ci: cross-compile binaries in workflow instead of downloading from APK registry

.gitea/workflows/apk-publish.yml

@@ -1,68 +0,0 @@
-name: Build and Publish APK Package
-on:
-  push:
-    tags:
-      - 'v*'
-
-jobs:
-  build-apk:
-    runs-on:
-      - ubuntu-24.04
-    container:
-      image: alpine:latest
-    strategy:
-      matrix:
-        include:
-          - goarch: amd64
-            pkgarch: x86_64
-          - goarch: arm64
-            pkgarch: aarch64
-    steps:
-      - name: Install build dependencies
-        run: |
-          apk update
-          apk add --no-cache git nodejs go abuild curl sudo build-base
-
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Create build user
-        run: |
-          adduser -D -G abuild build
-          echo "build ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
-          chown -R build:abuild .
-
-      - name: Configure git safe directory
-        run: git config --global --add safe.directory "$PWD"
-
-      - name: Setup abuild for package signing
-        run: |
-          su build -c "abuild-keygen -a -n"
-          cp /home/build/.abuild/*.pub /etc/apk/keys/
-
-      - name: Prepare source
-        run: |
-          pkgver=$(echo "${{ github.ref_name }}" | sed 's/^v//')
-          pkgname="axolotl"
-
-          sed -i "s/pkgver=.*/pkgver=$pkgver/" packaging/alpine/APKBUILD
-          sed -i "s/^arch=.*/arch=\"${{ matrix.pkgarch }}\"/" packaging/alpine/APKBUILD
-
-          git archive --format=tar.gz --prefix="$pkgname-$pkgver/" -o "packaging/alpine/$pkgname-$pkgver.tar.gz" HEAD
-
-          sed -i "s|source=.*|source=\"\$pkgname-\$pkgver.tar.gz\"|" packaging/alpine/APKBUILD
-          chown -R build:abuild .
-
-      - name: Generate checksums
-        run: su build -c "cd $PWD/packaging/alpine && abuild checksum"
-
-      - name: Build package
-        run: su build -c "cd $PWD/packaging/alpine && GOARCH=${{ matrix.goarch }} CARCH=${{ matrix.pkgarch }} abuild -r"
-
-      - name: Publish to Gitea Registry
-        run: |
-          apk_file=$(find ~build/packages -name "*.apk" -type f | head -1)
-          curl --fail-with-body \
-            --user "${{ github.repository_owner }}:${{ secrets.ACCESS_TOKEN }}" \
-            --upload-file "$apk_file" \
-            "${{ github.server_url }}/api/packages/${{ github.repository_owner }}/alpine/edge/main"

.gitea/workflows/docker-build.yml

@@ -1,15 +1,91 @@
-name: Build and Push Docker Container
+name: Build and Publish Docker Image
 on:
   push:
     tags:
       - 'v*'
 
