane
+      - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN
+      - crane tag $IMAGE_BASE_NAME/$IMAGE_TYPE:$PENPOT_VERSION-$CI_COMMIT_BRANCH latest