From 813fe4729dd8c6bd7d08b4fe686cf03c4017b96e Mon Sep 17 00:00:00 2001
From: Matthew Sevey
Date: Wed, 7 Feb 2024 10:33:27 -0500
Subject: [PATCH 1/2] fix: fix failing docker CI due to permission issues on PRs (#94)
Co-authored-by: Rootul P
---
 .../workflows/dockerfile_workflow_test.yaml | 13 ++++++++++++
 .../reusable_dockerfile_pipeline.yml | 21 ++++++++++++++++---
 2 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/dockerfile_workflow_test.yaml b/.github/workflows/dockerfile_workflow_test.yaml
index e8173a2..390d7cf 100644
--- a/.github/workflows/dockerfile_workflow_test.yaml
+++ b/.github/workflows/dockerfile_workflow_test.yaml
@@ -1,6 +1,16 @@
+#
+# This workflow is used to test the `reusable_dockerfile_pipeline` action used
+# to build and push the Docker image to the container registries.
+#
+# The reason this workflow targets the develop branch is so that we can test the
+# action in the PR. If we targeted main, we would need to merge changes into main
+# before being able to test them.
+#
 name: Build Using Reusable Workflow
 on: [push, pull_request]
 jobs:
+ # reusable-build tests calling the reusable_dockerfile_pipeline while
+ # providing a custom packageName
 reusable-build:
 permissions:
 contents: write
@@ -10,6 +20,9 @@ jobs:
 dockerfile: docker-action-test/Dockerfile
 packageName: docker-test
 secrets: inherit
+
+ # reusable-build-defaults tests calling the reusable_dockerfile_pipeline with
+ # the defaults
 reusable-build-defaults:
 permissions:
 contents: write
diff --git a/.github/workflows/reusable_dockerfile_pipeline.yml b/.github/workflows/reusable_dockerfile_pipeline.yml
index 5b5ef61..1b8c404 100644
--- a/.github/workflows/reusable_dockerfile_pipeline.yml
+++ b/.github/workflows/reusable_dockerfile_pipeline.yml
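Review bot: The new header comment says this workflow "targets the develop branch", but nothing in the hunk shows that: the visible trigger is `on: [push, pull_request]` with no branch filter, so a reader will look for a filter that is not there. Presumably the sentence refers to the ref each job pins on its `uses:` line (outside this hunk); naming that makes the comment self-contained, e.g. `# The jobs below call reusable_dockerfile_pipeline at its develop ref (see each job's uses: line) so changes to the reusable workflow can be exercised from a PR before they reach main.` The second hunk of this file only adds a blank line and two comments, which read fine.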
@@ -172,7 +172,7 @@ jobs: severity: "CRITICAL,HIGH" docker-build: - name: docker-build (${{ matrix.registry.name }}; ${{ matrix.registry.registry-url }}/${{ matrix.registry.registry-owner }}/${{ needs.prepare-env.outputs.output_image_name }}:${{ needs.prepare-env.outputs.output_short_sha }}) + name: docker-build (${{ matrix.registry.name }}; ${{ matrix.registry.registry-url }}/${{ matrix.registry.registry-owner }}/${{ needs.prepare-env.outputs.output_image_name }}) runs-on: "ubuntu-latest" # wait until the jobs are finished. needs: ["prepare-env", "logic-check", "docker-security"] @@ -181,28 +181,40 @@ jobs: packages: write strategy: matrix: + # run-on-pr is used to skip running registries that are expected to fail + # due to github permission issues with org wide secrets. registry: - name: DockerHub user-secret: DOCKERHUB_USERNAME token-secret: DOCKERHUB_TOKEN registry-url: docker.io registry-owner: celestiaorg + run-on-pr: "false" - name: GHCR user-secret: ${{ github.repository_owner }} token-secret: GITHUB_TOKEN registry-url: ghcr.io registry-owner: ${{ needs.prepare-env.outputs.repo_owner }} + run-on-pr: "true" - name: ScaleWay user-secret: SCALEWAY_USERNAME token-secret: SCW_SECRET_KEY registry-url: rg.fr-par.scw.cloud registry-owner: celestiaorg + run-on-pr: "false" fail-fast: false steps: + - name: Check run conditions + id: run_check + # We only want to run when the registry is able to run on PR or if it is a merge event + run: echo "run=${{ matrix.registry.run-on-pr == needs.prepare-env.outputs.build_for_pr || needs.prepare-env.outputs.build_for_merge == 'true'}}" >> "$GITHUB_OUTPUT" + - name: Checkout + if: ${{ steps.run_check.outputs.run == 'true'}} uses: "actions/checkout@v4" - name: Login to ${{ matrix.registry.name }} + if: ${{ steps.run_check.outputs.run == 'true'}} uses: docker/login-action@v3 with: registry: ${{ matrix.registry.registry-url }} 
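Review bot: The `run_check` expression encodes the comment's rule only indirectly: `matrix.registry.run-on-pr == needs.prepare-env.outputs.build_for_pr` is true for DockerHub and ScaleWay (`run-on-pr: "false"`) whenever `build_for_pr` is `'false'`, so on an event where prepare-env (outside this hunk) reports neither a PR build nor a merge build those two registries still run Checkout and Login with the org-wide secrets although both build steps are skipped, while GHCR is skipped entirely. Spelling the rule out as `run: echo "run=${{ needs.prepare-env.outputs.build_for_merge == 'true' || (needs.prepare-env.outputs.build_for_pr == 'true' && matrix.registry.run-on-pr == 'true') }}" >> "$GITHUB_OUTPUT"` matches the comment literally, leaves PR and merge behaviour unchanged if those are the only two build modes, and avoids logging in to a registry when nothing will be pushed. Style: the new `if:` expressions in this and the following hunks omit the space before `}}` (`'true'}}`); GitHub accepts it, but `'true' }}` matches the surrounding expressions. The docker-build job starts and ends outside the hunk.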
@@ -210,6 +222,7 @@ jobs: password: ${{ secrets[matrix.registry.token-secret] }} - name: Extract Docker Metadata + if: ${{ steps.run_check.outputs.run == 'true'}} id: meta uses: docker/metadata-action@v5 env: @@ -233,9 +246,11 @@ jobs: # yamllint enable - name: Set up QEMU + if: ${{ steps.run_check.outputs.run == 'true'}} uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx + if: ${{ steps.run_check.outputs.run == 'true'}} uses: docker/setup-buildx-action@v3 # Build and Publish images on main, master, and versioned branches. @@ -245,7 +260,7 @@ jobs: # the amd64 image since building the arm64 image takes significantly # longer. - name: "Merge on Main Trigger: Build and Push All Docker Images" - if: ${{ needs.prepare-env.outputs.build_for_merge == 'true' }} + if: ${{ needs.prepare-env.outputs.build_for_merge == 'true' && steps.run_check.outputs.run == 'true'}} uses: docker/build-push-action@v5 env: OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }} @@ -265,7 +280,7 @@ jobs: # forks can't push, we still want to try and build the image to catch # bugs. For testing purposes we only need an amd64 image. - name: "Pull Request Trigger: Build and Push amd64 Docker Image" - if: ${{ needs.prepare-env.outputs.build_for_pr == 'true' }} + if: ${{ needs.prepare-env.outputs.build_for_pr == 'true' && steps.run_check.outputs.run == 'true'}} uses: docker/build-push-action@v5 env: OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }} From 1cb27a6391ad2dd677ee944efcf863920dcc621f Mon Sep 17 00:00:00 2001 From: Matthew Sevey Date: Mon, 18 Mar 2024 11:55:22 -0400 Subject: [PATCH 2/2] chore (ci): rename step within docker security job (#97) --- .github/workflows/reusable_dockerfile_pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable_dockerfile_pipeline.yml b/.github/workflows/reusable_dockerfile_pipeline.yml index 1b8c404..1a1da6c 100644 --- a/.github/workflows/reusable_dockerfile_pipeline.yml 
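Review bot: In the merge-trigger step (hunk `@@ -245,7 +260,7 @@`) the added `&& steps.run_check.outputs.run == 'true'` is implied by the first clause: as written in the previous hunk, `run_check` sets `run` to true whenever `needs.prepare-env.outputs.build_for_merge == 'true'`, so the condition reduces to the original `build_for_merge == 'true'` and the guard never skips this step. It does no harm and keeps the step symmetrical with the others if `run_check` ever changes, but that intent is worth one line above the `if:`, e.g. `# run_check already covers merge builds; kept for symmetry with the PR step`. The PR-trigger step in the last hunk is different: there `run` does carry information, since it is what excludes the registries marked `run-on-pr: "false"` on pull requests. The enclosing docker-build job starts and ends outside these hunks.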
+++ b/.github/workflows/reusable_dockerfile_pipeline.yml
@@ -141,7 +141,7 @@ jobs:
 - name: Checkout
 uses: "actions/checkout@v4"
- - name: Build and Push
+ - name: Build
 uses: docker/build-push-action@v5
 env:
 OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }}