Update version of BuiltKit task.

This version does not launch the ssh agent if no keys are mounted.

.lighthouse/triggers.yaml

@@ -1,70 +0,0 @@
-apiVersion: config.lighthouse.jenkins-x.io/v1alpha1
-kind: TriggerConfig
-spec:
-  postsubmits:
-    - name: semver
-      agent: tekton-pipeline
-      branches:
-        - ^main$
-        - ^master$
-      context: homepage
-      max_concurrency: 1
-      # Override https-based url from lighthouse events.
-      clone_uri: "git@code.fizz.buzz:talexander/homepage.git"
-      pipeline_run_spec:
-        serviceAccountName: build-bot
-        pipelineRef:
-          name: semver
-          namespace: lighthouse
-        workspaces:
-          - name: git-source
-            volumeClaimTemplate:
-              spec:
-                storageClassName: "nfs-client"
-                accessModes:
-                  - ReadWriteOnce
-                resources:
-                  requests:
-                    storage: 10Gi
-            subPath: homepage-source
-        params: []
-    - name: build-homepage-staging
-      source: "pipeline-build-homepage-staging.yaml"
-      # Override https-based url from lighthouse events.
-      clone_uri: "git@code.fizz.buzz:talexander/homepage.git"
-      skip_branches:
-        # We already run on every commit, so running when the semver tags get pushed is causing needless double-processing.
-        - "^v[0-9]+\\.[0-9]+\\.[0-9]+$"
-    - name: build-homepage
-      agent: tekton-pipeline
-      branches:
-        - "^v[0-9]+\\.[0-9]+\\.[0-9]+$"
-      context: build-docker
-      max_concurrency: 1
-      # Override https-based url from lighthouse events.
-      clone_uri: "git@code.fizz.buzz:talexander/homepage.git"
-      pipeline_run_spec:
-        serviceAccountName: build-bot
-        pipelineRef:
-          name: build-docker-pipeline
-        workspaces:
-          - name: git-source
-            volumeClaimTemplate:
-              spec:
-                storageClassName: "nfs-client"
-                accessModes:
-                  - ReadWriteOnce
-                resources:
-                  requests:
-                    storage: 10Gi
-            subPath: git-source
-          - name: docker-credentials
-            secret:
-              secretName: harbor-plain
-        params:
-          - name: image-name
-            value: "harbor.fizz.buzz/private/homepage"
-          - name: path-to-image-context
-            value: .
-          - name: path-to-dockerfile
-            value: docker/server/Dockerfile

