From 6f396100785a5829fe2f926662a29419547035ab Mon Sep 17 00:00:00 2001 From: Benjamin Pinchon Date: Tue, 10 Sep 2024 14:24:13 +0200 Subject: [PATCH] ci: fix the CI for PRs from forked projects (#11) * ci: add IS_FORK to skip some jobs on PRs from forked projects Signed-off-by: PINCHON Benjamin * ci: remove TARGETPLATFORM in Dockerfile as this is the default behavior Signed-off-by: PINCHON Benjamin --------- Signed-off-by: PINCHON Benjamin --- .github/workflows/build.yml | 13 +++++-------- .github/workflows/ci.yml | 28 +--------------------------- .github/workflows/sonar.yml | 31 +++++++++++++++++++++++++++++++ Dockerfile | 2 +- 4 files changed, 38 insertions(+), 36 deletions(-) create mode 100644 .github/workflows/sonar.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 79771fe..4388cb2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,11 +9,6 @@ on: build-platform: required: true type: string - secrets: - GHCR_USERNAME: - required: true - GHCR_TOKEN: - required: true jobs: build-and-push-image: @@ -35,10 +30,11 @@ jobs: - name: Log in to the Container registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + if: github.event_name != 'pull_request' with: registry: ghcr.io - username: ${{ secrets.GHCR_USERNAME }} - password: ${{ secrets.GHCR_TOKEN }} + username: ${{ github.actor }} + password: ${{ github.token }} - name: Extract metadata (tags, labels) for Docker id: meta @@ -58,7 +54,7 @@ jobs: uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 with: context: . - push: true + push: ${{ github.event_name != 'pull_request' }} provenance: false platforms: ${{ inputs.build-platform }} tags: ${{ steps.meta.outputs.tags }} @@ -66,6 +62,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 + if: github.event_name != 'pull_request' with: image-ref: ${{ inputs.image-name }}:${{ steps.meta.outputs.version }} format: 'table' diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dc5da0c..8cc3003 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,7 +3,7 @@ name: CI on: push: branches: - - main + - "*" pull_request: {} env: @@ -119,29 +119,6 @@ jobs: run: | make test - sonarqube: - name: SonarQube Trigger - runs-on: ubuntu-latest - needs: detect-noop - if: needs.detect-noop.outputs.noop != 'true' - continue-on-error: true - - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - # Disabling shallow clone is recommended for improving relevancy of reporting - fetch-depth: 0 - - - name: SonarQube Scan - uses: sonarsource/sonarqube-scan-action@aecaf43ae57e412bd97d70ef9ce6076e672fe0a9 - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST }} - with: - args: > - -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }} - repo-slug: runs-on: ubuntu-latest outputs: @@ -170,6 +147,3 @@ jobs: with: image-name: ${{ needs.repo-slug.outputs.repo_slug }} build-platform: "linux/amd64,linux/arm64,linux/s390x,linux/ppc64le" - secrets: - GHCR_USERNAME: ${{ github.actor }} - GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml new file mode 100644 index 0000000..7ee10f5 --- /dev/null +++ b/.github/workflows/sonar.yml @@ -0,0 +1,31 @@ +name: Sonar + +on: + push: + branches: + - main + +permissions: + contents: read + +jobs: + sonarqube: + name: SonarQube Trigger + runs-on: ubuntu-latest + continue-on-error: true + + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + # Disabling shallow clone is recommended for improving relevancy of reporting + fetch-depth: 0 + + - name: SonarQube Scan + uses: sonarsource/sonarqube-scan-action@aecaf43ae57e412bd97d70ef9ce6076e672fe0a9 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST }} + with: + args: > + -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }} diff --git a/Dockerfile b/Dockerfile index 4faac5d..5b73ceb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o ma # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM --platform=$TARGETPLATFORM gcr.io/distroless/static:nonroot +FROM gcr.io/distroless/static:nonroot WORKDIR / COPY --from=builder /workspace/manager . USER 65532:65532