 jobs:
-  build-and-push:
+  build-apk:
+    runs-on:
+      - ubuntu-24.04
+    container:
+      image: alpine:latest
+    strategy:
+      matrix:
+        include:
+          - goarch: amd64
+            pkgarch: x86_64
+          - goarch: arm64
+            pkgarch: aarch64
+    steps:
+      - name: Install build dependencies
+        run: |
+          apk update
+          apk add --no-cache git nodejs go abuild curl sudo build-base
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Create build user
+        run: |
+          adduser -D -G abuild build
+          echo "build ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+          chown -R build:abuild .
+
+      - name: Configure git safe directory
+        run: git config --global --add safe.directory "$PWD"
+
+      - name: Setup abuild for package signing
+        run: |
+          su build -c "abuild-keygen -a -n"
+          cp /home/build/.abuild/*.pub /etc/apk/keys/
+
+      - name: Prepare source
+        run: |
+          pkgver=$(echo "${{ github.ref_name }}" | sed 's/^v//')
+          pkgname="axolotl"
+
+          sed -i "s/pkgver=.*/pkgver=$pkgver/" packaging/alpine/APKBUILD
+          sed -i "s/^arch=.*/arch=\"${{ matrix.pkgarch }}\"/" packaging/alpine/APKBUILD
+
+          git archive --format=tar.gz --prefix="$pkgname-$pkgver/" -o "packaging/alpine/$pkgname-$pkgver.tar.gz" HEAD
+
+          sed -i "s|source=.*|source=\"\$pkgname-\$pkgver.tar.gz\"|" packaging/alpine/APKBUILD
+          chown -R build:abuild .
+
+      - name: Generate checksums
+        run: su build -c "cd $PWD/packaging/alpine && abuild checksum"
+
+      - name: Build package
+        run: su build -c "cd $PWD/packaging/alpine && GOARCH=${{ matrix.goarch }} CARCH=${{ matrix.pkgarch }} abuild -r"
+
+      - name: Publish to Gitea Registry
+        run: |
+          apk_file=$(find ~build/packages -name "*.apk" -type f | head -1)
+          curl --fail-with-body \
+            --user "${{ github.repository_owner }}:${{ secrets.ACCESS_TOKEN }}" \
+            --upload-file "$apk_file" \
+            "${{ github.server_url }}/api/packages/${{ github.repository_owner }}/alpine/edge/main"
+
+  build-and-push-docker:
     runs-on:
       - ubuntu-24.04
     steps:
-      - name: Login to Docker Hub
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: src/go.mod
+
+      - name: Cross-compile binaries
+        run: |
+          cd src
+          CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -trimpath -o ../out/amd64/ax .
+          CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags="-s -w" -trimpath -o ../out/arm64/ax .
+
+      - name: Login to Docker Registry
         uses: docker/login-action@v3
         with:
           registry: g.eliaskohout.de
@@ -25,6 +101,7 @@ jobs:
       - name: Build and push
         uses: docker/build-push-action@v6
         with:
+          context: .
           push: true
           platforms: linux/amd64,linux/arm64
           tags: "g.eliaskohout.de/eliaskohout/axolotl-server:${{gitea.ref_name}},g.eliaskohout.de/eliaskohout/axolotl-server:latest"

Dockerfile

@@ -1,25 +1,11 @@
-FROM golang:1.25-alpine AS builder
-
-WORKDIR /app
-
-ENV GOTOOLCHAIN=local
-
-COPY src/go.mod src/go.sum ./
-RUN go mod download
-
-COPY src/ ./
-
-RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \
-    go build -ldflags="-s -w" -trimpath -o /ax .
-
 FROM alpine:latest
 
+ARG TARGETARCH
+
 RUN apk --no-cache add ca-certificates
 
+COPY out/${TARGETARCH}/ax /usr/local/bin/ax
+
 WORKDIR /data
-
-COPY --from=builder /ax /usr/local/bin/ax
-
 EXPOSE 7000
-
 ENTRYPOINT ["ax", "serve"]

src/cmd/login.go

@@ -22,6 +22,48 @@ var loginCmd = &cobra.Command{
 		}
 		base := fmt.Sprintf("http://%s:%d", rc.Host, rc.Port)
 
+		sessionID := tryDeviceFlow(base)
+		if sessionID == "" {
+			sessionID = tryCallbackFlow(base)
+		}
+
+		pollForToken(base, sessionID)
+	},
+}
+
+// tryDeviceFlow attempts the device authorization flow. Returns a session ID
+// on success, or "" if the server does not support it.
+func tryDeviceFlow(base string) string {
+	resp, err := http.Post(base+"/auth/device/start", "application/json", nil)
+	if err != nil {
+		return ""
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return ""
+	}
+	var start struct {
+		SessionID               string `json:"session_id"`
+		UserCode                string `json:"user_code"`
+		VerificationURI         string `json:"verification_uri"`
+		VerificationURIComplete string `json:"verification_uri_complete"`
+	}
+	json.NewDecoder(resp.Body).Decode(&start)
+	if start.SessionID == "" {
+		return ""
+	}
+
+	uri := start.VerificationURI
+	if start.VerificationURIComplete != "" {
+		uri = start.VerificationURIComplete
+	}
+	fmt.Printf("To sign in, open this URL in any browser:\n\n  %s\n\nThen enter this code: %s\n\nWaiting for authentication...\n", uri, start.UserCode)
+	return start.SessionID
+}
+
+// tryCallbackFlow initiates the traditional callback-based OIDC flow.
+// Exits the process on failure.
+func tryCallbackFlow(base string) string {
 	resp, err := http.Post(base+"/auth/start", "application/json", nil)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "failed to contact server: %v\n", err)
@@ -40,12 +82,16 @@ var loginCmd = &cobra.Command{
 	}
 
 	fmt.Printf("Open this URL in your browser:\n\n  %s\n\nWaiting for login...\n", start.URL)
+	return start.SessionID
+}
 
