diff --git a/.github/actions/renovate/action.yaml b/.github/actions/renovate/action.yaml
index 902241ba..f63e61a6 100644
--- a/.github/actions/renovate/action.yaml
+++ b/.github/actions/renovate/action.yaml
@@ -18,11 +18,11 @@ runs:
${{ inputs.config }}
- name: run renovate bot
- uses: renovatebot/github-action@v40.3.3
+ uses: renovatebot/github-action@v41.0.8
with:
renovate-image: "harbor.ukserp.ac.uk/github-workflows/renovate"
# TODO annotate this for renovate to bump... the irony is not lost on me...
- renovate-version: "38.115.0"
+ renovate-version: "39.92.0"
configurationFile: ${{ inputs.config }}
token: ${{ inputs.token }}
env-regex: "^(?:RENOVATE_\\w+|LOG_LEVEL|\\w+_PROXY)$"
diff --git a/.github/commitlint.config.mjs b/.github/commitlint.config.mjs
index f8ef60e8..cba64c5d 100644
--- a/.github/commitlint.config.mjs
+++ b/.github/commitlint.config.mjs
@@ -12,7 +12,8 @@ export default {
'commitlint',
'labeler',
'renovate',
- 'sonar-dotnet'
+ 'sonar-dotnet',
+ 'arc-container'
]]
}
};
diff --git a/.github/workflows/actions-runner-container.yaml b/.github/workflows/actions-runner-container.yaml
new file mode 100644
index 00000000..3dc27071
--- /dev/null
+++ b/.github/workflows/actions-runner-container.yaml
@@ -0,0 +1,45 @@
+name: Build Actions Runner Container
+
+on:
+ pull_request:
+ paths:
+ - '.github/workflows/actions-runner-container.yaml'
+ - 'containers/actions-runner/**'
+ push:
+ branches:
+ - 'main'
+ paths:
+ - '.github/workflows/actions-runner-container.yaml'
+ - 'containers/actions-runner/**'
+
+permissions:
+ contents: write
+ pull-requests: write
+ actions: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ # Cancel early on pull requests if new commits are added,
+ # Don't cancel on release pushes
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+ # Job name must be unique across repo to target
+ # branch protection rules "required checks" properly!
+ actions-runner-container:
+ uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-container.yaml@feat/runs-on-input
+ with:
+ job-name: actions-runner-container
+ comment-pr: "true"
+ comment-release: "true"
+ registry: ${{ vars.HARBOR_REGISTRY }}
+ registry-user: ${{ vars.HARBOR_USER }}
+ registry-repo: ${{ vars.HARBOR_PROJECT }}/actions-runner
+ release-tag-format: 'v${version}-actions-runner-container'
+ cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }}
+ build-file: containers/actions-runner/Dockerfile
+ build-context: containers/actions-runner
+ secrets:
+ cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ cosign-password: ${{ secrets.COSIGN_PASSWORD }}
+ registry-token: ${{ secrets.HARBOR_TOKEN }}
diff --git a/.github/workflows/pr-title-commitlint.yaml b/.github/workflows/pr-title-commitlint.yaml
index 6c5f9470..da156e51 100644
--- a/.github/workflows/pr-title-commitlint.yaml
+++ b/.github/workflows/pr-title-commitlint.yaml
@@ -45,7 +45,7 @@ jobs:
node-version: 20
- name: cache node modules
- uses: actions/cache@v4.1.1
+ uses: actions/cache@v4.2.0
with:
path: ~/.npm
key: ${{ github.workflow }}-commitlint
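Review bot: The reusable workflow is referenced by a mutable feature branch, `uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-container.yaml@feat/runs-on-input`, while the job hands it `COSIGN_PRIVATE_KEY`, `COSIGN_PASSWORD` and `HARBOR_TOKEN` and runs with `contents: write` and `pull-requests: write`. Anyone able to push to that branch can change what executes with the image-signing key and the registry token, and the reference will break or silently change once the branch is merged or deleted. Since the called workflow lives in this same repository, `uses: ./.github/workflows/pr-and-release-container.yaml` would run the copy at the caller's own commit; otherwise pin it to a release tag or a full commit SHA before merging. The branch name suggests this depends on a not-yet-merged `runs-on` input, so the pin may have to wait for that change to land, but it should not reach `main` as a branch ref.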
diff --git a/containers/actions-runner/Dockerfile b/containers/actions-runner/Dockerfile
new file mode 100644
index 00000000..9612011b
--- /dev/null
+++ b/containers/actions-runner/Dockerfile
@@ -0,0 +1,18 @@
+FROM ghcr.io/actions/actions-runner:2.318.0
+
+LABEL org.opencontainers.image.source=https://github.com/SwanseaUniversityMedical/workflows
+
+# Add missing dependencies compared to the old summerwind runners
+USER root
+RUN apt-get update && \
+ DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y --no-install-recommends \
+ curl unzip jq wget python3-pip git-all && \
+ rm -rf /var/lib/apt/lists/*
+
+RUN echo 'export PATH="/home/runner/.local/bin:$PATH"' >> /etc/profile
+ENV PATH="/home/runner/.local/bin:$PATH"
+
+USER runner
+ENV PATH="/home/runner/.local/bin:$PATH"
+
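Review bot: The base image is pinned only by tag, `FROM ghcr.io/actions/actions-runner:2.318.0`, although this image will execute CI jobs that hold repository secrets; a tag can be re-pushed upstream, so pin by digest as well, `FROM ghcr.io/actions/actions-runner:2.318.0@sha256:<digest>`, which Renovate (already configured in this repository) can keep bumped. The `apt-get install` line also pulls in `git-all`, a metapackage that, as far as I recall, drags in gitk, git-gui, git-email, git-svn and a git daemon package among others, none of which a runner needs and all of which widen the patch surface; `git` alone covers the CLI, and the upstream runner image appears to already ship git, curl, jq and unzip, so those may be redundant too (worth confirming against the base image). Minor: `ENV PATH="/home/runner/.local/bin:$PATH"` is set identically before and after `USER runner`; `ENV` is not user-scoped, so the second one is a no-op and can be dropped.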