.webhook_bridge/pipeline-build-homepage-staging.yaml

@@ -1,13 +1,22 @@
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: PipelineRun
 metadata:
   name: build-homepage-staging
 spec:
+  timeouts:
+    pipeline: "2h0m0s"
+    tasks: "1h0m0s"
+    finally: "0h30m0s"
+  taskRunTemplate:
+    serviceAccountName: build-bot
   pipelineSpec:
     params:
       - name: image-name
         description: The name for the built image
         type: string
+      - name: target-name
+        description: The dockerfile target to build
+        type: string
       - name: path-to-image-context
         description: The path to the build context
         type: string
@@ -19,28 +28,53 @@ spec:
         taskSpec:
           metadata: {}
           stepTemplate:
-            image: alpine:3.18
+            image: alpine:3.20
-            name: ""
+            computeResources:
-            resources:
               requests:
                 cpu: 10m
                 memory: 600Mi
-            workingDir: /workspace/source
+            workingDir: "/"
           results:
             - name: unix-time
-              description: The current date in unix timestamp format
+              description: The current date in unix timestamp format.
           steps:
-            - image: alpine:3.18
+            - image: alpine:3.20
               name: get-time-step
               script: |
                 #!/usr/bin/env sh
+                set -euo pipefail
                 echo -n "$(date +%s)" | tee $(results.unix-time.path)
+      - name: get-git-commit-time
+        taskSpec:
+          metadata: {}
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: "$(workspaces.repo.path)"
+          results:
+            - name: unix-time
+              description: The time of the git commit in unix timestamp format.
+          steps:
+            - image: alpine/git:v2.34.2
+              name: detect-tag-step
+              script: |
+                #!/usr/bin/env sh
+                set -euo pipefail
+                echo -n "$(git log -1 --pretty=%ct)" | tee $(results.unix-time.path)
+        workspaces:
+          - name: repo
+            workspace: git-source
+        runAfter:
+          - fetch-repository
       - name: report-pending
         taskRef:
           resolver: git
           params:
             - name: url
-              value: https://github.com/tektoncd/catalog.git
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
             - name: revision
               value: df36b3853a5657fd883015cdbf07ad6466918acf
             - name: pathInRepo
@@ -67,7 +101,7 @@ spec:
           resolver: git
           params:
             - name: url
-              value: https://github.com/tektoncd/catalog.git
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
             - name: revision
               value: df36b3853a5657fd883015cdbf07ad6466918acf
             - name: pathInRepo
@@ -87,39 +121,41 @@ spec:
           resolver: git
           params:
             - name: url
-              value: https://github.com/tektoncd/catalog.git
+              value: https://code.fizz.buzz/talexander/personal_tekton_catalog.git
             - name: revision
-              value: df36b3853a5657fd883015cdbf07ad6466918acf
+              value: 7ee31a185243ee6da13dcd26a592c585b64c80e5
             - name: pathInRepo
-              value: task/kaniko/0.6//kaniko.yaml
+              value: task/buildkit-rootless-daemonless/0.1/buildkit-rootless-daemonless.yaml
         params:
-          - name: IMAGE
+          - name: OUTPUT
-            value: "$(params.image-name):$(tasks.get-time.results.unix-time)"
+            value: >-
+              type=image,"name=$(params.image-name):latest,$(params.image-name):$(tasks.get-time.results.unix-time)",push=true,compression=zstd,compression-level=22,oci-mediatypes=true
           - name: CONTEXT
             value: $(params.path-to-image-context)
           - name: DOCKERFILE
             value: $(params.path-to-dockerfile)
-          - name: BUILDER_IMAGE
-            value: "gcr.io/kaniko-project/executor:v1.12.1"
           - name: EXTRA_ARGS
             value:
-              - "--destination=$(params.image-name)" # Also write the :latest image
+              - --import-cache
-              - --cache=true
+              - "type=registry,ref=$(params.image-name):buildcache"
-              - --cache-copy-layers
+              - --export-cache
-              - --cache-repo=harbor.fizz.buzz/kanikocache/cache
+              - "type=registry,ref=$(params.image-name):buildcache,mode=max,compression=zstd,compression-level=22,rewrite-timestamp=true,image-manifest=true,oci-mediatypes=true"
-              - --use-new-run # Should result in a speed-up
+              - --opt
-              - --reproducible # To remove timestamps so layer caching works.
+              - build-arg:SOURCE_DATE_EPOCH=$(tasks.get-git-commit-time.results.unix-time)
-              - --snapshot-mode=redo
+          - name: BUILDKITD_TOML
-              - --skip-unused-stages=true
+            value: |
-              - --registry-mirror=dockerhub.dockerhub.svc.cluster.local
+              debug = true
+              [registry."docker.io"]
+                mirrors = ["dockerhub.dockerhub.svc.cluster.local"]
+              [registry."dockerhub.dockerhub.svc.cluster.local"]
+                http = true
+                insecure = true
         workspaces:
           - name: source
             workspace: git-source
           - name: dockerconfig
             workspace: docker-credentials
         runAfter:
-          - get-time
-          - report-pending
           - fetch-repository
     finally:
       - name: report-success
@@ -131,7 +167,7 @@ spec:
           resolver: git
           params:
             - name: url
-              value: https://github.com/tektoncd/catalog.git
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
             - name: revision
               value: df36b3853a5657fd883015cdbf07ad6466918acf
             - name: pathInRepo
@@ -160,7 +196,7 @@ spec:
           resolver: git
           params:
             - name: url
-              value: https://github.com/tektoncd/catalog.git
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
             - name: revision
               value: df36b3853a5657fd883015cdbf07ad6466918acf
             - name: pathInRepo
@@ -197,12 +233,12 @@ spec:
     - name: docker-credentials
       secret:
         secretName: harbor-plain
-  serviceAccountName: build-bot
-  timeout: 240h0m0s
   params:
     - name: image-name
       value: "harbor.fizz.buzz/private/homepage-staging"
+    - name: target-name
+      value: ""
     - name: path-to-image-context
       value: .
     - name: path-to-dockerfile
-      value: docker/server/Dockerfile
+      value: docker/server

