kenpat/kitestacks-homelab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
kitestacks-homelab/.forgejo/workflows/ci.yml
kenpat f38decc285
Some checks are pending
KiteStacks CI / Validate compose files (push) Waiting to run
Details
KiteStacks CI / Check for accidental secrets (push) Waiting to run
Details
KiteStacks CI / Shellcheck scripts (push) Waiting to run
Details
ci: add Forgejo Actions pipeline + runner setup 
- apps/forgejo/docker-compose.yml: enable FORGEJO__actions__ENABLED=true
- apps/forgejo-runner/docker-compose.yml: forgejo-runner:3.5.0 container
  mounts docker.sock so jobs can spin up containers on monk
- .forgejo/workflows/ci.yml: 3-job pipeline on every push to main
    compose-lint   → validates all apps/*/docker-compose.yml
    secrets-check  → scans for hardcoded passwords/tokens/keys
    shellcheck     → lints all scripts/*.sh
- docs/ci-cd-setup.md: runner registration steps + extension guide

PENDING (needs user action):
  1. docker compose up -d --force-recreate in apps/forgejo/ to apply env
  2. Get runner token from Forgejo admin panel
  3. Run forgejo-runner register with token, then docker compose up

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19 03:03:29 -05:00

77 lines
2.5 KiB
YAML
Raw Blame History

name: KiteStacks CI
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
# ── Lint Docker Compose files ──────────────────────────────────────────────
compose-lint:
name: Validate compose files
runs-on: docker
container:
image: docker:27-cli
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install docker compose plugin
run: apk add --no-cache docker-cli-compose
- name: Validate all compose files
run: |
find apps -name "docker-compose.yml" | while read f; do
echo "Checking $f ..."
docker compose -f "$f" config --quiet && echo " OK"
done
# ── Secret leak detection ──────────────────────────────────────────────────
secrets-check:
name: Check for accidental secrets
runs-on: docker
container:
image: alpine:3.20
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Scan for plaintext secrets patterns
run: |
# Fail if any committed file contains common secret patterns
# Add false-positive exclusions via .secretsignore if needed
FAIL=0
check() {
local pattern="$1"
local label="$2"
if git grep -qiP "${pattern}" -- ':!*.md' ':!docs/' ':!.forgejo/' 2>/dev/null; then
echo "FAIL: possible ${label} found"
git grep -ilP "${pattern}" -- ':!*.md' ':!docs/' ':!.forgejo/'
FAIL=1
fi
}
check 'password\s*=\s*["\x27][^"\x27]{8,}' "plaintext password"
check 'secret_?key\s*=\s*["\x27][A-Za-z0-9+/]{32,}' "hardcoded secret key"
check 'TUNNEL_TOKEN\s*=\s*ey' "Cloudflare tunnel token"
check '-----BEGIN.*PRIVATE KEY-----' "private key"
exit ${FAIL}
# ── Shell script checks ────────────────────────────────────────────────────
shellcheck:
name: Shellcheck scripts
runs-on: docker
container:
image: koalaman/shellcheck-alpine:stable
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run shellcheck
run: |
find scripts -name "*.sh" -exec shellcheck {} +
Reference in a new issue View git blame Copy permalink