ci: fixed buildx support, containerfile and workflows

fixed #10
2022-08-11 17:44:54 +02:00 · 2022-08-11 17:44:54 +02:00 · 9e223b5650
parent 99845f1ad6
commit 9e223b5650
8 changed files with 22 additions and 16 deletions
--- a/.github/workflows/_build.yml
+++ b/.github/workflows/_build.yml
@ -10,6 +10,8 @@ on:

 jobs:
  build:
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    strategy:
      matrix:
--- a/.github/workflows/_docker-buildx.yml
+++ b/.github/workflows/_docker-buildx.yml
@ -7,6 +7,9 @@ on:
 jobs:
  buildx:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read # Required to read dist files (and repository)
+      packages: write # Required to push packages to GHCR
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    name: Build Docker
@ -20,15 +23,18 @@ jobs:
          name: dist
          path: dist

+      - name: Log in to registry
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
+
      - name: Buildx
        run: |
-          echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u "${{ github.repository_owner }}" --password-stdin ghcr.io
          REPOSITORY=ghcr.io/${{ github.repository }}

-          TAG=latest
+          TAG_COMMIT=$(git describe --tag)
+          TAG_MAIN=latest
          if [ -z "$(git tag --points-at HEAD)" ]
          then
-            TAG="dev"
+          TAG_MAIN="dev"
          fi

-          CONTAINER_BUILDX_OPTIONS="--push --output=type=registry --tag $REPOSITORY:$(git describe --tags) --tag $REPOSITORY:$TAG" make buildx
+          CONTAINER_BUILDX_OPTIONS="--push --output=type=registry --tag $REPOSITORY:$TAG_COMMIT --tag $REPOSITORY:$TAG_MAIN" make buildx
--- a/.github/workflows/_golangci-lint.yml
+++ b/.github/workflows/_golangci-lint.yml
@ -2,11 +2,11 @@ name: "golangci-lint"

 on: workflow_call

-permissions:
-  contents: read
-  pull-requests: read
 jobs:
  golangci:
+    permissions:
+      contents: read
+      pull-requests: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
--- a/.github/workflows/_goreleaser.yml
+++ b/.github/workflows/_goreleaser.yml
@ -3,12 +3,11 @@ name: goreleaser
 on:
  workflow_call:

-permissions:
-  contents: write # Required to upload dist files
-
 jobs:
  goreleaser:
    runs-on: ubuntu-latest
+    permissions:
+      contents: write # Required to upload dist files
    steps:
      - name: Checkout
        uses: actions/checkout@v2
--- a/.github/workflows/_test.yml
+++ b/.github/workflows/_test.yml
@ -10,6 +10,8 @@ on:

 jobs:
  test:
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    strategy:
      matrix:
--- a/.github/workflows/push_version.yml
+++ b/.github/workflows/push_version.yml
@ -5,9 +5,6 @@ on:
    branches: [latest]
    tags: ["v*"]

-permissions:
-  contents: write # Required to upload dist files
-
 concurrency:
  group: ci-push-version-${{ github.ref }}
  cancel-in-progress: true
--- a/4
+++ b/4
@ -6,7 +6,8 @@ ARG TARGETARCH
 ARG TARGETOS
 ARG TARGETVARIANT
 COPY dist/bazaar_${TARGETOS}_${TARGETARCH}${TARGETVARIANT}/bazaar /usr/bin/bazaar
-RUN apk add --no-cache ca-certificates tzdata make
+RUN apk add --no-cache ca-certificates tzdata && \
+    chmod +x /usr/bin/bazaar

 # Server image
 FROM scratch
@ -19,5 +20,4 @@ COPY --from=builder /usr/bin/bazaar /usr/bin/bazaar
 COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

-
 ENTRYPOINT ["/usr/bin/bazaar"]
--- a/scripts/buildx.sh
+++ b/scripts/buildx.sh
@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-set -e
+set -ex

 if [ -z "$FROM_MAKEFILE" ]; then
    echo "Do not call this file directly - use the make command"