chore: don't create docker images for users without org's secrets #2585

Merged
merged 10 commits into from
Apr 17, 2024
20 changes: 19 additions & 1 deletion .github/workflows/container-image.yml
Expand Up @@ -16,6 +16,8 @@ env:
MAKEFLAGS: "-j${NPROC}"
NIMFLAGS: "--parallelBuild:${NPROC}"

# This workflow should not run for outside contributors
# If org secrets are not available, we'll avoid building and publishing the docker image and we'll pass the workflow
jobs:
build-docker-image:
strategy:
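Review bot: The first added comment line, "This workflow should not run for outside contributors", does not match the behaviour described by the second line: the workflow still triggers and the job still starts, it only skips its steps and then passes. Reword the first line, for example "Steps are skipped for contributors without access to org secrets", so it is not read as an access control on the workflow itself.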
Expand All @@ -29,15 +31,30 @@ jobs:
outputs:
image: ${{ steps.build.outputs.image }}
steps:
- name: Check secrets
id: secrets
continue-on-error: true
run: |
if [[ -z "$QUAY_PASSWORD" || -z "$QUAY_USER" ]]; then
echo "User does not have access to secrets, skipping workflow"
exit 1
fi
env:
QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }}
QUAY_USER: ${{ secrets.QUAY_USER }}

- name: Checkout code
if: ${{ steps.secrets.outcome == 'success' }}
Collaborator

Aren't we just willing to skip the image deployment part if the user doesn't have access to secrets?

In other words, are we willing to skip the following snippet?

          docker login -u ${QUAY_USER} -p ${QUAY_PASSWORD} quay.io
          docker build -t ${IMAGE} -f docker/binaries/Dockerfile.bn.amd64 --label quay.expires-after=30d .
          docker push ${IMAGE}

Contributor Author

Yes! So that was my initial approach. But then I noticed that the whole workflow doesn't make sense if the image is not being published. We already have separate workflows for builds, so there's no value in running another build, creating a docker-image and deleting it.

We could only skip the image deployment and the subsequent step which is writing in the PR the info of the image deployed, but in that case I don't think any of the previous steps add any value.

uses: actions/checkout@v3

- name: Get submodules hash
id: submodules
if: ${{ steps.secrets.outcome == 'success' }}
run: |
echo "hash=$(git submodule status | awk '{print $1}' | sort | shasum -a 256 | sed 's/[ -]*//g')" >> $GITHUB_OUTPUT

- name: Cache submodules
if: ${{ steps.secrets.outcome == 'success' }}
uses: actions/cache@v3
with:
path: |
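Review bot: The gate only holds if every step repeats `if: ${{ steps.secrets.outcome == 'success' }}`, so a step added later without that line will run in the no-secrets case. In the "Check secrets" step, add a comment that `outcome` must not be swapped for `conclusion`, because with `continue-on-error: true` the conclusion is `success` even after `exit 1`. Also consider having the step exit 0 and write a flag to `$GITHUB_OUTPUT` that the later `if:` conditions read, so a skip is not recorded as a step failure.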
Expand All @@ -47,6 +64,7 @@ jobs:

- name: Build binaries
id: build
if: ${{ steps.secrets.outcome == 'success' }}
run: |

make RLN_V2=${{matrix.rln_v2}} -j${NPROC} V=1 QUICK_AND_DIRTY_COMPILER=1 NIMFLAGS="-d:disableMarchNative -d:postgres" wakunode2
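Review bot: With `if:` now on the step that has `id: build`, the job output `image: ${{ steps.build.outputs.image }}` declared under `outputs:` is empty whenever the step is skipped. If another job or workflow reads that output it needs to handle the empty value; otherwise a one-line comment next to `outputs:` saying it is unset for runs without secrets would help.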
Expand All @@ -69,7 +87,7 @@ jobs:

- name: Comment PR
uses: thollander/actions-comment-pull-request@v2
if: ${{ github.event_name == 'pull_request' }}
if: ${{ github.event_name == 'pull_request' && steps.secrets.outcome == 'success' }}
with:
message: |
You can find the image built from this PR at