.webhook_bridge/pipeline-build-homepage.yaml

@@ -0,0 +1,256 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  name: build-homepage
+spec:
+  timeouts:
+    pipeline: "2h0m0s"
+    tasks: "1h0m0s"
+    finally: "0h30m0s"
+  taskRunTemplate:
+    serviceAccountName: build-bot
+  pipelineSpec:
+    params:
+      - name: image-name
+        description: The name for the built image
+        type: string
+      - name: target-name
+        description: The dockerfile target to build
+        type: string
+      - name: path-to-image-context
+        description: The path to the build context
+        type: string
+      - name: path-to-dockerfile
+        description: The path to the Dockerfile
+        type: string
+    tasks:
+      - name: get-git-commit-time
+        taskSpec:
+          metadata: {}
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: "$(workspaces.repo.path)"
+          results:
+            - name: unix-time
+              description: The time of the git commit in unix timestamp format.
+          steps:
+            - image: alpine/git:v2.34.2
+              name: detect-tag-step
+              script: |
+                #!/usr/bin/env sh
+                set -euo pipefail
+                echo -n "$(git log -1 --pretty=%ct)" | tee $(results.unix-time.path)
+        workspaces:
+          - name: repo
+            workspace: git-source
+        runAfter:
+          - fetch-repository
+      - name: detect-tag
+        taskSpec:
+          metadata: {}
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: "$(workspaces.repo.path)"
+          results:
+            - name: tag
+              description: The tag to use for the docker container.
+          steps:
+            - image: alpine/git:v2.34.2
+              name: detect-tag-step
+              script: |
+                #!/usr/bin/env sh
+                set -euo pipefail
+                git fetch --tags
+                current_tag=$(git tag --points-at HEAD --list 'v*.*.*')
+                if [ -z "$current_tag" ]; then
+                  echo "No tag at current commit"
+                  exit 1
+                else
+                  echo -n "${current_tag}" | tee $(results.tag.path)
+                fi
+        workspaces:
+          - name: repo
+            workspace: git-source
+        runAfter:
+          - fetch-repository
+      - name: report-pending
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        runAfter:
+          - fetch-repository
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has started"
+          - name: STATE
+            value: pending
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: fetch-repository
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/git-clone/0.9/git-clone.yaml
+        workspaces:
+          - name: output
+            workspace: git-source
+        params:
+          - name: url
+            value: $(params.REPO_URL)
+          - name: revision
+            value: $(params.PULL_BASE_SHA)
+          - name: deleteExisting
+            value: "true"
+      - name: build-image
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/talexander/personal_tekton_catalog.git
+            - name: revision
+              value: 7ee31a185243ee6da13dcd26a592c585b64c80e5
+            - name: pathInRepo
+              value: task/buildkit-rootless-daemonless/0.1/buildkit-rootless-daemonless.yaml
+        params:
+          - name: OUTPUT
+            value: >-
+              type=image,"name=$(params.image-name):latest,$(params.image-name):$(tasks.detect-tag.results.tag)",push=true,compression=zstd,compression-level=22,oci-mediatypes=true
+          - name: CONTEXT
+            value: $(params.path-to-image-context)
+          - name: DOCKERFILE
+            value: $(params.path-to-dockerfile)
+          - name: EXTRA_ARGS
+            value:
+              - --import-cache
+              - "type=registry,ref=$(params.image-name):buildcache"
+              - --export-cache
+              - "type=registry,ref=$(params.image-name):buildcache,mode=max,compression=zstd,compression-level=22,rewrite-timestamp=true,image-manifest=true,oci-mediatypes=true"
+              - --opt
+              - build-arg:SOURCE_DATE_EPOCH=$(tasks.get-git-commit-time.results.unix-time)
+          - name: BUILDKITD_TOML
+            value: |
+              debug = true
+              [registry."docker.io"]
+                mirrors = ["dockerhub.dockerhub.svc.cluster.local"]
+              [registry."dockerhub.dockerhub.svc.cluster.local"]
+                http = true
+                insecure = true
+        workspaces:
+          - name: source
+            workspace: git-source
+          - name: dockerconfig
+            workspace: docker-credentials
+        runAfter:
+          - fetch-repository
+    finally:
+      - name: report-success
+        when:
+          - input: "$(tasks.status)"
+            operator: in
+            values: ["Succeeded", "Completed"]
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has succeeded"
+          - name: STATE
+            value: success
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: report-failure
+        when:
+          - input: "$(tasks.status)"
+            operator: in
+            values: ["Failed"]
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has failed"
+          - name: STATE
+            value: failure
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+    workspaces:
+      - name: git-source
+      - name: docker-credentials
+  workspaces:
+    - name: git-source
+      volumeClaimTemplate:
+        spec:
+          storageClassName: "nfs-client"
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 10Gi
+      subPath: rust-source
+    - name: docker-credentials
+      secret:
+        secretName: harbor-plain
+  params:
+    - name: image-name
+      value: "harbor.fizz.buzz/private/homepage"
+    - name: target-name
+      value: ""
+    - name: path-to-image-context
+      value: .
+    - name: path-to-dockerfile
+      value: docker/server

