Skip to content

Bump unzip-stream from 0.3.1 to 0.3.4 #1070

Bump unzip-stream from 0.3.1 to 0.3.4

Bump unzip-stream from 0.3.1 to 0.3.4 #1070

##### This workflow uses pull_request target which allows forked and Dependabot
##### PRs access to our secrets. Be very careful with what you do here, and don't
##### ever check out and run the code unless you're absolutely sure it's bullet proof
name: Build And Push Docker Containers
on:
push:
branches: main
pull_request_target: {}
permissions: {}
env:
DOCKERHUB_USERNAME: emilgoldsmith
jobs:
get-ref-and-sha:
name: Get Ref And SHA
runs-on: ubuntu-20.04
outputs:
sha: ${{ steps.output.outputs.sha }}
ref: ${{ steps.output.outputs.ref }}
# Dependabot doesn't receive secrets on a push event
# so can't run our CI, so we just skip CI for it.
# We have settings set up that ensure it can't be merged without
# being up to date with main, so it shouldn't be an issue
if: ${{ !( github.event_name == 'push' && github.event.sender.login == 'dependabot[bot]' ) }}
steps:
- name: Output the ref and sha depending on event type
id: output
env:
EVENT_NAME: ${{ github.event_name }}
MAIN_REF: ${{ github.ref }}
PR_REF: ${{ github.event.pull_request.head.ref }}
run: >
(
[[ "$EVENT_NAME" == 'push' ]] &&
(
echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT &&
echo "ref=$MAIN_REF" >> $GITHUB_OUTPUT
)
) ||
(
[[ "$EVENT_NAME" == 'pull_request_target' ]] &&
(
echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT &&
echo "ref=$PR_REF" >> $GITHUB_OUTPUT
)
) ||
(
echo "ERROR: Unexpected event name $EVENT_NAME" &&
exit 1
)
main:
name: Build And Push All Our Docker Containers
runs-on: ubuntu-20.04
permissions:
contents: read
needs: get-ref-and-sha
env:
repository: sctrainer/main
ci-container-tag: ci-container-v7
ci-chrome-tag: ci-chrome-v4
production-tag: production-${{ needs.get-ref-and-sha.outputs.sha }}
# Dependabot doesn't receive secrets on a push event
# so can't run our CI, so we just skip CI for it.
# We have settings set up that ensure it can't be merged without
# being up to date with main, so it shouldn't be an issue
if: ${{ !( github.event_name == 'push' && github.event.sender.login == 'dependabot[bot]' ) }}
steps:
# The only reason we checkout this unsafe code is because we are
# certain that docker builds run in a fully secure contained environment
# where it won't have access to our secrets. Don't do anything else with
# this code! Especially don't allow it to execute in any way!
- name: Checkout possibly unsafe code
uses: actions/checkout@v4
with:
ref: ${{ needs.get-ref-and-sha.outputs.ref }}
# Being extra sure that people can't tamper with anything related to these secrets
- name: Ensure Dockerfile Wasn't Changed If Untrusted Source
if: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.author_association != 'OWNER' }}
run: git fetch origin main && git diff --exit-code origin/main Dockerfile
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ env.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Check if CI Container image already up to date
id: ci-container-up-to-date
run: curl --silent -f -lSL https://hub.docker.com/v2/repositories/${{ env.repository }}/tags/${{ env.ci-container-tag }}
continue-on-error: true
- name: Build and Push CI Container image
uses: docker/build-push-action@v5
if: ${{ steps.ci-container-up-to-date.outcome == 'failure' }}
with:
push: true
context: .
target: ci
tags: ${{ env.repository }}:${{ env.ci-container-tag }}
- name: Check if CI Chrome image already up to date
id: ci-chrome-up-to-date
run: curl --silent -f -lSL https://hub.docker.com/v2/repositories/${{ env.repository }}/tags/${{ env.ci-chrome-tag }}
continue-on-error: true
- name: Build and Push CI Chrome image
uses: docker/build-push-action@v5
if: ${{ steps.ci-chrome-up-to-date.outcome == 'failure' }}
with:
push: true
context: .
target: ci-chrome
tags: ${{ env.repository }}:${{ env.ci-chrome-tag }}
- name: Check if Production image built and pushed previously
id: production-up-to-date
run: curl --silent -f -lSL https://hub.docker.com/v2/repositories/${{ env.repository }}/tags/${{ env.production-tag }}
continue-on-error: true
- name: Build and Push Production image
uses: docker/build-push-action@v5
if: ${{ steps.production-up-to-date.outcome == 'failure' }}
with:
push: true
context: .
target: production
tags: ${{ env.repository }}:${{ env.production-tag }}