+// pollForToken polls the server until the login completes or times out.
+func pollForToken(base, sessionID string) {
 	deadline := time.Now().Add(5 * time.Minute)
 	for time.Now().Before(deadline) {
 		time.Sleep(2 * time.Second)
 
-			resp, err := http.Get(fmt.Sprintf("%s/auth/poll?session_id=%s", base, start.SessionID))
+		resp, err := http.Get(fmt.Sprintf("%s/auth/poll?session_id=%s", base, sessionID))
 		if err != nil {
 			continue
 		}
@@ -82,7 +128,6 @@ var loginCmd = &cobra.Command{
 
 	fmt.Fprintln(os.Stderr, "login timed out")
 	os.Exit(1)
-	},
 }
 
 func init() {

src/serve/auth.go

@@ -23,16 +23,26 @@ type pendingLogin struct {
 	serverToken string // set by callback when complete; empty while pending
 }
 
+// pendingDeviceLogin tracks an in-progress device authorization flow.
+type pendingDeviceLogin struct {
+	created     time.Time
+	serverToken string // set when device token exchange completes
+	username    string // set when device token exchange completes
+	err         string // set if the flow fails
+}
+
 // authHandler owns the OIDC provider connection, the pending login store,
 // and the active server-side session map.
 type authHandler struct {
 	mu            sync.Mutex
 	pending       map[string]*pendingLogin       // loginID → pending state
+	pendingDevice map[string]*pendingDeviceLogin // loginID → pending device state
 	sessions      map[string]string              // serverToken → username
 
 	cfg                 store.OIDCConfig
 	provider            *oidc.Provider
 	oauth2              oauth2.Config
+	deviceFlowAvailable bool
 }
 
 func newAuthHandler(cfg store.OIDCConfig) (*authHandler, error) {
@@ -43,18 +53,21 @@ func newAuthHandler(cfg store.OIDCConfig) (*authHandler, error) {
 	if err != nil {
 		return nil, fmt.Errorf("OIDC provider: %w", err)
 	}
+	endpoint := provider.Endpoint()
 	h := &authHandler{
 		pending:       make(map[string]*pendingLogin),
+		pendingDevice: make(map[string]*pendingDeviceLogin),
 		sessions:      make(map[string]string),
 		cfg:           cfg,
 		provider:      provider,
 		oauth2: oauth2.Config{
 			ClientID:     cfg.ClientID,
 			ClientSecret: cfg.ClientSecret,
-			Endpoint:     provider.Endpoint(),
+			Endpoint:     endpoint,
 			RedirectURL:  cfg.PublicURL + "/auth/callback",
 			Scopes:       []string{oidc.ScopeOpenID, "profile", "email", "offline_access"},
 		},
+		deviceFlowAvailable: endpoint.DeviceAuthURL != "",
 	}
 	go h.cleanup()
 	return h, nil
@@ -68,6 +81,11 @@ func (h *authHandler) cleanup() {
 				delete(h.pending, id)
 			}
 		}
+		for id, p := range h.pendingDevice {
+			if time.Since(p.created) > 15*time.Minute {
+				delete(h.pendingDevice, id)
+			}
+		}
 		h.mu.Unlock()
 	}
 }
@@ -148,6 +166,71 @@ func (h *authHandler) callback(w http.ResponseWriter, r *http.Request) {
 	fmt.Fprintln(w, "Login successful! You can close this tab.")
 }
 