.webhook_bridge/pipeline-semver.yaml

@@ -0,0 +1,187 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  name: semver
+spec:
+  timeouts:
+    pipeline: "2h0m0s"
+    tasks: "1h0m0s"
+    finally: "0h30m0s"
+  taskRunTemplate:
+    serviceAccountName: build-bot
+  pipelineSpec:
+    params:
+      - name: REPO_OWNER
+        description: Owner of the repo on gitea
+        type: string
+      - name: REPO_NAME
+        description: Name of the repo on gitea
+        type: string
+      - name: PULL_BASE_SHA
+        description: The commit sha
+        type: string
+      - name: JOB_NAME
+        description: The name of the job to report to gitea
+        type: string
+    tasks:
+      - name: calculate-tag
+        runAfter:
+          - fetch-repository
+        workspaces:
+          - name: source
+            workspace: git-source
+        taskSpec:
+          metadata: {}
+          stepTemplate:
+            image: alpine:3.20
+            computeResources:
+              requests:
+                cpu: 10m
+                memory: 600Mi
+            workingDir: /workspace/source
+          results:
+            - name: tag
+              description: The tag to use for the docker container
+          steps:
+            - image: alpine/git:2.43.0
+              name: calculate-tag
+              script: |
+                #!/usr/bin/env sh
+                set -euo pipefail
+                git config --global --add safe.directory $(workspaces.source.path)
+                git fetch --tags
+                current_tag=$(git tag --points-at HEAD --list 'v*.*.*')
+                if [ -z "$current_tag" ]; then
+                  prev_tag=$(git tag --list 'v*.*.*' | sort -V -r | head -n 1)
+                  if [ -n "$prev_tag" ]; then
+                    last_bit=$(echo "$prev_tag" | cut -d '.' -f 3)
+                    incremented=$((last_bit + 1))
+                    prefix=$(echo "$prev_tag" | grep -oE 'v[0-9]*\.[0-9]*\.')
+                    final_tag="${prefix}${incremented}"
+                  else
+                    final_tag="v0.0.1"
+                  fi
+                  echo -n "${final_tag}" | tee $(results.tag.path)
+                  git tag "${final_tag}"
+                  git push origin "${final_tag}"
+                else
+                  echo -n "${current_tag}" | tee $(results.tag.path)
+                fi
+      - name: report-pending
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has started"
+          - name: STATE
+            value: pending
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: fetch-repository
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/git-clone/0.9/git-clone.yaml
+        workspaces:
+          - name: output
+            workspace: git-source
+        params:
+          - name: url
+            value: $(params.REPO_URL)
+          - name: revision
+            value: $(params.PULL_BASE_SHA)
+          - name: deleteExisting
+            value: "true"
+    finally:
+      - name: report-success
+        when:
+          - input: "$(tasks.status)"
+            operator: in
+            values: ["Succeeded", "Completed"]
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has succeeded"
+          - name: STATE
+            value: success
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+      - name: report-failure
+        when:
+          - input: "$(tasks.status)"
+            operator: in
+            values: ["Failed"]
+        taskRef:
+          resolver: git
+          params:
+            - name: url
+              value: https://code.fizz.buzz/mirror/catalog.git # mirror of https://github.com/tektoncd/catalog.git
+            - name: revision
+              value: df36b3853a5657fd883015cdbf07ad6466918acf
+            - name: pathInRepo
+              value: task/gitea-set-status/0.1/gitea-set-status.yaml
+        params:
+          - name: CONTEXT
+            value: "$(params.JOB_NAME)"
+          - name: REPO_FULL_NAME
+            value: "$(params.REPO_OWNER)/$(params.REPO_NAME)"
+          - name: GITEA_HOST_URL
+            value: code.fizz.buzz
+          - name: SHA
+            value: "$(tasks.fetch-repository.results.commit)"
+          - name: DESCRIPTION
+            value: "Build $(params.JOB_NAME) has failed"
+          - name: STATE
+            value: failure
+          - name: TARGET_URL
+            value: "https://tekton.fizz.buzz/#/namespaces/$(context.pipelineRun.namespace)/pipelineruns/$(context.pipelineRun.name)"
+    workspaces:
+      - name: git-source
+  workspaces:
+    - name: git-source
+      volumeClaimTemplate:
+        spec:
+          storageClassName: "nfs-client"
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 10Gi
+      subPath: source
+  params: []

