From: Arran Cudbard-Bell
Date: Thu, 14 May 2026 22:21:05 +0000 (-0600)
Subject: Split docker.yml into self-hosted and public variants
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9c116a2da739fed9df97a0457cbb642b4b297a02;p=thirdparty%2Ffreeradius-server.git

Split docker.yml into self-hosted and public variants

Restore the NetworkRADIUS-internal config for self-hosted runs while keeping fork (GitHub-hosted) builds on the public ubuntu:24.04 + dind shape: docker-selfhosted (if owner == FreeRADIUS): runs on self-hosted with docker.internal.networkradius.com/self-hosted as the job container, internal CA cert mounted into both dind and the job container so registry pulls and HTTPS to internal hosts work, NO_PROXY set on both. docker-public (else): runs on ubuntu-latest with the public docker:dind sidecar and a plain ubuntu:24.04 job container - no internal bits. The two jobs are mutually exclusive via if:, so each push fires exactly one. The matrix and step list are short enough that duplicating beats a third composite action.
---
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 8b95ac239a3..97a9ac5d18a 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -38,19 +38,89 @@ jobs:
 echo matrix=$M >> $GITHUB_OUTPUT
 #
- # Run docker target for each given OS. This will build the
- # Docker image.
+ # Self-hosted variant: runs on the FreeRADIUS Proxmox fleet inside
+ # the internal CI base image, with the internal CA mounted into
+ # both dind and the job container so internal registry pulls work.
 #
- # Runs inside an ephemeral DinD sidecar so the runner's docker
- # daemon is untouched. Both the dind service and the job container
- # use public images so the same shape works on the self-hosted
- # Proxmox fleet (for org pushes) and GitHub-hosted runners (forks).
+ docker-selfhosted:
+ needs:
+ - gen-matrix
+
+ if: github.repository_owner == 'FreeRADIUS'
+
+ runs-on: self-hosted
+
+ strategy:
+ fail-fast: false
+ matrix: ${{ fromJson(needs.gen-matrix.outputs.matrix) }}
+
+ env: ${{ matrix.env }}
+
+ name: "v4.0.x-${{ matrix.env.OS }}"
+
+ services:
+ dind:
+ image: docker:dind
+ options: --privileged
+ env:
+ DOCKER_TLS_CERTDIR: ""
+ # Bypass the squid proxy for internal hosts.
+ NO_PROXY: "*.networkradius.com,127.0.0.1"
+ volumes:
+ - /usr/local/share/ca-certificates/networkradius.com.crt:/etc/docker/certs.d/docker.internal.networkradius.com/ca.crt:ro
+ - ${{ github.workspace }}:/workspace
+
+ container:
+ image: docker.internal.networkradius.com/self-hosted
+ env:
+ DOCKER_HOST: tcp://dind:2375
+ NO_PROXY: dind,*.networkradius.com,127.0.0.1
+ volumes:
+ - /usr/local/share/ca-certificates/networkradius.com.crt:/usr/local/share/ca-certificates/networkradius.com.crt:ro
+ - ${{ github.workspace }}:/workspace
+
+ defaults:
+ run:
+ working-directory: /workspace
+
+ steps:
+
+ - uses: actions/checkout@v6
+ with:
+ fetch-depth: 1
+ lfs: false
+
+ - uses: ./.github/actions/setup-dind
+ with:
+ packages: m4 make
+
+ - name: Regenerate Dockerfile
+ run: |
+ rm scripts/docker/build/$OS/Dockerfile || true
+ make docker.$OS.regen
+
+ - name: Build docker image
+ run: |
+ make docker.$OS.build
+
+ - name: "Debug: Start tmate"
+ uses: mxschmitt/action-tmate@v3
+ with:
+ limit-access-to-actor: true
+ if: ${{ github.ref == 'refs/heads/ci-debug' && failure() }}
+
 #
- docker:
+ # Public variant: runs on GitHub-hosted runners (fork pushes). Uses
+ # the public docker:dind sidecar and a plain ubuntu:24.04 job
+ # container - no internal registry or CA involvement.
+ #
+ docker-public:
 needs:
 - gen-matrix
- runs-on: ${{ github.repository_owner == 'FreeRADIUS' && 'self-hosted' || 'ubuntu-latest' }}
+ if: github.repository_owner != 'FreeRADIUS'
+
+ runs-on: ubuntu-latest
 strategy:
 fail-fast: false
@@ -66,9 +136,6 @@ jobs:
 options: --privileged
 env:
 DOCKER_TLS_CERTDIR: ""
- # Share the runner's workspace so the build context is visible
- # from inside dind. github.workspace is the HOST path; both
- # containers agree on /workspace as the in-container path.
 volumes:
 - ${{ github.workspace }}:/workspace
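Review bot: The new docker-selfhosted job pulls `actions/checkout@v6` and `mxschmitt/action-tmate@v3` by mutable tag, and this is the job that runs on the internal Proxmox fleet with the NetworkRADIUS CA mounted and the internal registry reachable, so a re-pointed or compromised tag hands third-party code that footprint; pin them to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: mxschmitt/action-tmate@<full-commit-sha>  # v3`. The `if: github.repository_owner == 'FreeRADIUS'` gate picks the self-hosted runner on repository ownership alone; if the workflow's `on:` block (outside this hunk) ever includes pull_request, that expression is also true for fork PRs against the org repo, so the trigger list is the real control keeping untrusted code off the fleet and is worth stating in the comment above the job. The two NO_PROXY values are written inconsistently: the dind entry quotes `"*.networkradius.com,127.0.0.1"` (required, since a plain scalar cannot start with `*`) while the job container leaves `dind,*.networkradius.com,127.0.0.1` bare; quoting both reads as one convention. The `# Bypass the squid proxy for internal hosts.` comment sits only on the dind entry, and the same bypass on the job container deserves the same note.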
@@ -103,10 +170,6 @@ jobs:
 run: |
 make docker.$OS.build
- #
- # If the CI has failed and the branch is ci-debug then start a tmate
- # session. SSH rendezvous point is emited continuously in the job output.
- #
 - name: "Debug: Start tmate"
 uses: mxschmitt/action-tmate@v3
 with: