Tag releases based on <year>.<month>.<increment>

Move away from the week based increment because I don't use week numbers
for anything in my daily life, which makes them hard to evaluate time
from, and replace the per week bump with a global increment.  This means
that it's easy to see at a glance from two version numbers how far
appart they are in both time and number of releases.

.forgejo/workflows/build.yaml

@@ -1,41 +1,43 @@
-on: [push]
-env:
-  REGISTRY: forgejo.sbox.hornwitser.no
-  REGISTRY_IMAGE: forgejo.sbox.hornwitser.no/furnavia/builder
-
-jobs:
-  build:
-    runs-on: docker
-    container:
-      image: sif.g100.hornwitser.no:3000/furnavia/builder:latest
-    steps:
-      -
-        name: Get image tags
-        id: info
-        shell: bash
-        run: |
-          tee -a ${GITHUB_OUTPUT} <<EOF
-          TAGS<<EOT
-          $(
-            echo ${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
-            if [[ "${{ github.ref_name }}" =~ ^r[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-              echo ${{ env.REGISTRY_IMAGE }}:latest
-            elif [[ "${{ github.ref_name }}" == forgejo ]]; then
-              echo ${{ env.REGISTRY_IMAGE }}:development
-            fi
-          )
-          EOT
-          EOF
-      -
-        name: Authenticate
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.REGISTRY_USERNAME }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
-          registry: ${{ env.REGISTRY }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          push: true
-          tags: ${{ steps.info.outputs.TAGS }}
+on:
+  push:
+env:
+  REGISTRY_IMAGE: ${{ vars.REGISTRY }}/${{ github.repository }}:${{ github.ref_name }}
+
+jobs:
+  build:
+    runs-on: debian
+    steps:
+      -
+        name: Install and configure dependencies
+        run: |
+          apt-get update
+          apt-get install -y --no-install-recommends \
+            buildah \
+            ca-certificates \
+            containers-storage \
+            crun \
+            git \
+            netavark \
+          ;
+          shared=/var/lib/shared/storage
+          sed /usr/share/containers/storage.conf \
+            -e "/^additionalimagestores/a"'\
+            '"\"$shared\"" \
+          > /etc/containers/storage.conf
+      -
+        name: Checkout repository
+        run: |
+          git config --global credential.helper store
+          echo "https://runner:${{ secrets.GITHUB_TOKEN }}@$(echo "${{ github.server_url }}" | cut -b 9-)" > ~/.git-credentials
+          git clone --branch ${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} ${{ github.workspace }}
+      -
+        name: Authenticate with registry
+        run: |
+          echo "${{ secrets.REGISTRY_TOKEN }}" | buildah login ${{ vars.REGISTRY }} --username runner --password-stdin
+      -
+        name: Build and push
+        run: |
+          export BUILDAH_ISOLATION=chroot
+          export _BUILDAH_STARTED_IN_USERNS=""
+          ${{ github.workspace }}/builder.sh ${{ env.REGISTRY_IMAGE }}
+          buildah push ${{ env.REGISTRY_IMAGE }}

.gitlab-ci.yml

@@ -1,17 +0,0 @@
-default:
-  image: docker:24.0.5
-
-build:
-  stage: build
-  script:
-    - docker build $CI_PROJECT_DIR
-      --tag ${REGISTRY_IMAGE}:${CI_COMMIT_REF_SLUG}
-      $(echo "$CI_COMMIT_TAG" | if grep -q $(date -u '+^r%g\.%-V\.\(0\|[1-9][0-9]*\)$');
-        then echo --tag ${REGISTRY_IMAGE}:latest;
-      fi)
-
-deploy:
-  stage: deploy
-  script:
-    - echo "$REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $REGISTRY_USER --password-stdin
-    - docker push --all-tags ${REGISTRY_IMAGE}

Dockerfile

@@ -1,57 +0,0 @@
-FROM debian:bookworm
-
-ARG KUBE_RELEASE=v1.30.2
-ARG YQ_VERSION=v4.44.2
-ARG NODE_VERSION=20.x
-ARG PNPM_VERSION=v9.5.0
-ARG UBUNTU_CODENAME=jammy
-
-RUN set -eux; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends \
-		ca-certificates \
-		curl \
-		git \
-		gpg \
-		openssh-client \
-	; \
-	install -m 0755 -d /etc/apt/keyrings; \
-	curl -sSL "https://keyserver.ubuntu.com/pks/lookup?fingerprint=on&op=get&search=0x6125E2A8C77F2818FB7BD15B93C4A3FD7BB9C367" \
-		> /etc/apt/keyrings/ansible.asc \
-	; \
-	echo \
-		"deb [signed-by=/etc/apt/keyrings/ansible.asc] \
-		http://ppa.launchpad.net/ansible/ansible/ubuntu \
-		$UBUNTU_CODENAME main" \
-	> /etc/apt/sources.list.d/ansible.list; \
-	curl -sSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc; \
-	chmod a+r /etc/apt/keyrings/docker.asc; \
-	echo \
-		"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
-		https://download.docker.com/linux/debian \
-		bookworm stable" \
-	> /etc/apt/sources.list.d/docker.list; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends \
-		ansible \
-		docker-ce-cli \
-		docker-buildx-plugin \
-		docker-compose-plugin \
-	; \
-	curl --silent --location "https://dl.k8s.io/release/$KUBE_RELEASE/bin/linux/amd64/kubectl" \
-		| install --owner=root --group=root --mode=0755 /dev/stdin /usr/local/bin/kubectl \
-	; \
-	curl --silent --location "https://github.com/mikefarah/yq/releases/download/$YQ_VERSION/yq_linux_amd64.tar.gz" \
-		| tar --extract --gzip --to-stdout ./yq_linux_amd64 \
-		| install --owner=root --group=root --mode=0755 /dev/stdin /usr/local/bin/yq \
-	; \
-	curl --silent --location "https://deb.nodesource.com/setup_$NODE_VERSION" | bash; \
-	apt-get install -y --no-install-recommends nodejs; \
-	corepack install --global pnpm@$PNPM_VERSION; \
-	corepack enable pnpm; \
-	rm -rf /var/lib/apt/lists/*
-
-# References:
-# - ansible: https://docs.ansible.com/ansible/latest/installation_guide/installation_distros.html#installing-ansible-on-debian
-# - docker: https://docs.docker.com/engine/install/debian/#install-from-a-package
-# - node: https://github.com/nodesource/distributions#installation-instructions-deb

