Add guard to tj-actions/changed-files #105
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI/CD | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- "**" | |
- "!dependabot/**" | |
tags: | |
- "release-**" | |
pull_request: | |
branches: | |
- "**" | |
permissions: | |
contents: read | |
jobs: | |
changed-files: | |
name: Detect Changed Files | |
runs-on: ubuntu-latest | |
outputs: | |
run-ci: ${{ github.ref_type == 'tag' || (github.ref_type != 'tag' && steps.ci-files-changed.outputs.paths_any_changed == 'true') }} | |
run-tag-for-release: ${{ github.ref == 'refs/heads/main' && env.COMMIT_IS_TAGGED != 'true' && steps.release-files-changed.outputs.paths_any_changed == 'true' }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
github.com:443 | |
- name: Checkout | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
- name: Check for Tag | |
run: | | |
if git describe --contains "$GITHUB_SHA"; then | |
echo 'COMMIT_IS_TAGGED=true' >> "$GITHUB_ENV"; | |
else | |
echo 'COMMIT_IS_TAGGED=false' >> "$GITHUB_ENV"; | |
fi | |
- name: CI Files Changed | |
id: ci-files-changed | |
if: ${{ github.ref_type != 'tag' }} | |
uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45.0.2 | |
with: | |
files_yaml: | | |
paths: | |
- "**" | |
- "!*.md" | |
- "!.github/**" | |
- ".github/workflows/*.yml" | |
- name: Release Files Changed | |
id: release-files-changed | |
if: ${{ github.ref_type != 'tag' }} | |
uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45.0.2 | |
with: | |
files_yaml: | | |
paths: | |
- "make-release" | |
- "src/image/entrypoint" | |
- "src/user-mirror" | |
ci: | |
name: Continuous Integration | |
runs-on: ubuntu-latest | |
needs: changed-files | |
if: ${{ needs.changed-files.outputs.run-ci == 'true' }} | |
strategy: | |
matrix: | |
container-context: ["docker-default", "docker-rootless", "podman"] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
disable-sudo: ${{ matrix.container-context != 'docker-rootless' }} | |
egress-policy: block | |
allowed-endpoints: > | |
auth.docker.io:443 | |
dl-cdn.alpinelinux.org:443 | |
download.docker.com:443 | |
files.pythonhosted.org:443 | |
get.docker.com:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
production.cloudflare.docker.com:443 | |
pypi.org:443 | |
quay.io:443 | |
registry-1.docker.io:443 | |
- name: Checkout | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
- name: Use Rootless Docker | |
if: ${{ matrix.container-context == 'docker-rootless' }} | |
uses: ScribeMD/rootless-docker@6bd157a512c2fafa4e0243a8aa87d964eb890886 # 0.2.2 | |
- name: Install Podman Compose | |
if: ${{ matrix.container-context == 'podman' }} | |
# Podman in the GitHub runner is out of date, so we either need to upgrade it ourselves or install an older version of podman-compose. | |
# https://github.com/containers/podman-compose/issues/980#issuecomment-2199531338 | |
run: | | |
echo 'podman-compose == 1.0.6 --hash=sha256:48c92e6cdac1732422c6cfa803d8a905a61be4119dc0d41f9ed42c66826e9a78' > /tmp/requirements.txt | |
echo 'python-dotenv == 1.0.1 --hash=sha256:f7b63ef50f1b690dddf550d03497b66d609393b40b564ed0d674909a68ebf16a' >> /tmp/requirements.txt | |
pip3 install --require-hashes --requirement /tmp/requirements.txt | |
rm /tmp/requirements.txt | |
- name: Docker Cache | |
id: docker-cache | |
uses: ScribeMD/docker-cache@fb28c93772363301b8d0a6072ce850224b73f74e # 0.5.0 | |
with: | |
key: docker-${{ runner.os }}-${{ hashFiles('./images/**/Dockerfile') }} | |
