Assignment 1: Build-and-push pipeline on the lab runner

Goal: Write a GitHub-Actions-style workflow that builds a container image from your app and pushes it to the lab's private registry, running for real on the lab's Gitea Actions runner.

Where: A repository on the lab's Gitea server. The workflow executes on the Actions runner on the build VM 10.100.100.11 (Docker-out-of-Docker) and pushes to the private registry at 10.100.100.6.

Tasks

  1. Create (or reuse) a small app repo in Gitea with a working Dockerfile at its root. Keep the app trivial — a "hello" web server is plenty. Confirm docker build . works locally first.
  2. In the repo, create the workflow file .gitea/workflows/build-and-push.yml.
  3. Make the workflow trigger on: push to the main branch.
  4. Add a job with runs-on: ubuntu-latest and these steps, in order:
    • Check out the code with actions/checkout@v4.
    • Log in to the registry 10.100.100.6 using docker login with credentials read from secrets (--password-stdin). Do not type the password in the file.
    • Build the image, tagging it 10.100.100.6/<yourname>-app:${{ github.sha }}.
    • Push that image to the registry.
  5. In the repo settings, add the registry credentials as Actions secrets (e.g. REGISTRY_USER, REGISTRY_PASSWORD). Use the values your mentor provides; record real secret values nowhere in the repo.
  6. Push a commit to main and watch the workflow run in the Gitea Actions tab. Read the logs.
  7. If it fails, fix it and push again until it goes green. (This is normal — read the error, adjust, repeat.)
  8. Verify the image actually landed in the registry (ask your mentor for the registry catalog URL or use docker pull of your SHA-tagged image from a lab host).

Deliverable

Acceptance criteria — you're done when:

  • The repo has a working Dockerfile that builds locally.
  • .gitea/workflows/build-and-push.yml exists and triggers on push to main.
  • The workflow has steps for checkout, registry login, build, and push, in that order.
  • Registry credentials come from Actions secrets; no password or token appears anywhere in the repo (grep your files to be sure).
  • The image is tagged with ${{ github.sha }}, not latest.
  • At least one workflow run on main completed green.
  • The SHA-tagged image is confirmed present in the registry at 10.100.100.6.
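
One way to self-check a workflow file against the credential, tagging and step-order criteria before pushing. This is an added example, not part of the course material: the function name check_workflow, the alice-app image name and the embedded sample workflow are constructed here, and the sample is deliberately flawed.

```sh
#!/bin/sh
# Added example: lint a workflow file against the acceptance criteria.
# Prints one FAIL line per problem; returns non-zero if any were found.
check_workflow() {
    wf=$1; rc=0
    fail() { echo "FAIL: $1"; rc=1; }
    first_line() { awk -v p="$1" 'index($0, p) { print NR; exit }' "$wf"; }
    [ -f "$wf" ] || { echo "FAIL: $wf not found"; return 1; }

    # Credentials: read from secrets, piped on stdin, never -p/--password.
    grep -q 'secrets\.' "$wf" || fail 'no ${{ secrets.* }} reference'
    grep -q -e '--password-stdin' "$wf" || fail 'docker login lacks --password-stdin'
    grep -Eq 'docker login.*[[:space:]](-p|--password)([[:space:]=]|$)' "$wf" &&
        fail 'password passed as a command-line argument'

    # Tag: commit SHA, not latest.
    grep -Fq '${{ github.sha }}' "$wf" || fail 'image not tagged with ${{ github.sha }}'
    grep -Eq ':latest([[:space:]"]|$)' "$wf" && fail 'image tagged :latest'

    # Order: checkout, login, build, push (first occurrence of each).
    co=$(first_line 'actions/checkout@'); li=$(first_line 'docker login')
    bu=$(first_line 'docker build');      pu=$(first_line 'docker push')
    if [ -z "$co" ] || [ -z "$li" ] || [ -z "$bu" ] || [ -z "$pu" ]; then
        fail 'missing one of: checkout, docker login, docker build, docker push'
    elif [ "$co" -ge "$li" ] || [ "$li" -ge "$bu" ] || [ "$bu" -ge "$pu" ]; then
        fail 'steps out of order (want checkout, login, build, push)'
    fi
    return "$rc"
}

# Constructed sample with deliberate mistakes (not a solution to the assignment).
sample=$(mktemp)
cat > "$sample" <<'EOF'
on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker login 10.100.100.6 -u "${{ secrets.REGISTRY_USER }}" -p "${{ secrets.REGISTRY_PASSWORD }}"
      - run: docker build -t 10.100.100.6/alice-app:latest .
      - run: docker push 10.100.100.6/alice-app:latest
EOF
check_workflow "$sample" || echo "sample workflow needs fixes"
rm -f "$sample"
```

Against your own repo, call check_workflow .gitea/workflows/build-and-push.yml from the repo root; a clean result does not replace reading the run logs or confirming the image in the registry.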

Hints

  • Re-read chapter 2, section 5 — your workflow is almost exactly that example; change the image name to yours.
  • Run docker build . on your machine before touching the workflow. Fix Dockerfile problems locally where the loop is faster.
  • "denied" or "unauthorized" on push almost always means the login step failed or the secret name is misspelled — check the login step's logs (the password will be masked, that's expected).
  • Pipe the password into login: echo "$PASS" | docker login ... --password-stdin. Avoid -p on the command line; it leaks into logs.
  • The . at the end of docker build is the build context (the current directory). Forgetting it is a common error.
  • Use ${{ github.sha }} exactly — the curly braces and github. prefix matter.
  • Blocked for >~30 min after re-reading the lessons? Bring what you've tried to your mentor.