From a7962eec09c800d89b295559fd6257d2e803ba75 Mon Sep 17 00:00:00 2001 From: David Culbreth Date: Fri, 20 Mar 2026 16:12:45 -0500 Subject: [PATCH] auto-detect cluster registry host --- .gitea/workflows/publish.yml | 30 ++++++++++++++++------ Makefile | 10 ++++++-- docs/deployment/gitea-registry-and-helm.md | 2 +- gitleaks.sarif | 17 ++++++++++++ 4 files changed, 48 insertions(+), 11 deletions(-) create mode 100644 gitleaks.sarif diff --git a/.gitea/workflows/publish.yml b/.gitea/workflows/publish.yml index 95b0eeb..50c7e12 100644 --- a/.gitea/workflows/publish.yml +++ b/.gitea/workflows/publish.yml @@ -38,6 +38,8 @@ jobs: registry="${REGISTRY_HOST}" namespace="${REGISTRY_NAMESPACE}" registry_plain_http_raw="${REGISTRY_PLAIN_HTTP:-}" + registry_host_only="${registry%%:*}" + registry_plain_http_default="false" if [ -z "$registry" ]; then echo "CLUSTER_GITEA_HOST app variable is required" @@ -48,14 +50,26 @@ jobs: namespace="${{ github.repository_owner }}" fi - case "$(printf '%s' "$registry_plain_http_raw" | tr '[:upper:]' '[:lower:]')" in - 1|true|yes|on) - registry_plain_http="true" - ;; - *) - registry_plain_http="false" - ;; - esac + if printf '%s' "$registry_host_only" | grep -Eq '(^|[.])svc[.]cluster[.]local$'; then + registry_plain_http_default="true" + fi + + if [ -n "$registry_plain_http_raw" ]; then + case "$(printf '%s' "$registry_plain_http_raw" | tr '[:upper:]' '[:lower:]')" in + 1|true|yes|on) + registry_plain_http="true" + ;; + 0|false|no|off) + registry_plain_http="false" + ;; + *) + echo "CONTAINER_REGISTRY_INSECURE must be a boolean when set" + exit 1 + ;; + esac + else + registry_plain_http="$registry_plain_http_default" + fi short_sha="$(printf '%s' "${{ github.sha }}" | cut -c1-12)" ref_type="${{ github.ref_type }}" diff --git a/Makefile b/Makefile index 5517920..985b195 100644 --- a/Makefile +++ b/Makefile 
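Review bot: `registry_host_only="${registry%%:*}"` strips from the first colon, so it only yields a hostname when CLUSTER_GITEA_HOST is a bare host[:port]; a value carrying a scheme (`https://host`) or an IPv6 literal leaves a string that is not a host and simply never matches the auto-detect pattern. That fails safe (plain HTTP stays off), but the reason should be recorded so the next reader does not "fix" the expansion: `# host without :port; CLUSTER_GITEA_HOST is documented as a bare hostname (no scheme)`. The `run:` script this sits in starts before and continues after the hunk.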
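Review bot: The new `else` branch switches the registry to plain HTTP silently whenever the host matches the `svc.cluster.local` pattern, so the job log no longer shows whether TLS was disabled by an explicit `CONTAINER_REGISTRY_INSECURE` or by the hostname heuristic. Echo the effective choice and its source in that branch, e.g. `echo "CONTAINER_REGISTRY_INSECURE unset; plain HTTP=$registry_plain_http_default (auto-detected from host $registry_host_only)"`, so an unexpected downgrade is visible when reviewing the run output. The added `echo "CONTAINER_REGISTRY_INSECURE must be a boolean when set"` goes to stdout before `exit 1`; `>&2` would surface it as a failure message, although the existing check above the hunk uses the same style, so either keep both consistent or change both. The script continues outside the hunk on both sides.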
@@ -349,6 +349,11 @@ ci-web-blocking: cd web && npm run typecheck cd web && npm run build +ci-web-pre-commit: + cd web && npm ci + cd web && npm run lint + cd web && npm run typecheck + ci-web-advisory: cd web && npm ci cd web && npm run knip @@ -389,8 +394,9 @@ licenses: cargo license --json > licenses.json @echo "License information saved to licenses.json" -# All blocking checks run by the git pre-commit hook after formatting -pre-commit: deny ci-web-blocking ci-security-blocking +# Blocking checks run by the git pre-commit hook after formatting. +# Keep the local web step fast; full production builds stay in CI. +pre-commit: deny ci-web-pre-commit ci-security-blocking @echo "✅ Pre-commit checks passed." install-git-hooks: diff --git a/docs/deployment/gitea-registry-and-helm.md b/docs/deployment/gitea-registry-and-helm.md index 1fbc35c..0370dd2 100644 --- a/docs/deployment/gitea-registry-and-helm.md +++ b/docs/deployment/gitea-registry-and-helm.md @@ -30,7 +30,7 @@ Set these variables: - `CLUSTER_GITEA_HOST`: Registry hostname only, for example `gitea.example.com` - `CONTAINER_REGISTRY_NAMESPACE`: Optional override for the registry namespace. If omitted, the workflow uses the repository owner. -- `CONTAINER_REGISTRY_INSECURE`: Optional boolean toggle for plain HTTP registries. Set to `true` for cluster-internal registries such as `gitea-http.gitea.svc.cluster.local`. +- `CONTAINER_REGISTRY_INSECURE`: Optional boolean override for plain HTTP registry access. If omitted, the workflow auto-detects `*.svc.cluster.local` registry hosts and treats them as insecure/plain HTTP. Set this explicitly to force either behavior. Set one of these authentication options: diff --git a/gitleaks.sarif b/gitleaks.sarif new file mode 100644 index 0000000..7dab7c3 --- /dev/null +++ b/gitleaks.sarif 
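Review bot: `ci-web-pre-commit` is a command target rather than a file, and the hunk does not add it to a `.PHONY` list; unless the file's `.PHONY` declaration elsewhere already covers it, a stray file or directory named `ci-web-pre-commit` would make the target look up to date and silently skip lint and typecheck. Declare it alongside its siblings, e.g. `.PHONY: ci-web-pre-commit`. The second hunk's new comment promises a fast local step, but the first recipe line `cd web && npm ci` removes and reinstalls `node_modules` on every commit, so the saving is only the dropped `npm run build`; keeping `npm ci` is the right call for lockfile fidelity, but the comment should state that cost rather than imply the step is cheap.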
@@ -0,0 +1,17 @@ +{ + "$schema": "https://json.schemastore.org/sarif-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "gitleaks", + "semanticVersion": "v8.0.0", + "informationUri": "https://github.com/gitleaks/gitleaks", + "rules": [] + } + }, + "results": [] + } + ] +}