Skip to content
Docker

Fix Docker workflow: use static permissions value #376

Sign in to view logs

Fix Docker workflow: use static permissions value

Fix Docker workflow: use static permissions value #376

Workflow file for this run

.github/workflows/docker.yml at d5758dd
name: Docker
on:
push:
branches: [main]
tags:
- 'v*'
pull_request:
paths:
- 'Dockerfile'
- '.dockerignore'
- '.github/workflows/docker.yml'
- 'go.mod'
- 'go.sum'
- '**/*.go'
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
# PR validation: build and smoke-test only, no registry access
validate:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up QEMU
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Build multi-arch (no push)
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
context: .
platforms: linux/amd64,linux/arm64
push: false
build-args: |
VERSION=test
COMMIT=${{ github.sha }}
BUILD_DATE=${{ github.event.head_commit.timestamp }}
- name: Smoke test (amd64)
run: |
docker buildx build \
--platform linux/amd64 \
--load \
--tag msgvault:test \
--build-arg VERSION=test \
--build-arg COMMIT=$(echo $GITHUB_SHA | cut -c1-8) \
--build-arg BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ) \
.
docker run --rm msgvault:test version
docker run --rm msgvault:test --help
mkdir -p /tmp/msgvault-test && chmod 777 /tmp/msgvault-test
docker run --rm -v /tmp/msgvault-test:/data msgvault:test init-db
test -f /tmp/msgvault-test/msgvault.db || { echo "FATAL: database not created"; exit 1; }
rm -rf /tmp/msgvault-test
# Publish: build multi-arch and push to GHCR (main/tags only)
publish:
if: github.event_name != 'pull_request'
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up QEMU
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to Container Registry
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata for Docker
id: meta
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
# latest tag for main branch
type=raw,value=latest,enable={{is_default_branch}}
# version tags (v1.2.3 -> 1.2.3, v1.2.3 -> 1.2, v1.2.3 -> 1)
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
# sha tag for traceability
type=sha,prefix=sha-
- name: Prepare build args
id: build_args
run: |
if [[ "$GITHUB_REF" == refs/tags/v* ]]; then
VERSION="${GITHUB_REF#refs/tags/}"
else
VERSION="dev-$(echo $GITHUB_SHA | cut -c1-8)"
fi
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "commit=$(echo $GITHUB_SHA | cut -c1-8)" >> $GITHUB_OUTPUT
echo "build_date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_OUTPUT
- name: Build and push
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
VERSION=${{ steps.build_args.outputs.version }}
COMMIT=${{ steps.build_args.outputs.commit }}
BUILD_DATE=${{ steps.build_args.outputs.build_date }}
cache-from: type=gha
cache-to: type=gha,mode=max