From c6fe7cbd3a38e2b8bebbc37b71bcba9a67b4d5c7 Mon Sep 17 00:00:00 2001
From: ilia
Date: Fri, 29 May 2026 16:15:08 -0500
Subject: [PATCH 01/14] ci: add homelab Gitea Actions workflow (ci-docker.yml)
---
 .gitea/workflows/ci.yml | 61 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 .gitea/workflows/ci.yml
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
new file mode 100644
index 0000000..bee7b1c
--- /dev/null
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,61 @@
+---
+# Homelab CI — Docker/heavy lane (git-ci-02)
+name: CI
+
+on:
+ push:
+ branches: [master, main]
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+jobs:
+ skip-ci-check:
+ runs-on: [homelab, self-hosted, linux]
+ outputs:
+ should-skip: ${{ steps.check.outputs.skip }}
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - id: check
+ run: |
+ SKIP=0
+ BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
+ MSG="${GITHUB_EVENT_HEAD_COMMIT_MESSAGE:-$(git log -1 --pretty=%B 2>/dev/null || true)}"
+ echo "$BRANCH" "$MSG" | grep -qi '@skipci' && SKIP=1
+ echo "skip=$SKIP" >> $GITHUB_OUTPUT
+
+ docker-ci:
+ needs: skip-ci-check
+ if: needs.skip-ci-check.outputs.should-skip != '1'
+ runs-on: [homelab, self-hosted, linux, heavy, docker]
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Hadolint
+ run: |
+ shopt -s globstar nullglob
+ found=0
+ for f in Dockerfile docker/**/Dockerfile */Dockerfile; do
+ [ -f "$f" ] || continue
+ found=1
+ docker run --rm -i hadolint/hadolint < "$f"
+ done
+ [ "$found" -eq 1 ] || echo "No Dockerfile — skip hadolint"
+
+ - name: Trivy config scan (advisory)
+ run: |
+ docker run --rm -v "$PWD:/repo" aquasec/trivy:latest config /repo || true
+
+ secret-scan:
+ needs: skip-ci-check
+ if: needs.skip-ci-check.outputs.should-skip != '1'
+ runs-on: [homelab, self-hosted, linux, heavy]
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Gitleaks
+ run: |
+ docker run --rm -v "$PWD:/repo" ghcr.io/gitleaks/gitleaks:latest \
+ detect --source /repo --no-banner --redact
From 9cfe05bd96caa0e663eb2e73ad51da7aad5f543b Mon Sep 17 00:00:00 2001
From: ilia
Date: Fri, 29 May 2026 20:15:07 -0500
Subject: [PATCH 02/14] ci: sync workflow template (node container + host fixes)
---
 .gitea/workflows/ci.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index bee7b1c..e81a91a 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
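Review bot: The `@skipci` gate in `skip-ci-check` is fed by `GITHUB_HEAD_REF` and the head commit message, both of which are chosen by whoever opens the pull request, so on `pull_request` events the submitter can switch off `secret-scan` and `docker-ci` simply by naming a branch or commit accordingly. Keeping the skip for `push` but dropping the `needs:`/`if:` lines from `secret-scan`, or limiting the skip to `if: github.event_name == 'push' && needs.skip-ci-check.outputs.should-skip == '1'`-style conditions, keeps the secret scan unconditional on contributions. Separately, every scanner image in this job runs on self-hosted runners by floating tag — `hadolint/hadolint`, `aquasec/trivy:latest`, `ghcr.io/gitleaks/gitleaks:latest` — and `actions/checkout@v4` is a movable tag too; pinning images as `<image>@sha256:<digest>` (a placeholder, resolve each digest once) makes the scan toolchain reproducible and stops an upstream tag move from silently changing what executes on the host. The same applies to the `node:20-bookworm` container added in the next hunk and to the rewritten `hadolint/hadolint` call later in this series.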
@@ -11,6 +11,8 @@ on:
 jobs:
 skip-ci-check:
 runs-on: [homelab, self-hosted, linux]
+ container:
+ image: node:20-bookworm
 outputs:
 should-skip: ${{ steps.check.outputs.skip }}
 steps:
From d21741c5b0fe0b96a17549c31b850c1c215396a8 Mon Sep 17 00:00:00 2001
From: ilia
Date: Fri, 29 May 2026 20:20:47 -0500
Subject: [PATCH 03/14] ci: refresh workflow (re-run pipelines)
---
 .gitea/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index e81a91a..a10a45f 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -1,4 +1,5 @@
 ---
+# ci-sync: 2026-05-30T01:20:53Z
 # Homelab CI — Docker/heavy lane (git-ci-02)
 name: CI
 
From e6bd689a2285c233735310c33301abd341984a4c Mon Sep 17 00:00:00 2001
From: ilia
Date: Fri, 29 May 2026 20:26:18 -0500
Subject: [PATCH 04/14] ci: sync workflow template
---
 .gitea/workflows/ci.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index a10a45f..e81a91a 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -1,5 +1,4 @@
 ---
-# ci-sync: 2026-05-30T01:20:53Z
 # Homelab CI — Docker/heavy lane (git-ci-02)
 name: CI
 
From eaa03d115b1a9e73e2cfa2b6ca7d3249c7e55001 Mon Sep 17 00:00:00 2001
From: ilia
Date: Fri, 29 May 2026 20:28:42 -0500
Subject: [PATCH 05/14] ci: refresh workflow (re-run pipelines)
---
 .gitea/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index e81a91a..c8d183b 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -1,4 +1,5 @@
 ---
+# ci-sync: 2026-05-30T01:28:48Z
 # Homelab CI — Docker/heavy lane (git-ci-02)
 name: CI
 
From 4fd6c4f24cbc973f19988cc007c1c50dac4645bc Mon Sep 17 00:00:00 2001
From: ilia
Date: Fri, 29 May 2026 20:31:01 -0500
Subject: [PATCH 06/14] ci: refresh workflow (re-run pipelines)
---
 .gitea/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index c8d183b..4423808 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -1,5 +1,5 @@
 ---
-# ci-sync: 2026-05-30T01:28:48Z
+# ci-sync: 2026-05-30T01:31:07Z
 # Homelab CI — Docker/heavy lane (git-ci-02)
 name: CI
 
From d876a67244005bec0e30493096cb33f4ca08025b Mon Sep 17 00:00:00 2001
From: ilia
Date: Fri, 29 May 2026 21:19:56 -0500
Subject: [PATCH 07/14] ci: refresh workflow (re-run pipelines)
---
 .gitea/workflows/ci.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 4423808..aa938db 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -1,5 +1,5 @@
 ---
-# ci-sync: 2026-05-30T01:31:07Z
+# ci-sync: 2026-05-30T02:20:03Z
 # Homelab CI — Docker/heavy lane (git-ci-02)
 name: CI
 
@@ -42,7 +42,8 @@ jobs:
 for f in Dockerfile docker/**/Dockerfile */Dockerfile; do
 [ -f "$f" ] || continue
 found=1
- docker run --rm -i hadolint/hadolint < "$f"
+ # Warnings (unpinned apt/pip) are advisory; only errors fail the job
+ docker run --rm -i hadolint/hadolint hadolint --failure-threshold error - < "$f"
 done
 [ "$found" -eq 1 ] || echo "No Dockerfile — skip hadolint"
 
@@ -60,5 +61,9 @@ jobs:
 fetch-depth: 0
 - name: Gitleaks
 run: |
+ extra=""
+ if [ -f .gitleaks.toml ]; then
+ extra="--config /repo/.gitleaks.toml"
+ fi
 docker run --rm -v "$PWD:/repo" ghcr.io/gitleaks/gitleaks:latest \
- detect --source /repo --no-banner --redact
+ detect --source /repo --no-banner --redact ${extra}
From ef5d4df233a1e911dce9781203f86e185e857153 Mon Sep 17 00:00:00 2001
From: ilia
Date: Fri, 29 May 2026 21:19:59 -0500
Subject: [PATCH 08/14] ci: add homelab gitleaks allowlist
---
 .gitleaks.toml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .gitleaks.toml
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..3587bd4
--- /dev/null
+++ b/.gitleaks.toml
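Review bot: The comment added above the hadolint call says only the unpinned apt/pip warnings are advisory, but `--failure-threshold error` demotes every warning-level rule, not just those two. If the intent is specifically to tolerate unpinned package versions, `--ignore DL3008 --ignore DL3013` (pin apt / pin pip) keeps the remaining warnings failing the job and makes the comment accurate; otherwise reword it to `# All hadolint warnings are advisory; only error-level findings fail the job`. The step's `run:` header and the `found=0`/`shopt` setup sit outside this hunk.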
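Review bot: The `--config /repo/.gitleaks.toml` added to the Gitleaks step points the scanner at an allowlist that lives inside the checkout being scanned, so a commit that introduces a secret can carry, in the same change, an allowlist entry that hides it, and `secret-scan` will still pass. For the scan to work as a control rather than a self-report, keep the allowlist outside the repository (mount it from the runner, e.g. `-v "<host-config-path>:/cfg.toml:ro"` with `--config /cfg.toml`) or at least treat any diff touching `.gitleaks.toml` as requiring review. If I recall gitleaks' config lookup correctly it already reads a `.gitleaks.toml` at the root of `--source` when no `--config` is given, so the `extra` branching may be redundant — worth confirming against the gitleaks version actually used. The unquoted `${extra}` is intentional word-splitting into two arguments; a comment such as `# unquoted on purpose: splits into --config <path>` would spare the next reader the question.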
@@ -0,0 +1,19 @@
+# Homelab bootstrap — gitleaks allowlist (tests, examples, placeholders)
+title = "homelab gitea bootstrap"
+
+[allowlist]
+description = "Test fixtures and example configs are not production secrets"
+paths = [
+ '''(?i).*\.test\.(ts|tsx|js|jsx|py)$''',
+ '''(?i).*\.spec\.(ts|tsx|js|jsx)$''',
+ '''(?i).*/tests/.*''',
+ '''(?i).*/__tests__/.*''',
+ '''(?i).*\.example\.(yml|yaml|env|json|toml)$''',
+ '''(?i).*vault\.example\.(yml|yaml)$''',
+ '''(?i).*\.env\.example$''',
+]
+regexes = [
+ '''(?i)(invalid|fake|dummy|placeholder|example|changeme|change_me|not-a-real)''',
+ '''(?i)sk-or-invalid''',
+ '''(?i)msk-or-invalid''',
+]
From 60c57bc351abe33179605d25cff6d6694e572be3 Mon Sep 17 00:00:00 2001
From: ilia
Date: Fri, 29 May 2026 21:24:13 -0500
Subject: [PATCH 09/14] ci: refresh workflow (re-run pipelines)
---
 .gitea/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index aa938db..532ddd7 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -1,5 +1,5 @@
 ---
-# ci-sync: 2026-05-30T02:20:03Z
+# ci-sync: 2026-05-30T02:24:18Z
 # Homelab CI — Docker/heavy lane (git-ci-02)
 name: CI
 
From e2f980ad1a6a45393f800f8c63866e7ff22fe58c Mon Sep 17 00:00:00 2001
From: ilia
Date: Fri, 29 May 2026 21:24:22 -0500
Subject: [PATCH 10/14] ci: sync gitleaks allowlist
From 7279c57955d0c61a203b902ffb6d83a6146b41dd Mon Sep 17 00:00:00 2001
From: ilia
Date: Fri, 29 May 2026 21:28:28 -0500
Subject: [PATCH 11/14] ci: refresh workflow (re-run pipelines)
---
 .gitea/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 532ddd7..f7f2d91 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -1,5 +1,5 @@
 ---
-# ci-sync: 2026-05-30T02:24:18Z
+# ci-sync: 2026-05-30T02:28:34Z
 # Homelab CI — Docker/heavy lane (git-ci-02)
 name: CI
 
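Review bot: The `paths` entries `(?i).*/tests/.*` and `(?i).*/__tests__/.*` exclude every file under any test directory from scanning, and test fixtures are one of the more common places for a real credential to land (a recorded HTTP cassette, a copied `.env`), so this is broader than the description's "not production secrets" suggests. Narrowing these to the fixture patterns the repositories actually use, or dropping the directory-wide entries and relying on the `regexes` allowlist for known dummy values, keeps real tokens inside tests visible to the scan. In `regexes`, `(?i)sk-or-invalid` and `(?i)msk-or-invalid` are already covered by the `invalid` alternative of the first pattern and can be removed; note also that, if I read the gitleaks config model correctly, allowlist regexes are matched against the detected secret unless `regexTarget` says otherwise, so words like `example` only exempt secrets that themselves contain that text — confirm this is the intended scope. Because this file is read from the checkout it governs, changes to it deserve the same review attention as the code they exempt.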
From 2658bc7b07b549f784baa1aca24a1067a1f43349 Mon Sep 17 00:00:00 2001
From: ilia
Date: Fri, 29 May 2026 21:28:30 -0500
Subject: [PATCH 12/14] ci: sync gitleaks allowlist
From c0b09b1d6bf3bf0a20bd6d43f1c1861691cba6ce Mon Sep 17 00:00:00 2001
From: ilia
Date: Fri, 29 May 2026 21:31:56 -0500
Subject: [PATCH 13/14] ci: refresh workflow (re-run pipelines)
---
 .gitea/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index f7f2d91..483cc69 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -1,5 +1,5 @@
 ---
-# ci-sync: 2026-05-30T02:28:34Z
+# ci-sync: 2026-05-30T02:32:03Z
 # Homelab CI — Docker/heavy lane (git-ci-02)
 name: CI
 
From 2db7ee88c9462b98e3cccc609d9a66280877101b Mon Sep 17 00:00:00 2001
From: ilia
Date: Fri, 29 May 2026 21:31:59 -0500
Subject: [PATCH 14/14] ci: sync gitleaks allowlist