Don't push container image on PR, but compare to published image #145
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: ci | |
on: | |
push: | |
branches: [main] | |
paths: | |
- '**/Dockerfile' | |
- '**/toolsets/*.json' | |
pull_request: | |
paths: | |
- '**/Dockerfile' | |
- '**/toolsets/*.json' | |
- '**/.github/workflows/ci.yml' | |
permissions: | |
contents: read | |
packages: write | |
pull-requests: write | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
platforms: ['linux/amd64,linux/arm64'] | |
from-version: ['22.04', '20.04'] | |
include: | |
- from-version: '22.04' | |
from-version-major: '22' | |
from-version-minor: '04' | |
distro: 'ubuntu' | |
codename: 'jammy' | |
from-flavor: 'act' | |
- from-version: '20.04' | |
from-version-major: '20' | |
from-version-minor: '04' | |
distro: 'ubuntu' | |
codename: 'focal' | |
from-flavor: 'act' | |
services: | |
registry: | |
image: registry:2 | |
ports: | |
- 5000:5000 | |
env: | |
CACHE_FROM_REGISTRY: docker.io | |
IMAGE_NAME: ${{ format('{0}-{1}', matrix.distro, matrix.from-flavor) }} | |
IMAGE_REPOSITORY: ${{ format('{0}/{1}-{2}', vars.DOCKERHUB_USER || github.repository_owner, matrix.distro, matrix.from-flavor) }} | |
SHA: ${{ github.event.pull_request.head.sha || github.event.after }} | |
REGISTRY: ${{ github.ref != 'refs/heads/main' && 'localhost:5000' || (vars.DOCKERHUB_USER && 'docker.io' || 'ghcr.io') }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Free up disk space | |
uses: ./.github/actions/free-space | |
with: | |
deleteDotnet: 'true' | |
deleteAndroid: 'true' | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
uses: docker/[email protected] | |
with: | |
driver: docker-container | |
driver-opts: image=moby/buildkit:v0.12.2${{ github.ref != 'refs/heads/main' && ',network=host' || '' }} | |
install: true | |
platforms: ${{ matrix.platforms }} | |
# Login to github container registry | |
# https://github.com/docker/login-action | |
- name: Login to GitHub Container Registry | |
uses: docker/[email protected] | |
if: vars.DOCKERHUB_USER == '' | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
# Login against a Docker registry | |
# https://github.com/docker/login-action | |
- name: Login to Docker Hub | |
uses: docker/[email protected] | |
if: vars.DOCKERHUB_USER != '' | |
with: | |
registry: docker.io | |
username: ${{ vars.DOCKERHUB_USER }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
logout: true | |
# Extract metadata (tags, labels) for Docker | |
# https://github.com/docker/metadata-action | |
- name: Extract Docker metadata | |
id: meta | |
uses: docker/[email protected] | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
images: ${{ github.actor == 'nektos/act' && env.IMAGE_REPOSITORY || env.REGISTRY_IMAGE }} | |
tags: | | |
type=sha,prefix=${{ matrix.from-version }}-,format=short,enable=${{ github.ref == 'refs/heads/main' }},priority=1000 | |
type=raw,value=${{ matrix.from-version }},enable=${{ github.ref == 'refs/heads/main' }},priority=900 | |
type=raw,value=${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }},priority=600 | |
flavor: | | |
latest=${{ github.ref == 'refs/heads/main' && matrix.from-version == '22.04' }} | |
labels: | | |
org.opencontainers.image.authors=['${{ env.REPOSITORY_LINK }}','${{ github.actor }}'] | |
org.opencontainers.image.description=${{ github.event.repository.description }} | |
org.opencontainers.image.documentation=${{ env.REPOSITORY_LINK }} | |
org.opencontainers.image.revision=${{ env.SHA }} | |
org.opencontainers.image.source=${{ github.repositoryUrl }} | |
org.opencontainers.image.title=${{ env.IMAGE_REPOSITORY }}:${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }} | |
org.opencontainers.image.url=${{ env.REPOSITORY_LINK }}/blob/${{ env.SHA }}/linux/${{ matrix.distro }}/Dockerfile | |
org.opencontainers.image.vendor=${{ github.repository_owner }} | |
env: | |
REGISTRY_IMAGE: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }} | |
REPOSITORY_LINK: https://github.com/${{ github.repository }} | |
# Build and push Docker image with Buildx (don't push on PR) | |
# https://github.com/docker/build-push-action | |
- name: Build and push | |
id: build | |
uses: docker/build-push-action@v4 | |
with: | |
context: . | |
# github-token for the repository context | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
file: ./linux/${{ matrix.distro }}/Dockerfile | |
platforms: ${{ matrix.platforms }} | |
labels: ${{ steps.meta.outputs.labels }} | |