.webhook_bridge/webhook_bridge.toml

@@ -0,0 +1,19 @@
+version = "0.0.1"
+
+[[push]]
+  name = "build"
+  source = "pipeline-build-homepage.yaml"
+  clone_uri = "git@code.fizz.buzz:talexander/homepage.git"
+  branches = [ "^v[0-9]+\\.[0-9]+\\.[0-9]+$" ]
+
+[[push]]
+  name = "build-staging"
+  source = "pipeline-build-homepage-staging.yaml"
+  clone_uri = "git@code.fizz.buzz:talexander/homepage.git"
+  skip_branches = [ "^v[0-9]+\\.[0-9]+\\.[0-9]+$" ]
+
+[[push]]
+  name = "semver"
+  source = "pipeline-semver.yaml"
+  clone_uri = "git@code.fizz.buzz:talexander/homepage.git"
+  branches = [ "^main$", "^master$" ]

docker/server/Dockerfile

@@ -1,10 +1,62 @@
-FROM harbor.fizz.buzz/private/natter:latest AS builder
+# syntax=docker/dockerfile:1
+ARG ALPINE_VERSION="3.20"
 
-COPY . /source
-RUN ls /source/
-RUN natter build --config /source/natter.toml
 
-FROM alpine:3.18 AS server
+
+FROM scratch AS private
+ADD git@code.fizz.buzz:talexander/homepage_private.git /homepage_private
+
+
+
+FROM scratch AS explorer
+ADD https://code.fizz.buzz/talexander/organic_ast_explorer.git /organic_ast_explorer
+
+
+
+FROM scratch AS organic
+ADD git@code.fizz.buzz:talexander/organic.git /organic
+
+
+
+FROM rustlang/rust:nightly-alpine$ALPINE_VERSION AS organic-build
+RUN apk add --no-cache musl-dev make bash
+RUN rustup target add wasm32-unknown-unknown
+RUN --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked cargo install wasm-bindgen-cli
+COPY --link --from=organic /organic /organic
+WORKDIR /organic
+RUN --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked make wasm
+
+
+
+FROM node:lts-alpine$ALPINE_VERSION AS explorer-build
+COPY --link --from=explorer /organic_ast_explorer /organic_ast_explorer
+COPY --link --from=organic-build /organic /organic
+WORKDIR /organic_ast_explorer
+RUN --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/npmcache,sharing=locked npm set cache /npmcache && npm install
+RUN npm run release
+
+
+
+
+FROM rustlang/rust:nightly-alpine$ALPINE_VERSION AS natter-build
+RUN apk add --no-cache musl-dev
+ADD git@code.fizz.buzz:talexander/natter.git /natter
+WORKDIR /natter
+RUN --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked CARGO_TARGET_DIR=/target cargo build --profile release-lto
+
+
+
+FROM alpine:$ALPINE_VERSION AS natter
+COPY --link --from=natter-build /target/release-lto/natter /usr/bin/
+COPY --link . /source
+COPY --link --from=private /homepage_private/static/* /source/static/
+COPY --link --from=explorer-build /organic_ast_explorer/dist/* /source/static/organic/ast_explorer/
+RUN --network=none --mount=type=tmpfs,target=/tmp natter build --config /source/natter.toml
+
+
+
+
+FROM alpine:$ALPINE_VERSION AS server
 
