

Remove pull_request_target triggers and minimize credential use [SAME…
… VERSION] [IGNORE INTERMEDIATE BUILDS] (#161)

* remove dockerhub credentials from workflows

* add link to repo to intermediate containers

* remove pull_request_target

* only log into docker when pushing changes to ghcr
bfjelds authored Dec 5, 2020
1 parent aaa8d8a commit 89b69bb
Showing 22 changed files with 28 additions and 427 deletions.
8 changes: 1 addition & 7 deletions .github/actions/build-component-multi-arch/action.yml
Expand Up @@ -20,13 +20,7 @@ inputs:
description: Component prefix used by Makefile
required: true
github_event_name:
description: Specify the github event name (push, pull_request_target, release, etc)
required: true
dockerhub_username:
description: Dockerhub name
required: true
dockerhub_password:
description: Dockerhub password
description: Specify the github event name (push, pull_request, release, etc)
required: true
runs:
using: 'node12'
3 changes: 0 additions & 3 deletions .github/actions/build-component-multi-arch/main.js
Expand Up @@ -30,9 +30,6 @@ async function shell_cmd(cmd) {
const latest_label = `latest${dev_suffix}`;
console.log(`Use labels: versioned=${versioned_label} latest=${latest_label}`);

console.log(`Log into dockerhub to avoid throttled anonymous dockerhub pulls user=${core.getInput('dockerhub_username')}`);
await shell_cmd(`echo "${core.getInput('dockerhub_password')}" | docker login -u ${core.getInput('dockerhub_username')} --password-stdin`);

console.log(`Login into Container Registry user=${core.getInput('container_registry_username')} repo=${core.getInput('container_registry_base_url')}`);
await shell_cmd(`echo "${core.getInput('container_registry_password')}" | docker login -u ${core.getInput('container_registry_username')} --password-stdin ${core.getInput('container_registry_base_url')}`);

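Review bot: The registry login kept at the end of this hunk still routes the secret through a shell pipeline, `echo "${core.getInput('container_registry_password')}" | docker login ... --password-stdin`, so the password becomes part of the command string that shell_cmd (defined outside the hunk) hands to the shell, and a `"`, `$` or backtick in the secret would break or alter the command. Feeding it to the process's stdin avoids both problems, e.g. `child_process.execFileSync('docker', ['login', '-u', core.getInput('container_registry_username'), '--password-stdin', core.getInput('container_registry_base_url')], { input: core.getInput('container_registry_password'), stdio: ['pipe', 'inherit', 'inherit'] });`, which also keeps the secret out of the shell's argument list on the runner. The sibling actions call `child_process` directly; whether this file already imports it is not visible in the hunk. The same pipeline form is on the new side of build-component-per-arch/main.js and build-intermediate/main.js.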
8 changes: 1 addition & 7 deletions .github/actions/build-component-per-arch/action.yml
Expand Up @@ -26,7 +26,7 @@ inputs:
description: Specify whether rust is being built
required: true
github_event_name:
description: Specify the github event name (push, pull_request_target, release, etc)
description: Specify the github event name (push, pull_request, release, etc)
required: true
github_ref:
description: Specify the github ref
Expand All @@ -37,12 +37,6 @@ inputs:
github_merged:
description: Specify whether a PR has been merged
required: true
dockerhub_username:
description: Dockerhub name
required: true
dockerhub_password:
description: Dockerhub password
required: true
runs:
using: 'node12'
main: 'main.js'
9 changes: 3 additions & 6 deletions .github/actions/build-component-per-arch/main.js
Expand Up @@ -25,9 +25,6 @@ async function shell_cmd(cmd) {
try {
console.log(`Start main.js`)

console.log(`Log into dockerhub to avoid throttled anonymous dockerhub pulls user=${core.getInput('dockerhub_username')}`);
await shell_cmd(`echo "${core.getInput('dockerhub_password')}" | docker login -u ${core.getInput('dockerhub_username')} --password-stdin`);

console.log(`Use multiarch/qemu-user-static to configure cross-plat`);
await shell_cmd('docker run --rm --privileged multiarch/qemu-user-static --reset -p yes');

Expand Down Expand Up @@ -67,9 +64,6 @@ async function shell_cmd(cmd) {
}
console.log(`Makefile build target suffix: ${makefile_target_suffix}`)

console.log(`Login into Container Registry user=${core.getInput('container_registry_username')} repo=${core.getInput('container_registry_base_url')}`);
await shell_cmd(`echo "${core.getInput('container_registry_password')}" | docker login -u ${core.getInput('container_registry_username')} --password-stdin ${core.getInput('container_registry_base_url')}`);

if (core.getInput('build_rust') == '1') {
console.log(`Install Rust`)
child_process.execSync(`curl https://sh.rustup.rs | sh -s -- -y --default-toolchain=1.41.0`);
Expand Down Expand Up @@ -102,6 +96,9 @@ async function shell_cmd(cmd) {
await shell_cmd(`docker run ${image_name} find container-images-legal-notice.md | wc -l | grep -v 0`)

if (push_containers == "1") {
console.log(`Login into Container Registry user=${core.getInput('container_registry_username')} repo=${core.getInput('container_registry_base_url')}`);
await shell_cmd(`echo "${core.getInput('container_registry_password')}" | docker login -u ${core.getInput('container_registry_username')} --password-stdin ${core.getInput('container_registry_base_url')}`);

console.log(`Push the versioned container: make ${core.getInput('makefile_component_name')}-docker-per-arch-${makefile_target_suffix}`)
process.env.LABEL_PREFIX = `${versioned_label}`
await exec.exec(`make ${core.getInput('makefile_component_name')}-docker-per-arch-${makefile_target_suffix}`)
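Review bot: The login moved into the `push_containers == "1"` branch has no matching logout, so the registry token that `docker login` writes to the runner's Docker config stays in place for the rest of the job and, on a self-hosted runner, beyond it. Once the push commands are done, run a `docker logout` of `container_registry_base_url` through `shell_cmd`, ideally from a `finally` on the `try` that opens in the first hunk (its handler is outside the hunks shown). build-intermediate/main.js makes the same move and would take the same logout.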
8 changes: 1 addition & 7 deletions .github/actions/build-intermediate/action.yml
Expand Up @@ -23,7 +23,7 @@ inputs:
description: Platform to build (amd64|arm64|arm32)
required: true
github_event_name:
description: Specify the github event name (push, pull_request_target, release, etc)
description: Specify the github event name (push, pull_request, release, etc)
required: true
github_ref:
description: Specify the github ref
Expand All @@ -34,12 +34,6 @@ inputs:
github_merged:
description: Specify whether a PR has been merged
required: true
dockerhub_username:
description: Dockerhub name
required: true
dockerhub_password:
description: Dockerhub password
required: true
runs:
using: 'node12'
main: 'main.js'
9 changes: 3 additions & 6 deletions .github/actions/build-intermediate/main.js
Expand Up @@ -25,9 +25,6 @@ async function shell_cmd(cmd) {
try {
console.log(`Start main.js`)

console.log(`Log into dockerhub to avoid throttled anonymous dockerhub pulls user=${core.getInput('dockerhub_username')}`);
await shell_cmd(`echo "${core.getInput('dockerhub_password')}" | docker login -u ${core.getInput('dockerhub_username')} --password-stdin`);

console.log(`Use multiarch/qemu-user-static to configure cross-plat`);
child_process.execSync('docker run --rm --privileged multiarch/qemu-user-static --reset -p yes');

Expand Down Expand Up @@ -62,15 +59,15 @@ async function shell_cmd(cmd) {
}
console.log(`Makefile build target suffix: ${makefile_target_suffix}`)

console.log(`Login into Container Registry user=${core.getInput('container_registry_username')} repo=${core.getInput('container_registry_base_url')}`);
await shell_cmd(`echo "${core.getInput('container_registry_password')}" | docker login -u ${core.getInput('container_registry_username')} --password-stdin ${core.getInput('container_registry_base_url')}`);

process.env.PREFIX = `${core.getInput('container_prefix')}`

console.log(`Build the versioned container: make ${core.getInput('makefile_component_name')}-build-${makefile_target_suffix}`)
await exec.exec(`make ${core.getInput('makefile_component_name')}-build-${makefile_target_suffix}`)

if (push_containers == "1") {
console.log(`Login into Container Registry user=${core.getInput('container_registry_username')} repo=${core.getInput('container_registry_base_url')}`);
await shell_cmd(`echo "${core.getInput('container_registry_password')}" | docker login -u ${core.getInput('container_registry_username')} --password-stdin ${core.getInput('container_registry_base_url')}`);

console.log(`Push the versioned container: make ${core.getInput('makefile_component_name')}-docker-per-arch-${makefile_target_suffix}`)
await exec.exec(`make ${core.getInput('makefile_component_name')}-docker-per-arch-${makefile_target_suffix}`)
} else {
32 changes: 0 additions & 32 deletions .github/workflows/build-agent-container.yml
Expand Up @@ -13,18 +13,6 @@ on:
- version.txt
- build/akri-containers.mk
- Makefile
pull_request_target:
branches: [ main ]
paths:
- .github/actions/build-component-per-arch/**
- .github/actions/build-component-multi-arch/**
- .github/workflows/build-agent-container.yml
- build/containers/Dockerfile.agent
- agent/**
- shared/**
- version.txt
- build/akri-containers.mk
- Makefile
pull_request:
branches: [ main ]
paths:
Expand All @@ -48,11 +36,6 @@ env:
jobs:

per-arch:
# Run workflow pull_request if it is NOT a fork, as pull_request_target if it IS a fork
if: >-
( github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.fork == true ) ||
( github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false ) ||
( !(startsWith(github.event_name, 'pull_request')) )
runs-on: ubuntu-latest
timeout-minutes: 40
strategy:
Expand All @@ -63,18 +46,7 @@ jobs:
- amd64

steps:
- name: Checkout the merged commit from PR and base branch
uses: actions/checkout@v2
if: github.event_name == 'pull_request_target'
with:
# pull_request_target is run in the context of the base repository
# of the pull request, so the default ref is master branch and
# ref should be manually set to the head of the PR
ref: refs/pull/${{ github.event.pull_request.number }}/head
persist-credentials: false

- name: Checkout the head commit of the branch
if: ${{ github.event_name != 'pull_request_target' }}
uses: actions/checkout@v2
with:
persist-credentials: false
Expand All @@ -100,8 +72,6 @@ jobs:
container_registry_base_url: ghcr.io
container_registry_username: ${{ secrets.crUsername }}
container_registry_password: ${{ secrets.crPassword }}
dockerhub_username: ${{ secrets.dhUsername }}
dockerhub_password: ${{ secrets.dhPassword }}
makefile_component_name: ${{ env.MAKEFILE_COMPONENT }}
platform: ${{ matrix.arch }}
build_rust: "1"
Expand Down Expand Up @@ -136,6 +106,4 @@ jobs:
container_registry_base_url: ghcr.io
container_registry_username: ${{ secrets.crUsername }}
container_registry_password: ${{ secrets.crPassword }}
dockerhub_username: ${{ secrets.dhUsername }}
dockerhub_password: ${{ secrets.dhPassword }}
makefile_component_name: ${{ env.MAKEFILE_COMPONENT }}
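Review bot: With `pull_request_target` removed, a `pull_request` run opened from a fork receives no `secrets.*` values, so the `container_registry_username`/`container_registry_password` inputs set from `secrets.crUsername`/`secrets.crPassword` at both sites in this file are empty on that path; the per-arch action now logs in only when pushing, but the multi-arch action's login is unconditional in its hunk, so the multi-arch job needs to be gated so it does not run on `pull_request` events (its job-level `if`, if one exists, is outside this hunk — confirm). A comment above the remaining checkout step would record that contract, e.g. `# pull_request runs from forks get a read-only token and no secrets; nothing on this path may require registry credentials`. The same applies to build-controller-container.yml, build-onvif-video-broker-container.yml and build-opencv-base-container.yml.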
32 changes: 0 additions & 32 deletions .github/workflows/build-controller-container.yml
Expand Up @@ -25,18 +25,6 @@ on:
- version.txt
- build/akri-containers.mk
- Makefile
pull_request_target:
branches: [ main ]
paths:
- .github/actions/build-component-per-arch/**
- .github/actions/build-component-multi-arch/**
- .github/workflows/build-controller-container.yml
- build/containers/Dockerfile.controller
- controller/**
- shared/**
- version.txt
- build/akri-containers.mk
- Makefile
release:
types:
- published
Expand All @@ -48,11 +36,6 @@ env:
jobs:

per-arch:
# Run workflow pull_request if it is NOT a fork, as pull_request_target if it IS a fork
if: >-
( github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.fork == true ) ||
( github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false ) ||
( !(startsWith(github.event_name, 'pull_request')) )
runs-on: ubuntu-latest
timeout-minutes: 40
strategy:
Expand All @@ -62,18 +45,7 @@ jobs:
- arm32v7
- amd64
steps:
- name: Checkout the merged commit from PR and base branch
uses: actions/checkout@v2
if: github.event_name == 'pull_request_target'
with:
# pull_request_target is run in the context of the base repository
# of the pull request, so the default ref is master branch and
# ref should be manually set to the head of the PR
ref: refs/pull/${{ github.event.pull_request.number }}/head
persist-credentials: false

- name: Checkout the head commit of the branch
if: ${{ github.event_name != 'pull_request_target' }}
uses: actions/checkout@v2
with:
persist-credentials: false
Expand All @@ -99,8 +71,6 @@ jobs:
container_registry_base_url: ghcr.io
container_registry_username: ${{ secrets.crUsername }}
container_registry_password: ${{ secrets.crPassword }}
dockerhub_username: ${{ secrets.dhUsername }}
dockerhub_password: ${{ secrets.dhPassword }}
makefile_component_name: ${{ env.MAKEFILE_COMPONENT }}
platform: ${{ matrix.arch }}
build_rust: "1"
Expand Down Expand Up @@ -135,6 +105,4 @@ jobs:
container_registry_base_url: ghcr.io
container_registry_username: ${{ secrets.crUsername }}
container_registry_password: ${{ secrets.crPassword }}
dockerhub_username: ${{ secrets.dhUsername }}
dockerhub_password: ${{ secrets.dhPassword }}
makefile_component_name: ${{ env.MAKEFILE_COMPONENT }}
31 changes: 0 additions & 31 deletions .github/workflows/build-onvif-video-broker-container.yml
Expand Up @@ -23,17 +23,6 @@ on:
- version.txt
- build/akri-containers.mk
- Makefile
pull_request_target:
branches: [ main ]
paths:
- .github/actions/build-component-per-arch/**
- .github/actions/build-component-multi-arch/**
- .github/workflows/build-onvif-video-broker-container.yml
- build/containers/Dockerfile.onvif-video-broker
- samples/brokers/onvif-video-broker/**
- version.txt
- build/akri-containers.mk
- Makefile
release:
types:
- published
Expand All @@ -45,11 +34,6 @@ env:
jobs:

per-arch:
# Run workflow pull_request if it is NOT a fork, as pull_request_target if it IS a fork
if: >-
( github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.fork == true ) ||
( github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false ) ||
( !(startsWith(github.event_name, 'pull_request')) )
runs-on: ubuntu-latest
timeout-minutes: 20
strategy:
Expand All @@ -60,18 +44,7 @@ jobs:
- amd64

steps:
- name: Checkout the merged commit from PR and base branch
uses: actions/checkout@v2
if: github.event_name == 'pull_request_target'
with:
# pull_request_target is run in the context of the base repository
# of the pull request, so the default ref is master branch and
# ref should be manually set to the head of the PR
ref: refs/pull/${{ github.event.pull_request.number }}/head
persist-credentials: false

- name: Checkout the head commit of the branch
if: ${{ github.event_name != 'pull_request_target' }}
uses: actions/checkout@v2
with:
persist-credentials: false
Expand All @@ -97,8 +70,6 @@ jobs:
container_registry_base_url: ghcr.io
container_registry_username: ${{ secrets.crUsername }}
container_registry_password: ${{ secrets.crPassword }}
dockerhub_username: ${{ secrets.dhUsername }}
dockerhub_password: ${{ secrets.dhPassword }}
makefile_component_name: ${{ env.MAKEFILE_COMPONENT }}
platform: ${{ matrix.arch }}
build_rust: "0"
Expand Down Expand Up @@ -133,6 +104,4 @@ jobs:
container_registry_base_url: ghcr.io
container_registry_username: ${{ secrets.crUsername }}
container_registry_password: ${{ secrets.crPassword }}
dockerhub_username: ${{ secrets.dhUsername }}
dockerhub_password: ${{ secrets.dhPassword }}
makefile_component_name: ${{ env.MAKEFILE_COMPONENT }}
26 changes: 1 addition & 25 deletions .github/workflows/build-opencv-base-container.yml
Expand Up @@ -17,14 +17,6 @@ on:
- build/containers/intermediate/Dockerfile.opencvsharp-build
- build/intermediate-containers.mk
- Makefile
pull_request_target:
branches: [ main ]
paths:
- .github/actions/build-intermediate/**
- .github/workflows/build-opencv-base-container.yml
- build/containers/intermediate/Dockerfile.opencvsharp-build
- build/intermediate-containers.mk
- Makefile

env:
AKRI_COMPONENT: opencvsharp-build
Expand All @@ -35,10 +27,7 @@ jobs:
per-arch:
if: >-
!contains(github.event.pull_request.title, '[IGNORE INTERMEDIATE BUILDS]') &&
!contains(github.event.commits[0].message, '[IGNORE INTERMEDIATE BUILDS]') &&
(( github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.fork == true ) ||
( github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false ) ||
( !(startsWith(github.event_name, 'pull_request')) ))
!contains(github.event.commits[0].message, '[IGNORE INTERMEDIATE BUILDS]')
runs-on: ubuntu-latest
strategy:
matrix:
Expand All @@ -47,18 +36,7 @@ jobs:
- arm32v7
- amd64
steps:
- name: Checkout the merged commit from PR and base branch
uses: actions/checkout@v2
if: github.event_name == 'pull_request_target'
with:
# pull_request_target is run in the context of the base repository
# of the pull request, so the default ref is master branch and
# ref should be manually set to the head of the PR
ref: refs/pull/${{ github.event.pull_request.number }}/head
persist-credentials: false

- name: Checkout the head commit of the branch
if: ${{ github.event_name != 'pull_request_target' }}
uses: actions/checkout@v2
with:
persist-credentials: false
Expand Down Expand Up @@ -104,7 +82,5 @@ jobs:
container_registry_base_url: ghcr.io
container_registry_username: ${{ secrets.crUsername }}
container_registry_password: ${{ secrets.crPassword }}
dockerhub_username: ${{ secrets.dhUsername }}
dockerhub_password: ${{ secrets.dhPassword }}
makefile_component_name: ${{ env.MAKEFILE_COMPONENT }}
platform: ${{ matrix.arch }}
