Skip to content
CI/CD

Bump tj-actions/changed-files from 45.0.2 to 45.0.3 #112

Sign in to view logs

Bump tj-actions/changed-files from 45.0.2 to 45.0.3

Bump tj-actions/changed-files from 45.0.2 to 45.0.3 #112

Workflow file for this run

.github/workflows/cicd.yml at 7916f09
name: CI/CD
on:
workflow_dispatch:
push:
branches:
- "**"
- "!dependabot/**"
tags:
- "release-**"
pull_request:
branches:
- "**"
permissions:
contents: read
jobs:
changed-files:
name: Detect Changed Files
runs-on: ubuntu-latest
outputs:
run-ci: ${{ github.ref_type == 'tag' || (github.ref_type != 'tag' && steps.ci-files-changed.outputs.paths_any_changed == 'true') }}
run-tag-for-release: ${{ github.ref == 'refs/heads/main' && env.COMMIT_IS_TAGGED != 'true' && steps.release-files-changed.outputs.paths_any_changed == 'true' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
- name: Checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Check for Tag
run: |
if git describe --contains "$GITHUB_SHA"; then
echo 'COMMIT_IS_TAGGED=true' >> "$GITHUB_ENV";
else
echo 'COMMIT_IS_TAGGED=false' >> "$GITHUB_ENV";
fi
- name: CI Files Changed
id: ci-files-changed
if: ${{ github.ref_type != 'tag' }}
uses: tj-actions/changed-files@c3a1bb2c992d77180ae65be6ae6c166cf40f857c # v45.0.3
with:
files_yaml: |
paths:
- "**"
- "!*.md"
- "!.github/**"
- ".github/workflows/*.yml"
- name: Release Files Changed
id: release-files-changed
if: ${{ github.ref_type != 'tag' }}
uses: tj-actions/changed-files@c3a1bb2c992d77180ae65be6ae6c166cf40f857c # v45.0.3
with:
files_yaml: |
paths:
- "make-release"
- "src/image/entrypoint"
- "src/user-mirror"
ci:
name: Continuous Integration
runs-on: ubuntu-latest
needs: changed-files
if: ${{ needs.changed-files.outputs.run-ci == 'true' }}
strategy:
matrix:
container-context: ["docker-default", "docker-rootless", "podman"]
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: ${{ matrix.container-context != 'docker-rootless' }}
egress-policy: block
allowed-endpoints: >
auth.docker.io:443
dl-cdn.alpinelinux.org:443
download.docker.com:443
files.pythonhosted.org:443
get.docker.com:443
github.com:443
objects.githubusercontent.com:443
production.cloudflare.docker.com:443
pypi.org:443
quay.io:443
registry-1.docker.io:443
- name: Checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Use Rootless Docker
if: ${{ matrix.container-context == 'docker-rootless' }}
uses: ScribeMD/rootless-docker@6bd157a512c2fafa4e0243a8aa87d964eb890886 # 0.2.2
- name: Install Podman Compose
if: ${{ matrix.container-context == 'podman' }}
# Podman in the GitHub runner is out of date, so we either need to upgrade it ourselves or install an older version of podman-compose.
# https://github.com/containers/podman-compose/issues/980#issuecomment-2199531338
run: |
echo 'podman-compose == 1.0.6 --hash=sha256:48c92e6cdac1732422c6cfa803d8a905a61be4119dc0d41f9ed42c66826e9a78' > /tmp/requirements.txt
echo 'python-dotenv == 1.0.1 --hash=sha256:f7b63ef50f1b690dddf550d03497b66d609393b40b564ed0d674909a68ebf16a' >> /tmp/requirements.txt
pip3 install --require-hashes --requirement /tmp/requirements.txt
rm /tmp/requirements.txt
- name: Docker Cache
id: docker-cache
uses: ScribeMD/docker-cache@fb28c93772363301b8d0a6072ce850224b73f74e # 0.5.0
with:
key: docker-${{ runner.os }}-${{ hashFiles('./images/**/Dockerfile') }}
- name: Run Tests
run: |
grep -e '^#!/bin/sh' --exclude-dir=.git -lR | xargs chmod --changes +x
COMPOSE_ENGINE='${{ contains(matrix.container-context, 'podman') && 'podman-compose' || 'docker compose' }}' TESTING_ENVIRONMENT_DIR='/tmp/docker-user-mirror/' ./ci
- name: Test Release Script
run: |
chmod --changes +x ./make-release
./make-release
tag-for-release:
name: Tag for Release
runs-on: ubuntu-latest
needs: [changed-files, ci]
environment: elevated-workflow
concurrency:
group: tag-for-release
if: ${{ needs.changed-files.outputs.run-tag-for-release == 'true' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:22
github.com:443
- name: Checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
fetch-depth: 0
fetch-tags: true
filter: tree:0
ssh-key: ${{ secrets.ELEVATED_WORKFLOW_DEPLOY_KEY }}
- name: Get Latest Release Tag
run: echo "LATEST_RELEASE_TAG=$(git tag --list --sort=-v:refname release-* | head -1)" >> $GITHUB_ENV
- name: Increment Tag
id: increment-tag
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
env:
LATEST_RELEASE_TAG: ${{ env.LATEST_RELEASE_TAG }}
with:
script: |
const latestReleaseTag = process.env.LATEST_RELEASE_TAG;
if (latestReleaseTag.length === 0) {
throw new Error("LATEST_RELEASE_TAG is empty!");
}
const incrementReleaseTag = latestReleaseTag.replace(/(\d+)([^\.]*)$/, (_, x, y) => (Number(x) + 1).toString() + y);
if (latestReleaseTag === incrementReleaseTag) {
throw new Error("Tag increment failed! (proposed tag matches LATEST_RELEASE_TAG)");
}
if (incrementReleaseTag.length < latestReleaseTag.length) {
throw new Error(`Tag increment failed! (proposed tag ${incrementReleaseTag} is shorter than ${latestReleaseTag}`);
}
return incrementReleaseTag;
- name: Tag Release
env:
NEW_RELEASE_TAG: ${{ fromJson(steps.increment-tag.outputs.result) }}
run: |
git config --global user.email "<>"
git config --global user.name "$RUNNER_NAME"
git tag -m "Automated Release" "$NEW_RELEASE_TAG";
git push origin tag "$NEW_RELEASE_TAG";
cd:
name: Continuous Deployment
runs-on: ubuntu-latest
needs: ci
permissions:
contents: write # Needed to create a release https://docs.github.com/en/rest/releases/releases#create-a-release
concurrency:
group: cd-${{ github.ref }}
cancel-in-progress: true
if: ${{ startsWith(github.ref, 'refs/tags/release-') }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
uploads.github.com:443
- name: Checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
fetch-depth: 0
fetch-tags: true
filter: tree:0
- name: Get Latest Release Tag
run: echo "LATEST_RELEASE_TAG=$(git tag --list --sort=-v:refname release-* | head -1)" >> $GITHUB_ENV
- name: Extract Version
run: echo "RELEASE_VERSION=$(echo "$GITHUB_REF" | cut -c 19-)" >> $GITHUB_ENV
- name: Generate Release Artifacts
run: |
chmod --changes +x ./make-release
./make-release
- name: Create Release
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
artifactErrorsFailBuild: true
artifacts: "release/entrypoint,release/user-mirror,release/version"
generateReleaseNotes: true
makeLatest: ${{ github.ref_name == env.LATEST_RELEASE_TAG }}
name: Release ${{ env.RELEASE_VERSION }}