Apply security fixes to GitHub Actions #9171
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Test Docker | |
on: | |
push: | |
branches: | |
- "**" | |
paths-ignore: | |
- ".github/workflows/docs.yml" | |
- ".github/workflows/wheels*" | |
- ".gitmodules" | |
- "docs/**" | |
- "wheels/**" | |
pull_request: | |
paths-ignore: | |
- ".github/workflows/docs.yml" | |
- ".github/workflows/wheels*" | |
- ".gitmodules" | |
- "docs/**" | |
- "wheels/**" | |
workflow_dispatch: | |
permissions: | |
contents: read | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
docker: [ | |
# Run slower jobs first to give them a headstart and reduce waiting time | |
ubuntu-22.04-jammy-arm64v8, | |
ubuntu-24.04-noble-ppc64le, | |
ubuntu-24.04-noble-s390x, | |
# Then run the remainder | |
alpine, | |
amazon-2-amd64, | |
amazon-2023-amd64, | |
arch, | |
centos-stream-9-amd64, | |
debian-12-bookworm-x86, | |
debian-12-bookworm-amd64, | |
fedora-40-amd64, | |
fedora-41-amd64, | |
gentoo, | |
ubuntu-22.04-jammy-amd64, | |
ubuntu-24.04-noble-amd64, | |
] | |
dockerTag: [main] | |
include: | |
- docker: "ubuntu-22.04-jammy-arm64v8" | |
qemu-arch: "aarch64" | |
- docker: "ubuntu-24.04-noble-ppc64le" | |
qemu-arch: "ppc64le" | |
- docker: "ubuntu-24.04-noble-s390x" | |
qemu-arch: "s390x" | |
name: ${{ matrix.docker }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Build system information | |
run: python3 .github/workflows/system-info.py | |
- name: Set up QEMU | |
if: "matrix.qemu-arch" | |
run: | | |
docker run --rm --privileged aptman/qus -s -- -p ${{ matrix.qemu-arch }} | |
- name: Docker pull | |
run: | | |
docker pull pythonpillow/${{ matrix.docker }}:${{ matrix.dockerTag }} | |
- name: Docker build | |
run: | | |
# The Pillow user in the docker container is UID 1001 | |
sudo chown -R 1001 $GITHUB_WORKSPACE | |
docker run --name pillow_container -v $GITHUB_WORKSPACE:/Pillow pythonpillow/${{ matrix.docker }}:${{ matrix.dockerTag }} | |
sudo chown -R runner $GITHUB_WORKSPACE | |
- name: After success | |
run: | | |
PATH="$PATH:~/.local/bin" | |
docker start pillow_container | |
pil_path=`docker exec pillow_container /vpy3/bin/python -c 'import os, PIL;print(os.path.realpath(os.path.dirname(PIL.__file__)))'` | |
docker stop pillow_container | |
sudo mkdir -p $pil_path | |
sudo cp src/PIL/*.py $pil_path | |
.ci/after_success.sh | |
env: | |
MATRIX_DOCKER: ${{ matrix.docker }} | |
- name: Upload coverage | |
uses: codecov/codecov-action@v4 | |
with: | |
flags: GHA_Docker | |
name: ${{ matrix.docker }} | |
token: ${{ secrets.CODECOV_ORG_TOKEN }} | |
success: | |
permissions: | |
contents: none | |
needs: build | |
runs-on: ubuntu-latest | |
name: Docker Test Successful | |
steps: | |
- name: Success | |
run: echo Docker Test Successful |