unarr/.forgejo/workflows/docker-rebuild.yml

# Rebuilds and re-pushes the `latest` image without a version bump so newly
# *fixed* Alpine / ffmpeg / Go patches land between tagged releases. Versioned
# tags are immutable and never touched here. Runs weekly and on demand.
name: Docker rebuild

on:
  schedule:
    # Mondays 04:17 UTC (off the hour to avoid the scheduler rush)
    - cron: "17 4 * * 1"
  workflow_dispatch:

jobs:
  rebuild:
    runs-on: docker
    container:
      image: docker.io/library/docker:27-cli
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install build deps
        run: apk add --no-cache curl git bash

      - name: Install buildx
        run: |
          mkdir -p ~/.docker/cli-plugins
          curl -sSL https://github.com/docker/buildx/releases/latest/download/buildx-linux-amd64 \
            -o ~/.docker/cli-plugins/docker-buildx
          chmod +x ~/.docker/cli-plugins/docker-buildx

      - name: Set up qemu
        run: docker run --rm --privileged tonistiigi/binfmt --install all

      # Stamp the binary with the most recent release tag (not "dev").
      - name: Resolve version
        id: ver
        run: |
          v=$(git describe --tags --abbrev=0 2>/dev/null || echo dev)
          echo "version=$v" >> "$GITHUB_OUTPUT"

      - name: Login to Docker Hub
        env:
          DH_USER: ${{ secrets.DOCKERHUB_USERNAME }}
          DH_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
        run: echo "$DH_TOKEN" | docker login -u "$DH_USER" --password-stdin

      - name: Build + push (refresh latest)
        env:
          VERSION: ${{ steps.ver.outputs.version }}
        run: |
          docker buildx create --name builder --use --driver docker-container
          # Refresh the floating tag only — never overwrite a versioned release.
          # Force a fresh base pull so apk upgrade picks up new patches.
          docker buildx build \
            --platform linux/amd64,linux/arm64 \
            --build-arg "VERSION=$VERSION" \
            --tag "torrentclaw/unarr:latest" \
            --no-cache \
            --push \
            .
ci: port workflows from .github/ to .forgejo/ (Forgejo Actions) GitHub torrentclaw org is shadow-banned and the CI lives at git.torrentclaw.com now. Forgejo Actions is enabled cluster-wide; this moves the workflows into the runner's natively-watched .forgejo/workflows/ tree and adapts each step so the existing Forgejo runner ('docker', 'ubuntu-latest' labels) can execute them without leaning on GitHub-only tooling. - ci.yml: drop actions/setup-go (use container: golang:1.25), replace golangci-lint-action with the upstream install.sh, drop codecov-action (third-party, can re-add later with a Forgejo-compatible variant). - release.yml: drop goreleaser-action (install via curl), wire GITEA_TOKEN + the new release.gitea_urls block in .goreleaser.yml so goreleaser publishes to Forgejo. Sign step swaps 'gh release upload' for curl against the Forgejo releases API (via the in-cluster forgejo:3000 hostname). VirusTotal job dropped — depended heavily on 'gh release' wiring; can be reimplemented against the Forgejo API later if we re-enable it. - docker-rebuild.yml: drop docker/login-action + docker/build-push-action, use raw 'docker' commands with manually-installed buildx + qemu. Same weekly schedule (Mon 04:17 UTC) and same 'latest' refresh behaviour. - pages.yml: deleted — install.sh / install.ps1 are already served from the Hetzner releases volume at torrentclaw.com/install.sh, so the GitHub Pages copy was redundant even before the shadow-ban. .goreleaser.yml: add release.gitea_urls (api=forgejo:3000, download via the public Forgejo URL) + prerelease:auto. ship.sh uses '--skip=publish' so local runs aren't affected by the new release block. 2026-05-27 15:44:48 +02:00			# Rebuilds and re-pushes the `latest` image without a version bump so newly
			`# fixed Alpine / ffmpeg / Go patches land between tagged releases. Versioned`
			`# tags are immutable and never touched here. Runs weekly and on demand.`
			`name: Docker rebuild`

			`on:`
			`schedule:`
			`# Mondays 04:17 UTC (off the hour to avoid the scheduler rush)`
			`- cron: "17 4 * * 1"`
			`workflow_dispatch:`

			`jobs:`
			`rebuild:`
			`runs-on: docker`
			`container:`
			`image: docker.io/library/docker:27-cli`
			`steps:`
			`- uses: actions/checkout@v4`
			`with:`
			`fetch-depth: 0`

			`- name: Install build deps`
			`run: apk add --no-cache curl git bash`

			`- name: Install buildx`
			`run: \|`
			`mkdir -p ~/.docker/cli-plugins`
			`curl -sSL https://github.com/docker/buildx/releases/latest/download/buildx-linux-amd64 \`
			`-o ~/.docker/cli-plugins/docker-buildx`
			`chmod +x ~/.docker/cli-plugins/docker-buildx`

			`- name: Set up qemu`
			`run: docker run --rm --privileged tonistiigi/binfmt --install all`

			`# Stamp the binary with the most recent release tag (not "dev").`
			`- name: Resolve version`
			`id: ver`
			`run: \|`
			`v=$(git describe --tags --abbrev=0 2>/dev/null \|\| echo dev)`
			`echo "version=$v" >> "$GITHUB_OUTPUT"`

			`- name: Login to Docker Hub`
			`env:`
			`DH_USER: ${{ secrets.DOCKERHUB_USERNAME }}`
			`DH_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}`
			`run: echo "$DH_TOKEN" \| docker login -u "$DH_USER" --password-stdin`

			`- name: Build + push (refresh latest)`
			`env:`
			`VERSION: ${{ steps.ver.outputs.version }}`
			`run: \|`
			`docker buildx create --name builder --use --driver docker-container`
			`# Refresh the floating tag only — never overwrite a versioned release.`
			`# Force a fresh base pull so apk upgrade picks up new patches.`
			`docker buildx build \`
			`--platform linux/amd64,linux/arm64 \`
			`--build-arg "VERSION=$VERSION" \`
			`--tag "torrentclaw/unarr:latest" \`
			`--no-cache \`
			`--push \`
			`.`