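# Builds an offline GitLab installer bundle (images, Helm chart, nerdctl) per
# architecture, smoke-tests the archive, publishes it as a GitHub Release,
# rsyncs it to the update server and prunes old versions there.
#
# NOTE(review): every `uses:` below references a mutable tag (@v1/@v4). For a
# release pipeline that holds a deploy key, pin each action to a reviewed full
# commit SHA so a moved tag cannot change what runs here.
name: Build Offline GitLab Installer

on:
  push:
    paths:
      - '.github/workflows/offline-package-gitlab-installer.yaml'
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag to use/sync (e.g., v16.11.0). Leave empty to use offline-gitlab-<run_number>"
        required: false
        type: string
      chart_version:
        description: "Override Helm chart version for gitlab/gitlab. Leave empty to auto-resolve"
        required: false
        type: string

# Least privilege: read-only by default; only publish-release is granted
# contents: write. Raise it per job if a script under script/ turns out to
# need more (those scripts are not visible from this file).
permissions:
  contents: read

concurrency:
  group: build-offline-gitlab
  cancel-in-progress: false

jobs:
  build-offline-installer:
    strategy:
      matrix:
        arch: [amd64, arm64]
    runs-on: ubuntu-latest
    env:
      NERDCTL_VERSION: "2.0.3"
    outputs:
      chart_version: ${{ steps.resolve.outputs.chart_version }}
    steps:
      - uses: actions/checkout@v4

      - name: Install deps (curl, jq, helm)
        run: script/install-offline-gitlab-deps.sh

      - name: Add helm repo
        run: |
          set -euo pipefail
          helm repo add gitlab https://charts.gitlab.io --force-update
          helm repo update

      - name: Resolve chart version
        id: resolve
        env:
          # Free-form workflow_dispatch input; the script must treat it as data.
          OVERRIDE_CHART_VERSION: ${{ github.event.inputs.chart_version }}
        run: script/resolve-gitlab-chart-version.sh

      - name: Prepare directories
        run: |
          set -euo pipefail
          rm -rf offline-installer
          mkdir -p offline-installer/{images,charts,scripts,metadata}

      - name: Stage installer script
        env:
          CHART_VERSION: ${{ steps.resolve.outputs.chart_version }}
        run: script/stage-gitlab-offline-installer.sh

      - name: Download nerdctl binary for ${{ matrix.arch }}
        env:
          ARCH: ${{ matrix.arch }}
        run: |
          set -euo pipefail
          base="https://github.com/containerd/nerdctl/releases/download/v${NERDCTL_VERSION}"
          asset="nerdctl-${NERDCTL_VERSION}-linux-${ARCH}.tar.gz"
          workdir="$(mktemp -d)"
          wget "${base}/${asset}" -O "${workdir}/${asset}"
          wget "${base}/SHA256SUMS" -O "${workdir}/SHA256SUMS"
          # Fail the build on a truncated or corrupted download. SHA256SUMS comes
          # from the same release, so this is an integrity check only; pinning the
          # expected digest next to NERDCTL_VERSION would also cover a tampered
          # release asset.
          (cd "${workdir}" && sha256sum -c --ignore-missing SHA256SUMS)
          mv "${workdir}/${asset}" offline-installer/nerdctl.tar.gz

      - name: Pull & export required images
        env:
          CHART_VERSION: ${{ steps.resolve.outputs.chart_version }}
          ARCH: ${{ matrix.arch }}
        run: script/pull-and-export-gitlab-images.sh

      - name: Download Helm chart
        env:
          CHART_VERSION: ${{ steps.resolve.outputs.chart_version }}
        run: |
          set -euo pipefail
          helm pull gitlab/gitlab --version "${CHART_VERSION}" --untar --untardir offline-installer/charts

      - name: Package offline installer
        run: |
          set -euo pipefail
          tar -czf offline-setup-gitlab-${{ matrix.arch }}.tar.gz -C offline-installer .
          ls -lh offline-setup-gitlab-${{ matrix.arch }}.tar.gz

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: offline-setup-gitlab-${{ matrix.arch }}
          path: offline-setup-gitlab-${{ matrix.arch }}.tar.gz

  test-offline-installer:
    needs: build-offline-installer
    strategy:
      matrix:
        arch: [amd64]
    runs-on: ubuntu-latest
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: offline-setup-gitlab-${{ matrix.arch }}
          path: offline-test

      # Only checks that the archive is a readable gzip tarball; the arm64
      # bundle is not covered by this matrix.
      - name: Verify offline package integrity
        run: |
          set -euo pipefail
          cd offline-test
          tar -tzf offline-setup-gitlab-${{ matrix.arch }}.tar.gz > /dev/null

  publish-release:
    needs: test-offline-installer
    runs-on: ubuntu-latest
    permissions:
      contents: write
    env:
      TAG_NAME: ${{ github.event.inputs.tag != '' && github.event.inputs.tag || format('offline-gitlab-{0}', github.run_number) }}
      REMOTE_ROOT: /data/update-server/gitlab
    steps:
      # TAG_NAME can come from a free-form workflow_dispatch input and is later
      # used as a remote directory name inside an ssh command line, so restrict
      # it to a safe character set before anything consumes it.
      - name: Validate release tag
        run: |
          set -euo pipefail
          if [[ ! "${TAG_NAME}" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
            echo "::error::Invalid release tag: only letters, digits, '.', '_' and '-' are allowed"
            exit 1
          fi

      - uses: actions/checkout@v4

      # NOTE(review): actions/create-release is archived upstream; the
      # softprops/action-gh-release step below can create the release itself.
      - name: Create Release
        id: create_release
        uses: actions/create-release@v1
        with:
          tag_name: ${{ env.TAG_NAME }}
          release_name: Build ${{ env.TAG_NAME }}
          draft: false
          prerelease: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Download amd64 artifact
        uses: actions/download-artifact@v4
        with:
          name: offline-setup-gitlab-amd64
          path: release-artifacts/amd64

      - name: Download arm64 artifact
        uses: actions/download-artifact@v4
        with:
          name: offline-setup-gitlab-arm64
          path: release-artifacts/arm64

      - name: Upload offline installers to GitHub Release
        uses: softprops/action-gh-release@v1
        with:
          tag_name: ${{ env.TAG_NAME }}
          files: |
            release-artifacts/amd64/offline-setup-gitlab-amd64.tar.gz
            release-artifacts/arm64/offline-setup-gitlab-arm64.tar.gz
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Ensure deps (rsync, ssh)
        run: |
          set -euo pipefail
          sudo apt-get update -y
          sudo apt-get install -y rsync openssh-client

      # The deploy secrets are scoped to the steps that use them, so the
      # third-party actions above never see the SSH private key in their env.
      - name: Init SSH
        env:
          RSYNC_SSH_KEY: ${{ secrets.RSYNC_SSH_KEY }}
          VPS_HOST: ${{ secrets.VPS_HOST }}
        run: |
          set -euo pipefail
          install -d -m 700 ~/.ssh
          # Create the key file with restrictive permissions from the start.
          (umask 077 && printf '%s\n' "$RSYNC_SSH_KEY" > ~/.ssh/id_rsa)
          chmod 600 ~/.ssh/id_rsa
          # NOTE(review): ssh-keyscan trusts whatever host key is served at run
          # time, so the server's identity is never verified. Prefer writing a
          # pinned known_hosts entry (e.g. from a repository secret) instead.
          ssh-keyscan -H "$VPS_HOST" >> ~/.ssh/known_hosts

      - name: Rsync release assets to remote
        env:
          RSYNC_SSH_USER: ${{ secrets.RSYNC_SSH_USER }}
          VPS_HOST: ${{ secrets.VPS_HOST }}
        run: |
          set -euo pipefail
          REMOTE_DIR="${REMOTE_ROOT}/${TAG_NAME}"
          # REMOTE_DIR is expanded locally and parsed again by the remote shell;
          # this is safe only because TAG_NAME was validated above.
          ssh -i ~/.ssh/id_rsa "${RSYNC_SSH_USER}@${VPS_HOST}" "mkdir -p -- '${REMOTE_DIR}'"
          echo "Rsync -> ${VPS_HOST}:${REMOTE_DIR}/"
          rsync -av -e "ssh -i ~/.ssh/id_rsa" \
            release-artifacts/amd64/offline-setup-gitlab-amd64.tar.gz \
            release-artifacts/arm64/offline-setup-gitlab-arm64.tar.gz \
            "${RSYNC_SSH_USER}@${VPS_HOST}:${REMOTE_DIR}/"

  retention:
    name: Remote retention (keep latest 3)
    needs: publish-release
    runs-on: ubuntu-latest
    env:
      REMOTE_ROOT: /data/update-server/gitlab
    steps:
      - name: Init SSH
        env:
          RSYNC_SSH_KEY: ${{ secrets.RSYNC_SSH_KEY }}
          VPS_HOST: ${{ secrets.VPS_HOST }}
        run: |
          set -euo pipefail
          install -d -m 700 ~/.ssh
          # Create the key file with restrictive permissions from the start.
          (umask 077 && printf '%s\n' "$RSYNC_SSH_KEY" > ~/.ssh/id_rsa)
          chmod 600 ~/.ssh/id_rsa
          # NOTE(review): ssh-keyscan trusts whatever host key is served at run
          # time, so the server's identity is never verified. Prefer writing a
          # pinned known_hosts entry (e.g. from a repository secret) instead.
          ssh-keyscan -H "$VPS_HOST" >> ~/.ssh/known_hosts

      - name: Prune old versions on remote (keep 3)
        env:
          RSYNC_SSH_USER: ${{ secrets.RSYNC_SSH_USER }}
          VPS_HOST: ${{ secrets.VPS_HOST }}
        run: |
          set -euo pipefail
          # ssh joins its command arguments into one string for the remote shell,
          # so a multi-line `bash -lc '...'` argument does not arrive as a single
          # -c script. Send the script on stdin to `bash -s` instead and pass
          # REMOTE_ROOT as a shell-quoted positional argument.
          ssh -i ~/.ssh/id_rsa "${RSYNC_SSH_USER}@${VPS_HOST}" \
            "bash -s -- $(printf '%q' "${REMOTE_ROOT}")" <<'REMOTE_SCRIPT'
          set -euo pipefail
          # Never run the rm loop outside the release root.
          cd -- "$1" || { echo "Remote root not found; nothing to prune."; exit 0; }
          keep=3
          # Only entries named like a release are candidates. Both naming schemes
          # share one version sort, so the newest three overall are kept.
          mapfile -t all < <(ls -1 | grep -E "^(offline-gitlab-|v[0-9]+\.)" | sort -V -r || true)
          if [ "${#all[@]}" -le "$keep" ]; then
            echo "Nothing to prune. Count=${#all[@]}"
            exit 0
          fi
          to_delete=("${all[@]:keep}")
          echo "Pruning old versions: ${to_delete[*]}"
          for d in "${to_delete[@]}"; do
            rm -rf -- "$d"
          done
          REMOTE_SCRIPT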