update registry login logic #250
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
| name: ci | |
| on: | |
| push: | |
| paths: | |
| - '**/Dockerfile' | |
| - '**/toolsets/*.json' | |
| - '**/.github/workflows/ci.yml' | |
| - '**/docker-bake.hcl' | |
| pull_request: | |
| branches: [main] | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| packages: write | |
| pull-requests: write | |
| env: | |
| REGISTRY: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && 'docker.io' || 'ghcr.io' }} | |
| REGISTRY_USER: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && vars.DOCKERHUB_USERNAME || github.repository_owner }} | |
| GITHUB_SHA: ${{ github.event.pull_request.head.sha || github.event.after || github.sha }} | |
| BUILDKIT_PROGRESS: plain | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| targets: ${{ steps.matrix.outputs.targets }} | |
| steps: | |
| - name: Checkout code | |
| # kics-scan ignore-line | |
| uses: actions/[email protected] | |
| - name: Setup QEMU | |
| # kics-scan ignore-line | |
| uses: docker/[email protected] | |
| - name: Setup Docker Buildx | |
| # kics-scan ignore-line | |
| uses: docker/[email protected] | |
| - name: Get the docker binary path | |
| id: docker-binary-path | |
| run: echo "DOCKER_BINARY_PATH=$(which docker)" >> "$GITHUB_OUTPUT" | |
| - name: Print the bake file with a empty env | |
| id: bake-file-no-env | |
| run: env -i ${{ steps.docker-binary-path.outputs.DOCKER_BINARY_PATH }} buildx bake --print | |
| - name: Verify the tag ends on -local | |
| run: | | |
| BAKE_TAG="$(env -i ${{ steps.docker-binary-path.outputs.DOCKER_BINARY_PATH }} buildx bake --print | jq -r '[.target[].tags[]][0]')" | |
| [[ "${BAKE_TAG}" == *"-local" ]] || exit 1 | |
| - name: Print the bake file with the runner env | |
| run: docker buildx bake --print | |
| - name: Validate tag ends on -${{ github.base_ref || github.ref_name }} | |
| run: | | |
| BAKE_TAG="$(docker buildx bake --print | jq -r '[.target[].tags[]][0]')" | |
| [[ "${BAKE_TAG}" == *"-${{ github.base_ref || github.ref_name}}" ]] || exit 1 | |
| - name: Create matrix | |
| id: matrix | |
| run: printf "targets=%s\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" >>"${GITHUB_OUTPUT}" | |
| - name: Show matrix | |
| run: "echo '${{ steps.matrix.outputs.targets }}' | jq" | |
| build: | |
| needs: test | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| targets: ${{ fromJson(needs.test.outputs.targets) }} | |
| steps: | |
| - uses: actions/[email protected] | |
| - name: Setup QEMU | |
| # kics-scan ignore-line | |
| uses: docker/[email protected] | |
| - name: Setup Docker Buildx | |
| # kics-scan ignore-line | |
| uses: docker/[email protected] | |
| with: | |
| driver: docker-container | |
| driver-opts: image=moby/buildkit:v0.12.2 | |
| # driver: ${{ github.event_name == 'pull_request' && 'docker' || 'docker-container' }} | |
| # Login against a container registry | |
| # https://github.com/docker/login-action | |
| # kics-scan ignore-line | |
| - uses: docker/[email protected] | |
| name: Login to ${{ env.REGISTRY }} | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ env.REGISTRY_USER }} | |
| password: ${{ env.REGISTRY == 'docker.io' && secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
| logout: true | |
| # Free up space on the runner | |
| - name: Free up disk space | |
| # kics-scan ignore-line | |
| uses: ./.github/actions/free-space | |
| with: | |
| deleteDotnet: 'true' | |
| deleteAndroid: 'true' | |
| # Bake the image | |
| - name: Build and Push | |
| # kics-scan ignore-line | |
| uses: docker/[email protected] | |
| id: bake | |
| with: | |
| files: docker-bake.hcl | |
| targets: ${{ matrix.targets }} | |
| sbom: true | |
| provenance: true | |
| push: ${{ github.event_name != 'pull_request' }} | |
| # # vulnerability scanning to verify PRs | |
| # - name: Docker Scout | |
| # id: docker-scout | |
| # uses: docker/[email protected] | |
| # if: github.event_name == 'pull_request' | |
| # with: | |
| # platform: ${{ matrix.platforms }} | |
| # command: quickview | |
| # image: ${{ env.FROM_IMAGE_PATH }} | |
| # type: archive | |
| # to: ${{ env.TO_TAG }} | |
| # ignore-unchanged: true | |
| # only-severities: critical | |
| # write-comment: ${{ github.actor != 'nektos/act' }} | |
| # summary: ${{ github.actor != 'nektos/act' }} | |
| # github-token: ${{ secrets.GITHUB_TOKEN }} | |
| # organization: ${{ vars.DOCKERHUB_USERNAME || github.repository_owner }} | |
| approve-pr: | |
| name: Approve PR | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| if: >- | |
| ${{ github.actor != 'nektos/act' && | |
| contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) && | |
| github.event_name == 'pull_request' && | |
| needs.build.result == 'success' }} | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| actions: write | |
| steps: | |
| # approve the PR (there is still a code-owner review necessary) | |
| - name: Approve PR | |
| run: gh pr review --approve "$PR_URL" | |
| env: | |
| PR_URL: ${{github.event.pull_request.html_url}} | |
| GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} |