feat: add guards for absent registry credentials

The original design assumed that every user would configure login credentials with appropriate write permissions for the Docker Hub repository.  Consequently, forks or pull requests fail on the first step.

This change allows the build to complete without login credentials.  It skips pushing the cache or pushing the candidate image.

The release (docker tag) step still requires login credentials and fails if they are absent.  This guarantees that git tagging is only possible once all images have been pushed out to all container registries.

PR: #24
This commit is contained in:
innovaker 2021-05-11 22:03:46 +01:00
parent 560e9163d5
commit 7b71139613

View File

@ -22,13 +22,25 @@ jobs:
- dev
- build
steps:
- name: Check for GitHub Container Registry credentials (secrets)
id: ghcr-credentials
run: if [ ${{ secrets.GHCR_USERNAME == null || secrets.GHCR_TOKEN == null }} = true ]; then exit 1; fi
continue-on-error: true
- name: Login to GitHub Container Registry
id: ghcr-login
if: ${{ steps.ghcr-credentials.outcome == 'success' }}
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ secrets.GHCR_USERNAME }}
password: ${{ secrets.GHCR_TOKEN }}
- name: Check for Docker Hub credentials (secrets)
id: docker-hub-credentials
run: if [ ${{ secrets.DOCKER_HUB_USERNAME == null || secrets.DOCKER_HUB_TOKEN == null }} = true ]; then exit 1; fi
continue-on-error: true
- name: Login to Docker Hub
id: docker-hub-login
if: ${{ steps.docker-hub-credentials.outcome == 'success' }}
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
@ -80,14 +92,22 @@ jobs:
tags: |
docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ steps.vars.outputs.candidate-tag }}
cache-from: type=registry,ref=docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ env.cache-repository-name }}:dev
cache-to: type=registry,ref=docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ env.cache-repository-name }}:${{ matrix.target }},mode=max
push: true
cache-to: ${{ (steps.docker-hub-login.outcome == 'success') && format('type=registry,ref=docker.io/{0}/{1}:{2},mode=max', steps.vars.outputs.docker-hub-namespace, env.cache-repository-name, matrix.target) || null }}
push: ${{ steps.docker-hub-login.outcome == 'success' }}
- name: Image digest
if: ${{ !startsWith(github.ref, 'refs/tags') }}
run: echo ${{ steps.build-push.outputs.digest }}
- name: Release (pull candidate, tag, push)
if: ${{ github.ref == steps.vars.outputs.tag-trigger-ref }}
run: |
if [ "${{ steps.docker-hub-login.outcome }}" != "success" ]; then
echo "Docker Hub must be authenticated to perform a release!"
exit 1
fi
if [ "${{ steps.ghcr-login.outcome }}" != "success" ]; then
echo "GitHub Container Registry must be authenticated to perform a release!"
exit 1
fi
docker pull docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ steps.vars.outputs.candidate-tag }}
docker tag docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ steps.vars.outputs.candidate-tag }} docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ steps.vars.outputs.versions-tag }}
docker tag docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ steps.vars.outputs.candidate-tag }} docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ steps.vars.outputs.latest-tag }}