 RUN apk add --no-cache bash nginx
 RUN addgroup web && adduser -D -G web web && install -d -D -o web -g web -m 700 /srv/http/public
@@ -12,6 +64,6 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log && ln -sf /dev/stderr /var/log/
 
 COPY --chown=web:web docker/server/nginx.conf /srv/http
 COPY --chown=web:web docker/server/headers.include /srv/http
-COPY --from=builder --chown=web:web /source/output/ /srv/http/public/
+COPY --from=natter --chown=web:web /source/output/ /srv/http/public/
 
 ENTRYPOINT ["/usr/sbin/nginx", "-c", "/srv/http/nginx.conf", "-e", "stderr", "-g", "daemon off;"]

docker/server/Makefile

@@ -21,7 +21,7 @@ help:
 
 .PHONY: build
 build: ## Build the docker image.
-> docker build --tag $(IMAGE_NAME) --target=$(TARGET) --file Dockerfile ../../
+> docker build --ssh default --tag $(IMAGE_NAME) --target=$(TARGET) --file Dockerfile ../../
 
 .PHONY: push
 push: ## Push the docker image to a remote repository.

docker/server/nginx.conf

@@ -31,6 +31,9 @@ http {
         root /srv/http/public;
 
         location / {
+            try_files $uri $uri/ =404;
+            autoindex on;
+
             index index.html index.htm;
             if (-d $request_filename) {
                 rewrite [^/]$ $http_x_forwarded_proto://$http_host$uri/ redirect;
@@ -48,6 +51,24 @@ http {
             default_type text/plain;
         }
 
+        location /.well-known/openpgpkey/hu/ {
+            alias /srv/http/public/well-known/openpgpkey/fizz.buzz/hu/;
+            default_type        "application/octet-stream";
+            add_header          Access-Control-Allow-Origin * always;
+        }
+
+        location /.well-known/openpgpkey/policy {
+            alias /srv/http/public/well-known/openpgpkey/fizz.buzz/policy;
+            default_type        "application/octet-stream";
+            add_header          Access-Control-Allow-Origin * always;
+        }
+
+        location ~ /\.well-known/(?<path>openpgpkey/[^/]+/hu/.*) {
+            alias /srv/http/public/well-known/$path;
+            default_type        "application/octet-stream";
+            add_header          Access-Control-Allow-Origin * always;
+        }
+
         location /.well-known/matrix/server {
           default_type application/json;
           add_header "Access-Control-Allow-Origin" *;

pages/index.org

@@ -12,7 +12,7 @@ Links:
 - My personal repos: [[https://code.fizz.buzz/explore/repos][code.fizz.buzz]]
 - LinkedIn: https://www.linkedin.com/in/tom-alexander-b6a18216/
 - GitHub: https://github.com/tomalexander
-- Resume: https://fizz.buzz/resume.pdf
+- Resume: https://fizz.buzz/tom_alexander_resume.pdf
 - PGP Key: https://fizz.buzz/pgp.asc
 
