DOMjudge · vmcj · Jun 3, 2024 · Jun 1, 2024 · Jun 2, 2024 · Jun 2, 2024
diff --git a/.github/workflows/build-contributor-container-PR.yml b/.github/workflows/build-contributor-container-PR.yml
@@ -4,17 +4,25 @@ name: 'Build Contributor container (PR)'
 
 on:
   push:
-  pull_request_target:
+    paths:
+      - docker-contributor
+      - .github/workflows/build-contributor-container-PR.yml
+  pull_request:
     branches:
       - main
+    paths:
+      - docker-contributor
+      - .github/workflows/build-contributor-container-PR.yml
 
 jobs:
   pr-contributor:
-    if: ${{ !(github.repository == 'domjudge/domjudge-packaging' &&
-              github.ref == 'refs/heads/main') &&
-            !contains(github.ref, 'gh-readonly-queue') &&
-            (github.event_name == 'pull_request_target' ||
-             github.event.pull_request.head.repo.full_name != github.repository) }}
+    # Stop processing if this is a merge-queue
+    # Stop processing if this is not against our repo
+    # Always run if this PR is not from our organization
+    # Or run if this PR is not `main` (So notQueue && ourRepo && (notPROurOrg || notMain))
+    if : ${{ !contains(github.ref, 'gh-readonly-queue') &&
+             github.repository == 'domjudge/domjudge-packaging' &&
+             !(github.event.pull_request.head.repo.full_name == 'domjudge/domjudge-packaging' && github.ref == 'main') }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -41,7 +49,7 @@ jobs:
         with:
           context: docker-contributor
           platforms: linux/amd64,linux/arm64
-          push: true
+          push: false
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
diff --git a/.github/workflows/build-domjudge-container-PR.yml b/.github/workflows/build-domjudge-container-PR.yml
@@ -2,20 +2,28 @@ name: 'Build domjudge container (PR)'
 
 on:
   push:
-  pull_request_target:
+    paths:
+      - .github/workflows/build-domjudge-container-PR.yml
+      - docker
+  pull_request:
     branches:
       - main
+    paths:
+      - .github/workflows/build-domjudge-container-PR.yml
+      - docker
 
 env:
   DOMJUDGE_VERSION: M.m.p
 
 jobs:
   pr-domjudge:
-    if: ${{ !(github.repository == 'domjudge/domjudge-packaging' &&
-              github.ref == 'refs/heads/main') &&
-            !contains(github.ref, 'gh-readonly-queue') &&
-            (github.event_name == 'pull_request_target' ||
-             github.event.pull_request.head.repo.full_name != github.repository) }}
+    # Stop processing if this is a merge-queue
+    # Stop processing if this is not against our repo
+    # Always run if this PR is not from our organization
+    # Or run if this PR is not `main` (So notQueue && ourRepo && (notPROurOrg || notMain))
+    if : ${{ !contains(github.ref, 'gh-readonly-queue') &&
+             github.repository == 'domjudge/domjudge-packaging' &&
+             !(github.event.pull_request.head.repo.full_name == 'domjudge/domjudge-packaging' && github.ref == 'main') }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -58,28 +66,29 @@ jobs:
         run: |
           cd docker
           set -x
-          sh ./build.sh "${{ env.DOMJUDGE_VERSION }}" ${{ github.actor }}
+          sh ./build.sh "${{ env.DOMJUDGE_VERSION }}"
           set +x
 
-      - run: docker image list
-
       - name: Build and push
         run: |
           for IMG in domserver judgehost default-judgehost-chroot; do
+            echo "::group::$IMG"
             IMAGE_NAME="${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.DOMJUDGE_VERSION }}"
             docker image tag "$IMAGE_NAME" ghcr.io/${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }}
             docker image tag "$IMAGE_NAME" ${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }}
-            docker push ghcr.io/${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }}
+            echo "::endgroup::"
           done
 
+      - run: docker image list
+
       - name: Check for wrong permisions
         run: |
           docker image list
           set -x
           for IMG in domserver judgehost; do
-            files=$(docker run --rm --pull=never "${{ github.repository_owner }}/$IMG:${{ env.PR_TAG }}" find / -xdev -perm -o+w ! -type l ! \( -type d -a -perm -+t \) ! -type c)
+            files=$(docker run --rm --pull=never "domjudge/$IMG:${{ env.PR_TAG }}" find / -xdev -perm -o+w ! -type l ! \( -type d -a -perm -+t \) ! -type c)
             if [ -n "$files" ]; then
-              echo "error: image ${{ github.repository_owner }}/$IMG:${{ env.PR_TAG }} contains world-writable files:" >&2
+              echo "error: image domjudge/$IMG:${{ env.PR_TAG }} contains world-writable files:" >&2
               printf "%s\n" "$files" >&2
               exit 1
             fi

diff --git a/.github/workflows/build-gitlab-container-PR.yml b/.github/workflows/build-gitlab-container-PR.yml
@@ -2,17 +2,27 @@ name: 'Build GitLab CI container (PR)'
 
 on:
   push:
-  pull_request_target:
+    paths:
+      - docker-contributor/php-config
+      - docker-gitlabci
+      - .github/workflows/build-gitlab-container-PR.yml
+  pull_request:
     branches:
       - main
+    paths:
+      - docker-contributor/php-config
+      - docker-gitlabci
+      - .github/workflows/build-gitlab-container-PR.yml
 