- name: Run Tests | |
run: | | |
grep -e '^#!/bin/sh' --exclude-dir=.git -lR | xargs chmod --changes +x | |
COMPOSE_ENGINE='${{ contains(matrix.container-context, 'podman') && 'podman-compose' || 'docker compose' }}' TESTING_ENVIRONMENT_DIR='/tmp/docker-user-mirror/' ./ci | |
- name: Test Release Script | |
run: | | |
chmod --changes +x ./make-release | |
./make-release | |
tag-for-release: | |
name: Tag for Release | |
runs-on: ubuntu-latest | |
needs: [changed-files, ci] | |
environment: elevated-workflow | |
concurrency: | |
group: tag-for-release | |
if: ${{ needs.changed-files.outputs.run-tag-for-release == 'true' }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
github.com:22 | |
github.com:443 | |
- name: Checkout | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
fetch-depth: 0 | |
fetch-tags: true | |
filter: tree:0 | |
ssh-key: ${{ secrets.ELEVATED_WORKFLOW_DEPLOY_KEY }} | |
- name: Get Latest Release Tag | |
run: echo "LATEST_RELEASE_TAG=$(git tag --list --sort=-v:refname release-* | head -1)" >> $GITHUB_ENV | |
- name: Increment Tag | |
id: increment-tag | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
env: | |
LATEST_RELEASE_TAG: ${{ env.LATEST_RELEASE_TAG }} | |
with: | |
script: | | |
const latestReleaseTag = process.env.LATEST_RELEASE_TAG; | |
if (latestReleaseTag.length === 0) { | |
throw new Error("LATEST_RELEASE_TAG is empty!"); | |
} | |
const incrementReleaseTag = latestReleaseTag.replace(/(\d+)([^\.]*)$/, (_, x, y) => (Number(x) + 1).toString() + y); | |
if (latestReleaseTag === incrementReleaseTag) { | |
throw new Error("Tag increment failed! (proposed tag matches LATEST_RELEASE_TAG)"); | |
} | |
if (incrementReleaseTag.length < latestReleaseTag.length) { | |
throw new Error(`Tag increment failed! (proposed tag ${incrementReleaseTag} is shorter than ${latestReleaseTag}`); | |
} | |
return incrementReleaseTag; | |
- name: Tag Release | |
env: | |
NEW_RELEASE_TAG: ${{ fromJson(steps.increment-tag.outputs.result) }} | |
run: | | |
git config --global user.email "<>" | |
git config --global user.name "$RUNNER_NAME" | |
git tag -m "Automated Release" "$NEW_RELEASE_TAG"; | |
git push origin tag "$NEW_RELEASE_TAG"; | |
cd: | |
name: Continuous Deployment | |
runs-on: ubuntu-latest | |
needs: ci | |
permissions: | |
contents: write # Needed to create a release https://docs.github.com/en/rest/releases/releases#create-a-release | |
concurrency: | |
group: cd-${{ github.ref }} | |
cancel-in-progress: true | |
if: ${{ startsWith(github.ref, 'refs/tags/release-') }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
github.com:443 | |
uploads.github.com:443 | |
- name: Checkout | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
with: | |
fetch-depth: 0 | |
fetch-tags: true | |
filter: tree:0 | |
- name: Get Latest Release Tag | |
run: echo "LATEST_RELEASE_TAG=$(git tag --list --sort=-v:refname release-* | head -1)" >> $GITHUB_ENV | |
- name: Extract Version | |
run: echo "RELEASE_VERSION=$(echo "$GITHUB_REF" | cut -c 19-)" >> $GITHUB_ENV | |
- name: Generate Release Artifacts | |
run: | | |
chmod --changes +x ./make-release | |
./make-release | |
- name: Create Release | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
artifactErrorsFailBuild: true | |
artifacts: "release/entrypoint,release/user-mirror,release/version" | |
generateReleaseNotes: true | |
makeLatest: ${{ github.ref_name == env.LATEST_RELEASE_TAG }} | |
name: Release ${{ env.RELEASE_VERSION }} |