Bump express from 4.18.2 to 4.21.0 #1077
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ##### This workflow uses pull_request target which allows forked and Dependabot | |
| ##### PRs access to our secrets. Be very careful with what you do here, and don't | |
| ##### ever check out and run the code unless you're absolutely sure it's bullet proof | |
| name: Build And Push Docker Containers | |
| on: | |
| push: | |
| branches: main | |
| pull_request_target: {} | |
| permissions: {} | |
| env: | |
| DOCKERHUB_USERNAME: emilgoldsmith | |
| jobs: | |
| get-ref-and-sha: | |
| name: Get Ref And SHA | |
| runs-on: ubuntu-20.04 | |
| outputs: | |
| sha: ${{ steps.output.outputs.sha }} | |
| ref: ${{ steps.output.outputs.ref }} | |
| # Dependabot doesn't receive secrets on a push event | |
| # so can't run our CI, so we just skip CI for it. | |
| # We have settings set up that ensure it can't be merged without | |
| # being up to date with main, so it shouldn't be an issue | |
| if: ${{ !( github.event_name == 'push' && github.event.sender.login == 'dependabot[bot]' ) }} | |
| steps: | |
| - name: Output the ref and sha depending on event type | |
| id: output | |
| env: | |
| EVENT_NAME: ${{ github.event_name }} | |
| MAIN_REF: ${{ github.ref }} | |
| PR_REF: ${{ github.event.pull_request.head.ref }} | |
| run: > | |
| ( | |
| [[ "$EVENT_NAME" == 'push' ]] && | |
| ( | |
| echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT && | |
| echo "ref=$MAIN_REF" >> $GITHUB_OUTPUT | |
| ) | |
| ) || | |
| ( | |
| [[ "$EVENT_NAME" == 'pull_request_target' ]] && | |
| ( | |
| echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT && | |
| echo "ref=$PR_REF" >> $GITHUB_OUTPUT | |
| ) | |
| ) || | |
| ( | |
| echo "ERROR: Unexpected event name $EVENT_NAME" && | |
| exit 1 | |
| ) | |
| main: | |
| name: Build And Push All Our Docker Containers | |
| runs-on: ubuntu-20.04 | |
| permissions: | |
| contents: read | |
| needs: get-ref-and-sha | |
| env: | |
| repository: sctrainer/main | |
| ci-container-tag: ci-container-v7 | |
| ci-chrome-tag: ci-chrome-v4 | |
| production-tag: production-${{ needs.get-ref-and-sha.outputs.sha }} | |
| # Dependabot doesn't receive secrets on a push event | |
| # so can't run our CI, so we just skip CI for it. | |
| # We have settings set up that ensure it can't be merged without | |
| # being up to date with main, so it shouldn't be an issue | |
| if: ${{ !( github.event_name == 'push' && github.event.sender.login == 'dependabot[bot]' ) }} | |
| steps: | |
| # The only reason we checkout this unsafe code is because we are | |
| # certain that docker builds run in a fully secure contained environment | |
| # where it won't have access to our secrets. Don't do anything else with | |
| # this code! Especially don't allow it to execute in any way! | |
| - name: Checkout possibly unsafe code | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ needs.get-ref-and-sha.outputs.ref }} | |
| # Being extra sure that people can't tamper with anything related to these secrets | |
| - name: Ensure Dockerfile Wasn't Changed If Untrusted Source | |
| if: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.author_association != 'OWNER' }} | |
| run: git fetch origin main && git diff --exit-code origin/main Dockerfile | |
| - name: Setup Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to DockerHub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ env.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Check if CI Container image already up to date | |
| id: ci-container-up-to-date | |
| run: curl --silent -f -lSL https://hub.docker.com/v2/repositories/${{ env.repository }}/tags/${{ env.ci-container-tag }} | |
| continue-on-error: true | |
| - name: Build and Push CI Container image | |
| uses: docker/build-push-action@v5 | |
| if: ${{ steps.ci-container-up-to-date.outcome == 'failure' }} | |
| with: | |
| push: true | |
| context: . | |
| target: ci | |
| tags: ${{ env.repository }}:${{ env.ci-container-tag }} | |
| - name: Check if CI Chrome image already up to date | |
| id: ci-chrome-up-to-date | |
| run: curl --silent -f -lSL https://hub.docker.com/v2/repositories/${{ env.repository }}/tags/${{ env.ci-chrome-tag }} | |
| continue-on-error: true | |
| - name: Build and Push CI Chrome image | |
| uses: docker/build-push-action@v5 | |
| if: ${{ steps.ci-chrome-up-to-date.outcome == 'failure' }} | |
| with: | |
| push: true | |
| context: . | |
| target: ci-chrome | |
| tags: ${{ env.repository }}:${{ env.ci-chrome-tag }} | |
| - name: Check if Production image built and pushed previously | |
| id: production-up-to-date | |
| run: curl --silent -f -lSL https://hub.docker.com/v2/repositories/${{ env.repository }}/tags/${{ env.production-tag }} | |
| continue-on-error: true | |
| - name: Build and Push Production image | |
| uses: docker/build-push-action@v5 | |
| if: ${{ steps.production-up-to-date.outcome == 'failure' }} | |
| with: | |
| push: true | |
| context: . | |
| target: production | |
| tags: ${{ env.repository }}:${{ env.production-tag }} |