 jobs:
   pr-gitlab:
-    if: ${{ !(github.repository == 'domjudge/domjudge-packaging' &&
-              github.ref == 'refs/heads/main') &&
-            !contains(github.ref, 'gh-readonly-queue') &&
-            (github.event_name == 'pull_request_target' ||
-             github.event.pull_request.head.repo.full_name != github.repository) }}
+    # Stop processing if this is a merge-queue
+    # Stop processing if this is not against our repo
+    # Always run if this PR is not from our organization
+    # Or run if this PR is not `main` (So notQueue && ourRepo && (notPROurOrg || notMain))
+    if : ${{ !contains(github.ref, 'gh-readonly-queue') &&
+             github.repository == 'domjudge/domjudge-packaging' &&
+             !(github.event.pull_request.head.repo.full_name == 'domjudge/domjudge-packaging' && github.ref == 'main') }}
     name: PR GitLab image
     runs-on: ubuntu-latest
     permissions:
@@ -42,7 +52,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: "./docker-gitlabci" 
-          push: true
+          push: false
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
@@ -7,9 +7,6 @@ on:
   pull_request:
     branches:
       - main
-  pull_request_target:
-    branches:
-      - main
 
 jobs:
   shellcheck:

diff --git a/docker/build.sh b/docker/build.sh
@@ -1,9 +1,43 @@
-#!/bin/sh -eu
+#!/bin/sh -eux
 
-if [ -n "${CI+}" ]
+# Placeholders to annotate the Github actions logs
+trace_on () { true; }
+trace_off () { true; }
+section_start () { true; }
+section_end () { true; }
+
+if [ -n "${CI+x}" ]
 then
+	if [ -n "${GITHUB_ACTION+x}" ]
 	set -x
-	export PS4='(${0}:${LINENO}): - [$?] $ '
+	then
+		# Functions to annotate the Github actions logs
+		trace_on () { set -x; }
+		trace_off () {
+			{ set +x; } 2>/dev/null
+		}
+
+		section_start_internal () {
+			echo "::group::$1"
+			trace_on
+		}
+
+		section_end_internal () {
+			echo "::endgroup::"
+			trace_on
+		}
+
+		section_start () {
+			trace_off
+			section_start_internal "$@"
+		}
+		section_end () {
+			trace_off
+			section_end_internal
+		}
+	else
+		export PS4='(${0}:${LINENO}): - [$?] $ '
+	fi
 fi
 
 if [ "$#" -eq 0 ] || [ "$#" -gt 2 ]
@@ -24,6 +58,7 @@ fi
 URL=https://www.domjudge.org/releases/domjudge-${VERSION}.tar.gz
 FILE=domjudge.tar.gz
 
+section_start "Download DOMjudge tarball"
 echo "[..] Downloading DOMjudge version ${VERSION}..."
 
 if ! wget --quiet "${URL}" -O ${FILE}
@@ -33,19 +68,27 @@ then
 fi
 
 echo "[ok] DOMjudge version ${VERSION} downloaded as domjudge.tar.gz"; echo
+section_end
 
+section_start "Build domserver container"
 echo "[..] Building Docker image for domserver..."
 ./build-domjudge.sh "${NAMESPACE}/domserver:${VERSION}"
 echo "[ok] Done building Docker image for domserver"
+section_end
 
+section_start "Build judgehost container (with intermediate image)"
 echo "[..] Building Docker image for judgehost using intermediate build image..."
 ./build-judgehost.sh "${NAMESPACE}/judgehost:${VERSION}"
 echo "[ok] Done building Docker image for judgehost"
+section_end
 
+section_start "Build judgehost container (judging chroot)"
 echo "[..] Building Docker image for judgehost chroot..."
 docker build -t "${NAMESPACE}/default-judgehost-chroot:${VERSION}" -f judgehost/Dockerfile.chroot .
 echo "[ok] Done building Docker image for judgehost chroot"
+section_end
 
+section_start "Push instructions"
 echo "All done. Image ${NAMESPACE}/domserver:${VERSION} and ${NAMESPACE}/judgehost:${VERSION} created"
 echo "If you are a DOMjudge maintainer with access to the domjudge organization on Docker Hub, you can now run the following command to push them to Docker Hub:"
 echo "$ docker push ${NAMESPACE}/domserver:${VERSION} && docker push ${NAMESPACE}/judgehost:${VERSION} && docker push $NAMESPACE}/default-judgehost-chroot:${VERSION}"
@@ -54,3 +97,4 @@ echo "$ docker tag ${NAMESPACE}/domserver:${VERSION} ${NAMESPACE}/domserver:late
 docker tag ${NAMESPACE}/judgehost:${VERSION} ${NAMESPACE}/judgehost:latest && \
 docker tag ${NAMESPACE}/default-judgehost-chroot:${VERSION} ${NAMESPACE}/default-judgehost-chroot:latest && \
 docker push ${NAMESPACE}/domserver:latest && docker push ${NAMESPACE}/judgehost:latest && docker push ${NAMESPACE}/default-judgehost-chroot:latest"
+section_end