Create separate build and publish workflows

welteki · welteki · commit d553776ce95d · 2024-06-18T15:19:01.000+02:00
- Prevent failing CI for PRs bacause of missing permission to push
  images.
- Prevent image builds from users with sufficient permission to get
  published on PRs and branches other than master.

Signed-off-by: Han Verstraete (OpenFaaS Ltd) &lt;han@openfaas.com&gt;
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -34,29 +34,21 @@ jobs:
         id: get_repo_owner
         run: echo "REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" > $GITHUB_ENV
 
-      - name: Docker Login
-        run: > 
-          echo ${{ secrets.GITHUB_TOKEN }} | 
-          docker login ghcr.io --username 
-          ${{ env.REPO_OWNER  }} 
-          --password-stdin
-      - name: Publish multi-arch functions
+      - name: Build multi-arch functions
         run: >
           OWNER="${{ env.REPO_OWNER  }}" 
           TAG="latest"
           SERVER="ghcr.io"
-          faas-cli publish
-          --extra-tag ${{ github.sha }}
+          faas-cli build
           --build-arg GO111MODULE=on
           --platforms linux/arm/v7,linux/arm64,linux/amd64
 
-      - name: Publish amd64-only functions
+      - name: Build amd64-only functions
         run: >
           OWNER="${{ env.REPO_OWNER  }}" 
           TAG="latest"
           SERVER="ghcr.io"
-          faas-cli publish
-          --extra-tag ${{ github.sha }}
+          faas-cli build
           --platforms linux/amd64
           -f stack-amd64.yml
 
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -0,0 +1,58 @@
+name: publish
+
+on:
+  push:
+    branches:
+      - 'master'
+
+jobs:
+  build:
+    concurrency: 
+      group: ${{ github.ref }}
+      cancel-in-progress: true
+
+    permissions:
+      packages: write
+      checks: write
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@master
+        with:
+          fetch-depth: 1
+      - name: Get faas-cli
+        run: curl -sLSf https://cli.openfaas.com | sudo sh
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Get Repo Owner
+        id: get_repo_owner
+        run: echo "REPO_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" > $GITHUB_ENV
+
+      - name: Docker Login
+        run: > 
+          echo ${{ secrets.GITHUB_TOKEN }} | 
+          docker login ghcr.io --username 
+          ${{ env.REPO_OWNER  }} 
+          --password-stdin
+      - name: Publish multi-arch functions
+        run: >
+          OWNER="${{ env.REPO_OWNER  }}" 
+          TAG="latest"
+          SERVER="ghcr.io"
+          faas-cli publish
+          --extra-tag ${{ github.sha }}
+          --build-arg GO111MODULE=on
+          --platforms linux/arm/v7,linux/arm64,linux/amd64
+
+      - name: Publish amd64-only functions
+        run: >
+          OWNER="${{ env.REPO_OWNER  }}" 
+          TAG="latest"
+          SERVER="ghcr.io"
+          faas-cli publish
+          --extra-tag ${{ github.sha }}
+          --platforms linux/amd64
+          -f stack-amd64.yml