+// POST /auth/device/start → {session_id, user_code, verification_uri, verification_uri_complete}
+func (h *authHandler) deviceStart(w http.ResponseWriter, r *http.Request) {
+	if !h.deviceFlowAvailable {
+		writeError(w, http.StatusNotFound, "device flow not supported by OIDC provider")
+		return
+	}
+
+	da, err := h.oauth2.DeviceAuth(r.Context(),
+		oauth2.SetAuthURLParam("client_secret", h.cfg.ClientSecret),
+	)
+	if err != nil {
+		writeError(w, http.StatusBadGateway, "device authorization request failed: "+err.Error())
+		return
+	}
+
+	loginID := randomToken(16)
+
+	h.mu.Lock()
+	h.pendingDevice[loginID] = &pendingDeviceLogin{created: time.Now()}
+	h.mu.Unlock()
+
+	// Exchange device code for token in the background.
+	go func() {
+		ctx, cancel := context.WithTimeout(context.Background(), 15*time.Minute)
+		defer cancel()
+
+		token, err := h.oauth2.DeviceAccessToken(ctx, da)
+		if err != nil {
+			h.mu.Lock()
+			if p := h.pendingDevice[loginID]; p != nil {
+				p.err = err.Error()
+			}
+			h.mu.Unlock()
+			return
+		}
+
+		username, err := h.extractUsername(ctx, token)
+		if err != nil {
+			h.mu.Lock()
+			if p := h.pendingDevice[loginID]; p != nil {
+				p.err = "failed to identify user: " + err.Error()
+			}
+			h.mu.Unlock()
+			return
+		}
+
+		serverToken := randomToken(32)
+
+		h.mu.Lock()
+		h.sessions[serverToken] = username
+		if p := h.pendingDevice[loginID]; p != nil {
+			p.serverToken = serverToken
+			p.username = username
+		}
+		h.mu.Unlock()
+	}()
+
+	writeJSON(w, map[string]string{
+		"session_id":                loginID,
+		"user_code":                 da.UserCode,
+		"verification_uri":          da.VerificationURI,
+		"verification_uri_complete": da.VerificationURIComplete,
+	})
+}
+
 // GET /auth/poll?session_id=...
 // Returns 202 while pending, 200 {token, username} when done, 404 if expired.
 func (h *authHandler) poll(w http.ResponseWriter, r *http.Request) {
@@ -157,15 +240,12 @@ func (h *authHandler) poll(w http.ResponseWriter, r *http.Request) {
 	p := h.pending[loginID]
 	h.mu.Unlock()
 
-	if p == nil {
+	// Check callback-based flow first.
-		writeError(w, http.StatusNotFound, "session not found or expired")
+	if p != nil {
-		return
-	}
-
 		h.mu.Lock()
 		serverToken := p.serverToken
 		if serverToken != "" {
-		delete(h.pending, loginID) // consume once delivered
+			delete(h.pending, loginID)
 		}
 		h.mu.Unlock()
 
@@ -173,9 +253,39 @@ func (h *authHandler) poll(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(http.StatusAccepted)
 			return
 		}
-
 		username := h.lookupSession(serverToken)
 		writeJSON(w, map[string]string{"token": serverToken, "username": username})
+		return
+	}
+
+	// Check device flow.
+	h.mu.Lock()
+	dp := h.pendingDevice[loginID]
+	h.mu.Unlock()
+
+	if dp == nil {
+		writeError(w, http.StatusNotFound, "session not found or expired")
+		return
+	}
+
+	h.mu.Lock()
+	serverToken := dp.serverToken
+	errMsg := dp.err
+	if serverToken != "" || errMsg != "" {
+		delete(h.pendingDevice, loginID)
+	}
+	h.mu.Unlock()
+
+	if errMsg != "" {
+		writeError(w, http.StatusGone, errMsg)
+		return
+	}
+	if serverToken == "" {
+		w.WriteHeader(http.StatusAccepted)
+		return
+	}
+
+	writeJSON(w, map[string]string{"token": serverToken, "username": dp.username})
 }
 
 func (h *authHandler) extractUsername(ctx context.Context, token *oauth2.Token) (string, error) {

src/serve/server.go

@@ -30,6 +30,7 @@ func New(newSvc func(user string) (service.NodeService, error), oidcCfg *store.O
 			return nil, err
 		}
 		mux.HandleFunc("POST /auth/start", ah.start)
+		mux.HandleFunc("POST /auth/device/start", ah.deviceStart)
 		mux.HandleFunc("GET /auth/callback", ah.callback)
 		mux.HandleFunc("GET /auth/poll", ah.poll)
 		return withSessionAuth(ah, mux), nil