From 28d02c88a374c0d47a720eafaf6886cad85d4f7d Mon Sep 17 00:00:00 2001
From: Walter Oggioni
Date: Thu, 14 Aug 2025 20:54:11 +0800
Subject: [PATCH] test exposing ssh keys during docker build
---
.gitea/workflows/build-nginx.yaml | 33 ++++++++++++++++++++++++++-----
nginx/Dockerfile | 16 ++++++++++++---
2 files changed, 41 insertions(+), 8 deletions(-)
diff --git a/.gitea/workflows/build-nginx.yaml b/.gitea/workflows/build-nginx.yaml
index 7b33dc8..a90834e 100644
--- a/.gitea/workflows/build-nginx.yaml
+++ b/.gitea/workflows/build-nginx.yaml
@@ -25,7 +25,7 @@ jobs:
 username: woggioni
 password: ${{ secrets.PUBLISHER_TOKEN }}
 -
- name: Build and push nginx images
+ name: Build and push nginx vanilla images
 uses: docker/build-push-action@v6
 with:
 context: "{{defaultContext}}:nginx"
@@ -34,12 +34,35 @@ jobs:
 linux/arm64
 push: true
 pull: true
+ ssh: default=/home/luser/.ssh/id_ed25519
 tags: |
 "gitea.woggioni.net/woggioni/nginx:latest"
 "gitea.woggioni.net/woggioni/nginx:v1.29.1"
 secrets: |
 GIT_AUTH_TOKEN.github.com=${{ secrets.GH_ACCESS_TOKEN }}
- build-args: "NGINX_VERSION=1.29.1"
- cache-from: type=registry,ref=gitea.woggioni.net/woggioni/nginx:buildx
- cache-to: type=registry,mode=max,compression=zstd,image-manifest=true,oci-mediatypes=true,ref=gitea.woggioni.net/woggioni/nginx:buildx
-
+ build-args: |
+ NGINX_VERSION=1.29.1
+ NGINX_BRANCH=vanilla
+ cache-from: type=registry,ref=gitea.woggioni.net/woggioni/nginx:buildx-vanilla
+ cache-to: type=registry,mode=max,compression=zstd,image-manifest=true,oci-mediatypes=true,ref=gitea.woggioni.net/woggioni/nginx:buildx-woggioni
+ -
+ name: Build and push nginx custom images
+ uses: docker/build-push-action@v6
+ with:
+ context: "{{defaultContext}}:nginx"
+ platforms: |
+ linux/amd64
+ linux/arm64
+ push: true
+ pull: true
+ ssh: default=/home/luser/.ssh/id_ed25519
+ tags: |
+ "gitea.woggioni.net/woggioni/nginx:woggioni"
+ "gitea.woggioni.net/woggioni/nginx:v1.29.1-woggioni"
+ secrets: |
+ GIT_AUTH_TOKEN.github.com=${{ secrets.GH_ACCESS_TOKEN }}
+ build-args: |
+ NGINX_VERSION=1.29.1
+ NGINX_BRANCH=woggioni
+ cache-from: type=registry,ref=gitea.woggioni.net/woggioni/nginx:buildx-woggioni
+ cache-to: type=registry,mode=max,compression=zstd,image-manifest=true,oci-mediatypes=true,ref=gitea.woggioni.net/woggioni/nginx:buildx-woggioni
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 2b703b9..42d5338 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
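Review bot: The vanilla step's registry cache is wired inconsistently: its `cache-from` reads `gitea.woggioni.net/woggioni/nginx:buildx-vanilla` while its `cache-to` writes `gitea.woggioni.net/woggioni/nginx:buildx-woggioni`, so the vanilla build never refills the cache it reads and overwrites the one the custom step depends on; the write line should be `cache-to: type=registry,mode=max,compression=zstd,image-manifest=true,oci-mediatypes=true,ref=gitea.woggioni.net/woggioni/nginx:buildx-vanilla`. Separately, `ssh: default=/home/luser/.ssh/id_ed25519` in both steps forwards a personal private key from the runner's home directory to every build of this workflow and ties the workflow to that one runner's filesystem. A read-only deploy key scoped to the single fork that needs SSH, or an HTTPS fetch using the `GIT_AUTH_TOKEN.github.com` secret that is already passed, keeps the key material out of the build entirely; if forwarding stays, a comment on the `ssh:` line stating which instruction needs it and why HTTPS is not used would help the next reader judge whether it can be removed.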
@@ -1,8 +1,7 @@ - FROM alpine:latest AS base -FROM alpine:latest AS build -ARG NGINX_VERSION LIBRESSL_VERSION=4.1.0 +FROM alpine:latest AS build_stage_1 +ARG NGINX_VERSION LIBRESSL_VERSION=4.1.0 NGINX_BRANCH=vanilla ENV NGINX_VERSION=${NGINX_VERSION} RUN --mount=type=cache,target=/var/cache/apk apk update RUN --mount=type=cache,target=/var/cache/apk apk add \ @@ -42,6 +41,8 @@ USER luser WORKDIR /home/luser #RUN git clone --depth 1 --branch v4.0.0 https://github.com/libressl/portable.git libressl +#RUN git clone --depth 1 --branch v4.0.0 https://github.com/libressl/portable.git libressl +#ADD --chown=luser:luser git@github.com:libressl/portable.git#v${LIBRESSL_VERSION} libressl ADD --chown=luser:luser https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${LIBRESSL_VERSION}.tar.gz libressl.tgz RUN tar -xzf libressl.tgz && mv libressl-${LIBRESSL_VERSION} libressl && rm libressl.tgz RUN mkdir -p libressl/build @@ -55,7 +56,16 @@ RUN cmake -G Ninja -B libressl/build -S libressl \ -DBUILD_SHARED_LIBS=OFF RUN cmake --build libressl/build +FROM build_stage_1 AS build_stage_2_vanilla +ARG NGINX_VERSION ADD --chown=luser:luser https://github.com/nginx/nginx.git#release-${NGINX_VERSION} /nginx + +FROM build_stage_1 AS build_stage_2_woggioni +ARG NGINX_VERSION +ADD --chown=luser:luser git@github.com:woggioni/nginx.git#release-${NGINX_VERSION} /nginx + +FROM build_stage_2_${NGINX_BRANCH} AS build +ARG NGINX_BRANCH=vanilla ADD --chown=luser:luser https://github.com/openresty/headers-more-nginx-module.git /ngx_headers_more ADD --chown=luser:luser https://github.com/google/ngx_brotli.git /ngx_brotli USER root
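Review bot: `NGINX_BRANCH=vanilla` is declared in the stage-scoped `ARG` that follows `FROM alpine:latest AS build_stage_1`, but the new `FROM build_stage_2_${NGINX_BRANCH} AS build` in the last hunk of this file can only expand variables from `ARG` instructions placed before the first `FROM`; with nothing declared ahead of line 1, the stage name expands to `build_stage_2_` and the build should fail to resolve it. Add `ARG NGINX_BRANCH=vanilla` as the first instruction of the file, above the first `FROM`, and keep a bare `ARG NGINX_BRANCH` inside any stage that reads the value in `RUN` or `ENV`. The same scoping applies to the `ARG NGINX_BRANCH=vanilla` redeclared inside the `build` stage in that last hunk, which has no effect on the `FROM` line it follows.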
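Review bot: The added `#RUN git clone --depth 1 --branch v4.0.0 https://github.com/libressl/portable.git libressl` is an exact duplicate of the commented-out line directly above it, and the `#ADD --chown=luser:luser git@github.com:libressl/portable.git#v${LIBRESSL_VERSION} libressl` beneath is dead code that carries an SSH fetch. Drop both, or keep a single alternative with a one-line comment stating why the tarball download is preferred, e.g. `# tarball over HTTPS: no SSH key forwarding needed for this stage`; commented-out `git@` URLs tend to be re-enabled later without revisiting whether key forwarding is still justified.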
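Review bot: `ADD --chown=luser:luser git@github.com:woggioni/nginx.git#release-${NGINX_VERSION} /nginx` is the only instruction in this file that depends on the forwarded SSH key, while the sibling `build_stage_2_vanilla` fetches the same kind of ref over HTTPS; if the fork is readable with the `GIT_AUTH_TOKEN.github.com` secret the workflow already supplies, `ADD --chown=luser:luser https://github.com/woggioni/nginx.git#release-${NGINX_VERSION} /nginx` removes the need to expose a private key to the build at all. If SSH has to stay, state in a comment above the `ADD` how the github.com host key is verified for this fetch, since BuildKit's git source rather than the runner's ssh configuration decides that policy and it should be confirmed rather than assumed. The two `build_stage_2_*` stages are otherwise identical apart from the source URL, so a short comment on `FROM build_stage_2_${NGINX_BRANCH} AS build` noting that `NGINX_BRANCH` selects the stage by name would make the indirection obvious to a reader.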