Regalamiunsorriso/.forgejo/workflows/publish-faceai-container.yml
MaddoScientisto 41823ad60a
Some checks failed
Publish FaceAI Container / publish (push) Failing after 1m26s
Enhance Forgejo LFS integration by adding REPO_ACTOR and improving matcher binary resolution
2026-04-19 12:28:32 +02:00

283 lines
No EOL
12 KiB
YAML

name: Publish FaceAI Container
on:
push:
branches:
- master
paths:
- faceai/**
- bin/Face_Recognition_Unix/**
- .forgejo/workflows/publish-faceai-container.yml
workflow_dispatch:
env:
REGISTRY: ${{ vars.FORGEJO_REGISTRY }}
IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE }}
CLIENT_IMAGE_NAME: ${{ vars.IMAGE_NAME != '' && vars.IMAGE_NAME || 'faceai-client' }}
PROCESSOR_IMAGE_NAME: ${{ vars.PROCESSOR_IMAGE_NAME != '' && vars.PROCESSOR_IMAGE_NAME || 'faceai-processor' }}
BUILD_CONTEXT: .
CLIENT_DOCKERFILE_PATH: faceai/docker/Dockerfile
PROCESSOR_DOCKERFILE_PATH: faceai/docker/processor.Dockerfile
jobs:
publish:
runs-on: docker
env:
DOCKER_HOST: ${{ vars.DOCKER_HOST != '' && vars.DOCKER_HOST || 'tcp://172.17.0.1:2375' }}
REPO_SERVER_URL: ${{ forgejo.server_url }}
REPO_NAME: ${{ forgejo.repository }}
REPO_ACTOR: ${{ forgejo.actor }}
REPO_AUTH_USER: ${{ secrets.FORGEJO_LFS_USERNAME != '' && secrets.FORGEJO_LFS_USERNAME || 'x-access-token' }}
REPO_TOKEN: ${{ secrets.FORGEJO_LFS_TOKEN != '' && secrets.FORGEJO_LFS_TOKEN || forgejo.token }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
token: ${{ secrets.FORGEJO_LFS_TOKEN != '' && secrets.FORGEJO_LFS_TOKEN || forgejo.token }}
persist-credentials: true
- name: Validate workflow variables
run: |
set -eu
if [ -z "${REGISTRY}" ]; then echo "vars.FORGEJO_REGISTRY is required"; exit 1; fi
if [ -z "${IMAGE_NAMESPACE}" ]; then echo "vars.IMAGE_NAMESPACE is required"; exit 1; fi
if [ -z "${CLIENT_IMAGE_NAME}" ]; then echo "client image name resolved to an empty value"; exit 1; fi
if [ -z "${PROCESSOR_IMAGE_NAME}" ]; then echo "processor image name resolved to an empty value"; exit 1; fi
if [ ! -f "${CLIENT_DOCKERFILE_PATH}" ]; then echo "Dockerfile not found at ${CLIENT_DOCKERFILE_PATH}"; exit 1; fi
if [ ! -f "${PROCESSOR_DOCKERFILE_PATH}" ]; then echo "Dockerfile not found at ${PROCESSOR_DOCKERFILE_PATH}"; exit 1; fi
if [ ! -f "faceai/package.json" ]; then echo "faceai/package.json is missing from the repository checkout"; exit 1; fi
if [ ! -f "bin/Face_Recognition_Unix/face_matcher" ]; then echo "bin/Face_Recognition_Unix/face_matcher is missing from the repository checkout"; exit 1; fi
- name: Resolve matcher binary from Forgejo LFS API
run: |
set -eu
if ! command -v git >/dev/null 2>&1; then
echo "git is required to resolve the matcher binary"
exit 1
fi
if ! command -v python3 >/dev/null 2>&1; then
if command -v apt-get >/dev/null 2>&1; then
apt-get update
apt-get install -y python3
else
echo "python3 is required to parse the Forgejo LFS batch response"
exit 1
fi
fi
if [ -z "${REPO_SERVER_URL}" ] || [ -z "${REPO_NAME}" ] || [ -z "${REPO_TOKEN}" ]; then
echo "Forgejo LFS resolution requires forgejo.server_url, forgejo.repository, and an auth token"
exit 1
fi
POINTER_CONTENT="$(git show HEAD:bin/Face_Recognition_Unix/face_matcher)"
OID="$(printf '%s\n' "${POINTER_CONTENT}" | awk '/^oid sha256:/{sub(/^oid sha256:/, ""); print; exit}')"
