From 9e223b56505b8fd3fff44313cee9867818383d82 Mon Sep 17 00:00:00 2001 From: Felipe M Date: Thu, 11 Aug 2022 17:44:54 +0200 Subject: [PATCH] ci: fixed buildx support, containerfile and workflows fixed #10 --- .github/workflows/_build.yml | 2 ++ .github/workflows/_docker-buildx.yml | 14 ++++++++++---- .github/workflows/_golangci-lint.yml | 6 +++--- .github/workflows/_goreleaser.yml | 5 ++--- .github/workflows/_test.yml | 2 ++ .github/workflows/push_version.yml | 3 --- Containerfile | 4 ++-- scripts/buildx.sh | 2 +- 8 files changed, 22 insertions(+), 16 deletions(-) diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml index 62a2c53..b4e0e33 100644 --- a/.github/workflows/_build.yml +++ b/.github/workflows/_build.yml @@ -10,6 +10,8 @@ on: jobs: build: + permissions: + contents: read runs-on: ubuntu-latest strategy: matrix: diff --git a/.github/workflows/_docker-buildx.yml b/.github/workflows/_docker-buildx.yml index f4b7f3e..dcbcff0 100644 --- a/.github/workflows/_docker-buildx.yml +++ b/.github/workflows/_docker-buildx.yml @@ -7,6 +7,9 @@ on: jobs: buildx: runs-on: ubuntu-latest + permissions: + contents: read # Required to read dist files (and repository) + packages: write # Required to push packages to GHCR env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} name: Build Docker 
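Review bot: In `.github/workflows/_docker-buildx.yml` the unchanged job-level `env:` block shown in this hunk exports `GITHUB_TOKEN` to every step of the `buildx` job, so the token that the new `packages: write` grant covers is also in the environment of steps that do not need it. Unless a later step reads it from the environment (not visible in this hunk), I would drop the job-level entry and set `env:` with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` only on the registry login step. The job definition continues past the end of the hunk.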
@@ -20,15 +23,18 @@ jobs: name: dist path: dist + - name: Log in to registry + run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin + - name: Buildx run: | - echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u "${{ github.repository_owner }}" --password-stdin ghcr.io REPOSITORY=ghcr.io/${{ github.repository }} - TAG=latest + TAG_COMMIT=$(git describe --tag) + TAG_MAIN=latest if [ -z "$(git tag --points-at HEAD)" ] then - TAG="dev" + TAG_MAIN="dev" fi - CONTAINER_BUILDX_OPTIONS="--push --output=type=registry --tag $REPOSITORY:$(git describe --tags) --tag $REPOSITORY:$TAG" make buildx + CONTAINER_BUILDX_OPTIONS="--push --output=type=registry --tag $REPOSITORY:$TAG_COMMIT --tag $REPOSITORY:$TAG_MAIN" make buildx diff --git a/.github/workflows/_golangci-lint.yml b/.github/workflows/_golangci-lint.yml index 066c8d7..5817faa 100644 --- a/.github/workflows/_golangci-lint.yml +++ b/.github/workflows/_golangci-lint.yml @@ -2,11 +2,11 @@ name: "golangci-lint" on: workflow_call -permissions: - contents: read - pull-requests: read jobs: golangci: + permissions: + contents: read + pull-requests: read runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 diff --git a/.github/workflows/_goreleaser.yml b/.github/workflows/_goreleaser.yml index 9d40b79..88a4039 100644 --- a/.github/workflows/_goreleaser.yml +++ b/.github/workflows/_goreleaser.yml @@ -3,12 +3,11 @@ name: goreleaser on: workflow_call: -permissions: - contents: write # Required to upload dist files - jobs: goreleaser: runs-on: ubuntu-latest + permissions: + contents: write # Required to upload dist files steps: - name: Checkout uses: actions/checkout@v2 diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml index 33c3993..24ab1ba 100644 --- a/.github/workflows/_test.yml +++ b/.github/workflows/_test.yml @@ -10,6 +10,8 @@ on: jobs: test: + permissions: + contents: read runs-on: ubuntu-latest strategy: matrix: 
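Review bot: The added login step in `_docker-buildx.yml` passes a literal `$` as the user name (`-u $`), which looks like a lost `${{ github.actor }}` expression; the removed line used `-u "${{ github.repository_owner }}"`. Even if the registry accepts it, the step also pastes `${{ secrets.GITHUB_TOKEN }}` into the script text although the job already exports the token as an environment variable. I would write it as `run: echo "$GITHUB_TOKEN" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin`. In the Buildx step, `git describe --tag` works only because git accepts abbreviated long options; the removed line spelled it `--tags`, and `TAG_COMMIT=$(git describe --tags)` avoids relying on that.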
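Review bot: The job-level `contents: write` in `_goreleaser.yml` (and likewise `packages: write` in `_docker-buildx.yml`) is requested inside a `workflow_call` workflow, where the token can only be narrowed from what the calling job has, never widened. This patch also deletes the workflow-level `permissions:` block from `push_version.yml`, which is presumably the caller, so the effective scopes now depend on the repository's default token setting: with a read-only default the request cannot be satisfied, and with a permissive default the caller's own jobs run with every scope. Declaring the grant on the calling job, `permissions:` with `contents: write` next to its `uses:` line, keeps the result independent of that setting. The caller's job definitions are outside this patch, so this needs checking against the full file.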
diff --git a/.github/workflows/push_version.yml b/.github/workflows/push_version.yml index 7af0b7b..06dcd85 100644 --- a/.github/workflows/push_version.yml +++ b/.github/workflows/push_version.yml @@ -5,9 +5,6 @@ on: branches: [latest] tags: ["v*"] -permissions: - contents: write # Required to upload dist files - concurrency: group: ci-push-version-${{ github.ref }} cancel-in-progress: true diff --git a/Containerfile b/Containerfile index 9d51d2a..9d22658 100644 --- a/Containerfile +++ b/Containerfile @@ -6,7 +6,8 @@ ARG TARGETARCH ARG TARGETOS ARG TARGETVARIANT COPY dist/bazaar_${TARGETOS}_${TARGETARCH}${TARGETVARIANT}/bazaar /usr/bin/bazaar -RUN apk add --no-cache ca-certificates tzdata make +RUN apk add --no-cache ca-certificates tzdata && \ + chmod +x /usr/bin/bazaar # Server image FROM scratch @@ -19,5 +20,4 @@ COPY --from=builder /usr/bin/bazaar /usr/bin/bazaar COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt - ENTRYPOINT ["/usr/bin/bazaar"] diff --git a/scripts/buildx.sh b/scripts/buildx.sh index 3ac5d2f..cea46c4 100644 --- a/scripts/buildx.sh +++ b/scripts/buildx.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash -set -e +set -ex if [ -z "$FROM_MAKEFILE" ]; then echo "Do not call this file directly - use the make command"
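Review bot: The added `chmod +x /usr/bin/bazaar` in the builder stage of `Containerfile` carries no comment saying why the copied binary is not already executable, and `+x` only adds execute bits, leaving whatever other mode bits the `dist/` file arrived with. Setting the mode on the copy is explicit and saves the extra command, assuming the builder supports the flag (the build goes through buildx): `COPY --chmod=0755 dist/bazaar_${TARGETOS}_${TARGETARCH}${TARGETVARIANT}/bazaar /usr/bin/bazaar`. If the `RUN` form stays, a one-line comment such as `# dist artifact arrives without the executable bit` would help, if that is indeed the reason.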
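Review bot: `set -ex` in `scripts/buildx.sh` turns on command tracing unconditionally, so every expanded command line is written to the CI log of a job that holds a registry token in its environment. Log masking covers only the exact registered secret strings, not values derived from them or other sensitive arguments. Keeping `set -e` and enabling tracing on request, for example `if [ -n "${DEBUG:-}" ]; then set -x; fi`, gives the same debugging aid without tracing every run. The rest of the script is outside this hunk, so which commands end up traced cannot be checked from here.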