Skip to content

Prevent setting of the MySQL isolation #145

Prevent setting of the MySQL isolation

Prevent setting of the MySQL isolation #145

name: 'Build domjudge container (PR)'
on:
push:
paths:
- .github/workflows/build-domjudge-container-PR.yml
- docker/**
pull_request:
branches:
- main
paths:
- .github/workflows/build-domjudge-container-PR.yml
- docker/**
env:
DOMJUDGE_VERSION: M.m.p
jobs:
pr-domjudge:
# Stop processing if this is a merge-queue
# Stop processing if this is not against our repo
# Always run if this PR is not from our organization
# Or run if this PR is not `main` (So notQueue && ourRepo && (notPROurOrg || notMain))
if : ${{ !contains(github.ref, 'gh-readonly-queue') &&
github.repository == 'domjudge/domjudge-packaging' &&
!(github.event.pull_request.head.repo.full_name == 'domjudge/domjudge-packaging' && github.ref == 'main') }}
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub container registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- run: docker system prune -a -f
- name: Get an unique tag for when people PR often
run: |
GHR=${{ github.ref }}
echo "PR_TAG=${GHR///}${{ github.actor }}" >> $GITHUB_ENV
- name: If needed overwrite the DOMJUDGE_VERSION for this run
run: |
if [ ${{ env.DOMJUDGE_VERSION }} != "M.m.p" ]; then
exit 0
fi
sudo apt-get update; sudo apt-get install -y jq curl
set -x
HUBURL="https://registry.hub.docker.com/v2/repositories/domjudge/domserver/tags"
TAG=$(curl $HUBURL|jq '.results | sort_by(.name) | .[-2].name')
DJ_TAG=${TAG//\"}
set +x
echo "DOMJUDGE_VERSION=$DJ_TAG" >> $GITHUB_ENV
- name: Build the container
run: |
cd docker
./build.sh "${{ env.DOMJUDGE_VERSION }}"
- name: Build and push
run: |
for IMG in domserver judgehost default-judgehost-chroot; do
echo "::group::$IMG"
IMAGE_NAME="${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.DOMJUDGE_VERSION }}"
docker image tag "$IMAGE_NAME" ghcr.io/${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }}
docker image tag "$IMAGE_NAME" ${GITHUB_REPOSITORY_OWNER@L}/$IMG:${{ env.PR_TAG }}
echo "::endgroup::"
done
- run: docker image list
- name: Check for wrong permisions
run: |
docker image list
set -x
for IMG in domserver judgehost; do
files=$(docker run --rm --pull=never "domjudge/$IMG:${{ env.PR_TAG }}" find / -xdev -perm -o+w ! -type l ! \( -type d -a -perm -+t \) ! -type c)
if [ -n "$files" ]; then
echo "error: image domjudge/$IMG:${{ env.PR_TAG }} contains world-writable files:" >&2
printf "%s\n" "$files" >&2
exit 1
fi
done