refactor: checkout step #2
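name: 'Build and Test and PR Container'
inputs:
  job-name:
    description: "Job name to display on Slack messages."
    required: true
    type: string
  build-file:
    description: "Path to the container file."
    required: true
    type: string
  build-context:
    description: "Path to the build root dir."
    default: '.'
    type: string
  pr-filters:
    description: "YAML dictionary of lists of path filters."
    required: true
    type: string
  test-flags:
    description: "Arguments passed to docker run."
    default: ''
    type: string
  test-args:
    description: "Arguments passed to the container."
    default: ''
    type: string
  registry:
    description: "URL of the container registry."
    required: true
    type: string
  registry-user:
    description: "Username for the container registry."
    required: true
    type: string
  registry-repo:
    description: "Repo within container registry project."
    required: true
    type: string
  registry-tag-prefix:
    description: "Prefix to use when tagging container"
    default: ''
    type: string
  registry-tag-suffix:
    description: "Suffix to use when tagging container"
    default: ''
    type: string
  release-rules:
    description: "JSON list of rule dicts for what commit types trigger releases."
    default: |
      [
        {"type": "major", "release": "major"},
        {"type": "minor", "release": "minor"},
        {"type": "patch", "release": "patch"},
        {"type": "no-release", "release": false},
        {"type": "chore", "release": "patch"},
        {"type": "refactor", "release": "patch"},
        {"type": "style", "release": "patch"},
        {"type": "docs", "release": false},
        {"type": "test", "release": false},
        {"type": "ci", "release": false},
        {"type": "feat", "release": "minor"},
        {"type": "revert", "release": "patch"},
        {"type": "perf", "release": "patch"},
        {"type": "fix", "release": "patch"},
        {"type": "build", "release": "patch"},
      ]
    type: string
  release-branches:
    description: "JSON list of regex branch filters."
    default: |
      [
        '+([0-9])?(.{+([0-9]),x}).x',
        'main'
      ]
    type: string
  release-tag-format:
    description: "Semantic-release Github release tag format."
    default: '${version}'
    type: string
  slack-channel:
    description: "ID of the Slack channel to post updates to."
    required: true
    type: string
  status-failure:
    description: "Failure status for the message header."
    default: ':no_entry:'
    type: string
  cosign-public-key:
    description: "Public key for cosigning images."
    required: false
    type: string
  # Secret-bearing inputs: only ever consumed through `env:` below, never
  # interpolated into a `run:` script body.
  slack-token:
    description: "Authentication token for Slack."
    required: true
  registry-token:
    description: "Authentication token for the container registry."
    required: true
  cosign-private-key:
    description: "Private key for cosigning images."
    required: false
  cosign-password:
    description: "Private key password for cosigning images."
    required: false
runs:
  using: "composite"
  # NOTE(review): third-party actions are referenced by mutable tags; pinning
  # each `uses:` to a full commit SHA (with the tag in a trailing comment)
  # removes the supply-chain exposure of a retargeted tag.
  steps:
    - name: clone repo
      uses: actions/checkout@v3
    - name: detect changed files
      uses: dorny/paths-filter@v2
      id: changes
      with:
        token: ${{ github.token }}
        # Was `inputs.release-filters`, which is not a declared input and
        # therefore expanded to an empty filter set; `pr-filters` is the
        # declared input this step is meant to consume.
        filters: ${{ inputs.pr-filters }}
    - name: annotate the ci run with changes
      # Composite actions require an explicit `shell:` on every `run:` step.
      shell: bash
      run: >-
        echo "::notice title=Job: ${{ github.job }}::%0A
        Changes: ${{ steps.changes.outputs.changes }}"
    # setup
    - name: install cosign
      if: inputs.cosign-public-key != ''
      uses: sigstore/cosign-installer@v3.1.2
    - name: forward proxy settings
      shell: bash
      run: |
        echo "HTTP_PROXY=$HTTP_PROXY" >> $GITHUB_ENV
        echo "HTTPS_PROXY=$HTTPS_PROXY" >> $GITHUB_ENV
        echo "NO_PROXY=$NO_PROXY" >> $GITHUB_ENV
    - name: install buildx
      uses: docker/setup-buildx-action@v3
      with:
        driver-opts: |
          env.http_proxy=${{ env.HTTP_PROXY }}
          env.https_proxy=${{ env.HTTPS_PROXY }}
          "env.no_proxy='${{ env.NO_PROXY }}'"
    - name: login to container registry
      uses: docker/login-action@v2
      with:
        registry: ${{ inputs.registry }}
        username: ${{ inputs.registry-user }}
        password: ${{ inputs.registry-token }}
    - name: container metadata
      uses: docker/metadata-action@v5
      id: meta
      with:
        images: |
          ${{ inputs.registry }}/${{ inputs.registry-repo }}
        tags: |
          type=ref,event=pr
    - name: build and push
      uses: docker/build-push-action@v5
      id: build
      with:
        file: ${{ inputs.build-file }}
        context: ${{ inputs.build-context }}
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        push: true
        github-token: ${{ github.token }}
        cache-from: type=gha
        cache-to: type=gha,mode=max
        provenance: true
    - name: cosign image with key
      # Signing is gated on the public key being supplied; if the caller sets
      # it without `cosign-private-key`, this step fails rather than skipping.
      if: inputs.cosign-public-key != ''
      shell: bash
      run: |
        cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${TAGS}@${DIGEST}"
      env:
        COSIGN_PRIVATE_KEY: ${{ inputs.cosign-private-key }}
        COSIGN_PASSWORD: ${{ inputs.cosign-password }}
        TAGS: ${{ steps.meta.outputs.tags }}
        DIGEST: ${{ steps.build.outputs.digest }}
    - name: cosign verify image
      # Verifies by digest, so the check is bound to the exact image just pushed.
      if: inputs.cosign-public-key != ''
      env:
        COSIGN_PUBLIC_KEY: ${{ inputs.cosign-public-key }}
        TAGS: ${{ steps.meta.outputs.tags }}
        DIGEST: ${{ steps.build.outputs.digest }}
      shell: bash
      run: |
        cosign verify --key env://COSIGN_PUBLIC_KEY "${TAGS}@${DIGEST}"
    - name: annotate the ci run with container tags
      shell: bash
      run: >-
        echo "::notice title=Job: ${{ github.job }} / ${{ inputs.job-name }}::%0A
        Pushed PR container assets!%0A
        - %0A
        docker pull ${{ steps.meta.outputs.tags }}%0A
        ${{ steps.build.outputs.digest }}"
    - name: test
      if: ${{ inputs.test-flags != '' || inputs.test-args != '' }}
      shell: bash
      # `test-flags` and `test-args` are expanded verbatim into the command
      # line so that callers can pass several arguments; callers must pass
      # only values they control. The image is referenced by digest.
      run: |
        docker run \
          ${{ inputs.test-flags }} \
          ${{ inputs.registry }}/${{ inputs.registry-repo }}@${{ steps.build.outputs.digest }} \
          ${{ inputs.test-args }}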