From 8495dcf55f286cd55b951cda1f5177f6a4a21dd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=99=B3=E9=88=9E?= Date: Fri, 24 May 2024 21:59:46 +0800 Subject: [PATCH] ci: refactor GitHub Actions and Docker build-push-action settings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Removed the necessity for CR_PAT input from the docker setup steps. - GitHub token is now used for GitHub Container Registry login. - Set contents read and packages write permissions for GITHUB_TOKEN in docker_publish.yml and docker_publish_latest.yml workflows. - Enabled submodules checkouts during docker setup in docker_publish.yml and docker_publish_latest.yml workflows. - Build arguments have been changed to set VERSION and RELEASE separately. - Cache is now stored in registry rather than GitHub actions to avoid the capacity limit. - Software Bill of Materials (sbom) and provenance output have been enabled for docker builds. - Instructions on managing write and read access of GitHub Actions for repositories in the container settings, have been included. Signed-off-by: 陳鈞
---
.../docker-reused-setup-steps/action.yml | 7 +--- .github/workflows/docker_publish.yml | 41 ++++++++++++++++--- .github/workflows/docker_publish_latest.yml | 16 +++++++- 3 files changed, 52 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/docker-reused-setup-steps/action.yml b/.github/workflows/docker-reused-setup-steps/action.yml
index ff2981a..ee721ba 100644
--- a/.github/workflows/docker-reused-setup-steps/action.yml
+++ b/.github/workflows/docker-reused-setup-steps/action.yml
@@ -11,8 +11,6 @@ inputs: required: true QUAY_TOKEN: required: true - CR_PAT: - required: true tag: required: true 
@@ -55,14 +53,13 @@ runs: username: ${{ inputs.DOCKERHUB_USERNAME }} password: ${{ inputs.DOCKERHUB_TOKEN }} - # Create a Access Token with `read:packages` and `write:packages` scopes - # CR_PAT + # You may need to manage write and read access of GitHub Actions for repositories in the container settings. - name: Login to GitHub Container Registry uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} - password: ${{ inputs.CR_PAT }} + password: ${{ github.token }} - name: Login to Quay Container Registry uses: docker/login-action@v3
diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml
index 2b8214b..8a084ca 100644
--- a/.github/workflows/docker_publish.yml
+++ b/.github/workflows/docker_publish.yml
@@ -7,6 +7,11 @@ on: workflow_dispatch: +# Sets the permissions granted to the GITHUB_TOKEN for the actions in this job. +permissions: + contents: read + packages: write + jobs: docker-alpine: runs-on: ubuntu-latest
@@ -14,6 +19,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + submodules: 'true' - name: Setup docker id: setup
@@ -23,7 +30,6 @@ jobs: DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }} QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }} - CR_PAT: ${{ secrets.CR_PAT }} tag: alpine - name: Build and push
@@ -35,8 +41,15 @@ jobs: target: final tags: ${{ steps.setup.outputs.tags }} labels: ${{ steps.setup.outputs.labels }} - build-args: BUILD_VERSION=${{ github.head_ref || github.ref_name }} + build-args: | + VERSION=${{ github.head_ref || github.ref_name }} + RELEASE=${{ github.run_number }} platforms: linux/amd64,linux/arm64 + # Cache to regietry instead of gha to avoid the capacity limit. + cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache + cache-to: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache,mode=max + sbom: true + provenance: true docker-ubi: runs-on: ubuntu-latest 
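Review bot: The new comment above the ghcr.io login step only hints at package settings, but the switch to `password: ${{ github.token }}` also depends on the calling workflow granting `packages: write`, which a composite action cannot declare for itself. I would state both requirements where the old CR_PAT comment was: `# Login uses the caller's GITHUB_TOKEN: the calling workflow must grant 'packages: write', and for an existing package this repository must be allowed under the package's Actions access settings.` The `runs:` block this step belongs to starts before the hunk.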
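Review bot: The comment on the new `permissions:` block says it applies to "the actions in this job", but the block sits at workflow level, above `jobs:`, so it is the default token scope for every job in the workflow, including docker-ubi and docker-distroless. Reword it to `# Default GITHUB_TOKEN permissions for every job in this workflow: read the repository, push packages to ghcr.io.` The same comment is added at the top of docker_publish_latest.yml and should say the same there.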
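Review bot: All three jobs in this workflow (this hunk plus the docker-ubi and docker-distroless hunks below) and the docker-latest job in docker_publish_latest.yml export `mode=max` cache to the single ref `ghcr.io/${{ github.repository_owner }}/streamlink:cache`, so jobs running concurrently overwrite each other's export, the last writer wins, and the variants that differ in base image then mostly miss the cache while every run pushes full layer sets with the package-write token. Give each variant its own ref, e.g. `ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache-alpine` in both `cache-from` and `cache-to` here and `cache-ubi`, `cache-distroless`, `cache-latest` in the other jobs. Two further points on the same lines: `mode=max` exports the layers of every build stage, not only `final`, to a ref readable by anyone who can pull the streamlink package, so no earlier stage may contain credentials or private sources (the Dockerfile is not in this diff, so that should be confirmed); and registry references must be lowercase, so a plain `${{ github.repository_owner }}` will fail for an owner login with capitals where the tags from the setup step may already be normalised. The comment also misspells the word: `# Cache to registry instead of gha to avoid the capacity limit.`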
@@ -44,6 +57,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + submodules: 'true' - name: Setup docker id: setup
@@ -53,7 +68,6 @@ jobs: DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }} QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }} - CR_PAT: ${{ secrets.CR_PAT }} tag: ubi - name: Build and push
@@ -65,8 +79,15 @@ jobs: target: final tags: ${{ steps.setup.outputs.tags }} labels: ${{ steps.setup.outputs.labels }} - build-args: BUILD_VERSION=${{ github.head_ref || github.ref_name }} + build-args: | + VERSION=${{ github.head_ref || github.ref_name }} + RELEASE=${{ github.run_number }} platforms: linux/amd64,linux/arm64 + # Cache to regietry instead of gha to avoid the capacity limit. + cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache + cache-to: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache,mode=max + sbom: true + provenance: true docker-distroless: runs-on: ubuntu-latest
@@ -74,6 +95,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + submodules: 'true' - name: Setup docker id: setup
@@ -83,7 +106,6 @@ jobs: DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }} QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }} - CR_PAT: ${{ secrets.CR_PAT }} tag: distroless - name: Build and push
@@ -95,5 +117,12 @@ jobs: target: final tags: ${{ steps.setup.outputs.tags }} labels: ${{ steps.setup.outputs.labels }} - build-args: BUILD_VERSION=${{ github.head_ref || github.ref_name }} + build-args: | + VERSION=${{ github.head_ref || github.ref_name }} + RELEASE=${{ github.run_number }} platforms: linux/amd64,linux/arm64 + # Cache to regietry instead of gha to avoid the capacity limit. + cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache + cache-to: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache,mode=max + sbom: true + provenance: true 
diff --git a/.github/workflows/docker_publish_latest.yml b/.github/workflows/docker_publish_latest.yml
index 63e6423..077df2b 100644
--- a/.github/workflows/docker_publish_latest.yml
+++ b/.github/workflows/docker_publish_latest.yml
@@ -9,6 +9,11 @@ on: workflow_dispatch: +# Sets the permissions granted to the GITHUB_TOKEN for the actions in this job. +permissions: + contents: read + packages: write + jobs: docker-latest: runs-on: ubuntu-latest
@@ -16,6 +21,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + submodules: 'true' - name: Setup docker id: setup
@@ -25,7 +32,6 @@ jobs: DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }} QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }} - CR_PAT: ${{ secrets.CR_PAT }} tag: latest - name: Build and push
@@ -37,4 +43,12 @@ jobs: target: final tags: ${{ steps.setup.outputs.tags }} labels: ${{ steps.setup.outputs.labels }} + build-args: | + VERSION=latest + RELEASE=${{ github.run_number }} platforms: linux/amd64,linux/arm64 + # Cache to regietry instead of gha to avoid the capacity limit. + cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache + cache-to: type=registry,ref=ghcr.io/${{ github.repository_owner }}/streamlink:cache,mode=max + sbom: true + provenance: true
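Review bot: `VERSION=latest` in the new `build-args` block passes a literal tag name rather than anything that identifies the built source, so whatever the Dockerfile records from VERSION (the Dockerfile is not in this diff) cannot be traced back to a commit; only `RELEASE=${{ github.run_number }}` ties the image to a run. If the Dockerfile stores VERSION in a label or version file, consider `VERSION=${{ github.ref_name }}` as docker_publish.yml does, or keep `latest` and rely on the provenance attestation enabled below, which typically records the source revision. The `steps:` list this step belongs to starts before the hunk.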