Refactor CI workflows (#37487)

1. only trigger docker-dryrun arm64&riscv64 when dockerfile changes 2. de-duplicate "contents: read" permission for most workflows 3. merge various "lint-*" jobs into one job 4. add missing lint targets to the "lint" (all) target
2026-05-01 02:15:01 +08:00
parent 81692ceafa
commit 1721c235a7
10 changed files with 103 additions and 197 deletions
--- a/.github/actions/docker-dryrun/action.yml
+++ b/.github/actions/docker-dryrun/action.yml
@@ -0,0 +1,29 @@
 name: docker-dryrun
 description: Composite action that performs the container build steps for a single platform.
 inputs:
  platform:
    description: "The target platform: linux/amd64, linux/arm64, linux/riscv64."
    required: true
 runs:
  using: composite
  steps:
    - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
    - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
    - name: Build regular image
      uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
      with:
        context: .
        platforms: ${{ inputs.platform }}
        push: false
        file: Dockerfile
        cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful
    - name: Build rootless image
      uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
      with:
        context: .
        platforms: ${{ inputs.platform }}
        push: false
        file: Dockerfile.rootless
        cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootless
--- a/.github/workflows/cache-seeder.yml
+++ b/.github/workflows/cache-seeder.yml
@@ -27,11 +27,12 @@ concurrency:
  group: cache-seeder
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  gobuild:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -49,8 +50,6 @@ jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/cron-renovate.yml
+++ b/.github/workflows/cron-renovate.yml
@@ -11,13 +11,14 @@ concurrency:
 env:
  RENOVATE_VERSION: 43.141.5 # renovate: datasource=docker depName=ghcr.io/renovatebot/renovate
 permissions:
  contents: read
 jobs:
  cron-renovate:
    runs-on: ubuntu-latest
    if: github.repository == 'go-gitea/gitea' # prevent running on forks
    timeout-minutes: 30
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: renovatebot/github-action@83ec54fee49ab67d9cd201084c1ff325b4b462e4 # v46.1.10
--- a/.github/workflows/files-changed.yml
+++ b/.github/workflows/files-changed.yml
@@ -15,6 +15,8 @@ on:
        value: ${{ jobs.detect.outputs.templates }}
      docker:
        value: ${{ jobs.detect.outputs.docker }}
      dockerfile:
        value: ${{ jobs.detect.outputs.dockerfile }}
      swagger:
        value: ${{ jobs.detect.outputs.swagger }}
      yaml:
@@ -24,12 +26,13 @@ on:
      e2e:
        value: ${{ jobs.detect.outputs.e2e }}
 permissions:
  contents: read
 jobs:
  detect:
    runs-on: ubuntu-latest
    timeout-minutes: 3
    permissions:
      contents: read
    outputs:
      backend: ${{ steps.changes.outputs.backend }}
      frontend: ${{ steps.changes.outputs.frontend }}
@@ -37,6 +40,7 @@ jobs:
      actions: ${{ steps.changes.outputs.actions }}
      templates: ${{ steps.changes.outputs.templates }}
      docker: ${{ steps.changes.outputs.docker }}
      dockerfile: ${{ steps.changes.outputs.dockerfile }}
      swagger: ${{ steps.changes.outputs.swagger }}
      yaml: ${{ steps.changes.outputs.yaml }}
      json: ${{ steps.changes.outputs.json }}
@@ -94,6 +98,10 @@ jobs:
              - "docker/**"
              - "Makefile"
            dockerfile:
                - "Dockerfile"
                - "Dockerfile.rootless"
            swagger:
              - "templates/swagger/v1_json.tmpl"
              - "templates/swagger/v1_input.json"
