Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: fix failing docker CI due to permission issues on PRs #94

Merged
merged 4 commits into from
Feb 7, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions .github/workflows/dockerfile_workflow_test.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,16 @@
#
# This workflow is used to test the `reusable_dockerfile_pipeline` action used
# to build and push the Docker image to the container registries.
#
# The reason this workflow targets the develop branch is so that we can test the
# action in the PR. If we targeted main, we would need to merge changes into main
# before being able to test them.
#
name: Build Using Reusable Workflow
on: [push, pull_request]
jobs:
# reusable-build tests calling the reusable_dockerfile_pipeline while
# providing a custom packageName
reusable-build:
permissions:
contents: write
Expand All @@ -10,6 +20,9 @@ jobs:
dockerfile: docker-action-test/Dockerfile
packageName: docker-test
secrets: inherit

# reusable-build-defaults tests calling the reusable_dockerfile_pipeline with
# the defaults
reusable-build-defaults:
permissions:
contents: write
Expand Down
21 changes: 18 additions & 3 deletions .github/workflows/reusable_dockerfile_pipeline.yml
Original file line number Diff line number Diff line change
Expand Up @@ -172,7 +172,7 @@ jobs:
severity: "CRITICAL,HIGH"

docker-build:
name: docker-build (${{ matrix.registry.name }}; ${{ matrix.registry.registry-url }}/${{ matrix.registry.registry-owner }}/${{ needs.prepare-env.outputs.output_image_name }}:${{ needs.prepare-env.outputs.output_short_sha }})
name: docker-build (${{ matrix.registry.name }}; ${{ matrix.registry.registry-url }}/${{ matrix.registry.registry-owner }}/${{ needs.prepare-env.outputs.output_image_name }})
runs-on: "ubuntu-latest"
# wait until the jobs are finished.
needs: ["prepare-env", "logic-check", "docker-security"]
Expand All @@ -181,35 +181,48 @@ jobs:
packages: write
strategy:
matrix:
# run-on-pr is used to skip running registries that are expected to fail
# due to github permission issues with org wide secrets.
registry:
- name: DockerHub
user-secret: DOCKERHUB_USERNAME
token-secret: DOCKERHUB_TOKEN
registry-url: docker.io
registry-owner: celestiaorg
run-on-pr: "false"
- name: GHCR
user-secret: ${{ github.repository_owner }}
token-secret: GITHUB_TOKEN
registry-url: ghcr.io
registry-owner: ${{ needs.prepare-env.outputs.repo_owner }}
run-on-pr: "true"
- name: ScaleWay
user-secret: SCALEWAY_USERNAME
token-secret: SCW_SECRET_KEY
registry-url: rg.fr-par.scw.cloud
registry-owner: celestiaorg
run-on-pr: "false"
fail-fast: false
steps:
- name: Check run conditions
id: run_check
# We only want to run when the registry is able to run on PR or if it is a merge event
run: echo "run=${{ matrix.registry.run-on-pr == needs.prepare-env.outputs.build_for_pr || needs.prepare-env.outputs.build_for_merge == 'true'}}" >> "$GITHUB_OUTPUT"

- name: Checkout
if: ${{ steps.run_check.outputs.run == 'true'}}
uses: "actions/checkout@v4"

- name: Login to ${{ matrix.registry.name }}
if: ${{ steps.run_check.outputs.run == 'true'}}
uses: docker/login-action@v3
with:
registry: ${{ matrix.registry.registry-url }}
username: ${{ matrix.registry.registry-url == env.GITHUB_REG && matrix.registry.user-secret || secrets[matrix.registry.user-secret] }}
password: ${{ secrets[matrix.registry.token-secret] }}

- name: Extract Docker Metadata
if: ${{ steps.run_check.outputs.run == 'true'}}
id: meta
uses: docker/metadata-action@v5
env:
Expand All @@ -233,9 +246,11 @@ jobs:
# yamllint enable

- name: Set up QEMU
if: ${{ steps.run_check.outputs.run == 'true'}}
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
if: ${{ steps.run_check.outputs.run == 'true'}}
uses: docker/setup-buildx-action@v3

# Build and Publish images on main, master, and versioned branches.
Expand All @@ -245,7 +260,7 @@ jobs:
# the amd64 image since building the arm64 image takes significantly
# longer.
- name: "Merge on Main Trigger: Build and Push All Docker Images"
if: ${{ needs.prepare-env.outputs.build_for_merge == 'true' }}
if: ${{ needs.prepare-env.outputs.build_for_merge == 'true' && steps.run_check.outputs.run == 'true'}}
uses: docker/build-push-action@v5
env:
OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }}
Expand All @@ -265,7 +280,7 @@ jobs:
# forks can't push, we still want to try and build the image to catch
# bugs. For testing purposes we only need an amd64 image.
- name: "Pull Request Trigger: Build and Push amd64 Docker Image"
if: ${{ needs.prepare-env.outputs.build_for_pr == 'true' }}
if: ${{ needs.prepare-env.outputs.build_for_pr == 'true' && steps.run_check.outputs.run == 'true'}}
uses: docker/build-push-action@v5
env:
OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }}
Expand Down
Loading