MATCHER_SIZE="$(printf '%s\n' "${POINTER_CONTENT}" | awk '/^size /{print $2; exit}')"
if [ -z "${OID}" ] || [ -z "${MATCHER_SIZE}" ]; then
echo "Failed to read the matcher LFS pointer from HEAD"
printf '%s\n' "${POINTER_CONTENT}"
exit 1
fi
TMP_DIR="$(mktemp -d)"
cleanup() {
rm -rf "${TMP_DIR}"
}
trap cleanup EXIT
BATCH_URL="${REPO_SERVER_URL}/${REPO_NAME}.git/info/lfs/objects/batch"
AUTH_BASIC_PRIMARY="$(printf '%s' "${REPO_AUTH_USER}:${REPO_TOKEN}" | base64 | tr -d '\n')"
AUTH_BASIC_ACTOR="$(printf '%s' "${REPO_ACTOR}:${REPO_TOKEN}" | base64 | tr -d '\n')"
cat > "${TMP_DIR}/batch-request.json" <<EOF
{
"operation": "download",
"transfers": ["basic"],
"ref": {"name": "${FORGEJO_REF}"},
"objects": [
{
"oid": "${OID}",
"size": ${MATCHER_SIZE}
}
],
"hash_algo": "sha256"
}
EOF
batch_request() {
label="$1"
header_name="$2"
header_value="$3"
status="$(curl -sS -o "${TMP_DIR}/batch-response.json" -D "${TMP_DIR}/batch-headers.txt" -w '%{http_code}' \
-X POST "${BATCH_URL}" \
-H 'Accept: application/vnd.git-lfs+json' \
-H 'Content-Type: application/vnd.git-lfs+json' \
-H "${header_name}: ${header_value}" \
--data @"${TMP_DIR}/batch-request.json")"
echo "Batch auth attempt ${label}: HTTP ${status}"
[ "${status}" = "200" ]
}
if ! batch_request "basic-primary" "Authorization" "basic ${AUTH_BASIC_PRIMARY}"; then
if ! batch_request "basic-actor" "Authorization" "basic ${AUTH_BASIC_ACTOR}"; then
if ! batch_request "token" "Authorization" "token ${REPO_TOKEN}"; then
echo "Forgejo LFS batch request failed with all auth variants"
cat "${TMP_DIR}/batch-response.json"
exit 1
fi
fi
fi
python3 - "${TMP_DIR}/batch-response.json" "${TMP_DIR}/download-url.txt" "${TMP_DIR}/download-headers.txt" <<'PY'
import json
import sys
response_path, url_path, headers_path = sys.argv[1:4]
with open(response_path, 'r', encoding='utf-8') as handle:
data = json.load(handle)
objects = data.get('objects') or []
if not objects:
raise SystemExit('Forgejo LFS batch response did not contain any objects')
obj = objects[0]
if 'error' in obj:
raise SystemExit(f"Forgejo LFS object error: {obj['error']}")
download = ((obj.get('actions') or {}).get('download'))
if not download or 'href' not in download:
raise SystemExit('Forgejo LFS batch response did not contain a download action')
with open(url_path, 'w', encoding='utf-8') as handle:
handle.write(download['href'])
headers = download.get('header') or {}
with open(headers_path, 'w', encoding='utf-8') as handle:
for key, value in headers.items():
handle.write(f'{key}: {value}\n')
PY
DOWNLOAD_URL="$(cat "${TMP_DIR}/download-url.txt")"
download_args=()
while IFS= read -r header; do
[ -n "${header}" ] || continue
download_args+=(-H "${header}")
done < "${TMP_DIR}/download-headers.txt"
curl -fL "${download_args[@]}" -o bin/Face_Recognition_Unix/face_matcher "${DOWNLOAD_URL}"
if grep -q "https://git-lfs.github.com/spec/v1" bin/Face_Recognition_Unix/face_matcher; then
echo "bin/Face_Recognition_Unix/face_matcher is still an LFS pointer, not the real binary"
exit 1
fi
RESOLVED_SIZE="$(wc -c < bin/Face_Recognition_Unix/face_matcher | tr -d '[:space:]')"
if [ "${RESOLVED_SIZE}" -lt 1000000 ]; then
echo "bin/Face_Recognition_Unix/face_matcher is unexpectedly small (${RESOLVED_SIZE} bytes) and does not look like the real binary"
exit 1
fi
if [ "${RESOLVED_SIZE}" != "${MATCHER_SIZE}" ]; then
echo "bin/Face_Recognition_Unix/face_matcher size mismatch: expected ${MATCHER_SIZE}, got ${RESOLVED_SIZE}"
exit 1
fi
echo "Resolved matcher binary from Forgejo LFS API (${RESOLVED_SIZE} bytes)"
- name: Validate registry secrets
run: |
set -eu
if [ -z "${{ secrets.FORGEJO_REGISTRY_USERNAME }}" ]; then echo "secrets.FORGEJO_REGISTRY_USERNAME is required"; exit 1; fi
if [ -z "${{ secrets.FORGEJO_REGISTRY_TOKEN }}" ]; then echo "secrets.FORGEJO_REGISTRY_TOKEN is required"; exit 1; fi
- name: Ensure Docker CLI exists
run: |
set -eu
if command -v docker >/dev/null 2>&1; then
docker --version
exit 0
fi
ARCH="$(uname -m)"
case "${ARCH}" in
x86_64) DOCKER_ARCH="x86_64" ;;
aarch64|arm64) DOCKER_ARCH="aarch64" ;;
*) echo "Unsupported architecture for Docker CLI bootstrap: ${ARCH}"; exit 1 ;;
esac
DOCKER_CLI_VERSION="27.5.1"
curl -fsSL "https://download.docker.com/linux/static/stable/${DOCKER_ARCH}/docker-${DOCKER_CLI_VERSION}.tgz" -o docker.tgz
tar -xzf docker.tgz
mkdir -p "${HOME}/.local/bin"
mv docker/docker "${HOME}/.local/bin/docker"
chmod +x "${HOME}/.local/bin/docker"
echo "${HOME}/.local/bin" >> "${FORGEJO_PATH}"
"${HOME}/.local/bin/docker" --version
- name: Ensure Docker Buildx exists
run: |
set -eu
if docker buildx version >/dev/null 2>&1; then
docker buildx version
exit 0
fi
ARCH="$(uname -m)"
case "${ARCH}" in
x86_64) BUILDX_ARCH="amd64" ;;
aarch64|arm64) BUILDX_ARCH="arm64" ;;
*) echo "Unsupported architecture for Docker Buildx bootstrap: ${ARCH}"; exit 1 ;;
esac
BUILDX_VERSION="v0.21.1"
mkdir -p "${HOME}/.docker/cli-plugins"
curl -fsSL "https://github.com/docker/buildx/releases/download/${BUILDX_VERSION}/buildx-${BUILDX_VERSION}.linux-${BUILDX_ARCH}" -o "${HOME}/.docker/cli-plugins/docker-buildx"
chmod +x "${HOME}/.docker/cli-plugins/docker-buildx"
docker buildx version
- name: Check Docker daemon connectivity
run: |
set -eu
echo "Using DOCKER_HOST=${DOCKER_HOST}"
docker version
docker info >/dev/null
- name: Create Buildx builder
run: |
set -eu
docker buildx rm forgejo-builder >/dev/null 2>&1 || true
docker buildx create --name forgejo-builder --driver docker-container --use
docker buildx inspect --bootstrap
- name: Login to Forgejo registry
run: |
echo "${{ secrets.FORGEJO_REGISTRY_TOKEN }}" | docker login "${REGISTRY}" -u "${{ secrets.FORGEJO_REGISTRY_USERNAME }}" --password-stdin
- name: Build and push client image
run: |
set -eu
IMAGE_REF="${REGISTRY}/${IMAGE_NAMESPACE}/${CLIENT_IMAGE_NAME}"
SHORT_SHA="$(echo "${FORGEJO_SHA}" | cut -c1-12)"
docker buildx build \
--builder forgejo-builder \
--file "${CLIENT_DOCKERFILE_PATH}" \
--tag "${IMAGE_REF}:sha-${SHORT_SHA}" \
--tag "${IMAGE_REF}:latest" \
--push \
"${BUILD_CONTEXT}"
- name: Build and push processor image
run: |
set -eu
IMAGE_REF="${REGISTRY}/${IMAGE_NAMESPACE}/${PROCESSOR_IMAGE_NAME}"
SHORT_SHA="$(echo "${FORGEJO_SHA}" | cut -c1-12)"
docker buildx build \
--builder forgejo-builder \
--file "${PROCESSOR_DOCKERFILE_PATH}" \
--tag "${IMAGE_REF}:sha-${SHORT_SHA}" \
--tag "${IMAGE_REF}:latest" \
--push \
"${BUILD_CONTEXT}"