[release-1.0] chore: add authorize job for pr build image workflow #10031
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright 2023 The Janus IDP Authors | |
| # | |
| # Licensed under the Apache License, Version 2.0 (the "License"); | |
| # you may not use this file except in compliance with the License. | |
| # You may obtain a copy of the License at | |
| # | |
| # http://www.apache.org/licenses/LICENSE-2.0 | |
| # | |
| # Unless required by applicable law or agreed to in writing, software | |
| # distributed under the License is distributed on an "AS IS" BASIS, | |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| # See the License for the specific language governing permissions and | |
| # limitations under the License. | |
| name: PR Docker Build | |
| on: | |
| pull_request_target: | |
| paths-ignore: | |
| - 'docs/**' | |
| - 'showcase-docs/**' | |
| - '.changeset/**' | |
| branches-ignore: | |
| - 'changeset-release/**' | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.number || github.event.pull_request.head.ref }} | |
| cancel-in-progress: true | |
| env: | |
| REGISTRY: quay.io | |
| jobs: | |
| check-commit-author: | |
| # This job is used to check if the commit author is an active member of the rhdh team. | |
| # It is used to determine if the PR should be run with the internal or external environment. | |
| # The job is run on the main branch to ensure that the action is not tampered with. | |
| runs-on: ubuntu-latest | |
| outputs: | |
| is_active_team_member: ${{ steps.team-check.outputs.is_active_member }} | |
| steps: | |
| - name: Generate GitHub App Token | |
| id: app-token | |
| uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1 | |
| with: | |
| app-id: ${{ secrets.RHDH_GITHUB_APP_ID }} | |
| private-key: ${{ secrets.RHDH_GITHUB_APP_PRIVATE_KEY }} | |
| - name: Checkout main branch for secure version of check-author action | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| with: | |
| fetch-depth: 1 | |
| ref: main # Always use main branch for security-critical action | |
| persist-credentials: false | |
| - name: Check if commit author is an active member of the team | |
| id: team-check | |
| uses: ./.github/actions/check-author | |
| with: | |
| author: ${{ github.actor }} | |
| organization: redhat-developer | |
| team: rhdh | |
| gh_token: ${{ steps.app-token.outputs.token }} | |
| authorize: | |
| # The 'external' environment is configured with the maintainers team as required reviewers. | |
| # All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks. | |
| # Use 'internal' environment if the author is in the team OR if it's an internal PR (not from a fork) | |
| # see list of approvers in OWNERS file | |
| environment: | |
| ${{ (needs.check-commit-author.outputs.is_active_team_member == 'true' || github.event.pull_request.head.repo.full_name == github.repository) && 'internal' || 'external' }} | |
| runs-on: ubuntu-latest | |
| needs: check-commit-author | |
| steps: | |
| - name: Check if internal PR | |
| id: check | |
| run: | | |
| if [[ "${{ needs.check-commit-author.outputs.is_active_team_member }}" == "true" ]]; then | |
| echo "✓ Commit author is in rhdh team - using internal environment" | |
| elif [[ "${{ github.event.pull_request.head.repo.full_name }}" == "${{ github.repository }}" ]]; then | |
| echo "✓ Internal PR (not from fork) - using internal environment" | |
| else | |
| echo "✓ External PR from fork from non-rhdh team member - using external environment for security" | |
| fi | |
| pr-docker-build: | |
| name: PR Docker Build | |
| runs-on: ubuntu-latest | |
| needs: authorize | |
| permissions: | |
| contents: read | |
| packages: write | |
| pull-requests: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.pull_request.head.ref }} | |
| repository: ${{ github.event.pull_request.head.repo.full_name }} | |
| - name: Get the last commit short SHA of the PR | |
| run: | | |
| SHORT_SHA=$(git rev-parse --short ${{ github.event.pull_request.head.sha }}) | |
| echo "SHORT_SHA=$SHORT_SHA" >> $GITHUB_ENV | |
| - name: Build and Push with Buildx | |
| uses: ./.github/actions/docker-build | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ vars.QUAY_USERNAME }} | |
| password: ${{ secrets.QUAY_TOKEN }} | |
| imageName: ${{ github.repository }} | |
| imageTags: | | |
| type=ref,prefix=pr-,event=pr | |
| type=ref,prefix=pr-,suffix=-${{ env.SHORT_SHA }},event=pr | |
| # to autodelete PR image tags, set an expiry date | |
| imageLabels: quay.expires-after=14d | |
| push: true | |
| - name: Comment the image pull link | |
| uses: actions/github-script@v6 | |
| with: | |
| script: | | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: 'The image is available at: `quay.io/${{ github.repository }}:pr-${{ github.event.number }}`!' | |
| }) |