eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/.forgejo/workflows/build-container.yaml
Erich Blume ff63679efb Enable zot registry auth + wire CI credentials (#237) 
## Summary

- Enable OIDC + API key authentication on zot registry with three-tier accessControl
  - `anonymousPolicy: ["read"]` — anyone can pull
  - `artifact-workloads` group: `["read", "create"]` — CI push, no overwrite/delete
  - `admins` group: `["read", "create", "update", "delete"]` — break-glass
- Wire both CI push paths (Dagger and Nix/skopeo) with `ZOT_CI_API_KEY` credentials
- Add `artifact-workloads` PolicyBinding in Authentik blueprint for zot app access
- Add `ZOT_CI_API_KEY` to Forgejo Actions secrets via existing ansible role

Completes the `wire-ci-registry-auth` and `harden-zot-registry` Mikado cards.

## Manual Deployment Steps (after merge)

1. Deploy Authentik blueprint: `argocd app sync authentik`
2. In Authentik admin UI: set a password for the `zot-ci` service account
3. Deploy zot config: `mise run provision-indri -- --tags zot`
4. Log in to `https://registry.ops.eblu.me` as `zot-ci` via OIDC → generate API key
5. Store API key in 1Password as `zot-ci-apikey` in blumeops vault
6. Sync Forgejo secrets: `mise run provision-indri -- --tags forgejo_actions_secrets`
7. Trigger a test container build to verify CI push
8. Verify anonymous pull: `curl -sf https://registry.ops.eblu.me/v2/_catalog`

## Uncertainties

- **Zot `accessControl` group matching with OIDC:** Groups from Authentik's `profile` scope claim should map to zot policy groups, but the exact claim-to-group matching needs runtime verification
- **`http.auth.apikey: true`:** This config key is documented but needs verification against the specific zot version built from source on indri
- **API key permissions:** Need to confirm zot API keys inherit the generating user's group for accessControl evaluation

## Test Plan

- [ ] `mise run provision-indri -- --check --diff --tags zot` shows expected config changes
- [ ] Anonymous pull works after deploy
- [ ] Unauthenticated push fails (401)
- [ ] OIDC browser login redirects to Authentik and back
- [ ] API key push works after key generation
- [ ] CI push succeeds with both Dagger and skopeo paths
- [ ] `mise run services-check` passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/237
2026-02-21 12:20:29 -08:00

108 lines
3.4 KiB
YAML
Raw Blame History

# Dockerfile container build workflow
# Triggers on pushes to main that modify containers/*, or via manual dispatch.
# Detects which containers changed, extracts version from CONTAINER_APP_VERSION,
# and publishes with commit-SHA-based tags: vX.Y.Z-<sha>
name: Build Container
on:
push:
branches: [main]
paths: ['containers/**']
workflow_dispatch:
inputs:
container:
description: 'Container name (directory under containers/)'
required: true
type: string
ref:
description: 'Commit SHA to build (defaults to current HEAD)'
required: false
type: string
jobs:
detect:
runs-on: k8s
outputs:
containers: ${{ steps.list.outputs.containers }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 2
- name: Detect changed containers
id: list
run: |
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
CONTAINERS='["${{ inputs.container }}"]'
else
# Diff against parent commit to find changed container dirs
CONTAINERS=$(git diff --name-only HEAD~1 HEAD -- containers/ \
| cut -d/ -f2 | sort -u \
| jq -R -s -c 'split("\n") | map(select(length > 0))')
fi
echo "containers=$CONTAINERS" >> "$GITHUB_OUTPUT"
echo "Containers to build: $CONTAINERS"
build:
needs: detect
if: needs.detect.outputs.containers != '[]'
runs-on: k8s
strategy:
matrix:
container: ${{ fromJson(needs.detect.outputs.containers) }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Check for Dockerfile
id: check
run: |
if [ -f "containers/${{ matrix.container }}/Dockerfile" ]; then
echo "exists=true" >> "$GITHUB_OUTPUT"
else
echo "No Dockerfile for ${{ matrix.container }} — skipping"
echo "exists=false" >> "$GITHUB_OUTPUT"
fi
- name: Extract version and SHA
if: steps.check.outputs.exists == 'true'
id: meta
run: |
VERSION=$(grep -m1 '^ARG CONTAINER_APP_VERSION=' \
"containers/${{ matrix.container }}/Dockerfile" \
| sed 's/^ARG CONTAINER_APP_VERSION=//')
if [ -z "$VERSION" ]; then
echo "Error: No CONTAINER_APP_VERSION found in Dockerfile"
exit 1
fi
# Use dispatch input ref if provided, otherwise current commit
REF="${{ inputs.ref }}"
if [ -z "$REF" ]; then
REF="${GITHUB_SHA}"
fi
SHORT_SHA=$(echo "$REF" | head -c 7)
# Ensure version starts with 'v'
case "$VERSION" in
v*) ;; # already has v prefix
*) VERSION="v${VERSION}" ;;
esac
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
echo "sha=$SHORT_SHA" >> "$GITHUB_OUTPUT"
echo "Version: $VERSION, SHA: $SHORT_SHA"
- name: Publish
if: steps.check.outputs.exists == 'true'
env:
ZOT_CI_API_KEY: ${{ secrets.ZOT_CI_API_KEY }}
run: |
dagger call publish \
--src=. \
--container-name=${{ matrix.container }} \
--version=${{ steps.meta.outputs.version }} \
--commit-sha=${{ steps.meta.outputs.sha }} \
--registry-password=env:ZOT_CI_API_KEY
Reference in a new issue View git blame Copy permalink