
Address CodeQL warnings #187

Address CodeQL warnings


# Copyright (C) 2024 Roberto Rossini <roberros@uio.no>
#
# SPDX-License-Identifier: MIT
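name: Build Dockerfile

on:
  push:
    branches: [main]
    paths:
      - ".github/workflows/cache-test-datasets.yml"
      - ".github/workflows/build-dockerfile.yml"
      - "src/**"
      - "test/**"
      - ".dockerignore"
      - ".gitignore"
      - "Dockerfile"
      - "LICENCE"
      - "pyproject.toml"
      - "README.md"
    tags:
      - "v*.*.*"
  pull_request:
    paths:
      - ".github/workflows/cache-test-datasets.yml"
      - ".github/workflows/build-dockerfile.yml"
      - "src/**"
      - "test/**"
      - ".dockerignore"
      - ".gitignore"
      - "Dockerfile"
      - "LICENCE"
      - "pyproject.toml"
      - "README.md"

# One in-flight run per PR (or per ref for pushes); newer runs cancel older ones.
# https://stackoverflow.com/a/72408109
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

defaults:
  run:
    shell: bash

# Token scopes for the whole workflow. Values here must be literal scope names:
# the Actions loader rejects `${{ ... }}` expressions under `permissions`
# ("Unrecognized named-value: 'github'"), so the write scope cannot be made
# conditional on the event name at this level. Requesting it statically is
# acceptable because the only `push: true` step is gated on
# `github.event_name != 'pull_request'`, and pull requests from forks receive
# a read-only GITHUB_TOKEN by default regardless of what is requested.
permissions:
  contents: read
  packages: write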

Check failure on line 48 in .github/workflows/build-dockerfile.yml



Invalid workflow file

The workflow is not valid. .github/workflows/build-dockerfile.yml (Line: 48, Col: 13): Unrecognized named-value: 'github'. Located at position 1 within expression: github.event_name == 'pull_request' && 'read' || 'write' .github/workflows/build-dockerfile.yml (Line: 48, Col: 13): Unexpected value '${{ github.event_name == 'pull_request' && 'read' || 'write' }}'
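jobs:
  cache-test-datasets:
    name: Cache test dataset
    uses: paulsengroup/StripePy/.github/workflows/cache-test-datasets.yml@main

  build-dockerfile:
    name: Build Dockerfile
    needs: [cache-test-datasets]
    runs-on: ubuntu-latest
    # Least privilege for the only job that talks to registries: the
    # GITHUB_TOKEN needs `packages: write` to push images and the build cache
    # to GHCR, and `contents: read` for checkout. Job-level permissions replace
    # the workflow-level block entirely, so both scopes are listed.
    permissions:
      contents: read
      packages: write
    steps:
      # TODO(review): the actions/* steps below are pinned to floating major
      # tags while every docker/* step is pinned to a commit SHA; pin these the
      # same way so a tag move cannot change what runs here.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history: `hatchling version` derives the version from git tags

      - name: Generate build requirements
        run: |
          echo hatchling > requirements.txt
          echo hatch_vcs >> requirements.txt

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"  # quoted: a version is a string, not a float
          cache: pip

      - name: Install build requirements
        run: pip install -r requirements.txt

      - name: Restore test dataset
        uses: actions/cache/restore@v4
        with:
          key: ${{ needs.cache-test-datasets.outputs.cache-key }}
          path: test/data/
          fail-on-cache-miss: true
          enableCrossOsArchive: true

      # Computes the build metadata (base image digest, git hash, date,
      # version, cache refs) once and exposes it via $GITHUB_OUTPUT so the
      # build steps below stay identical across platforms.
      - name: Generate build args
        id: build-args
        run: |
          set -e
          set -u
          set -o pipefail

          BASE_IMAGE='docker.io/library/python:3.13'
          docker pull "$BASE_IMAGE"
          # Pin the base image by content digest, not by tag.
          BASE_IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}' "$BASE_IMAGE" | cut -f 2 -d '@')"

          GIT_HASH="$(git rev-parse HEAD)"
          CREATION_DATE="$(date --iso-8601)"
          VERSION="$(hatchling version)"

          # Read the repository name from the runner environment rather than
          # interpolating a `${{ }}` expression into the script body. The value
          # is the same, but it keeps this `run:` step free of the
          # expression-injection pattern that CodeQL flags.
          REPO="$GITHUB_REPOSITORY"
          REPO_LOWERCASE="${REPO,,}"  # registry paths must be lowercase
          CACHE_REGISTRY="ghcr.io/$REPO_LOWERCASE:buildcache"

          echo "BASE_IMAGE=$BASE_IMAGE" | tee -a "$GITHUB_OUTPUT"
          echo "BASE_IMAGE_DIGEST=$BASE_IMAGE_DIGEST" | tee -a "$GITHUB_OUTPUT"
          echo "GIT_HASH=$GIT_HASH" | tee -a "$GITHUB_OUTPUT"
          echo "CREATION_DATE=$CREATION_DATE" | tee -a "$GITHUB_OUTPUT"
          echo "VERSION=$VERSION" | tee -a "$GITHUB_OUTPUT"
          echo "CACHE_REGISTRY_X86=$CACHE_REGISTRY-x86" | tee -a "$GITHUB_OUTPUT"
          echo "CACHE_REGISTRY_ARM64=$CACHE_REGISTRY-arm64" | tee -a "$GITHUB_OUTPUT"
          echo "REPO_LOWERCASE=$REPO_LOWERCASE" | tee -a "$GITHUB_OUTPUT"

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
        with:
          images: ${{ steps.build-args.outputs.REPO_LOWERCASE }},ghcr.io/${{ steps.build-args.outputs.REPO_LOWERCASE }}
          flavor: |
            latest=true
          tags: |
            type=semver,priority=1000,pattern={{version}}
            type=sha,priority=900
            type=ref,priority=700,event=branch
            type=ref,priority=600,event=pr

      # Docker Hub credentials are repository secrets, so this login is skipped
      # on pull requests (secrets are unavailable to fork PRs anyway).
      - name: Login to DockerHub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # GHCR login also runs on PRs: the build cache is pulled from GHCR and a
      # read-only GITHUB_TOKEN is sufficient for that.
      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # 3.8.0
        with:
          platforms: linux/amd64,linux/arm64

      # QEMU is only needed for the arm64 build, which PRs skip.
      - name: Set up QEMU
        if: github.event_name != 'pull_request'
        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # 3.3.0
        with:
          platforms: arm64

      # Non-PR x86 build: loads the image locally for testing and refreshes
      # the registry build cache.
      - name: Build Docker image (x86)
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
        with:
          context: ${{ github.workspace }}
          load: true
          push: false
          cache-from: type=registry,ref=${{ steps.build-args.outputs.CACHE_REGISTRY_X86 }}
          cache-to: type=registry,ref=${{ steps.build-args.outputs.CACHE_REGISTRY_X86 }},mode=max,compression=zstd
          tags: stripepy:x86
          platforms: linux/amd64
          build-args: |
            BASE_IMAGE=${{ steps.build-args.outputs.BASE_IMAGE }}
            BASE_IMAGE_DIGEST=${{ steps.build-args.outputs.BASE_IMAGE_DIGEST }}
            GIT_HASH=${{ steps.build-args.outputs.GIT_HASH }}
            CREATION_DATE=${{ steps.build-args.outputs.CREATION_DATE }}
            VERSION=${{ steps.build-args.outputs.VERSION }}

      # PR x86 build: same as above but read-only against the cache, since a
      # PR token cannot (and should not) write to the registry.
      - name: Build Docker image (x86; PR)
        if: github.event_name == 'pull_request'
        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
        with:
          context: ${{ github.workspace }}
          load: true
          push: false
          cache-from: type=registry,ref=${{ steps.build-args.outputs.CACHE_REGISTRY_X86 }}
          tags: stripepy:x86
          platforms: linux/amd64
          build-args: |
            BASE_IMAGE=${{ steps.build-args.outputs.BASE_IMAGE }}
            BASE_IMAGE_DIGEST=${{ steps.build-args.outputs.BASE_IMAGE_DIGEST }}
            GIT_HASH=${{ steps.build-args.outputs.GIT_HASH }}
            CREATION_DATE=${{ steps.build-args.outputs.CREATION_DATE }}
            VERSION=${{ steps.build-args.outputs.VERSION }}

      - name: Test Docker image (x86)
        run: utils/devel/test_docker_image.sh stripepy:x86

      - name: Build Docker image (arm64)
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
        with:
          context: ${{ github.workspace }}
          push: false
          cache-from: type=registry,ref=${{ steps.build-args.outputs.CACHE_REGISTRY_ARM64 }}
          cache-to: type=registry,ref=${{ steps.build-args.outputs.CACHE_REGISTRY_ARM64 }},mode=max,compression=zstd
          tags: stripepy:arm64
          platforms: linux/arm64
          build-args: |
            BASE_IMAGE=${{ steps.build-args.outputs.BASE_IMAGE }}
            BASE_IMAGE_DIGEST=${{ steps.build-args.outputs.BASE_IMAGE_DIGEST }}
            GIT_HASH=${{ steps.build-args.outputs.GIT_HASH }}
            CREATION_DATE=${{ steps.build-args.outputs.CREATION_DATE }}
            VERSION=${{ steps.build-args.outputs.VERSION }}

      # The only step that publishes; it reuses both per-platform caches so the
      # multi-arch manifest is assembled without rebuilding.
      - name: Push image to registries
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
        with:
          context: ${{ github.workspace }}
          push: true
          cache-from: |
            type=registry,ref=${{ steps.build-args.outputs.CACHE_REGISTRY_X86 }}
            type=registry,ref=${{ steps.build-args.outputs.CACHE_REGISTRY_ARM64 }}
          tags: ${{ steps.meta.outputs.tags }}
          platforms: linux/amd64,linux/arm64
          build-args: |
            BASE_IMAGE=${{ steps.build-args.outputs.BASE_IMAGE }}
            BASE_IMAGE_DIGEST=${{ steps.build-args.outputs.BASE_IMAGE_DIGEST }}
            GIT_HASH=${{ steps.build-args.outputs.GIT_HASH }}
            CREATION_DATE=${{ steps.build-args.outputs.CREATION_DATE }}
            VERSION=${{ steps.build-args.outputs.VERSION }}

  # Single required status check that reflects the build job's result; it
  # runs even when the build is skipped or cancelled so the check never hangs.
  build-dockerfile-status-check:
    name: Status Check (Build Dockerfile)
    if: ${{ always() }}
    runs-on: ubuntu-latest
    needs:
      - build-dockerfile
    permissions: {}  # this job only inspects `needs`; it needs no token scopes
    steps:
      - name: Collect job results
        if: needs.build-dockerfile.result != 'success'
        run: exit 1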