 * Why is your website the way it is?

static/pgp.asc

@@ -1,27 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mDMEXZwWGhYJKwYBBAHaRw8BAQdAfv7qozKkmf4D+5PDzADsMm4aAKDGLha7+Cu0
-0H+RsWG0HlRvbSBBbGV4YW5kZXIgPHdvcmtAZml6ei5idXp6PoiQBBMWCAA4FiEE
-uEgVk2PCh3kXlUvhJ95A2bhFXBsFAl+w+R0CGwMFCwkIBwIGFQoJCAsCBBYCAwEC
-HgECF4AACgkQJ95A2bhFXBt6fgD+NOYnw9gz5K/q3H5LE/JvqzCSHezJmeGgif0C
-uU4m1/MA+gPDKME7syEtJsTpELEMrxWWpDW0tD/W1iJE7roGYPQPtB1Ub20gQWxl
-eGFuZGVyIDx0b21AZml6ei5idXp6PoiQBBMWCAA4FiEEuEgVk2PCh3kXlUvhJ95A
-2bhFXBsFAl2cFhoCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQJ95A2bhF
-XBvYJQEA19wc2s/bEKcnHONC3i8UikLFqZXyYoH6/MFjoAteU8sBAKpE7Qq0zbJb
-XWRESzK3u6p7/+kUqOeDltAuKXTe1FAGuDMEXZwWyhYJKwYBBAHaRw8BAQdAPyIL
-4EGg4T5JO9q2kpVDy2WjMiXz3nZXwYW4GLoTYkiI9QQYFggAJgIbAhYhBLhIFZNj
-wod5F5VL4SfeQNm4RVwbBQJlC4ZhBQkLMdaXAIF2IAQZFggAHRYhBIHmRDmWdVAu
-sSUWutOhecmlPA7eBQJdnBbKAAoJENOhecmlPA7ejJ4A/iq7N2mMhx+ovOXm1REo
-ASPF3l4YAAjOHsXqcPtFHKGJAQCiuA71d6CQ+qNZLuka/KVB/etkkJvDzvaTtiQQ
-QG+gAwkQJ95A2bhFXBtRDgEAqymMavroD5c/4+M/EZ3/d8wxfA9E3Fb/1mt4c2Zr
-NnkBAKYOM+pz/pncFnV+kF7h7TQEEYuGw1JhJVT/duA4lwsLuDMEXZwXARYJKwYB
-BAHaRw8BAQdAa76TmWuKuiR1bnNV1FUE6oQ4C8A+UiQb8x0k1z2DmTKIfgQYFggA
-JgIbIBYhBLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdZgAAoJECfeQNm4
-RVwb8TkA/RkBu9Ev8iDE5nvn8YF8FRiY56Z5d+SBPG4VvrCzXrmlAP46wUjIRpkM
-rTbb1GMbvYnkeOrBs/qiWjEtHHc3ZLMWD7g4BF2cFygSCisGAQQBl1UBBQEBB0AO
-0t3BUxLuokTqKVcheFAZd4UKxAGznPQlvsVyhWWIEgMBCAeIfgQYFggAJgIbDBYh
-BLhIFZNjwod5F5VL4SfeQNm4RVwbBQJlC4ZwBQkLMdY5AAoJECfeQNm4RVwbXscA
-/A8zRRTCwQKxJ8iz5jmTcVFAhl2vD781Dtv8NvcWd5t8APwIwcuFVZZA3yayhIxi
-3aqYpMRxpn2t6Nswax1MIM8DBQ==
-=dzEV
------END PGP PUBLIC KEY BLOCK-----