Readme.md

@@ -1,15 +1,14 @@
 # Builder
 
-Common docker image used for running application builds, CI pipelines, and deployment scripts based on Debian 12.
+Common container image used for running application builds, CI pipelines, and deployment scripts based on Debian Trixie.
 
 ## Tools included
 
-- `ansible` - https://www.ansible.com/
-- `docker`
-- `curl`
-- `git`
-- `kubectl`
-- `node`
-- `pnpm`
-- `ssh`
-- `yq` - https://github.com/mikefarah/yq
+- `buildah` trixie - https://packages.debian.org/trixie/buildah
+- `curl` trixie - https://packages.debian.org/trixie/curl
+- `git` trixie - https://packages.debian.org/trixie/git
+- `node` v22.x - https://github.com/nodesource/distributions
+- `pnpm` v9.5.0 - https://pnpm.io/
+- `podman` trixie - https://packages.debian.org/trixie/podman
+- `ssh` trixie - https://packages.debian.org/trixie/openssh-client
+- `yq` v4.44.2 - https://github.com/mikefarah/yq

builder.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -xe
+
+YQ_VERSION=v4.44.2
+NODE_VERSION=22.x
+PNPM_VERSION=v9.5.0
+
+ctr=$(buildah from "docker.io/library/debian:trixie-20250428")
+mnt=$(buildah mount $ctr) # Used to verify mounts work
+
+# Install dependencies
+buildah run $ctr -- apt-get update
+buildah run $ctr -- apt-get install -y --no-install-recommends \
+	buildah \
+	ca-certificates \
+	containers-storage \
+	crun \
+	curl \
+	git \
+	netavark \
+	openssh-client \
+	podman \
+	podman-docker \
+;
+
+# Configure container storage
+shared=/var/lib/shared/storage
+buildah run $ctr -- sh -c "sed /usr/share/containers/storage.conf \
+	-e '/^additionalimagestores/a"'\
+'"  \"$shared\"' \
+> /etc/containers/storage.conf"
+buildah run $ctr -- sh -c "\
+	mkdir -p $shared/overlay-images $shared/overlay-layers; \
+	touch $shared/overlay-images/images.lock; \
+	touch $shared/overlay-layers/layers.lock; \
+"
+
+# yq https://github.com/mikefarah/yq?tab=readme-ov-file#install
+buildah run $ctr -- sh -c "curl --silent --location \"https://github.com/mikefarah/yq/releases/download/$YQ_VERSION/yq_linux_amd64.tar.gz\" \
+	| tar --extract --gzip --to-stdout ./yq_linux_amd64 \
+	| install --owner=root --group=root --mode=0755 /dev/stdin /usr/local/bin/yq \
+;"
+
+# node https://github.com/nodesource/distributions?tab=readme-ov-file#using-debian-as-root-nodejs-22
+buildah run $ctr -- sh -c "curl --silent --location \"https://deb.nodesource.com/setup_$NODE_VERSION\" | bash"
+buildah run $ctr -- apt-get install -y --no-install-recommends nodejs
+
+# pnpm https://nodejs.org/api/corepack.html#upgrading-the-global-versions
+buildah run $ctr -- corepack install --global pnpm@$PNPM_VERSION
+buildah run $ctr -- corepack enable pnpm
+
+# Clear caches
+buildah run $ctr -- rm -rf /var/lib/apt/lists/*
+
+# Config
+buildah config \
+	--env BUILDAH_ISOLATION=chroot \
+	--env _BUILDAH_STARTED_IN_USERNS= \
+$ctr;
+
+buildah unmount $ctr
+buildah commit --rm $ctr $1

tag-release.sh

@@ -1,11 +1,11 @@
 #!/bin/bash
 
-# Finds the next available r<year>.<week>.<bump> identifier for the current year and week
-YEAR_WEEK=$(date -u +%g.%-V)
-YEAR=${YEAR_WEEK:0:2}
-WEEK=${YEAR_WEEK:3}
-LAST_BUMP=$(git tag --list | grep '^r'$YEAR'\.'$WEEK'\.\(0\|[1-9][0-9]*\)$' | cut -d . -f 3 | sort -nr | head -n 1)
-RELEASE=r${YEAR_WEEK}.$(( ${LAST_BUMP:--1} + 1 ))
+# Finds the next available r<year>.<month>.<increment> identifier
+YEAR_MONTH=$(date -u +%Y.%-m)
+YEAR=${YEAR_MONTH:0:4}
+MONTH=${YEAR_MONTH:5}
+LAST_INCREMENT=$(git tag --list | grep '^r[1-9][0-9]*\.\([1-9]\|1[0-2]\)\.\(0\|[1-9][0-9]*\)$' | cut -d . -f 3 | sort -nr | head -n 1)
+RELEASE=r${YEAR_MONTH}.$(( ${LAST_INCREMENT:--1} + 1 ))
 
 git tag $RELEASE
 echo Tagged $RELEASE