From 6d207118cfbf6155dc331827d431e27399d5e6e1 Mon Sep 17 00:00:00 2001 From: Francesco Montorsi Date: Tue, 7 May 2024 23:00:26 +0200 Subject: [PATCH] Fix lack of secrets in dependabot PRs (#46) This PR is fixing the lack of secrets in dependabot PRs, which makes dependabot PRs fail. See https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets for more info. This PR also breaks up the pipeline in 3 parallel stages, so it runs faster. --- .github/workflows/main.yml | 35 ++++++++++++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index cdd492f..be735b4 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -7,7 +7,7 @@ on: [push] jobs: - build: + test_dependencies: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -18,10 +18,19 @@ jobs: run: | python -m pip install --upgrade pip pip install -r requirements.txt + + lint_code: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: '3.11' - name: Lint code with flake8 run: | pip install flake8 - flake8 + echo "Running flake8 on repo" + flake8 -v # TODO: it would be nice to have the project published on Pypi for easy installation via pip: #- name: Publish package 
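Review bot: The new `lint_code` job declares no `permissions:`, so its `GITHUB_TOKEN` gets the repository's default scopes even though the job only checks out code and runs flake8. Adding `permissions:` with `contents: read` under `lint_code:` keeps it least-privilege; the same applies to `build_docker` in the next hunk, or it can be set once at workflow level, outside this hunk. `pip install flake8` is also unpinned, so the linter code executed in CI can change between runs; `pip install flake8==<version>` (placeholder, pick the version you have vetted) would make the job reproducible.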
@@ -29,8 +38,27 @@ jobs: # with: # password: ${{ secrets.PYPI_API_TOKEN }} + build_docker: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Build Docker image (no push) + # see https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets + # for the reason why DependaBot pull requests have no access to secrets like ${{ secrets.PAT_TOKEN_FOR_GITHUB }} + if: ${{ github.actor == 'dependabot[bot]' }} + uses: mr-smithers-excellent/docker-build-push@v6 + with: + # options related to BUILDing the docker image: + dockerfile: ./Dockerfile + multiPlatform: true + platform: linux/amd64,linux/arm64,linux/arm/v7 + image: psmqtt + # options related to PUSHing the docker image: + pushImage: false - name: Build and push Docker image + if: ${{ github.actor != 'dependabot[bot]' }} uses: mr-smithers-excellent/docker-build-push@v6 with: # options related to BUILDing the docker image: @@ -40,5 +68,6 @@ jobs: image: psmqtt # options related to PUSHing the docker image: registry: ghcr.io - username: eschava + username: ${{ github.actor }} password: ${{ secrets.PAT_TOKEN_FOR_GITHUB }} + pushImage: true
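Review bot: Both `if:` conditions key on `github.actor`, which names whoever triggered the run rather than the branch being built. On this `on: [push]` workflow any push by a non-Dependabot account, including a maintainer's commit on top of a Dependabot branch, therefore takes the "Build and push Docker image" path with the PAT. If publishing from every branch is not intended, gate that step on the ref as well, e.g. `if: ${{ github.actor != 'dependabot[bot]' && github.ref == 'refs/heads/<default-branch>' }}` (placeholder branch name). The added step is also a second `uses: mr-smithers-excellent/docker-build-push@v6`; the tag is mutable and the sibling step hands this action a token, so pinning both to a full commit SHA (`@<commit-sha> # v6`) would be safer. The `with:` block of the push step continues into the next hunk.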
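Review bot: `username: ${{ github.actor }}` now varies with whoever pushed, while `password:` is still the fixed `secrets.PAT_TOKEN_FOR_GITHUB`. The credential pair therefore no longer names one identity, and a long-lived personal token stays wired into the workflow. For ghcr.io the job's own token is usually sufficient: `password: ${{ secrets.GITHUB_TOKEN }}` plus `permissions:` with `packages: write` and `contents: read` on `build_docker`, which is short-lived and scoped to this repository. Whether the `psmqtt` package is linked to this repository so that `GITHUB_TOKEN` may push to it is not visible in the diff and needs confirming before switching.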