auto-detect cluster registry host

2026-03-20 16:12:45 -05:00
parent 2182be1008
commit a7962eec09
4 changed files with 48 additions and 11 deletions
--- a/.gitea/workflows/publish.yml
+++ b/.gitea/workflows/publish.yml
@@ -38,6 +38,8 @@ jobs:
          registry="${REGISTRY_HOST}"
          namespace="${REGISTRY_NAMESPACE}"
          registry_plain_http_raw="${REGISTRY_PLAIN_HTTP:-}"
+          registry_host_only="${registry%%:*}"
+          registry_plain_http_default="false"

          if [ -z "$registry" ]; then
            echo "CLUSTER_GITEA_HOST app variable is required"
@@ -48,14 +50,26 @@ jobs:
            namespace="${{ github.repository_owner }}"
          fi

+          if printf '%s' "$registry_host_only" | grep -Eq '(^|[.])svc[.]cluster[.]local$'; then
+            registry_plain_http_default="true"
+          fi
+
+          if [ -n "$registry_plain_http_raw" ]; then
            case "$(printf '%s' "$registry_plain_http_raw" | tr '[:upper:]' '[:lower:]')" in
              1|true|yes|on)
                registry_plain_http="true"
                ;;
-            *)
+              0|false|no|off)
                registry_plain_http="false"
                ;;
+              *)
+                echo "CONTAINER_REGISTRY_INSECURE must be a boolean when set"
+                exit 1
+                ;;
            esac
+          else
+            registry_plain_http="$registry_plain_http_default"
+          fi

          short_sha="$(printf '%s' "${{ github.sha }}" | cut -c1-12)"
          ref_type="${{ github.ref_type }}"
--- a/10
+++ b/10
@@ -349,6 +349,11 @@ ci-web-blocking:
 	cd web && npm run typecheck
 	cd web && npm run build

+ci-web-pre-commit:
+	cd web && npm ci
+	cd web && npm run lint
+	cd web && npm run typecheck
+
 ci-web-advisory:
 	cd web && npm ci
 	cd web && npm run knip
@@ -389,8 +394,9 @@ licenses:
 	cargo license --json > licenses.json
 	@echo "License information saved to licenses.json"

-# All blocking checks run by the git pre-commit hook after formatting
-pre-commit: deny ci-web-blocking ci-security-blocking
+# Blocking checks run by the git pre-commit hook after formatting.
+# Keep the local web step fast; full production builds stay in CI.
+pre-commit: deny ci-web-pre-commit ci-security-blocking
 	@echo "✅ Pre-commit checks passed."

 install-git-hooks:
--- a/docs/deployment/gitea-registry-and-helm.md
+++ b/docs/deployment/gitea-registry-and-helm.md
@@ -30,7 +30,7 @@ Set these variables:

 - `CLUSTER_GITEA_HOST`: Registry hostname only, for example `gitea.example.com`
 - `CONTAINER_REGISTRY_NAMESPACE`: Optional override for the registry namespace. If omitted, the workflow uses the repository owner.
- `CONTAINER_REGISTRY_INSECURE`: Optional boolean toggle for plain HTTP registries. Set to `true` for cluster-internal registries such as `gitea-http.gitea.svc.cluster.local`.
+- `CONTAINER_REGISTRY_INSECURE`: Optional boolean override for plain HTTP registry access. If omitted, the workflow auto-detects `*.svc.cluster.local` registry hosts and treats them as insecure/plain HTTP. Set this explicitly to force either behavior.

 Set one of these authentication options:

--- a/gitleaks.sarif
+++ b/gitleaks.sarif
@@ -0,0 +1,17 @@
+{
+ "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+ "version": "2.1.0",
+ "runs": [
+  {
+   "tool": {
+    "driver": {
+     "name": "gitleaks",
+     "semanticVersion": "v8.0.0",
+     "informationUri": "https://github.com/gitleaks/gitleaks",
+     "rules": []
+    }
+   },
+   "results": []
+  }
+ ]
+}