Merge pull request #1116 from alltilla/github-actions-hardening #1351
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Compile dbld-images | |
| permissions: | |
| contents: read | |
| on: | |
| pull_request: | |
| paths: | |
| - 'dbld/**' | |
| - 'packaging/rhel/**' | |
| - 'packaging/debian/**' | |
| - '.github/workflows/dbld-images.yml' | |
| push: | |
| paths: | |
| - 'dbld/**' | |
| - 'packaging/rhel/**' | |
| - 'packaging/debian/**' | |
| - '.github/workflows/dbld-images.yml' | |
| schedule: | |
| - cron: '00 22 * * *' | |
| workflow_dispatch: | |
| inputs: | |
| testing_image_upload: | |
| description: Should we upload the images into GitHub Packages? (true/false) | |
| required: false | |
| default: "false" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| name: Build | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read # checkout source | |
| packages: write # push dbld images to GHCR | |
| strategy: | |
| matrix: | |
| image: | |
| - almalinux-8 | |
| - almalinux-9 | |
| - almalinux-10 | |
| - fedora-44 | |
| - debian-bullseye | |
| - debian-bookworm | |
| - debian-sid | |
| - debian-testing | |
| - debian-trixie | |
| - ubuntu-focal | |
| - ubuntu-jammy | |
| - ubuntu-noble | |
| - ubuntu-plucky | |
| - ubuntu-questing | |
| - ubuntu-resolute | |
| - devshell | |
| - tarball | |
| fail-fast: false | |
| steps: | |
| - name: Checkout source code | |
| uses: actions/checkout@v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Set container registry | |
| env: | |
| REPOSITORY_OWNER: ${{ github.repository_owner }} | |
| run: | | |
| CONTAINER_REGISTRY="ghcr.io/${REPOSITORY_OWNER}" | |
| CONTAINER_REGISTRY="$(echo "$CONTAINER_REGISTRY" | tr '[:upper:]' '[:lower:]')" | |
| . .github/workflows/gh-tools.sh | |
| gh_export CONTAINER_REGISTRY | |
| - name: Build the images | |
| env: | |
| IMAGE: ${{ matrix.image }} | |
| run: dbld/rules image-${IMAGE} | |
| - name: Should we upload the images? | |
| env: | |
| TESTING_IMAGE_UPLOAD: ${{ github.event.inputs.testing_image_upload }} | |
| REPOSITORY_OWNER: ${{ github.repository_owner }} | |
| GITHUB_REF: ${{ github.ref }} | |
| EVENT_NAME: ${{ github.event_name }} | |
| run: | | |
| if [ "${TESTING_IMAGE_UPLOAD}" = "true" ] || \ | |
| ( \ | |
| [ "${REPOSITORY_OWNER}" = "axoflow" ] && \ | |
| [ "${GITHUB_REF}" = "refs/heads/main" ] && \ | |
| [[ "${EVENT_NAME}" =~ ^(push|workflow_dispatch|schedule)$ ]] \ | |
| ) | |
| then | |
| UPLOAD_IMAGES_INTERNAL="true" | |
| else | |
| UPLOAD_IMAGES_INTERNAL="false" | |
| fi | |
| . .github/workflows/gh-tools.sh | |
| gh_export UPLOAD_IMAGES_INTERNAL | |
| - name: Log in to the Container registry | |
| if: env.UPLOAD_IMAGES_INTERNAL == 'true' | |
| uses: docker/login-action@v4.1.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Push the images | |
| if: env.UPLOAD_IMAGES_INTERNAL == 'true' | |
| env: | |
| IMAGE: ${{ matrix.image }} | |
| run: | | |
| dbld/rules push-image-${IMAGE} |