oceanbox/actions
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial Commit

Browse Source
This commit is contained in:
Moritz Jörg
2026-01-29 12:35:43 +01:00
commit c6553f80bc
10 changed files with 285 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.envrc
+1
View File
@@ -0,0 +1 @@
use nix
.gitignore
+2
View File
@@ -0,0 +1,2 @@
node_modules/
.direnv/
README.md
+3
View File
@@ -0,0 +1,3 @@
# actions
Collection of common Gitea Actions workflows/actions used in our repositories.
default.nix
+18
View File
@@ -0,0 +1,18 @@
{
sources ? import ./npins,
system ? builtins.currentSystem,
pkgs ? import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
},
}:
{
shell = pkgs.mkShell {
packages = with pkgs; [
npins
actionlint
action-validator
];
};
}
npins/default.nix
+146
View File
@@ -0,0 +1,146 @@
/*
This file is provided under the MIT licence:
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
# Generated by npins. Do not modify; will be overwritten regularly
let
data = builtins.fromJSON (builtins.readFile ./sources.json);
version = data.version;
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
range =
first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
concatMapStrings = f: list: concatStrings (map f list);
concatStrings = builtins.concatStringsSep "";
# If the environment variable NPINS_OVERRIDE_${name} is set, then use
# the path directly as opposed to the fetched source.
# (Taken from Niv for compatibility)
mayOverride =
name: path:
let
envVarName = "NPINS_OVERRIDE_${saneName}";
saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
ersatz = builtins.getEnv envVarName;
in
if ersatz == "" then
path
else
# this turns the string into an actual Nix path (for both absolute and
# relative paths)
builtins.trace "Overriding path of \"${name}\" with \"${ersatz}\" due to set \"${envVarName}\"" (
if builtins.substring 0 1 ersatz == "/" then
/. + ersatz
else
/. + builtins.getEnv "PWD" + "/${ersatz}"
);
mkSource =
name: spec:
assert spec ? type;
let
path =
if spec.type == "Git" then
mkGitSource spec
else if spec.type == "GitRelease" then
mkGitSource spec
else if spec.type == "PyPi" then
mkPyPiSource spec
else if spec.type == "Channel" then
mkChannelSource spec
else if spec.type == "Tarball" then
mkTarballSource spec
else
builtins.throw "Unknown source type ${spec.type}";
in
spec // { outPath = mayOverride name path; };
mkGitSource =
{
repository,
revision,
url ? null,
submodules,
hash,
branch ? null,
...
}:
assert repository ? type;
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
# In the latter case, there we will always be an url to the tarball
if url != null && !submodules then
builtins.fetchTarball {
inherit url;
sha256 = hash; # FIXME: check nix version & use SRI hashes
}
else
let
url =
if repository.type == "Git" then
repository.url
else if repository.type == "GitHub" then
"https://github.com/${repository.owner}/${repository.repo}.git"
else if repository.type == "GitLab" then
"${repository.server}/${repository.repo_path}.git"
else
throw "Unrecognized repository type ${repository.type}";
urlToName =
url: rev:
let
matched = builtins.match "^.*/([^/]*)(\\.git)?$" url;
short = builtins.substring 0 7 rev;
appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
in
"${if matched == null then "source" else builtins.head matched}${appendShort}";
name = urlToName url revision;
in
builtins.fetchGit {
rev = revision;
inherit name;
# hash = hash;
inherit url submodules;
};
mkPyPiSource =
{ url, hash, ... }:
builtins.fetchurl {
inherit url;
sha256 = hash;
};
mkChannelSource =
{ url, hash, ... }:
builtins.fetchTarball {
inherit url;
sha256 = hash;
};
mkTarballSource =
{
url,
locked_url ? url,
hash,
...
}:
builtins.fetchTarball {
url = locked_url;
sha256 = hash;
};
in
if version == 5 then
builtins.mapAttrs mkSource data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
npins/sources.json
+11
View File
@@ -0,0 +1,11 @@
{
"pins": {
"nixpkgs": {
"type": "Channel",
"name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre935717.afce96367b2e/nixexprs.tar.xz",
"hash": "1ris54b81dadzckl48agq50xv0m0girdpfammmkpmi67wa11jxf0"
}
},
"version": 5
}
publish-nuget/README.md
+3
View File
@@ -0,0 +1,3 @@
# publish-nuget
A Gitea Action which pushes a package to our NuGet registry, and performs Gitea artifact attestation on the result.
publish-nuget/action.yaml
+47
View File
@@ -0,0 +1,47 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/github-action.json
name: "publish-nuget"
description: "Publishes a NuGet package to a Gitea-hosted NuGet registry and attests to its contents."
inputs:
package-name:
description: "Name of the NuGet package, e.g. Oceanbox.FvcomKit."
required: true
nuget-key:
description: "API key with which to authenticate to the NuGet registry."
required: true
nupkg-dir:
description: |
Directory in which to find the NuGet .nupkg file. We will search one level deep inside this directory for nupkg files named {package-name}.{any-string}.nupkg.
