7 Commits

Author SHA1 Message Date
763893c5d9 Debug: check Www-Authenticate header from registry
Need to see what token endpoint/service buildah is being directed to.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 13:25:16 +00:00
c44ace5804 Debug container registry auth: test v2 and token endpoints
Some checks failed
CI / build (pull_request) Successful in 31s
Deploy / deploy (push) Failing after 1m14s
Revert to git.kimchi, add curl diagnostics to understand why
auth fails even after login succeeds.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 13:21:33 +00:00
ec63ce6701 Use external hostname for container registry push
All checks were successful
CI / build (pull_request) Successful in 32s
The Gitea container registry token service scopes tokens to ROOT_URL
(git.schick-web.site). Pushing to the internal hostname (git.kimchi)
causes auth failures because the token domain doesn't match.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 13:08:11 +00:00
767d821534 Pass credentials directly to buildah push via --creds
Some checks failed
CI / build (pull_request) Successful in 31s
Deploy / deploy (push) Failing after 1m12s
buildah login succeeds but push doesn't pick up the stored auth.
Skip login and pass --creds directly to each push command instead.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 12:17:55 +00:00
59b6728ce8 Add debug output to identify which buildah command hangs
Some checks failed
CI / build (pull_request) Successful in 31s
Deploy / deploy (push) Failing after 1m11s
Remove unnecessary registries.conf write (host already has it).
Add set -ex and echo markers between commands to pinpoint the hang.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 11:33:37 +00:00
4e3e17ced4 Use v2 TOML format for registries.conf
All checks were successful
CI / build (pull_request) Successful in 31s
Match the format already used on the runner host.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 11:31:54 +00:00
bb23f2e3a1 Add insecure registry config for buildah
All checks were successful
CI / build (pull_request) Successful in 31s
--tls-verify=false on login/push alone was not sufficient to prevent
the deploy from hanging. Register git.kimchi as an insecure registry
via registries.conf and add --tls-verify=false to buildah bud as well.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 11:31:01 +00:00


@@ -21,13 +21,24 @@ jobs:
- name: Build and push container image
run: |
set -ex
IMAGE_TAG="${{ env.IMAGE }}:sha-${GITHUB_SHA::8}"
IMAGE_LATEST="${{ env.IMAGE }}:latest"
buildah bud -f Containerfile -t "$IMAGE_TAG" -t "$IMAGE_LATEST" .
buildah login --tls-verify=false "${{ env.REGISTRY }}" -u "${{ secrets.REGISTRY_USER }}" -p "${{ secrets.REGISTRY_PASSWORD }}"
buildah push --tls-verify=false "$IMAGE_TAG"
buildah push --tls-verify=false "$IMAGE_LATEST"
buildah bud --tls-verify=false -f Containerfile -t "$IMAGE_TAG" -t "$IMAGE_LATEST" .
CREDS="${{ secrets.REGISTRY_USER }}:${{ secrets.REGISTRY_PASSWORD }}"
echo "=== debug: Www-Authenticate header ==="
curl -sk -I https://git.kimchi/v2/ | grep -i www-authenticate || true
echo ""
echo "=== buildah push tag ==="
buildah push --tls-verify=false --creds "$CREDS" "$IMAGE_TAG"
echo "=== buildah push latest ==="
buildah push --tls-verify=false --creds "$CREDS" "$IMAGE_LATEST"
echo "IMAGE_TAG=$IMAGE_TAG" >> "$GITHUB_ENV"
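Review bot: with `set -ex` at the top of the run block, the `CREDS="${{ secrets.REGISTRY_USER }}:${{ secrets.REGISTRY_PASSWORD }}"` assignment and both `buildah push ... --creds "$CREDS"` calls are echoed by xtrace with the secret values expanded, so any log masking the runner applies is the only thing keeping the registry password out of the job log, and `--creds` also puts it on the command line of each push. Suggest wrapping those lines in `set +x` / `set -x` and passing the two secrets through the step's `env:` instead of interpolating `${{ secrets.* }}` into the script text, where a quote or `$` in the password would be parsed by the shell. Separately, `--tls-verify=false` on the pushes and `curl -sk` mean the credentials are sent to `git.kimchi` without its certificate ever being checked; trusting the internal CA on the runner would let verification stay on. The `Www-Authenticate` curl and the `=== ... ===` echo markers are debug scaffolding and should be removed before this merges.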