jwright
83edaf5975
build-and-deploy / build (push) Failing after 15m10s
scripts/new-post.mjs writes schema-valid posts from flags or a JSON event (the IaC publish seam). Gitea Actions workflow: ci check, audit-ci gate, build, dist scan, CycloneDX SBOM, buildah build+push, and a least-privilege digest-bump PR to home-ops (never auto-merged). Renovate + audit allowlist.
36 lines
1.2 KiB
Bash
Executable File
36 lines
1.2 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Build + push the site image to the public Gitea registry using rootless buildah.
|
|
# Bootstrap path for M1-M4 (before the Gitea Actions runner exists in M5).
|
|
#
|
|
# Usage: scripts/build-image.sh [push]
|
|
# (no arg) -> build only
|
|
# push -> build then push, and print the pushed digest to pin in home-ops
|
|
#
|
|
# Requires: buildah (rootless) on the host, and `buildah login` to the registry
|
|
# for the push step (anonymous pull, authenticated push).
|
|
set -euo pipefail
|
|
|
|
REGISTRY="${REGISTRY:-git.bztmon.com}"
|
|
IMAGE="${IMAGE:-jwright/bztmon-site}"
|
|
REF="${REGISTRY}/${IMAGE}"
|
|
|
|
cd "$(dirname "$0")/.."
|
|
|
|
# Tag with the short git sha when available, else 'dev'.
|
|
TAG="$(git rev-parse --short HEAD 2>/dev/null || echo dev)"
|
|
|
|
echo ">> building ${REF}:${TAG}"
|
|
buildah build --layers -t "${REF}:${TAG}" -t "${REF}:latest" .
|
|
|
|
if [[ "${1:-}" == "push" ]]; then
|
|
echo ">> pushing ${REF}:${TAG}"
|
|
buildah push --digestfile /tmp/bztmon-site.digest "${REF}:${TAG}"
|
|
buildah push "${REF}:latest"
|
|
DIGEST="$(cat /tmp/bztmon-site.digest)"
|
|
echo
|
|
echo ">> pin this in home-ops kubernetes/apps/bztmon-site/bztmon-site.yaml:"
|
|
echo " image: ${REF}:${TAG}@${DIGEST}"
|
|
else
|
|
echo ">> built (not pushed). Re-run with: scripts/build-image.sh push"
|
|
fi
|