Note that this action is not designed to work if you have two .nupkg files inside this directory, one called Foo.0.0.0.nupkg and one called Foo.Bar.0.0.0.nupkg;
you should make sure there's only one package in this directory.
required: true
registry-url:
description: "URL of the NuGet registry, e.g. https://git.oceanbox.io/api/packages/oceanbox/nuget/index.json"
required: true
default: "https://git.oceanbox.io/api/packages/oceanbox/nuget/index.json"
source-name:
description: "Name to use for the NuGet source when adding it."
required: false
default: "gitea-nuget"
dotnet:
description: "Path to the `dotnet` executable, if you want to override the default (e.g. because you wish to operate inside a Nix devshell)."
required: false
default: "dotnet"
skip-duplicate:
description: 'If set to "true", skips publishing if the package version already exists.'
required: false
default: "true"
runs:
using: "composite"
steps:
- name: Publish to NuGet Registry
shell: bash
id: publish-success
env:
NUGET_API_KEY: ${{ inputs.nuget-key }}
PACKAGE_DIR: ${{ inputs.nupkg-dir }}
PACKAGE_NAME: ${{ inputs.package-name }}
DOTNET_EXE: ${{ inputs.dotnet }}
REGISTRY_URL: ${{ inputs.registry-url }}
SOURCE_NAME: ${{ inputs.source-name }}
SKIP_DUPLICATE: ${{ inputs.skip-duplicate }}
run: '$GITHUB_ACTION_PATH/nuget_push.sh "$PACKAGE_DIR"/"$PACKAGE_NAME".*.nupkg'
publish-nuget/nuget_push.sh
+53
View File
@@ -0,0 +1,53 @@
#!/usr/bin/env bash
set -euo pipefail
# Script to publish NuGet packages to a Gitea registry
# Usage: nuget_push.sh <nupkg-path-pattern>
NUPKG_PATTERN="${1:?Missing nupkg pattern argument}"
# Function to run commands, optionally in nix-shell
run_cmd() {
nix-shell --run "$*"
}
# Find the nupkg file
NUPKG_FILE=$(find "$(dirname "$NUPKG_PATTERN")" -maxdepth 1 -name "$(basename "$NUPKG_PATTERN")" -type f | head -n 1)
if [[ -z "$NUPKG_FILE" ]]; then
echo "Error: No .nupkg file found matching pattern: $NUPKG_PATTERN"
exit 1
fi
echo "Found package: $NUPKG_FILE"
# Extract version from filename
FILENAME=$(basename "$NUPKG_FILE")
VERSION=$(echo "$FILENAME" | sed -E "s/^${PACKAGE_NAME}\.(.+)\.nupkg$/\1/")
echo "Package version: $VERSION"
# Add NuGet source if not already present
echo "Configuring NuGet source: $SOURCE_NAME"
run_cmd "$DOTNET_EXE nuget list source" | grep -q "$SOURCE_NAME" || \
run_cmd "$DOTNET_EXE nuget add source --name \"$SOURCE_NAME\" \"$REGISTRY_URL\""
# Publish the package
echo "Publishing package to $SOURCE_NAME..."
PUSH_CMD="$DOTNET_EXE nuget push \"$NUPKG_FILE\" --api-key \"$NUGET_API_KEY\" --source \"$SOURCE_NAME\""
if [[ "${SKIP_DUPLICATE:-true}" == "true" ]]; then
PUSH_CMD="$PUSH_CMD --skip-duplicate"
fi
if run_cmd "$PUSH_CMD"; then
# Check if it was skipped or actually pushed
# If skip-duplicate is enabled and package exists, dotnet exits with 0 but prints a message
echo "result=published" >> "$GITHUB_OUTPUT"
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
echo "Successfully published (or skipped duplicate): $PACKAGE_NAME $VERSION"
else
echo "result=failed" >> "$GITHUB_OUTPUT"
echo "Failed to publish package"
exit 1
fi
shell.nix
+1
View File
@@ -0,0 +1 @@
(import ./default.nix { }).shell