From 7b71139613414351ccf293331201b6d19fb93d16 Mon Sep 17 00:00:00 2001 From: innovaker <66737976+innovaker@users.noreply.github.com> Date: Tue, 11 May 2021 22:03:46 +0100 Subject: [PATCH] feat: add guards for absent registry credentials The original design assumed that every user would configure login credentials with appropriate write permissions for the Docker Hub repository. Consequently, forks or pull requests fail on the first step. This change allows the build to complete without login credentials. It skips pushing the cache or pushing the candidate image. The release (docker tag) step still requires login credentials and fails if they are absent. This guarantees that git tagging is only possible once all images have been pushed out to all container registries. PR: #24 --- .github/workflows/containers.yml | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/.github/workflows/containers.yml b/.github/workflows/containers.yml index f265609..17e7a5d 100644 --- a/.github/workflows/containers.yml +++ b/.github/workflows/containers.yml @@ -22,13 +22,25 @@ jobs: - dev - build steps: + - name: Check for GitHub Container Registry credentials (secrets) + id: ghcr-credentials + run: if [ ${{ secrets.GHCR_USERNAME == null || secrets.GHCR_TOKEN == null }} = true ]; then exit 1; fi + continue-on-error: true - name: Login to GitHub Container Registry + id: ghcr-login + if: ${{ steps.ghcr-credentials.outcome == 'success' }} uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ secrets.GHCR_USERNAME }} password: ${{ secrets.GHCR_TOKEN }} + - name: Check for Docker Hub credentials (secrets) + id: docker-hub-credentials + run: if [ ${{ secrets.DOCKER_HUB_USERNAME == null || secrets.DOCKER_HUB_TOKEN == null }} = true ]; then exit 1; fi + continue-on-error: true - name: Login to Docker Hub + id: docker-hub-login + if: ${{ steps.docker-hub-credentials.outcome == 'success' }} uses: docker/login-action@v1 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} @@ -80,14 +92,22 @@ jobs: tags: | docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ steps.vars.outputs.candidate-tag }} cache-from: type=registry,ref=docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ env.cache-repository-name }}:dev - cache-to: type=registry,ref=docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ env.cache-repository-name }}:${{ matrix.target }},mode=max - push: true + cache-to: ${{ (steps.docker-hub-login.outcome == 'success') && format('type=registry,ref=docker.io/{0}/{1}:{2},mode=max', steps.vars.outputs.docker-hub-namespace, env.cache-repository-name, matrix.target) || null }} + push: ${{ steps.docker-hub-login.outcome == 'success' }} - name: Image digest if: ${{ !startsWith(github.ref, 'refs/tags') }} run: echo ${{ steps.build-push.outputs.digest }} - name: Release (pull candidate, tag, push) if: ${{ github.ref == steps.vars.outputs.tag-trigger-ref }} run: | + if [ "${{ steps.docker-hub-login.outcome }}" != "success" ]; then + echo "Docker Hub must be authenticated to perform a release!" + exit 1 + fi + if [ "${{ steps.ghcr-login.outcome }}" != "success" ]; then + echo "GitHub Container Registry must be authenticated to perform a release!" + exit 1 + fi docker pull docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ steps.vars.outputs.candidate-tag }} docker tag docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ steps.vars.outputs.candidate-tag }} docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ steps.vars.outputs.versions-tag }} docker tag docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ steps.vars.outputs.candidate-tag }} docker.io/${{ steps.vars.outputs.docker-hub-namespace }}/${{ steps.vars.outputs.latest-tag }}