casjaysdevdocker/gitea
1
0
Fork 0
mirror of https://github.com/casjaysdevdocker/gitea synced 2026-06-24 02:01:03 -04:00
Code Issues Actions Packages Projects Releases Wiki Activity

🔧 Harden gitea binary download in 05-custom.sh 🔧

Browse Source 
Fix SSL and rate-limit failures when downloading gitea during docker build.
The GitHub REST API is rate-limited at 60 req/hour for unauthenticated
requests from Docker BuildKit's outgoing IP. Additionally, BuildKit resolves
github.com via the host DNS which may return an IPv6 address served by a
transparent proxy, causing TLS cert verification failures (error 60: "no
alternative certificate subject name matches target hostname 'github.com'").
Changes:
- rootfs/root/docker/setup/05-custom.sh: replace JSON API version lookup
with a redirect-follow approach (curl -4sfL -o /dev/null -w %{url_effective})
that avoids the rate-limited /releases/latest API endpoint entirely
- rootfs/root/docker/setup/05-custom.sh: add -4 (IPv4-only) flag to all
github.com curl calls to bypass intercepted IPv6 DNS resolutions
- rootfs/root/docker/setup/05-custom.sh: add explicit ca-certificates
install and update-ca-certificates before any HTTPS downloads, since
the base image cert bundle may be stale after system upgrade

rootfs/root/docker/setup/05-custom.sh
This commit is contained in:
Jason Hempstead
2026-05-24 20:53:40 -04:00
parent 7668154e67
commit ae8a7583a8
1 changed files with 11 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rootfs/root/docker/setup/05-custom.sh
+11 -5
View File
@@ -25,6 +25,8 @@ set -o pipefail
# - - - - - - - - - - - - - - - - - - - - - - - - -
# Set env variables
exitCode=0
apk add --no-cache ca-certificates 2>/dev/null || true
update-ca-certificates 2>/dev/null || true
GITEA_VERSION="${GITEA_VERSION:-latest}"
GITEA_BIN_FILE="/usr/local/bin/gitea"
ACT_BIN_FILE="/usr/local/bin/act_runner"
@@ -33,14 +35,18 @@ case "$ARCH" in x86_64) ARCH="amd64" ;; aarch64) ARCH="arm64" ;; *) echo "$ARCH
ACT_VERSIONS="$(curl -q -LSsf 'https://gitea.com/api/v1/repos/gitea/act_runner/releases' -H 'accept: application/json' | jq -r '.[].tag_name' | sort -Vr | head -n1)"
ACT_URL="$(curl -q -LSsf "https://gitea.com/api/v1/repos/gitea/act_runner/releases/tags/$ACT_VERSIONS" -H 'accept: application/json' | jq -rc '.assets|.[]|.browser_download_url' | grep "linux.*$ARCH$")"
if [ -z "$GITEA_VERSION" ] || [ "$GITEA_VERSION" = "latest" ] || [ "$GITEA_VERSION" = "current" ]; then
GITEA_URL="$(curl -s https://api.github.com/repos/go-gitea/gitea/releases/latest | jq -r '.assets[] | select(.name|match("linux.*'${ARCH}'$")) | .browser_download_url')"
else
GITEA_URL="https://github.com/go-gitea/gitea/releases/download/v$GITEA_VERSION/gitea-$GITEA_VERSION-linux-$ARCH"
_latest_url="$(curl -4sfL -o /dev/null -w '%{url_effective}' https://github.com/go-gitea/gitea/releases/latest 2>/dev/null)"
GITEA_VERSION="$(printf '%s\n' "$_latest_url" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')"
fi
if [ -z "$GITEA_VERSION" ]; then
echo "Failed to resolve gitea latest version from GitHub" >&2
exit 1
fi
GITEA_URL="https://github.com/go-gitea/gitea/releases/download/v${GITEA_VERSION}/gitea-${GITEA_VERSION}-linux-${ARCH}"
# - - - - - - - - - - - - - - - - - - - - - - - - -
# Predefined actions
echo "Dowloading gitea from $GITEA_URL"
if curl -q -LSsf "$GITEA_URL" -o "/tmp/gitea.$$"; then
echo "Downloading gitea from $GITEA_URL"
if curl -4 -q -LSsf "$GITEA_URL" -o "/tmp/gitea.$$"; then
mv -f "/tmp/gitea.$$" "$GITEA_BIN_FILE"
echo "gitea has been installed to: $GITEA_BIN_FILE"
chmod +x "$GITEA_BIN_FILE"