From a8cf867fe0e909be653f3a8356056c755193d64f Mon Sep 17 00:00:00 2001 From: ilia Date: Fri, 29 May 2026 16:14:54 -0500 Subject: [PATCH 01/14] ci: add homelab Gitea Actions workflow (ci-docker.yml) --- .gitea/workflows/ci.yml | 61 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .gitea/workflows/ci.yml diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml new file mode 100644 index 0000000..bee7b1c --- /dev/null +++ b/.gitea/workflows/ci.yml 
@@ -0,0 +1,61 @@ +--- +# Homelab CI — Docker/heavy lane (git-ci-02) +name: CI + +on: + push: + branches: [master, main] + pull_request: + types: [opened, synchronize, reopened] + +jobs: + skip-ci-check: + runs-on: [homelab, self-hosted, linux] + outputs: + should-skip: ${{ steps.check.outputs.skip }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 1 + - id: check + run: | + SKIP=0 + BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" + MSG="${GITHUB_EVENT_HEAD_COMMIT_MESSAGE:-$(git log -1 --pretty=%B 2>/dev/null || true)}" + echo "$BRANCH" "$MSG" | grep -qi '@skipci' && SKIP=1 + echo "skip=$SKIP" >> $GITHUB_OUTPUT + + docker-ci: + needs: skip-ci-check + if: needs.skip-ci-check.outputs.should-skip != '1' + runs-on: [homelab, self-hosted, linux, heavy, docker] + steps: + - uses: actions/checkout@v4 + + - name: Hadolint + run: | + shopt -s globstar nullglob + found=0 + for f in Dockerfile docker/**/Dockerfile */Dockerfile; do + [ -f "$f" ] || continue + found=1 + docker run --rm -i hadolint/hadolint < "$f" + done + [ "$found" -eq 1 ] || echo "No Dockerfile — skip hadolint" + + - name: Trivy config scan (advisory) + run: | + docker run --rm -v "$PWD:/repo" aquasec/trivy:latest config /repo || true + + secret-scan: + needs: skip-ci-check + if: needs.skip-ci-check.outputs.should-skip != '1' + runs-on: [homelab, self-hosted, linux, heavy] + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Gitleaks + run: | + docker run --rm -v "$PWD:/repo" ghcr.io/gitleaks/gitleaks:latest \ + detect --source /repo --no-banner --redact From 07e6e3c5ae0fdf65b0632b74c05dd1f0b0cf7dcb Mon Sep 17 00:00:00 2001 From: ilia Date: Fri, 29 May 2026 20:14:04 -0500 Subject: [PATCH 02/14] ci: sync workflow template (node container + host fixes) --- .gitea/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index bee7b1c..e81a91a 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml 
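Review bot: The `@skipci` opt-out computed in skip-ci-check also gates secret-scan (`if: needs.skip-ci-check.outputs.should-skip != '1'`), so the person pushing a commit decides whether gitleaks runs on it — a branch name or commit message containing `@skipci` bypasses the one check meant to catch what that commit adds. Drop the `needs:` / `if:` lines from secret-scan so it runs unconditionally, and leave the skip for the docker-ci lane only. Separately, every scanner runs from a floating tag (`hadolint/hadolint`, `aquasec/trivy:latest`, `ghcr.io/gitleaks/gitleaks:latest`) on a self-hosted runner with the workspace bind-mounted into it; pin each to a digest (`image@sha256:...`) so an upstream tag move cannot change what executes against the checkout. The `pull_request` trigger lands on the same self-hosted runners with a plain checkout; nothing here executes repository content (no `docker build`, no package install), which is worth stating in a comment (`# PR lane: lint/scan only — never build or run repo code on these runners`) since whether fork PRs reach these runners is not visible from the workflow.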
@@ -11,6 +11,8 @@ on: jobs: skip-ci-check: runs-on: [homelab, self-hosted, linux] + container: + image: node:20-bookworm outputs: should-skip: ${{ steps.check.outputs.skip }} steps: From 3ab85da5675b78f62e76eaed444bd73ebd084909 Mon Sep 17 00:00:00 2001 From: ilia Date: Fri, 29 May 2026 20:19:46 -0500 Subject: [PATCH 03/14] ci: refresh workflow (re-run pipelines) --- .gitea/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index e81a91a..3f53bd3 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -1,4 +1,5 @@ --- +# ci-sync: 2026-05-30T01:19:52Z # Homelab CI — Docker/heavy lane (git-ci-02) name: CI From 20c1f03dff83b39f92dde5dd56bf3e727bb3a271 Mon Sep 17 00:00:00 2001 From: ilia Date: Fri, 29 May 2026 20:25:05 -0500 Subject: [PATCH 04/14] ci: sync workflow template --- .gitea/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 3f53bd3..e81a91a 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -1,5 +1,4 @@ --- -# ci-sync: 2026-05-30T01:19:52Z # Homelab CI — Docker/heavy lane (git-ci-02) name: CI From c57f3012e9d4ea7500a1e419de47376a1d663796 Mon Sep 17 00:00:00 2001 From: ilia Date: Fri, 29 May 2026 20:27:17 -0500 Subject: [PATCH 05/14] ci: refresh workflow (re-run pipelines) --- .gitea/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index e81a91a..2e11938 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -1,4 +1,5 @@ --- +# ci-sync: 2026-05-30T01:27:24Z # Homelab CI — Docker/heavy lane (git-ci-02) name: CI From 584eff4c2a6d506d1250a3cc63862add10b15153 Mon Sep 17 00:00:00 2001 From: ilia Date: Fri, 29 May 2026 20:29:42 -0500 Subject: [PATCH 06/14] ci: refresh workflow (re-run pipelines) --- .gitea/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
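Review bot: `image: node:20-bookworm` is a mutable tag, so the environment of skip-ci-check can change on any re-pull; pin it by digest (`image: node:20-bookworm@sha256:<digest>`) and bump it deliberately. The job's only step runs `git log` and `grep`, so a comment explaining why a Node image is wanted here would help the next reader — presumably the synced template expects it, since the "host fixes" named in the subject are not in this diff — e.g. `# template default; this job itself only needs git + grep`. Note the `git log -1` fallback now executes inside this container, which therefore must ship git; check that before ever switching to a `-slim` or `-alpine` variant.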
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 2e11938..48cc08b 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -1,5 +1,5 @@ --- -# ci-sync: 2026-05-30T01:27:24Z +# ci-sync: 2026-05-30T01:29:49Z # Homelab CI — Docker/heavy lane (git-ci-02) name: CI From 9604812daab94aa1d90ad2a53b8c12929e55f49a Mon Sep 17 00:00:00 2001 From: ilia Date: Fri, 29 May 2026 21:18:46 -0500 Subject: [PATCH 07/14] ci: refresh workflow (re-run pipelines) --- .gitea/workflows/ci.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 48cc08b..8960bb4 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -1,5 +1,5 @@ --- -# ci-sync: 2026-05-30T01:29:49Z +# ci-sync: 2026-05-30T02:18:53Z # Homelab CI — Docker/heavy lane (git-ci-02) name: CI @@ -42,7 +42,8 @@ jobs: for f in Dockerfile docker/**/Dockerfile */Dockerfile; do [ -f "$f" ] || continue found=1 - docker run --rm -i hadolint/hadolint < "$f" + # Warnings (unpinned apt/pip) are advisory; only errors fail the job + docker run --rm -i hadolint/hadolint hadolint --failure-threshold error - < "$f" done [ "$found" -eq 1 ] || echo "No Dockerfile — skip hadolint" @@ -60,5 +61,9 @@ jobs: fetch-depth: 0 - name: Gitleaks run: | + extra="" + if [ -f .gitleaks.toml ]; then + extra="--config /repo/.gitleaks.toml" + fi docker run --rm -v "$PWD:/repo" ghcr.io/gitleaks/gitleaks:latest \ - detect --source /repo --no-banner --redact + detect --source /repo --no-banner --redact ${extra} From 75bde7ea3854ee87bb6c229422a2ca9775212397 Mon Sep 17 00:00:00 2001 From: ilia Date: Fri, 29 May 2026 21:18:48 -0500 Subject: [PATCH 08/14] ci: add homelab gitleaks allowlist --- .gitleaks.toml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .gitleaks.toml diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 0000000..3587bd4 --- /dev/null +++ b/.gitleaks.toml 
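Review bot: The gitleaks policy is now read from the repository under scan (`--config /repo/.gitleaks.toml` whenever that file exists), so the same push that introduces a secret can also add or widen the allowlist that hides it, and on `pull_request` runs the config comes from the PR head. Keep the config on the runner/template side — mount it from a path outside `$PWD` and pass that path — or at minimum protect `.gitleaks.toml` with required review so allowlist edits cannot land in the same unreviewed commit. The unquoted `${extra}` relies on word-splitting to pass two arguments; `args=(); [ -f .gitleaks.toml ] && args=(--config /repo/.gitleaks.toml)` followed by `"${args[@]}"` on the docker line expresses that without the unquoted expansion. The hadolint hunk's `--failure-threshold error` demotes the unpinned-apt/pip warnings to advisory, and the added comment says so; that is fine as long as those warnings stay visible in the job log.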
@@ -0,0 +1,19 @@ +# Homelab bootstrap — gitleaks allowlist (tests, examples, placeholders) +title = "homelab gitea bootstrap" + +[allowlist] +description = "Test fixtures and example configs are not production secrets" +paths = [ + '''(?i).*\.test\.(ts|tsx|js|jsx|py)$''', + '''(?i).*\.spec\.(ts|tsx|js|jsx)$''', + '''(?i).*/tests/.*''', + '''(?i).*/__tests__/.*''', + '''(?i).*\.example\.(yml|yaml|env|json|toml)$''', + '''(?i).*vault\.example\.(yml|yaml)$''', + '''(?i).*\.env\.example$''', +] +regexes = [ + '''(?i)(invalid|fake|dummy|placeholder|example|changeme|change_me|not-a-real)''', + '''(?i)sk-or-invalid''', + '''(?i)msk-or-invalid''', +] From db36aa2a41232c2d8c2495962eba2e22e1c5dfe9 Mon Sep 17 00:00:00 2001 From: ilia Date: Fri, 29 May 2026 21:23:14 -0500 Subject: [PATCH 09/14] ci: refresh workflow (re-run pipelines) --- .gitea/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 8960bb4..0948b15 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -1,5 +1,5 @@ --- -# ci-sync: 2026-05-30T02:18:53Z +# ci-sync: 2026-05-30T02:23:21Z # Homelab CI — Docker/heavy lane (git-ci-02) name: CI From 529971dcf418610e355e580fe4a410c39d1d747e Mon Sep 17 00:00:00 2001 From: ilia Date: Fri, 29 May 2026 21:23:15 -0500 Subject: [PATCH 10/14] ci: sync gitleaks allowlist From 9e97261ef6079a0a31f0c39d559e1bd381995f0c Mon Sep 17 00:00:00 2001 From: ilia Date: Fri, 29 May 2026 21:27:41 -0500 Subject: [PATCH 11/14] ci: refresh workflow (re-run pipelines) --- .gitea/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 0948b15..5bb4c92 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -1,5 +1,5 @@ --- -# ci-sync: 2026-05-30T02:23:21Z +# ci-sync: 2026-05-30T02:27:48Z # Homelab CI — Docker/heavy lane (git-ci-02) name: CI 
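Review bot: This config has no `[extend]` section; gitleaks loads its built-in rules for a `--config` file only when that file says `[extend]` / `useDefault = true`, otherwise the file is the complete rule set — and this one contains no `[[rules]]` — so, to my reading of the gitleaks docs, the scan would have nothing to detect and the allowlist would be moot. Add `[extend]` and `useDefault = true` above `[allowlist]`, and verify against whatever `:latest` resolves to, since the preferred allowlist schema has also shifted between releases. The path patterns `(?i).*/tests/.*`, `(?i).*/__tests__/.*` and `(?i).*\.env\.example$` exempt whole directories and file classes, which are common places for real credentials to be copied into; prefer exempting by value (the placeholder regexes already here) and scope any path rule to fixture file types rather than entire trees. The value regexes are unanchored substring matches, so a real token that merely contains "example" or "dummy" is suppressed; anchor them (`^...$`) or tighten them to the full placeholder strings you actually use. A header comment such as `# Read from the scanned repo by CI — changes here need the same review as the workflow` would make the trust boundary explicit.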
From e5f383786fbc7499aa0e0d74b956a4d76f7e4ded Mon Sep 17 00:00:00 2001 From: ilia Date: Fri, 29 May 2026 21:27:41 -0500 Subject: [PATCH 12/14] ci: sync gitleaks allowlist From fd8eec3c70a783b631efd056cf29f846453d36f1 Mon Sep 17 00:00:00 2001 From: ilia Date: Fri, 29 May 2026 21:31:12 -0500 Subject: [PATCH 13/14] ci: refresh workflow (re-run pipelines) --- .gitea/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 5bb4c92..50448bd 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -1,5 +1,5 @@ --- -# ci-sync: 2026-05-30T02:27:48Z +# ci-sync: 2026-05-30T02:31:18Z # Homelab CI — Docker/heavy lane (git-ci-02) name: CI From e1bf495afa61261f1a0641c180175f2a3571e928 Mon Sep 17 00:00:00 2001 From: ilia Date: Fri, 29 May 2026 21:31:12 -0500 Subject: [PATCH 14/14] ci: sync gitleaks allowlist