--- a/.github/workflows/part-docker-dryrun.yml
+++ b/.github/workflows/part-docker-dryrun.yml
@@ -1,35 +0,0 @@
 # Reusable workflow that performs the container build steps for a single platform.
 # Used by `pull-docker-dryrun.yml` to run builds in parallel per-platform.
 on:
  workflow_call:
    inputs:
      platform:
        description: 'The target platform(s) to build for (e.g. linux/amd64)'
        required: true
        type: string
 jobs:
  build-dryrun:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Build rootful image
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          platforms: ${{ inputs.platform }}
          push: false
          file: Dockerfile
          cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootful
      - name: Build rootless image
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          platforms: ${{ inputs.platform }}
          push: false
          file: Dockerfile.rootless
          cache-from: type=registry,ref=ghcr.io/go-gitea/gitea:buildcache-rootless
--- a/.github/workflows/pull-compliance.yml
+++ b/.github/workflows/pull-compliance.yml
@@ -7,18 +7,17 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml
    permissions:
      contents: read
  lint-backend:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -35,93 +34,40 @@ jobs:
        env:
          TAGS: bindata sqlite sqlite_unlock_notify
-  lint-templates:
+  lint-on-demand:
    if: needs.files-changed.outputs.templates == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
      - run: uv python install 3.14
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
          cache: pnpm
          cache-dependency-path: pnpm-lock.yaml
      - run: make deps-py
      - run: make deps-frontend
      - run: make lint-templates
  lint-yaml:
    if: needs.files-changed.outputs.yaml == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
      - run: uv python install 3.14
      - run: make deps-py
      - run: make lint-yaml
  lint-json:
    if: needs.files-changed.outputs.json == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
          cache: pnpm
          cache-dependency-path: pnpm-lock.yaml
      - run: make deps-frontend
      - run: make lint-json
  lint-swagger:
    if: needs.files-changed.outputs.swagger == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
          cache: pnpm
          cache-dependency-path: pnpm-lock.yaml
      - run: make deps-frontend
      - run: make lint-swagger
  lint-spell:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true' || needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.templates == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          check-latest: true
          cache: false
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
          cache: pnpm
          cache-dependency-path: pnpm-lock.yaml
      - run: make lint-spell
      - if: needs.files-changed.outputs.templates == 'true' || needs.files-changed.outputs.yaml == 'true'
        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
      - if: needs.files-changed.outputs.templates == 'true' || needs.files-changed.outputs.yaml == 'true'
        run: uv python install 3.14 && make deps-py lint-templates lint-yaml
      - if: needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.swagger == 'true' || needs.files-changed.outputs.json == 'true'
        run: make deps-frontend lint-md lint-swagger lint-json
      - if: needs.files-changed.outputs.actions == 'true'
        run: make lint-actions
  lint-go-windows:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -144,8 +90,6 @@ jobs:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -166,8 +110,6 @@ jobs:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -186,8 +128,6 @@ jobs:
    if: needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
@@ -206,8 +146,6 @@ jobs:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -217,13 +155,12 @@ jobs:
          cache: false
      - uses: ./.github/actions/go-cache
        with:
-          cache-name: backend
+          cache-name: compliance-backend
-      # no frontend build here as backend should be able to build
+      - run: make deps-backend generate-go
-      # even without any frontend files
+      # no frontend build here as backend should be able to build, even without any frontend files
-      - run: make deps-backend
+      # CGO is not used when cross-compile, so these steps also test if the code is compatible with CGO disabled
      - run: go build -o gitea_no_gcc # test if build succeeds without the sqlite tag
      - name: build-backend-arm64
-        run: make backend # test cross compile
+        run: go build -o gitea_linux_arm64
        env:
          GOOS: linux
          GOARCH: arm64
@@ -235,38 +172,7 @@ jobs:
          GOARCH: amd64
          TAGS: bindata gogit
      - name: build-backend-386
-        run: go build -o gitea_linux_386 # test if compatible with 32 bit
+        run: go build -o gitea_linux_386
        env:
          GOOS: linux
          GOARCH: 386
  docs:
    if: needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
          cache: pnpm
          cache-dependency-path: pnpm-lock.yaml
      - run: make deps-frontend
      - run: make lint-md
  actions:
    if: needs.files-changed.outputs.actions == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          check-latest: true
      - run: make lint-actions
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -7,18 +7,17 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml
    permissions:
      contents: read
  test-pgsql:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    services:
      pgsql:
        image: postgres:14
@@ -70,8 +69,6 @@ jobs:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -103,8 +100,6 @@ jobs:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    services:
      elasticsearch:
        image: elasticsearch:7.5.0
@@ -173,8 +168,6 @@ jobs:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    services:
      mysql:
        # the bitnami mysql image has more options than the official one, it's easier to customize
@@ -227,8 +220,6 @@ jobs:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    services:
      mssql:
        image: mcr.microsoft.com/mssql/server:2019-latest
--- a/.github/workflows/pull-docker-dryrun.yml
+++ b/.github/workflows/pull-docker-dryrun.yml
@@ -13,27 +13,35 @@ permissions:
 jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml
    permissions:
      contents: read
-  # dryrun build is slow, so run them in parallel per-platform
+  # QEMU-based build is slow (40-50 minutes), so run arm64 and riscv64 when dockerfile changes.
  # Run amd64 when any docker-related files change, which is fast (4 minutes).
  container-amd64:
    if: needs.files-changed.outputs.docker == 'true'
    needs: [files-changed]
-    uses: ./.github/workflows/part-docker-dryrun.yml
+    runs-on: ubuntu-latest
-    with:
+    steps:
-      platform: linux/amd64
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/docker-dryrun
        with:
          platform: linux/amd64
  container-arm64:
-    if: needs.files-changed.outputs.docker == 'true'
+    if: needs.files-changed.outputs.dockerfile == 'true'
    needs: [files-changed]
-    uses: ./.github/workflows/part-docker-dryrun.yml
+    runs-on: ubuntu-latest
-    with:
+    steps:
-      platform: linux/arm64
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/docker-dryrun
        with:
          platform: linux/arm64
  container-riscv64:
-    if: needs.files-changed.outputs.docker == 'true'
+    if: needs.files-changed.outputs.dockerfile == 'true'
    needs: [files-changed]
-    uses: ./.github/workflows/part-docker-dryrun.yml
+    runs-on: ubuntu-latest
-    with:
+    steps:
-      platform: linux/riscv64
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/docker-dryrun
        with:
          platform: linux/riscv64
--- a/.github/workflows/pull-e2e-tests.yml
+++ b/.github/workflows/pull-e2e-tests.yml
@@ -7,18 +7,17 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml
    permissions:
      contents: read
  test-e2e:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.e2e == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
--- a/2
+++ b/2
@@ -274,7 +274,7 @@ checks-frontend: lockfile-check svg-check ## check frontend files
 checks-backend: tidy-check swagger-check openapi3-check fmt-check swagger-validate security-check ## check backend files
 .PHONY: lint
-lint: lint-frontend lint-backend lint-spell ## lint everything
+lint: lint-frontend lint-backend lint-templates lint-swagger lint-spell lint-md lint-actions lint-json lint-yaml ## lint everything
 .PHONY: lint-fix
 lint-fix: lint-frontend-fix lint-backend-fix lint-spell-fix ## lint everything and fix issues