tags: ${{ steps.meta.outputs.tags }} | |
# tags: ${{ format('{0}:{1}-{2}', github.actor != 'nektos/act' && env.REGISTRY_IMAGE || env.IMAGE_REPOSITORY, matrix.from-version, github.head_ref || github.ref_name) }} | |
build-args: | | |
FROM_IMAGE=buildpack-deps | |
FROM_VERSION_MAJOR=${{ matrix.from-version-major }} | |
FROM_VERSION_MINOR=${{ matrix.from-version-minor }} | |
FROM_FLAVOR=${{ matrix.from-flavor }} | |
DISTRO=${{ matrix.distro }} | |
CODENAME=${{ matrix.codename }} | |
# caching to speed up the build | |
cache-from: | | |
${{ format('type=registry,ref={0}:{1}', env.CACHE_FROM_REGISTRY_IMAGE, matrix.from-version) }} | |
${{ format('type=registry,ref={0}:cache-{1}', env.CACHE_FROM_REGISTRY_IMAGE, matrix.codename) }} | |
# don't export cache on PR | |
cache-to: ${{ github.ref == 'refs/heads/main' && format('type=registry,ref={0}:cache-{1},mode=max', env.REGISTRY_IMAGE, matrix.codename) || '' }} | |
# this will give us some useful information about the build | |
provenance: mode=max | |
# push if not building with act | |
push: ${{ github.actor != 'nektos/act' }} | |
load: ${{ github.actor == 'nektos/act' }} | |
env: | |
REGISTRY_IMAGE: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }} | |
CACHE_FROM_REGISTRY_IMAGE: ${{ format('{0}/{1}', env.CACHE_FROM_REGISTRY, env.IMAGE_REPOSITORY) }} | |
- name: inspect image | |
continue-on-error: true | |
run: docker inspect ${{ steps.meta.outputs.tags }} | |
- name: pull image | |
continue-on-error: true | |
if: github.actor != 'nektos/act' | |
run: docker pull ${{ env.REGISTRY }}/${{ vars.DOCKERHUB_USER }}/${{ env.IMAGE_NAME }}:${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }} | |
# vulnerability scanning to verify PRs | |
- name: Docker Scout | |
id: docker-scout | |
continue-on-error: true | |
uses: docker/[email protected] | |
with: | |
command: sbom,compare | |
image: ${{ steps.meta.outputs.tags }} | |
# image: ${{ github.actor == 'nektos/act' && env.IMAGE || env.REGISTRY_IMAGE }} | |
to: ${{ format('{0}/{1}:{2}', env.CACHE_FROM_REGISTRY, env.IMAGE_REPOSITORY, matrix.from-version) }} | |
organization: ${{ vars.DOCKERHUB_USER }} | |
ignore-unchanged: true | |
only-severities: critical | |
write-comment: ${{ github.actor != 'nektos/act' }} | |
keep-previous-comments: true | |
summary: ${{ github.actor != 'nektos/act' }} | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
dockerhub-user: ${{ vars.DOCKERHUB_USER }} | |
dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN }} | |
env: | |
IMAGE: ${{ format('{0}:{1}-{2}', env.IMAGE_REPOSITORY, matrix.from-version, github.head_ref || github.ref_name) }} | |
REGISTRY_IMAGE: ${{ format('{0}/{1}:{2}-{3}', env.REGISTRY, env.IMAGE_REPOSITORY, matrix.from-version, github.head_ref || github.ref_name) }} | |
# ToDo: Move into a separate workflow and depend on ci and mega-linter | |
approve-pr: | |
name: Approve PR | |
runs-on: ubuntu-latest | |
needs: [build] | |
if: contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) && github.event_name == 'pull_request' && needs.build.result == 'success' | |
permissions: | |
contents: read | |
pull-requests: write | |
actions: write | |
steps: | |
- name: Approve PR | |
run: gh pr review --approve "$PR_URL" | |
env: | |
PR_URL: ${{github.event.pull_request.html_url}} | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
# # Disabling this since I enabled the auto-merge option for the repo | |
# - name: Merge PR | |
# run: gh pr merge --auto --merge "$PR_URL" | |
# env: | |
# PR_URL: ${{github.event.pull_request.html_url}} | |
# GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
# # Disabling this since github-actions-cache is currently not used | |
# - name: Clean cache | |
# run: | | |
# gh extension install actions/gh-actions-cache | |
# REPO=${{ github.repository }} | |
# BRANCH=refs/heads/${{ github.head_ref }} | |
# echo "Fetching list of cache key" | |
# cacheKeysForPR=$(gh actions-cache list -R "${REPO}" -B "${BRANCH}" | cut -f 1) | |
# if [ -n "$cacheKeysForPR" ]; then | |
# ## Setting this to not fail the workflow while deleting cache keys. | |
# set +e | |
# echo "Deleting caches..." | |
# for cacheKey in $cacheKeysForPR; do | |
# gh actions-cache delete "${cacheKey}" -R "${REPO}" -B "${BRANCH}" --confirm | |
# done | |
# echo "Done" | |
# ## Restore the fail on error. | |
# set -e | |
# else | |
# echo "No cache keys found for this PR" | |
# fi | |
# env: | |
# GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |