Skip to content

Don't push container image on PR, but compare to published image #145

Don't push container image on PR, but compare to published image

Don't push container image on PR, but compare to published image #145

Workflow file for this run

name: ci
on:
push:
branches: [main]
paths:
- '**/Dockerfile'
- '**/toolsets/*.json'
pull_request:
paths:
- '**/Dockerfile'
- '**/toolsets/*.json'
- '**/.github/workflows/ci.yml'
permissions:
contents: read
packages: write
pull-requests: write
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
platforms: ['linux/amd64,linux/arm64']
from-version: ['22.04', '20.04']
include:
- from-version: '22.04'
from-version-major: '22'
from-version-minor: '04'
distro: 'ubuntu'
codename: 'jammy'
from-flavor: 'act'
- from-version: '20.04'
from-version-major: '20'
from-version-minor: '04'
distro: 'ubuntu'
codename: 'focal'
from-flavor: 'act'
services:
registry:
image: registry:2
ports:
- 5000:5000
env:
CACHE_FROM_REGISTRY: docker.io
IMAGE_NAME: ${{ format('{0}-{1}', matrix.distro, matrix.from-flavor) }}
IMAGE_REPOSITORY: ${{ format('{0}/{1}-{2}', vars.DOCKERHUB_USER || github.repository_owner, matrix.distro, matrix.from-flavor) }}
SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
REGISTRY: ${{ github.ref != 'refs/heads/main' && 'localhost:5000' || (vars.DOCKERHUB_USER && 'docker.io' || 'ghcr.io') }}
steps:
- uses: actions/checkout@v4
- name: Free up disk space
uses: ./.github/actions/free-space
with:
deleteDotnet: 'true'
deleteAndroid: 'true'
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/[email protected]
with:
driver: docker-container
driver-opts: image=moby/buildkit:v0.12.2${{ github.ref != 'refs/heads/main' && ',network=host' || '' }}
install: true
platforms: ${{ matrix.platforms }}
# Login to github container registry
# https://github.com/docker/login-action
- name: Login to GitHub Container Registry
uses: docker/[email protected]
if: vars.DOCKERHUB_USER == ''
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
# Login against a Docker registry
# https://github.com/docker/login-action
- name: Login to Docker Hub
uses: docker/[email protected]
if: vars.DOCKERHUB_USER != ''
with:
registry: docker.io
username: ${{ vars.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
logout: true
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/[email protected]
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
images: ${{ github.actor == 'nektos/act' && env.IMAGE_REPOSITORY || env.REGISTRY_IMAGE }}
tags: |
type=sha,prefix=${{ matrix.from-version }}-,format=short,enable=${{ github.ref == 'refs/heads/main' }},priority=1000
type=raw,value=${{ matrix.from-version }},enable=${{ github.ref == 'refs/heads/main' }},priority=900
type=raw,value=${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }},priority=600
flavor: |
latest=${{ github.ref == 'refs/heads/main' && matrix.from-version == '22.04' }}
labels: |
org.opencontainers.image.authors=['${{ env.REPOSITORY_LINK }}','${{ github.actor }}']
org.opencontainers.image.description=${{ github.event.repository.description }}
org.opencontainers.image.documentation=${{ env.REPOSITORY_LINK }}
org.opencontainers.image.revision=${{ env.SHA }}
org.opencontainers.image.source=${{ github.repositoryUrl }}
org.opencontainers.image.title=${{ env.IMAGE_REPOSITORY }}:${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }}
org.opencontainers.image.url=${{ env.REPOSITORY_LINK }}/blob/${{ env.SHA }}/linux/${{ matrix.distro }}/Dockerfile
org.opencontainers.image.vendor=${{ github.repository_owner }}
env:
REGISTRY_IMAGE: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }}
REPOSITORY_LINK: https://github.com/${{ github.repository }}
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push
id: build
uses: docker/build-push-action@v4
with:
context: .
# github-token for the repository context
github-token: ${{ secrets.GITHUB_TOKEN }}
file: ./linux/${{ matrix.distro }}/Dockerfile
platforms: ${{ matrix.platforms }}
labels: ${{ steps.meta.outputs.labels }}
tags: ${{ steps.meta.outputs.tags }}
# tags: ${{ format('{0}:{1}-{2}', github.actor != 'nektos/act' && env.REGISTRY_IMAGE || env.IMAGE_REPOSITORY, matrix.from-version, github.head_ref || github.ref_name) }}
build-args: |
FROM_IMAGE=buildpack-deps
FROM_VERSION_MAJOR=${{ matrix.from-version-major }}
FROM_VERSION_MINOR=${{ matrix.from-version-minor }}
FROM_FLAVOR=${{ matrix.from-flavor }}
DISTRO=${{ matrix.distro }}
CODENAME=${{ matrix.codename }}
# caching to speed up the build
cache-from: |
${{ format('type=registry,ref={0}:{1}', env.CACHE_FROM_REGISTRY_IMAGE, matrix.from-version) }}
${{ format('type=registry,ref={0}:cache-{1}', env.CACHE_FROM_REGISTRY_IMAGE, matrix.codename) }}
# don't export cache on PR
cache-to: ${{ github.ref == 'refs/heads/main' && format('type=registry,ref={0}:cache-{1},mode=max', env.REGISTRY_IMAGE, matrix.codename) || '' }}
# this will give us some useful information about the build
provenance: mode=max
# push if not building with act
push: ${{ github.actor != 'nektos/act' }}
load: ${{ github.actor == 'nektos/act' }}
env:
REGISTRY_IMAGE: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }}
CACHE_FROM_REGISTRY_IMAGE: ${{ format('{0}/{1}', env.CACHE_FROM_REGISTRY, env.IMAGE_REPOSITORY) }}
- name: inspect image
continue-on-error: true
run: docker inspect ${{ steps.meta.outputs.tags }}
- name: pull image
continue-on-error: true
if: github.actor != 'nektos/act'
run: docker pull ${{ env.REGISTRY }}/${{ vars.DOCKERHUB_USER }}/${{ env.IMAGE_NAME }}:${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }}
# vulnerability scanning to verify PRs
- name: Docker Scout
id: docker-scout
continue-on-error: true
uses: docker/[email protected]
with:
command: sbom,compare
image: ${{ steps.meta.outputs.tags }}
# image: ${{ github.actor == 'nektos/act' && env.IMAGE || env.REGISTRY_IMAGE }}
to: ${{ format('{0}/{1}:{2}', env.CACHE_FROM_REGISTRY, env.IMAGE_REPOSITORY, matrix.from-version) }}
organization: ${{ vars.DOCKERHUB_USER }}
ignore-unchanged: true
only-severities: critical
write-comment: ${{ github.actor != 'nektos/act' }}
keep-previous-comments: true
summary: ${{ github.actor != 'nektos/act' }}
github-token: ${{ secrets.GITHUB_TOKEN }}
dockerhub-user: ${{ vars.DOCKERHUB_USER }}
dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN }}
env:
IMAGE: ${{ format('{0}:{1}-{2}', env.IMAGE_REPOSITORY, matrix.from-version, github.head_ref || github.ref_name) }}
REGISTRY_IMAGE: ${{ format('{0}/{1}:{2}-{3}', env.REGISTRY, env.IMAGE_REPOSITORY, matrix.from-version, github.head_ref || github.ref_name) }}
# ToDo: Move into a separate workflow and depend on ci and mega-linter
approve-pr:
name: Approve PR
runs-on: ubuntu-latest
needs: [build]
if: contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) && github.event_name == 'pull_request' && needs.build.result == 'success'
permissions:
contents: read
pull-requests: write
actions: write
steps:
- name: Approve PR
run: gh pr review --approve "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
# # Disabling this since I enabled the auto-merge option for the repo
# - name: Merge PR
# run: gh pr merge --auto --merge "$PR_URL"
# env:
# PR_URL: ${{github.event.pull_request.html_url}}
# GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
# # Disabling this since github-actions-cache is currently not used
# - name: Clean cache
# run: |
# gh extension install actions/gh-actions-cache
# REPO=${{ github.repository }}
# BRANCH=refs/heads/${{ github.head_ref }}
# echo "Fetching list of cache key"
# cacheKeysForPR=$(gh actions-cache list -R "${REPO}" -B "${BRANCH}" | cut -f 1)
# if [ -n "$cacheKeysForPR" ]; then
# ## Setting this to not fail the workflow while deleting cache keys.
# set +e
# echo "Deleting caches..."
# for cacheKey in $cacheKeysForPR; do
# gh actions-cache delete "${cacheKey}" -R "${REPO}" -B "${BRANCH}" --confirm
# done
# echo "Done"
# ## Restore the fail on error.
# set -e
# else
# echo "No cache keys found for this PR"
# fi
# env:
# GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}