Revert "Remove failing docker publish line" (#64)

celestiaorg · Jul 11, 2023 · 84d7d3c · 84d7d3c
1 parent 911f77b
commit 84d7d3c
Showing 1 changed file with 36 additions and 7 deletions.
diff --git a/.github/workflows/reusable_dockerfile_pipeline.yml b/.github/workflows/reusable_dockerfile_pipeline.yml
@@ -83,12 +83,12 @@ jobs:
           OUTPUT_IMAGE_NAME: ${{ needs.prepare-env.outputs.output_image_name }}
         with:
           # here we use the local tag that we've built before
-          image-ref: '${{ env.OUTPUT_IMAGE_NAME }}:${{ env.OUTPUT_SHORT_SHA }}'
-          format: 'table'
+          image-ref: "${{ env.OUTPUT_IMAGE_NAME }}:${{ env.OUTPUT_SHORT_SHA }}"
+          format: "table"
           #exit-code: '1' # uncomment to stop the CI if the scanner fails
           ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
 
   docker-build:
     runs-on: "ubuntu-latest"
@@ -135,9 +135,38 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
 
-      # We always build the image but we only push if we are on the `main`,
-      # `master` branch or a versioned `v*` branch
-      - name: Build and Push Docker Image (amd64 and arm64)
+      # Build amd64 images always, and publish when it is not a fork. The Github
+      # security model prevents forks from pushing to the registry so we can
+      # only push if the branch/PR is not generated from a fork. Even though
+      # forks can't push, we still want to try and build the image to catch
+      # bugs. For testing purposes we only need an amd64 image.
+      - name: Build and Push Docker Image amd64
+        uses: docker/build-push-action@v4
+        env:
+          OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }}
+          OUTPUT_IMAGE_NAME: ${{ needs.prepare-env.outputs.output_image_name }}
+        with:
+          context: .
+          platforms: linux/amd64
+          # Only push if the head and base repos match, meaning it is not a fork
+          # yamllint disable
+          push: ${{ github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name }}
+          # yamllint enable
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          file: ${{ inputs.dockerfile }}
+
+      # Build and Publish images on main, master, and versioned branches.
+      #
+      # NOTES:
+      # This step overrides the tag from the previous step. It will re-use
+      # the cached image that was built and only build the remaining images.
+      #
+      # The reason we split out these steps into 2 is for better handling of
+      # forks when building amd64 images and to enable faster availability of
+      # the amd64 image since building the arm64 image takes significantly
+      # longer.
+      - name: Build and Push Docker Images
         uses: docker/build-push-action@v4
         # yamllint disable
         # only run when the branch is main, master or starts with v*