diff --git a/.github/workflows/build-contributor-container-PR.yml b/.github/workflows/build-contributor-container-PR.yml index a45a825..ecd2e2c 100644 --- a/.github/workflows/build-contributor-container-PR.yml +++ b/.github/workflows/build-contributor-container-PR.yml @@ -4,17 +4,25 @@ name: 'Build Contributor container (PR)' on: push: - pull_request_target: + paths: + - docker-contributor + - .github/workflows/build-contributor-container-PR.yml + pull_request: branches: - main + paths: + - docker-contributor + - .github/workflows/build-contributor-container-PR.yml jobs: pr-contributor: - if: ${{ !(github.repository == 'domjudge/domjudge-packaging' && - github.ref == 'refs/heads/main') && - !contains(github.ref, 'gh-readonly-queue') && - (github.event_name == 'pull_request_target' || - github.event.pull_request.head.repo.full_name != github.repository) }} + # Stop processing if this is a merge-queue + # Stop processing if this is not against our repo + # Always run if this PR is not from our organization + # Or run if this PR is not `main` (So notQueue && ourRepo && (notPROurOrg || notMain)) + if : ${{ !contains(github.ref, 'gh-readonly-queue') && + github.repository == 'domjudge/domjudge-packaging' && + !(github.event.pull_request.head.repo.full_name == 'domjudge/domjudge-packaging' && github.ref == 'main') }} runs-on: ubuntu-latest steps: - name: Checkout @@ -41,7 +49,7 @@ jobs: with: context: docker-contributor platforms: linux/amd64,linux/arm64 - push: true + push: false tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/build-domjudge-container-PR.yml b/.github/workflows/build-domjudge-container-PR.yml index 4914122..b40a377 100644 --- a/.github/workflows/build-domjudge-container-PR.yml +++ b/.github/workflows/build-domjudge-container-PR.yml 
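Review bot: `github.ref == 'main'` in the new `if :` can never be true, because `github.ref` holds the full ref (`refs/heads/main` on a push, `refs/pull/<n>/merge` on a pull request); the removed condition compared against `refs/heads/main`, and the new one should too, or use `github.ref_name == 'main'`. On `push` events `github.event.pull_request` is empty, so the `head.repo.full_name` comparison is false there as well, which means the third clause never excludes a run and the "not `main`" case described in the comment is not enforced. The bare directory entries under `paths:` (`- docker-contributor`) are glob patterns matched against file paths, and as far as the documented rules go they do not match files inside the directory; `- docker-contributor/**` does. Without that, a change to a Dockerfile would skip the build and, in the domjudge workflow, the world-writable-file check. The same condition and the same kind of path filter appear in build-domjudge-container-PR.yml and build-gitlab-container-PR.yml.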
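Review bot: With `push: false` this job no longer writes to a registry, so any registry login step and `packages: write` grant it still carries are unused. Neither is visible in this hunk, so this needs checking against the full file. If they are present, drop the login and reduce the job's `permissions:` to `contents: read`, so that runs triggered by same-repository pushes do not hold a token with package-write scope. The same applies to the `push: false` change in build-gitlab-container-PR.yml, where a `permissions:` block is visible just above the steps.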
@@ -2,20 +2,28 @@ name: 'Build domjudge container (PR)' on: push: - pull_request_target: + paths: + - .github/workflows/build-domjudge-container-PR.yml + - docker + pull_request: branches: - main + paths: + - .github/workflows/build-domjudge-container-PR.yml + - docker env: DOMJUDGE_VERSION: M.m.p jobs: pr-domjudge: - if: ${{ !(github.repository == 'domjudge/domjudge-packaging' && - github.ref == 'refs/heads/main') && - !contains(github.ref, 'gh-readonly-queue') && - (github.event_name == 'pull_request_target' || - github.event.pull_request.head.repo.full_name != github.repository) }} + # Stop processing if this is a merge-queue + # Stop processing if this is not against our repo + # Always run if this PR is not from our organization + # Or run if this PR is not `main` (So notQueue && ourRepo && (notPROurOrg || notMain)) + if : ${{ !contains(github.ref, 'gh-readonly-queue') && + github.repository == 'domjudge/domjudge-packaging' && + !(github.event.pull_request.head.repo.full_name == 'domjudge/domjudge-packaging' && github.ref == 'main') }} runs-on: ubuntu-latest steps: - name: Checkout 
@@ -58,28 +66,29 @@ jobs: run: | cd docker set -x - sh ./build.sh "${{ env.DOMJUDGE_VERSION }}" ${{ github.actor }} + sh ./build.sh "${{ env.DOMJUDGE_VERSION }}" set +x - - run: docker image list - - name: Build and push run: | for IMG in domserver judgehost default-judgehost-chroot; do + echo "::group::$IMG" IMAGE_NAME="${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.DOMJUDGE_VERSION }}" docker image tag "$IMAGE_NAME" ghcr.io/${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }} docker image tag "$IMAGE_NAME" ${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }} - docker push ghcr.io/${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }} + echo "::endgroup::" done + - run: docker image list + - name: Check for wrong permisions run: | docker image list set -x for IMG in domserver judgehost; do - files=$(docker run --rm --pull=never "${{ github.repository_owner }}/$IMG:${{ env.PR_TAG }}" find / -xdev -perm -o+w ! -type l ! \( -type d -a -perm -+t \) ! -type c) + files=$(docker run --rm --pull=never "domjudge/$IMG:${{ env.PR_TAG }}" find / -xdev -perm -o+w ! -type l ! \( -type d -a -perm -+t \) ! -type c) if [ -n "$files" ]; then - echo "error: image ${{ github.repository_owner }}/$IMG:${{ env.PR_TAG }} contains world-writable files:" >&2 + echo "error: image domjudge/$IMG:${{ env.PR_TAG }} contains world-writable files:" >&2 printf "%s\n" "$files" >&2 exit 1 fi diff --git a/.github/workflows/build-gitlab-container-PR.yml b/.github/workflows/build-gitlab-container-PR.yml index b2e7877..776830c 100644 --- a/.github/workflows/build-gitlab-container-PR.yml +++ b/.github/workflows/build-gitlab-container-PR.yml 
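Review bot: `${{ env.PR_TAG }}` and `${{ env.DOMJUDGE_VERSION }}` are still expanded by the Actions template engine into the text of these `run:` scripts, so their values are parsed as shell source rather than passed as data. Where `PR_TAG` is set is outside this hunk; if it is derived from anything a pull request controls, read it from the environment instead, e.g. `docker image tag "$IMAGE_NAME" "${GITHUB_REPOSITORY_OWNER@L}/$IMG:$PR_TAG"`. The permission check now hard-codes `domjudge/$IMG` while the tagging loop uses `${GITHUB_REPOSITORY_OWNER@L}`, and with `--pull=never` the check fails if the two ever differ, so use one form in both steps. The step is still named `Build and push` although it only tags, and `Check for wrong permisions` should read `permissions`.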
@@ -2,17 +2,27 @@ name: 'Build GitLab CI container (PR)' on: push: - pull_request_target: + paths: + - docker-contributor/php-config + - docker-gitlabci + - .github/workflows/build-gitlab-container-PR.yml + pull_request: branches: - main + paths: + - docker-contributor/php-config + - docker-gitlabci + - .github/workflows/build-gitlab-container-PR.yml jobs: pr-gitlab: - if: ${{ !(github.repository == 'domjudge/domjudge-packaging' && - github.ref == 'refs/heads/main') && - !contains(github.ref, 'gh-readonly-queue') && - (github.event_name == 'pull_request_target' || - github.event.pull_request.head.repo.full_name != github.repository) }} + # Stop processing if this is a merge-queue + # Stop processing if this is not against our repo + # Always run if this PR is not from our organization + # Or run if this PR is not `main` (So notQueue && ourRepo && (notPROurOrg || notMain)) + if : ${{ !contains(github.ref, 'gh-readonly-queue') && + github.repository == 'domjudge/domjudge-packaging' && + !(github.event.pull_request.head.repo.full_name == 'domjudge/domjudge-packaging' && github.ref == 'main') }} name: PR GitLab image runs-on: ubuntu-latest permissions: @@ -42,7 +52,7 @@ jobs: uses: docker/build-push-action@v5 with: context: "./docker-gitlabci" - push: true + push: false tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index 99cb18c..c6fd65e 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -7,9 +7,6 @@ on: pull_request: branches: - main - pull_request_target: - branches: - - main jobs: shellcheck: diff --git a/docker/build.sh b/docker/build.sh index 525576e..1079e33 100755 --- a/docker/build.sh +++ b/docker/build.sh 
@@ -1,9 +1,43 @@ -#!/bin/sh -eu +#!/bin/sh -eux -if [ -n "${CI+}" ] +# Placeholders to annotate the Github actions logs +trace_on () { true; } +trace_off () { true; } +section_start () { true; } +section_end () { true; } + +if [ -n "${CI+x}" ] then + if [ -n "${GITHUB_ACTION+x}" ] set -x - export PS4='(${0}:${LINENO}): - [$?] $ ' + then + # Functions to annotate the Github actions logs + trace_on () { set -x; } + trace_off () { + { set +x; } 2>/dev/null + } + + section_start_internal () { + echo "::group::$1" + trace_on + } + + section_end_internal () { + echo "::endgroup::" + trace_on + } + + section_start () { + trace_off + section_start_internal "$@" + } + section_end () { + trace_off + section_end_internal + } + else + export PS4='(${0}:${LINENO}): - [$?] $ ' + fi fi if [ "$#" -eq 0 ] || [ "$#" -gt 2 ] @@ -24,6 +58,7 @@ fi URL=https://www.domjudge.org/releases/domjudge-${VERSION}.tar.gz FILE=domjudge.tar.gz +section_start "Download DOMjudge tarball" echo "[..] Downloading DOMjudge version ${VERSION}..." if ! wget --quiet "${URL}" -O ${FILE} 
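Review bot: The new `if [ -n "${GITHUB_ACTION+x}" ]` is followed by the pre-existing `set -x` before `then`, so the condition list ends with `set -x`, which always succeeds. The GitHub branch is therefore taken on every CI system and the `else` that exports `PS4` is unreachable. Move `set -x` above the inner `if` (or into each branch) so that the `[ ... ]` test is the last command before `then`. Separately, the options on `#!/bin/sh -eux` are ignored when the script is started as `sh ./build.sh`, which is how the workflow in this commit calls it, so a `set -eu` line in the script body is the reliable way to make a failed build step abort. The comments spell `Github`; the product name is `GitHub`.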
@@ -33,19 +68,27 @@ then fi echo "[ok] DOMjudge version ${VERSION} downloaded as domjudge.tar.gz"; echo +section_end +section_start "Build domserver container" echo "[..] Building Docker image for domserver..." ./build-domjudge.sh "${NAMESPACE}/domserver:${VERSION}" echo "[ok] Done building Docker image for domserver" +section_end +section_start "Build judgehost container (with intermediate image)" echo "[..] Building Docker image for judgehost using intermediate build image..." ./build-judgehost.sh "${NAMESPACE}/judgehost:${VERSION}" echo "[ok] Done building Docker image for judgehost" +section_end +section_start "Build judgehost container (judging chroot)" echo "[..] Building Docker image for judgehost chroot..." docker build -t "${NAMESPACE}/default-judgehost-chroot:${VERSION}" -f judgehost/Dockerfile.chroot . echo "[ok] Done building Docker image for judgehost chroot" +section_end +section_start "Push instructions" echo "All done. Image ${NAMESPACE}/domserver:${VERSION} and ${NAMESPACE}/judgehost:${VERSION} created" echo "If you are a DOMjudge maintainer with access to the domjudge organization on Docker Hub, you can now run the following command to push them to Docker Hub:" echo "$ docker push ${NAMESPACE}/domserver:${VERSION} && docker push ${NAMESPACE}/judgehost:${VERSION} && docker push $NAMESPACE}/default-judgehost-chroot:${VERSION}" @@ -54,3 +97,4 @@ echo "$ docker tag ${NAMESPACE}/domserver:${VERSION} ${NAMESPACE}/domserver:late docker tag ${NAMESPACE}/judgehost:${VERSION} ${NAMESPACE}/judgehost:latest && \ docker tag ${NAMESPACE}/default-judgehost-chroot:${VERSION} ${NAMESPACE}/default-judgehost-chroot:latest && \ docker push ${NAMESPACE}/domserver:latest && docker push ${NAMESPACE}/judgehost:latest && docker push ${NAMESPACE}/default-judgehost-chroot:latest" +section_end
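Review bot: The push command printed inside the new "Push instructions" section contains `$NAMESPACE}/default-judgehost-chroot:${VERSION}`, which lacks the opening brace and so prints a stray `}` in the image name a maintainer is told to copy. It should read `${NAMESPACE}/default-judgehost-chroot:${VERSION}`. The line is unchanged context in this hunk, but it sits in the block this commit wraps in a log group, so it is worth fixing in the same change.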