From 1de8fce103498c8ae441463f94add6d66444c784 Mon Sep 17 00:00:00 2001
From: Spencer Twaddle <7374698+stwaddle@users.noreply.github.com>
Date: Sat, 20 Jun 2026 17:10:01 -0500
Subject: [PATCH] Add Gitea build workflow
---
.gitea/workflows/build.yaml | 71 +++++++++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 .gitea/workflows/build.yaml
diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml
new file mode 100644
index 0000000..524fe8d
--- /dev/null
+++ b/.gitea/workflows/build.yaml
@@ -0,0 +1,71 @@
+name: Build and Push
+
+on:
+ push:
+ branches:
+ - main
+ - develop
+ tags:
+ - 'v*'
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Determine image name and tags
+ id: meta
+ env:
+ # Pass context values through env so the workflow templater does not
+ # interpolate them into the script body (prevents shell injection via
+ # attacker-controlled ref names). Shell vars below are NOT templated.
+ REF_TYPE: ${{ gitea.ref_type }}
+ REF_NAME: ${{ gitea.ref_name }}
+ REPOSITORY: ${{ gitea.repository }}
+ SHA: ${{ gitea.sha }}
+ REGISTRY: ${{ vars.REGISTRY }}
+ run: |
+ # Image names must be lowercase; lowercase the full owner/name path.
+ IMAGE="${REGISTRY}/$(echo "$REPOSITORY" | tr '[:upper:]' '[:lower:]')"
+ echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"
+ if [ "$REF_TYPE" = "tag" ]; then
+ # Reject tags that aren't clean semver-ish refs.
+ case "$REF_NAME" in
+ v[0-9]*) : ;;
+ *) echo "Refusing to build non-version tag: $REF_NAME" >&2; exit 1 ;;
+ esac
+ echo "is_release=true" >> "$GITHUB_OUTPUT"
+ echo "version=$REF_NAME" >> "$GITHUB_OUTPUT"
+ else
+ SHORT_SHA="$(echo "$SHA" | cut -c1-8)"
+ echo "is_release=false" >> "$GITHUB_OUTPUT"
+ echo "version=dev-${SHORT_SHA}" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Log in to Gitea registry
+ if: steps.meta.outputs.is_release == 'true'
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ vars.REGISTRY }}
+ username: ${{ secrets.REGISTRY_USER }}
+ password: ${{ secrets.REGISTRY_PASSWORD }}
+
+ - name: Build and push release image
+ if: steps.meta.outputs.is_release == 'true'
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: true
+ tags: |
+ ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.version }}
+ ${{ steps.meta.outputs.image }}:latest
+
+ - name: Build dev image (no push)
+ if: steps.meta.outputs.is_release == 'false'
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: false
+ tags: ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.version }}
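Review bot: The tag check in the `Determine image name and tags` step is looser than its comment says: `v[0-9]*` is a shell glob, so it only requires a `v` and one digit and then accepts any trailing characters, and that value is written to `$GITHUB_OUTPUT` and used as the pushed image tag. Adding a reject arm ahead of the accept arm, `*[!A-Za-z0-9._-]*) echo "Refusing to build tag with unexpected characters" >&2; exit 1 ;;`, would limit release tags to characters that are valid in an image tag. Separately, the release path hands `secrets.REGISTRY_PASSWORD` to `docker/login-action@v3` while all three actions are referenced by movable major-version tags. Pinning each to a full commit SHA, for example `uses: docker/login-action@<full-commit-sha>  # v3`, keeps a retagged action from running with the registry credentials.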