Securely build and push Docker images #292
Codecov Report
@@ Coverage Diff @@
## main #292 +/- ##
==========================================
- Coverage 51.43% 51.42% -0.01%
==========================================
Files 114 114
Lines 5448 5451 +3
==========================================
+ Hits 2802 2803 +1
- Misses 2229 2231 +2
Partials 417 417
.github/workflows/docker.yml
# * We limit what third-party actions can be used. | ||
|
||
# We also tried a different approach: build Docker image in one normal, secure `pull_request` workflow, | ||
# upload artifact, and the download and publish in another workflow that has access to secrets, but treats |
# upload artifact, and the download and publish in another workflow that has access to secrets, but treats | |
# upload artifact, and then download and publish it in another workflow that has access to secrets, but treats |
Overall, looks good to me. Too bad importing the image didn't work. With that caveat, this is the best that can be done.
switch s.Key { | ||
case "vcs.revision": | ||
info.Commit = s.Value | ||
if s.Value != info.Commit { |
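Review bot: in the `vcs.revision` case, `if s.Value != info.Commit {` only works as a consistency check if `info.Commit` is already populated from an independent source before the build settings are read. If it can still be empty at this point, every build would take the mismatch branch. Consider handling the empty case explicitly, or add a short comment stating where `info.Commit` is set, and include both values in whatever the mismatch branch reports so a failed build is easy to diagnose.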
I like the way that this ensures that the version info which is used for builds is consistent with git.
Refs #70.
Closes #224.