ci: add weekly Gitea Action to mirror python:3.12-slim into in-house registry
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m16s
Companion to the Dockerfile change in 5a2ebf9. The previous manual refresh
note in the Dockerfile becomes automated: a workflow_dispatch + weekly cron
that pulls python:3.12-slim from docker.io and re-pushes it to
repo.anhonesthost.net/cloud-hosting-platform/python:3.12-slim.
Workflow can also be triggered manually from the Gitea UI when Python
publishes patches between cron firings. Logs the upstream and mirror digests
so it's easy to verify "did the mirror really update" after a run.
If more base images need mirroring later (haproxy itself, alpine, etc.),
this workflow should be promoted to a matrix or moved to a dedicated infra
repo — keeping it co-located with haproxy-manager-base for now since it's
the only consumer.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
52
.gitea/workflows/mirror-base-image.yaml
Normal file
@@ -0,0 +1,52 @@
|
|||||||
|
name: Mirror python:3.12-slim base image
|
||||||
|
run-name: weekly base-image mirror
|
||||||
|
# Pulls python:3.12-slim from docker.io and re-pushes it to the in-house
|
||||||
|
# registry, so haproxy-manager-base's build (and any future image that
|
||||||
|
# uses the same mirror) doesn't depend on docker.io's Cloudflare R2
|
||||||
|
# blob storage being reachable. The 2026-05-12 Cloudflare incident
|
||||||
|
# motivated this; manual refresh was the workaround at the time.
|
||||||
|
|
||||||
|
on:
|
||||||
|
schedule:
|
||||||
|
# Mondays 06:00 UTC — outside customer peak hours and well before
|
||||||
|
# the typical Tuesday/Thursday push cycles. workflow_dispatch lets us
|
||||||
|
# trigger manually from the Gitea UI when Python publishes patches.
|
||||||
|
- cron: '0 6 * * 1'
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
Mirror-Base:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Login to in-house registry
|
||||||
|
uses: docker/login-action@v3
|
||||||
|
with:
|
||||||
|
registry: repo.anhonesthost.net
|
||||||
|
username: ${{ secrets.CI_USER }}
|
||||||
|
password: ${{ secrets.CI_TOKEN }}
|
||||||
|
|
||||||
|
- name: Pull, retag, push
|
||||||
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
|
SRC=docker.io/library/python:3.12-slim
|
||||||
|
DST=repo.anhonesthost.net/cloud-hosting-platform/python:3.12-slim
|
||||||
|
|
||||||
|
echo "::group::Pulling ${SRC}"
|
||||||
|
docker pull "${SRC}"
|
||||||
|
echo "::endgroup::"
|
||||||
|
|
||||||
|
# Capture the upstream digest so the workflow log shows what we
|
||||||
|
# actually pushed. Helps diagnose "did the mirror really update"
|
||||||
|
# questions later.
|
||||||
|
SRC_DIGEST=$(docker image inspect "${SRC}" -f '{{index .RepoDigests 0}}')
|
||||||
|
echo "upstream digest: ${SRC_DIGEST}"
|
||||||
|
|
||||||
|
docker tag "${SRC}" "${DST}"
|
||||||
|
|
||||||
|
echo "::group::Pushing ${DST}"
|
||||||
|
docker push "${DST}"
|
||||||
|
echo "::endgroup::"
|
||||||
|
|
||||||
|
# Sanity: the in-house tag should now resolve to the same content.
|
||||||
|
DST_DIGEST=$(docker image inspect "${DST}" -f '{{index .RepoDigests 0}}')
|
||||||
|
echo "mirror digest: ${DST_DIGEST}"
|
||||||
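Review bot: The sanity check at the end of the "Pull, retag, push" step only echoes `DST_DIGEST` and never compares it with `SRC_DIGEST`, so the job stays green even when the two differ. `{{index .RepoDigests 0}}` also takes the first entry of the local image's RepoDigests list without checking which repository it belongs to; after `docker tag "${SRC}" "${DST}"` both names refer to the same local image, so the value logged as "mirror digest" can be the docker.io entry rather than the one recorded by the push. Consider selecting the RepoDigests entry that begins with `repo.anhonesthost.net/cloud-hosting-platform/python@` and exiting non-zero when it is missing, or querying the registry after the push instead of reading local metadata. Separately, `docker/login-action@v3` is a mutable tag; pinning it to a commit SHA would keep the step that receives `CI_TOKEN` from changing underneath the workflow.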