chore(lint): fix UX audit false positives and add accessible labels t… #212
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker | |
| on: | |
| push: | |
| branches: ["dev", "main"] | |
| tags: ["v*.*.*"] | |
| pull_request: | |
| branches: ["dev", "main"] | |
| workflow_dispatch: | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| jobs: | |
| detect-changes: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| has-changes: ${{ steps.set-matrix.outputs.has-changes }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| submodules: recursive | |
| - name: Detect changed paths | |
| id: set-matrix | |
| run: | | |
| # Initialize empty matrix | |
| MATRIX_INCLUDE="[]" | |
| HAS_CHANGES=false | |
| # Function to add to matrix | |
| add_to_matrix() { | |
| local context=$1 | |
| local suffix=$2 | |
| local dockerfile=$3 | |
| local component=$4 | |
| # Use jq to robustly add the object to the array | |
| MATRIX_INCLUDE=$(echo "$MATRIX_INCLUDE" | jq -c ". + [{\"context\":\"$context\",\"image-suffix\":\"$suffix\",\"dockerfile\":\"$dockerfile\",\"component\":\"$component\"}]") | |
| HAS_CHANGES=true | |
| } | |
| # Check if we should build everything (tags, PRs, or workflow change) | |
| # Check if we should build everything | |
| FORCE_BUILD=false | |
| BASE_REF="HEAD~1" | |
| # Intelligent Tag Handling | |
| if [[ "${{ github.ref }}" == refs/tags/* ]]; then | |
| # Try to find the previous tag (abbrev=0 to get clean tag name) | |
| PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "") | |
| if [ -z "$PREV_TAG" ]; then | |
| # No previous tag found (first release), force full build | |
| echo "No previous tag found. Forcing full build." | |
| FORCE_BUILD=true | |
| else | |
| # Diff against the previous tag | |
| BASE_REF="$PREV_TAG" | |
| echo "Comparing this tag (${{ github.ref_name }}) against previous tag: $PREV_TAG" | |
| fi | |
| elif [[ "${{ github.event_name }}" == "pull_request" ]]; then | |
| # For PRs, we currently force build to ensure stability, | |
| # though this could be optimized to compare against target branch in future. | |
| FORCE_BUILD=true | |
| fi | |
| # Check for workflow changes (always rebuild if pipeline changes) | |
| # We use BASE_REF here to catch workflow changes in the range | |
| if git diff --name-only "$BASE_REF" HEAD | grep -q "\.github/workflows/docker-publish\.yml"; then | |
| echo "Workflow file changed. Forcing full build." | |
| FORCE_BUILD=true | |
| fi | |
| if [ "$FORCE_BUILD" = true ]; then | |
| add_to_matrix "." "" "Dockerfile" "core" | |
| add_to_matrix "./rf-engine" "-rf-engine" "./rf-engine/Dockerfile" "rf-engine" | |
| add_to_matrix "opentopodata" "-opentopodata" "opentopodata/docker/Dockerfile" "opentopodata" | |
| else | |
| echo "Checking for changes relative to: $BASE_REF" | |
| # Core/root image changes | |
| if git diff --name-only "$BASE_REF" HEAD | grep -E '(Dockerfile|\.go$|\.py$|requirements|package\.json|\.ts$|\.js$)' | grep -qv "rf-engine\|opentopodata"; then | |
| add_to_matrix "." "" "Dockerfile" "core" | |
| fi | |
| # rf-engine changes | |
| if git diff --name-only "$BASE_REF" HEAD | grep -q "^rf-engine/"; then | |
| add_to_matrix "./rf-engine" "-rf-engine" "./rf-engine/Dockerfile" "rf-engine" | |
| fi | |
| # opentopodata changes | |
| if git diff --name-only "$BASE_REF" HEAD | grep -E -q "^opentopodata(/|$)"; then | |
| add_to_matrix "opentopodata" "-opentopodata" "opentopodata/docker/Dockerfile" "opentopodata" | |
| fi | |
| fi | |
| # finalize matrix JSON | |
| MATRIX=$(echo "{}" | jq -c ".include = $MATRIX_INCLUDE") | |
| echo "Detected changes: $HAS_CHANGES" | |
| echo "Matrix: $MATRIX" | |
| echo "matrix=$MATRIX" >> $GITHUB_OUTPUT | |
| echo "has-changes=$HAS_CHANGES" >> $GITHUB_OUTPUT | |
| build: | |
| needs: detect-changes | |
| if: ${{ needs.detect-changes.outputs.has-changes == 'true' }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.detect-changes.outputs.matrix) }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Verify Submodules | |
| run: | | |
| git submodule update --init --recursive | |
| ls -R opentopodata | |
| - name: Lowercase Image Name | |
| run: | | |
| echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log into registry ${{ env.REGISTRY }} | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ matrix.image-suffix }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=tag | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: ${{ matrix.context }} | |
| file: ${{ matrix.dockerfile }} | |
| platforms: linux/amd64,linux/arm64 | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: | | |
| type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ matrix.image-suffix }}:buildcache | |
| type=gha | |
| cache-to: type=gha,mode=max |