Harden Gitea workflows for monero_c releases

2026-04-09 11:41:20 +02:00
parent 5e90cedb27
commit ddd7d5edea
4 changed files with 65 additions and 16 deletions
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -1,4 +1,5 @@
 name: build
+run-name: build ${{ inputs.flavor || 'peya' }}

 on:
  workflow_dispatch:
@@ -56,16 +57,20 @@ jobs:
      - name: Configure Gitea auth for private submodules
        env:
          MONERO_C_GITEA_PAT: ${{ secrets.MONERO_C_GITEA_PAT }}
+          PEYA_GITEA_PAT: ${{ secrets.PEYA_GITEA_PAT }}
+          GITEA_PAT: ${{ secrets.GITEA_PAT }}
        run: |
          set -euo pipefail

-          if [ "${FLAVOR}" != "monero" ] && [ -z "${MONERO_C_GITEA_PAT:-}" ]; then
-            echo "Missing MONERO_C_GITEA_PAT secret for private ${FLAVOR} submodule"
+          AUTH_TOKEN="${MONERO_C_GITEA_PAT:-${PEYA_GITEA_PAT:-${GITEA_PAT:-}}}"
+
+          if [ "${FLAVOR}" != "monero" ] && [ -z "${AUTH_TOKEN}" ]; then
+            echo "Missing Gitea PAT secret for private ${FLAVOR} submodule"
            exit 1
          fi

-          if [ -n "${MONERO_C_GITEA_PAT:-}" ]; then
-            git config --global url."http://tiamak:${MONERO_C_GITEA_PAT}@54.38.205.168:3000/".insteadOf "http://54.38.205.168:3000/"
+          if [ -n "${AUTH_TOKEN}" ]; then
+            git config --global url."http://tiamak:${AUTH_TOKEN}@54.38.205.168:3000/".insteadOf "http://54.38.205.168:3000/"
          fi

          git submodule sync
--- a/.gitea/workflows/consistency.yml
+++ b/.gitea/workflows/consistency.yml
@@ -48,15 +48,19 @@ jobs:
      - name: Configure Gitea auth for private submodules
        env:
          MONERO_C_GITEA_PAT: ${{ secrets.MONERO_C_GITEA_PAT }}
+          PEYA_GITEA_PAT: ${{ secrets.PEYA_GITEA_PAT }}
+          GITEA_PAT: ${{ secrets.GITEA_PAT }}
        run: |
          set -euo pipefail

-          if [ -z "${MONERO_C_GITEA_PAT:-}" ]; then
-            echo "Missing MONERO_C_GITEA_PAT secret for private submodules"
+          AUTH_TOKEN="${MONERO_C_GITEA_PAT:-${PEYA_GITEA_PAT:-${GITEA_PAT:-}}}"
+
+          if [ -z "${AUTH_TOKEN}" ]; then
+            echo "Missing Gitea PAT secret for private submodules"
            exit 1
          fi

-          git config --global url."http://tiamak:${MONERO_C_GITEA_PAT}@54.38.205.168:3000/".insteadOf "http://54.38.205.168:3000/"
+          git config --global url."http://tiamak:${AUTH_TOKEN}@54.38.205.168:3000/".insteadOf "http://54.38.205.168:3000/"
          git submodule sync
          git -c protocol.version=2 submodule update --init --force monero salvium peya
          git -C monero submodule sync --recursive
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -1,4 +1,5 @@
 name: release
+run-name: release ${{ inputs.flavor }} ${{ inputs.tag_name }}

 on:
  workflow_dispatch:
@@ -15,12 +16,26 @@ on:
          - peya
          - salvium
          - monero
+      target_ref:
+        description: Branch, tag or commit to build and tag
+        required: true
+        default: develop
      release_name:
        description: Optional release title
        required: false
      release_notes:
        description: Release notes / body
        required: false
+      prerelease:
+        description: Mark release as prerelease
+        required: false
+        default: false
+        type: boolean
+      draft:
+        description: Create release as draft
+        required: false
+        default: false
+        type: boolean

 jobs:
  create-release:
@@ -38,16 +53,26 @@ jobs:
      - name: Create or reuse Gitea release
        id: release
        env:
-          GITEA_TOKEN: ${{ github.token }}
+          MONERO_C_GITEA_PAT: ${{ secrets.MONERO_C_GITEA_PAT }}
+          PEYA_GITEA_PAT: ${{ secrets.PEYA_GITEA_PAT }}
+          GITEA_PAT: ${{ secrets.GITEA_PAT }}
          GITEA_API: ${{ github.server_url }}/api/v1
          REPO: ${{ github.repository }}
          TAG_NAME: ${{ inputs.tag_name }}
          INPUT_RELEASE_NAME: ${{ inputs.release_name }}
          RELEASE_NOTES: ${{ inputs.release_notes }}
-          TARGET_COMMITISH: ${{ github.sha }}
+          TARGET_COMMITISH: ${{ inputs.target_ref }}
+          INPUT_PRERELEASE: ${{ inputs.prerelease }}
+          INPUT_DRAFT: ${{ inputs.draft }}
        run: |
          set -euo pipefail

