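# Builds the per-ecosystem updater images for a pull request, pushes them to GHCR tagged with the
# commit SHA, and signs them with cosign. Images are only published once the `approval` job has
# confirmed the PR is approved and still open.
name: Branch images
env:
  # Used by `gh` in both jobs and reused for the GHCR login below.
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
on: # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
    types:
      - synchronize
  pull_request_review:
    types:
      - submitted
  workflow_dispatch:
    inputs:
      pr:
        required: true
        type: number
        description: PR number
jobs:
  approval:
    # Skip when triggered by pull request events on PR's from forks because the GITHUB_TOKEN on
    # those PR's does not have write access, and thus cannot deploy to GHCR.
    # Running this workflow against PR's from forks requires manually triggering it via `workflow_dispatch`.
    # On `workflow_dispatch` the event payload has no `pull_request`, so this condition is true and the job runs.
    if: ${{ !github.event.pull_request.head.repo.fork }}
    runs-on: ubuntu-latest
    # Least privilege: this job only reads the PR's review state, so it does not need to inherit the
    # repository's default token permissions.
    permissions:
      contents: read
      pull-requests: read
    outputs:
      decision: ${{ steps.decision.outputs.decision }}
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: recursive
      # `PR` is exported via $GITHUB_ENV so later steps can read it as a plain environment variable.
      - name: Set PR
        run: echo "PR=${{ github.event.pull_request.number }}" >> "$GITHUB_ENV"
        if: github.event_name != 'workflow_dispatch'
      - name: Set PR when manually triggered (intended for forks)
        run: echo "PR=${{ inputs.pr }}" >> "$GITHUB_ENV"
        if: github.event_name == 'workflow_dispatch'
      # Skips push-updater-images by setting an output
      - name: Check if pull request is approved
        id: decision
        run: |
          # For security, the `gh` call that retrieves the PR approval status *must* also retrieve the commit at the
          # tip of the PR to ensure that any subsequent unreviewed commits are not pulled into this action workflow.
          # Output format is "<reviewDecision>:<state>:<PR_HEAD_SHA>", e.g. "APPROVED:OPEN:<sha>".
          DECISION=$(gh pr view "$PR" --json reviewDecision,state,commits --jq '"\(.reviewDecision):\(.state):\(.commits | last .oid)"')
          echo "decision=$DECISION" >> "$GITHUB_OUTPUT"
  push-updater-images:
    runs-on: ubuntu-latest
    needs: approval
    # Only publish for an approved, open PR. The trailing commit SHA in the decision string is deliberately
    # ignored here; it is verified against the checked-out commit in the "Prepare tag (forks)" step.
    if: startsWith(needs.approval.outputs.decision, 'APPROVED:OPEN')
    strategy:
      fail-fast: false
      matrix:
        # `name` is the argument to script/build; `ecosystem` is the GHCR image name suffix.
        suite:
          - { name: bundler, ecosystem: bundler }
          - { name: cargo, ecosystem: cargo }
          - { name: composer, ecosystem: composer }
          - { name: docker, ecosystem: docker }
          - { name: dotnet_sdk, ecosystem: dotnet-sdk }
          - { name: elm, ecosystem: elm }
          - { name: git_submodules, ecosystem: gitsubmodule }
          - { name: github_actions, ecosystem: github-actions }
          - { name: go_modules, ecosystem: gomod }
          - { name: gradle, ecosystem: gradle }
          - { name: hex, ecosystem: mix }
          - { name: maven, ecosystem: maven }
          - { name: npm_and_yarn, ecosystem: npm }
          - { name: nuget, ecosystem: nuget }
          - { name: pub, ecosystem: pub }
          - { name: python, ecosystem: pip }
          - { name: swift, ecosystem: swift }
          - { name: devcontainers, ecosystem: devcontainers }
          - { name: terraform, ecosystem: terraform }
    # `packages: write` pushes to GHCR; `id-token: write` is used by `cosign sign` for keyless (OIDC) signing.
    permissions:
      contents: read
      id-token: write
      packages: write
    env:
      # Default tag; overridden below for fork PRs once the approved commit has been checked out.
      DEPENDABOT_UPDATER_VERSION: ${{ github.sha }}
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: recursive
      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
      - name: Prepare tag
        run: echo "DEPENDABOT_UPDATER_VERSION=${{ github.sha }}" >> "$GITHUB_ENV"
        if: github.event_name == 'pull_request' || github.event_name == 'pull_request_review'
      - name: Prepare tag (forks)
        env:
          # Passed through the environment rather than expanded into the script text, and quoted below,
          # so an empty or unexpected value fails the comparison instead of producing a malformed command.
          DECISION: ${{ needs.approval.outputs.decision }}
          PR: ${{ inputs.pr }}
        run: |
          gh pr checkout "$PR"
          # Ensure the commit we've checked out matches our expected SHA from when we checked the PR's approval status above.
          # This is a security measure to prevent any unreviewed commits from getting pulled into this action workflow.
          # The format is "APPROVED:OPEN:<PR_COMMIT_SHA>", so compare the end of the string to the current commit.
          [[ "$DECISION" =~ $(git rev-parse HEAD)$ ]]
          # Fast-forward only: fails if main has moved ahead of the PR branch, so the build never includes a merge
          # commit that was not part of the approved PR.
          git fetch origin main
          git merge origin/main --ff-only || exit 1
          git submodule update --init --recursive
          echo "DEPENDABOT_UPDATER_VERSION=$(git rev-parse HEAD)" >> "$GITHUB_ENV"
        if: github.event_name == 'workflow_dispatch'
      - name: Log in to GHCR
        # GH_TOKEN is the workflow-level secrets.GITHUB_TOKEN; read it from the environment instead of
        # expanding the secret into the script text.
        run: |
          echo "$GH_TOKEN" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
      - name: Build ecosystem image
        run: script/build ${{ matrix.suite.name }}
      - name: Push branch image
        run: |
          docker tag "ghcr.io/dependabot/dependabot-updater-${{ matrix.suite.ecosystem }}" "ghcr.io/dependabot/dependabot-updater-${{ matrix.suite.ecosystem }}:$DEPENDABOT_UPDATER_VERSION"
          docker push "ghcr.io/dependabot/dependabot-updater-${{ matrix.suite.ecosystem }}:$DEPENDABOT_UPDATER_VERSION"
          # Sign by digest so the signature is bound to the pushed content rather than the mutable tag.
          cosign sign --yes $(cosign triangulate --type=digest "ghcr.io/dependabot/dependabot-updater-${{ matrix.suite.ecosystem }}:$DEPENDABOT_UPDATER_VERSION")
      - name: Set summary
        run: |
          echo "updater uploaded with tag \`$DEPENDABOT_UPDATER_VERSION\`" >> "$GITHUB_STEP_SUMMARY"
          echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"
          echo "ghcr.io/dependabot/dependabot-updater-${{ matrix.suite.ecosystem }}:$DEPENDABOT_UPDATER_VERSION" >> "$GITHUB_STEP_SUMMARY"
          echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"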