diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index 8d26d14..b67da49 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -64,6 +64,9 @@ jobs:
  # Gitea's cert is signed by the homelab mkcert CA (certs/rootCA.pem).
  # Install into both system + docker trust stores so docker CLI login
  # and the buildkit registry call both succeed.
+ # NOTE: certs/rootCA.pem is the PUBLIC cert only — the key is never
+ # committed. Source of truth: /home/kaykayyali/rootCA.pem on the
+ # homelab mkcert box.
  run: |
  set -euo pipefail
  sudo cp certs/rootCA.pem /usr/local/share/ca-certificates/homelab-rootCA.crt
@@ -72,6 +75,16 @@ jobs:
  sudo cp certs/rootCA.pem /etc/docker/certs.d/git.homelab.local/ca.crt
  echo "✓ CA installed in system + docker trust stores"
 
+ - name: Compute image tag
+ id: tag
+ # Gitea 1.25 doesn't support GitHub's ${VAR::N} string-slicing shorthand
+ # in expressions. Compute the short SHA via shell and emit as a step
+ # output, then reference it as ${{ steps.tag.outputs.short_sha }}.
+ run: |
+ SHORT_SHA="${GITHUB_SHA::7}"
+ echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
+ echo "✓ short SHA: ${SHORT_SHA}"
+
  - name: Login to Gitea container registry
  uses: docker/login-action@v3
  with:
@@ -86,7 +99,7 @@ jobs:
  push: true
  tags: |
  ${{ env.REGISTRY }}/${{ github.repository }}:latest
- ${{ env.REGISTRY }}/${{ github.repository }}:${{ github.sha::7 }}
+ ${{ env.REGISTRY }}/${{ github.repository }}:${{ steps.tag.outputs.short_sha }}
 
  - name: Dispatch to orchestrator
  # Per the orchestrator's deploy.yaml contract:
@@ -105,7 +118,7 @@ jobs:
  echo " and add it as DISPATCH_TOKEN in the repo's secrets."
  exit 1
  fi
- SHORT_SHA="${GITHUB_SHA::7}"
+ SHORT_SHA="${{ steps.tag.outputs.short_sha }}"
  curl -sS -X POST \
  -H "Authorization: token ${DISPATCH_TOKEN}" \
  -H "Content-Type: application/json" \
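Review bot: The added NOTE says certs/rootCA.pem holds only the public certificate, but nothing in the step enforces that before the file is copied into the system and Docker trust stores. A guard ahead of the first `sudo cp`, for example `if grep -q 'PRIVATE KEY' certs/rootCA.pem; then echo "certs/rootCA.pem contains key material" >&2; exit 1; fi`, would turn the comment into a checked invariant. Because the trusted root is taken from the checkout, it may also be worth comparing its SHA-256 fingerprint against a value held outside the repository, so that an edit to the file cannot silently change what the runner trusts. The comment also records a personal home-directory path; consider whether that belongs in the repository. The run block continues past the end of the hunk.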
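Review bot: The new `run:` block in the "Compute image tag" step has no `set -euo pipefail` and no explicit shell, although `${GITHUB_SHA::7}` is a bash-only substring expansion and the CA step above does start with `set -euo pipefail`. Adding `shell: bash` to the step and `set -euo pipefail` as the first script line makes an unset `GITHUB_SHA` fail the step instead of emitting an empty `short_sha`. The comment is also slightly off, as far as I know: `::N` slicing is bash parameter expansion rather than an expression feature on either forge, so I would word it as `# Workflow expressions have no string slicing; compute the short SHA in bash and expose it as a step output.`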
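Review bot: The image is now published under a seven-character tag taken from `steps.tag.outputs.short_sha`, and a registry tag is mutable, so whatever later pulls by that tag is not guaranteed to get the image built in this run. If the dispatch step further down hands this tag to the orchestrator, consider giving the build step an `id` and passing its `digest` output instead, so the deploy is pinned to `image@sha256:…`. Pushing the full `${{ github.sha }}` as an additional tag would also avoid prefix ambiguity. The build step's `with:` block starts outside the hunk.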
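Review bot: `SHORT_SHA="${{ steps.tag.outputs.short_sha }}"` pastes an expression into the script text before the shell runs, which is the template-injection pattern that workflow hardening guidance advises against; the removed `${GITHUB_SHA::7}` read an environment variable and did not have it. The value is derived from the commit SHA, so it is hex today, but routing it through the step's environment keeps it data: add `SHORT_SHA: ${{ steps.tag.outputs.short_sha }}` under the step's `env:` and drop the assignment line. The step header and the rest of the curl command are outside the hunk, so I cannot see whether an `env:` mapping already exists there.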