+          GITEA_TOKEN="${MONERO_C_GITEA_PAT:-${PEYA_GITEA_PAT:-${GITEA_PAT:-}}}"
+          if [ -z "${GITEA_TOKEN}" ]; then
+            echo "Missing Gitea PAT secret for release publishing"
+            exit 1
+          fi
+
          if [ -n "${INPUT_RELEASE_NAME}" ]; then
            RELEASE_NAME="${INPUT_RELEASE_NAME}"
          else
@@ -77,7 +102,9 @@ jobs:
            --arg target_commitish "${TARGET_COMMITISH}" \
            --arg name "${RELEASE_NAME}" \
            --arg body "${RELEASE_NOTES}" \
-            '{tag_name:$tag_name,target_commitish:$target_commitish,name:$name,body:$body,draft:false,prerelease:false}' \
+            --argjson draft "${INPUT_DRAFT}" \
+            --argjson prerelease "${INPUT_PRERELEASE}" \
+            '{tag_name:$tag_name,target_commitish:$target_commitish,name:$name,body:$body,draft:$draft,prerelease:$prerelease}' \
            > /tmp/release-payload.json

          curl -sS \
@@ -116,21 +143,26 @@ jobs:
        with:
          fetch-depth: 1
          submodules: false
+          ref: ${{ inputs.target_ref }}

      - name: Configure Gitea auth for private submodules
        env:
          MONERO_C_GITEA_PAT: ${{ secrets.MONERO_C_GITEA_PAT }}
+          PEYA_GITEA_PAT: ${{ secrets.PEYA_GITEA_PAT }}
+          GITEA_PAT: ${{ secrets.GITEA_PAT }}
          FLAVOR: ${{ needs.create-release.outputs.flavor }}
        run: |
          set -euo pipefail

-          if [ "${FLAVOR}" != "monero" ] && [ -z "${MONERO_C_GITEA_PAT:-}" ]; then
-            echo "Missing MONERO_C_GITEA_PAT secret for private ${FLAVOR} submodule"
+          AUTH_TOKEN="${MONERO_C_GITEA_PAT:-${PEYA_GITEA_PAT:-${GITEA_PAT:-}}}"
+
+          if [ "${FLAVOR}" != "monero" ] && [ -z "${AUTH_TOKEN}" ]; then
+            echo "Missing Gitea PAT secret for private ${FLAVOR} submodule"
            exit 1
          fi

-          if [ -n "${MONERO_C_GITEA_PAT:-}" ]; then
-            git config --global url."http://tiamak:${MONERO_C_GITEA_PAT}@54.38.205.168:3000/".insteadOf "http://54.38.205.168:3000/"
+          if [ -n "${AUTH_TOKEN}" ]; then
+            git config --global url."http://tiamak:${AUTH_TOKEN}@54.38.205.168:3000/".insteadOf "http://54.38.205.168:3000/"
          fi

          git submodule sync
@@ -159,7 +191,9 @@ jobs:

      - name: Upload release assets
        env:
-          GITEA_TOKEN: ${{ github.token }}
+          MONERO_C_GITEA_PAT: ${{ secrets.MONERO_C_GITEA_PAT }}
+          PEYA_GITEA_PAT: ${{ secrets.PEYA_GITEA_PAT }}
+          GITEA_PAT: ${{ secrets.GITEA_PAT }}
          GITEA_API: ${{ github.server_url }}/api/v1
          REPO: ${{ github.repository }}
          RELEASE_ID: ${{ needs.create-release.outputs.release_id }}
@@ -168,6 +202,12 @@ jobs:
        run: |
          set -euo pipefail

+          GITEA_TOKEN="${MONERO_C_GITEA_PAT:-${PEYA_GITEA_PAT:-${GITEA_PAT:-}}}"
+          if [ -z "${GITEA_TOKEN}" ]; then
+            echo "Missing Gitea PAT secret for release publishing"
+            exit 1
+          fi
+
          assets_url="${GITEA_API}/repos/${REPO}/releases/${RELEASE_ID}/assets"
          shopt -s nullglob
          files=(release/${FLAVOR}/${HOST}_*.xz)
--- a/2
+++ b/2