-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: don't create docker images for users without org's secrets #2585
chore: don't create docker images for users without org's secrets #2585
Conversation
You can find the image built from this PR at
Built from b151b61 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not pretty sure if it is possible to use the local docker repo instead of publishing to quay in case creds are missing....?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this! Just added a question :)
- name: Checkout code | ||
if: ${{ steps.secrets.outcome == 'success' }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aren't we just willing to skip the image deployment part if the user doesn't have access to secrets?
In other words, are we willing to skip the following snippet?
docker login -u ${QUAY_USER} -p ${QUAY_PASSWORD} quay.io
docker build -t ${IMAGE} -f docker/binaries/Dockerfile.bn.amd64 --label quay.expires-after=30d .
docker push ${IMAGE}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes! So that was my initial approach. But then I noticed that the whole workflow doesn't make sense if the image is not being published. We already have separate workflows for builds, so there's no value in running another build, creating a docker-image and deleting it.
We could only skip the image deployment and the subsequent step which is writing in the PR the info of the image deployed, but in that case I don't think none of the previous add any value.
Allowing users outside of the org to pass the CI by omitting the workflow of creating and publishing a docker image of the PR.
Were not able to find a cleaner approach. Apparently it's not possible to run a job only if an env variable exists.
Also tried to create a job that checks if the secret exists and run the
build-docker-image
only if the previous job succeeded, but either the CI failed or it did not skip the subsequent job.WDYT? Any better ideas?
Changes
container-image
workflow with secret existence checksIssue
closes #2497