ci: refactor GitHub Actions and Docker build-push-action settings

- Removed the necessity for CR_PAT input from the docker setup steps. - GitHub token is now used for GitHub Container Registry login. - Set contents read and packages write permissions for GITHUB_TOKEN in docker_publish.yml and docker_publish_latest.yml workflows. - Enabled submodules checkouts during docker setup in docker_publish.yml and docker_publish_latest.yml workflows. - Build arguments have been changed to set VERSION and RELEASE separately. - Cache is now stored in registry rather than GitHub actions to avoid the capacity limit. - Software Bill of Materials (sbom) and provenance output have been enabled for docker builds. - Instructions on managing write and read access of GitHub Actions for repositories in the container settings, have been included. Signed-off-by: 陳鈞 <[email protected]>
jim60105 · May 24, 2024 · 8495dcf · 8495dcf
1 parent ab017de
commit 8495dcf
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 12 deletions.
diff --git a/.github/workflows/docker-reused-setup-steps/action.yml b/.github/workflows/docker-reused-setup-steps/action.yml
@@ -11,8 +11,6 @@ inputs:
     required: true
   QUAY_TOKEN:
     required: true
-  CR_PAT:
-    required: true
   tag:
     required: true
 
@@ -55,14 +53,13 @@ runs:
         username: ${{ inputs.DOCKERHUB_USERNAME }}
         password: ${{ inputs.DOCKERHUB_TOKEN }}
 
-    # Create a Access Token with `read:packages` and `write:packages` scopes
-    # CR_PAT
+    # You may need to manage write and read access of GitHub Actions for repositories in the container settings.
     - name: Login to GitHub Container Registry
       uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
-        password: ${{ inputs.CR_PAT }}
+        password: ${{ github.token }}
 
     - name: Login to Quay Container Registry
       uses: docker/login-action@v3

diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml
@@ -7,13 +7,20 @@ on:
 
   workflow_dispatch:
 
+# Sets the permissions granted to the GITHUB_TOKEN for the actions in this job.
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   docker-alpine:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          submodules: 'true'
 
       - name: Setup docker
         id: setup
@@ -23,7 +30,6 @@ jobs:
           DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
           QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
           QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
-          CR_PAT: ${{ secrets.CR_PAT }}
           tag: alpine
 
       - name: Build and push
@@ -35,15 +41,24 @@ jobs:
           target: final
           tags: ${{ steps.setup.outputs.tags }}
           labels: ${{ steps.setup.outputs.labels }}
-          build-args: BUILD_VERSION=${{ github.head_ref || github.ref_name }}
+          build-args: |
+            VERSION=${{ github.head_ref || github.ref_name }}
+            RELEASE=${{ github.run_number }}
           platforms: linux/amd64,linux/arm64
+          # Cache to regietry instead of gha to avoid the capacity limit.
+          cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache
+          cache-to: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache,mode=max
+          sbom: true
+          provenance: true
 
   docker-ubi:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          submodules: 'true'
 
       - name: Setup docker
         id: setup
@@ -53,7 +68,6 @@ jobs:
           DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
           QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
           QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
-          CR_PAT: ${{ secrets.CR_PAT }}
           tag: ubi
 
       - name: Build and push
@@ -65,15 +79,24 @@ jobs:
           target: final
           tags: ${{ steps.setup.outputs.tags }}
           labels: ${{ steps.setup.outputs.labels }}
-          build-args: BUILD_VERSION=${{ github.head_ref || github.ref_name }}
+          build-args: |
+            VERSION=${{ github.head_ref || github.ref_name }}
+            RELEASE=${{ github.run_number }}
           platforms: linux/amd64,linux/arm64
+          # Cache to regietry instead of gha to avoid the capacity limit.
+          cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache
+          cache-to: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache,mode=max
+          sbom: true
+          provenance: true
 
   docker-distroless:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          submodules: 'true'
 
       - name: Setup docker
         id: setup
@@ -83,7 +106,6 @@ jobs:
           DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
           QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
           QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
-          CR_PAT: ${{ secrets.CR_PAT }}
           tag: distroless
 
       - name: Build and push
@@ -95,5 +117,12 @@ jobs:
           target: final
           tags: ${{ steps.setup.outputs.tags }}
           labels: ${{ steps.setup.outputs.labels }}
-          build-args: BUILD_VERSION=${{ github.head_ref || github.ref_name }}
+          build-args: |
+            VERSION=${{ github.head_ref || github.ref_name }}
+            RELEASE=${{ github.run_number }}
           platforms: linux/amd64,linux/arm64
+          # Cache to regietry instead of gha to avoid the capacity limit.
+          cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache
+          cache-to: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache,mode=max
+          sbom: true
+          provenance: true
diff --git a/.github/workflows/docker_publish_latest.yml b/.github/workflows/docker_publish_latest.yml
@@ -9,13 +9,20 @@ on:
 
   workflow_dispatch:
 
+# Sets the permissions granted to the GITHUB_TOKEN for the actions in this job.
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   docker-latest:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          submodules: 'true'
 
       - name: Setup docker
         id: setup
@@ -25,7 +32,6 @@ jobs:
           DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
           QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
           QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
-          CR_PAT: ${{ secrets.CR_PAT }}
           tag: latest
 
       - name: Build and push
@@ -37,4 +43,12 @@ jobs:
           target: final
           tags: ${{ steps.setup.outputs.tags }}
           labels: ${{ steps.setup.outputs.labels }}
+          build-args: |
+            VERSION=latest
+            RELEASE=${{ github.run_number }}
           platforms: linux/amd64,linux/arm64
+          # Cache to regietry instead of gha to avoid the capacity limit.
+          cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache
+          cache-to: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache,mode=max
+          sbom: true
+          provenance: true