Skip to content

Commit c101a57

Browse files
dash14dash14
committed
Add self-hosting guide for private repository deployment
1 parent eec6026 commit c101a57

File tree

2 files changed

+116
-0
lines changed

2 files changed

+116
-0
lines changed

README.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -444,6 +444,10 @@ Given these implementation costs versus the strict preconditions for the attack
444444
445445
## FAQ
446446
447+
**Q: Can I host buildcage in my own private repository?**
448+
449+
A: Yes. You can import the repository into your organization and build the Docker image yourself. See the [Self-Hosting Guide](./docs/self-hosting.md) for details.
450+
447451
**Q: Does this slow down my builds?**
448452
449453
A: Minimal impact. The proxy adds negligible latency (<1ms per request). DNS caching and connection pooling keep overhead low.

docs/self-hosting.md

Lines changed: 112 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,112 @@
1+
# Self-Hosting Guide
2+
3+
This guide explains how to host your own buildcage Docker image in a private GitHub repository. This is useful when you want to:
4+
5+
- Keep the build infrastructure private within your organization
6+
- Control exactly which version of buildcage is deployed
7+
- Audit the source code before using it in your CI/CD pipelines
8+
9+
## Prerequisites
10+
11+
- A GitHub Organizations account with **GitHub Team** or **Enterprise** plan (required for private repository packages)
12+
13+
## 1. Import the Repository
14+
15+
Since forking creates a public repository, use **GitHub's import** feature to create a private copy.
16+
17+
1. Go to [github.com/new/import](https://github.com/new/import)
18+
2. Enter the source URL: `https://github.com/dash14/buildcage.git`
19+
3. Select your organization as the owner
20+
4. Set the repository name (e.g., `buildcage`)
21+
5. Choose **Private**
22+
6. Click **Begin import**
23+
24+
## 2. Build and Publish the Docker Image
25+
26+
Your imported repository already contains the **Build and Push Docker Image** workflow (`.github/workflows/docker-publish.yml`). This workflow builds the image from source and publishes it to your repository's GitHub Container Registry (GHCR).
27+
28+
To trigger the build:
29+
30+
1. Go to your repository on GitHub
31+
2. Navigate to **Actions** > **Build and Push Docker Image**
32+
3. Click **Run workflow**
33+
34+
Once complete, the image will be available at:
35+
36+
```
37+
ghcr.io/<your_org>/buildcage
38+
```
39+
40+
## 3. Configure Package Visibility
41+
42+
The published package needs to be accessible from the repositories that will use it.
43+
44+
1. Go to `github.com/<your_org>/buildcage/pkgs/container/buildcage`
45+
2. Click **Package settings**
46+
3. Under **Manage Actions access**, add the repositories that need to pull the image
47+
48+
## 4. Configure Actions Access
49+
50+
Allow other repositories in your organization to use the actions from your private repository:
51+
52+
1. Go to your buildcage repository's **Settings** > **Actions** > **General**
53+
2. Under **Access**, select **Accessible from repositories in the '\<your_org\>' organization**
54+
55+
## 5. Update Your Workflows
56+
57+
In the repositories where you want to use buildcage, make two changes:
58+
59+
### Add GHCR login step
60+
61+
Add a login step before the buildcage setup, and ensure the job has `packages: read` permission:
62+
63+
```yaml
64+
jobs:
65+
build:
66+
runs-on: ubuntu-latest
67+
permissions:
68+
contents: read
69+
packages: read
70+
steps:
71+
- uses: actions/checkout@v4
72+
73+
- name: Login to GHCR
74+
uses: docker/login-action@v3
75+
with:
76+
registry: ghcr.io
77+
username: ${{ github.actor }}
78+
password: ${{ secrets.GITHUB_TOKEN }}
79+
80+
- name: Start buildcage
81+
id: buildcage
82+
uses: <your_org>/buildcage/setup@v1
83+
with:
84+
proxy_mode: audit
85+
# ... rest of your workflow
86+
```
87+
88+
Note that `uses:` now points to `<your_org>/buildcage/setup@v1` instead of `dash14/buildcage/setup@v1`. The same applies to the report action (`<your_org>/buildcage/report@v1`).
89+
90+
## Syncing with Upstream
91+
92+
### Initial setup
93+
94+
Clone your private repository and register the upstream remote:
95+
96+
```bash
97+
git clone https://github.com/<your_org>/buildcage.git
98+
cd buildcage
99+
git remote add upstream https://github.com/dash14/buildcage.git
100+
```
101+
102+
### Pulling updates
103+
104+
Fetch the latest changes from the original repository and merge them into your copy:
105+
106+
```bash
107+
git fetch upstream --tags --force
108+
git merge upstream/main
109+
git push origin HEAD --tags --force
110+
```
111+
112+
After pushing a new version tag, the **Build and Push Docker Image** workflow will automatically trigger and publish the updated image.

0 commit comments

Comments
 (0)