Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address docker images for PRs failing to build for external PRs #737

Merged
merged 3 commits into from
Mar 11, 2024
Merged

Address docker images for PRs failing to build for external PRs #737

merged 3 commits into from
Mar 11, 2024

Conversation

asimpson
Copy link
Contributor

@asimpson asimpson commented Feb 29, 2024
edited
Loading

Currently we build a Docker image and push it to Docker Hub for every PR (#496). This works great. However, this doesn't work for PRs from external forks (example failed run) since secrets are not passed to Github Actions in that context.

There are two things to fix:

  1. Prevent PRs from public forks from trying to build and push the image.

  2. Come up with a workaround for PRs from external forks so that someone reviewing theh PR can easily spin up a Docker image.

The first point is easy enough to fix by only attempting to push to Dockerhub if the PR is not from a fork.

The second is more difficult and ramps up the complexity.

I previously attempted to migrate to Github Container Registry since that uses the GITHUB_TOKEN which is the only secret that is available in PRs from external forks. However that case only allows read access.

The solution I've settled on is to use docker save to generate a tarball of the image and then persist that as an artifact. The steps to use that artifact locally are then:

  1. Download artifact and unzip it (Github Actions automatically zips all artifacts, see issue)
  2. Use docker load to load the tarfile as a Docker image, e.g. docker load < /path/to/image.tar
  3. docker run -p 3000:3000 imagename

@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 29, 2024
edited
Loading

Use the following command to run this PR with Docker at http://localhost:3000:

docker run --rm -p 3000:3000 grafana/plugin-builds:a2a400d31a9486a13cd8bd0bcf2b5d9adacc44f7pre

@asimpson asimpson changed the title migrate to github registry for images Address docker images for PRs failing to build for external PRs Mar 1, 2024
@asimpson asimpson marked this pull request as ready for review March 1, 2024 17:03
@asimpson asimpson requested a review from a team as a code owner March 1, 2024 17:03
@asimpson asimpson enabled auto-merge (squash) March 1, 2024 17:04
aangelisc
aangelisc reviewed Mar 1, 2024
View reviewed changes
Copy link
Contributor

@aangelisc aangelisc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, a couple questions:

  • Is it possible to remove the condition on the build step and then only add a condition for the push? Can build and push be separated? It'll probably make the workflow more readable.
  • Shall we add a PR comment detailing that the image has been saved as an artifact and how to run it?

@asimpson
Copy link
Contributor Author

asimpson commented Mar 1, 2024

@aangelisc

Good questions!

  1. The step for building also pushes which would then fail for PRs from forks
  2. Adding a comment also requires escalated privileges which aren't given for PRs from forks (see this note). I toyed around with adding a comment using pull_request_target and a separate workflow to do that commenting but it didn't seem worth the effort.

@asimpson asimpson requested a review from aangelisc March 11, 2024 15:06
aangelisc
aangelisc approved these changes Mar 11, 2024
View reviewed changes
Copy link
Contributor

@aangelisc aangelisc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@asimpson asimpson merged commit 714ed6b into main Mar 11, 2024
16 of 17 checks passed
@SpencerTorres SpencerTorres mentioned this pull request Apr 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aangelisc aangelisc aangelisc approved these changes

@bossinc bossinc Awaiting requested review from bossinc bossinc is a code owner automatically assigned from grafana/partner-datasources

@adamyeats adamyeats Awaiting requested review from adamyeats adamyeats is a code owner automatically assigned from grafana/partner-datasources

@alyssabull alyssabull Awaiting requested review from alyssabull alyssabull is a code owner automatically assigned from grafana/partner-datasources

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@asimpson @aangelisc