mirror of
https://github.com/coder/coder.git
synced 2026-06-02 20:48:20 +00:00
Nick Vigilante
aa87d55a6d
Three workflows besides `deploy-docs.yaml` ([DOCS-124](https://linear.app/codercom/issue/DOCS-124), [#25285](https://github.com/coder/coder/pull/25285)) self-reference in their `paths:` triggers: `docker-base.yaml`, `docs-ci.yaml`, `dogfood.yaml`. This was flagged during review of #25285 ([DEREM-1](https://github.com/coder/coder/pull/25285#discussion_r3234975475)) as a bug class worth treating uniformly. This PR is the audit. Each self-reference is either justified inline or removed: * **`docker-base.yaml`** keeps the self-reference. It's PR-only and gated by `push: ${{ github.event_name != 'pull_request' }}` on the `depot/build-push-action`, so PRs build the base image without publishing. * **`docs-ci.yaml`** drops the self-reference. The `lint` and `fmt` steps gate on `tj-actions/changed-files` matching `docs/**` or `**.md`, so a workflow-only run no-ops. `actionlint` and `make lint/actions` catch YAML problems before merge regardless. * **`dogfood.yaml`** keeps the self-reference. PR runs build images without pushing and run `terraform init` + `validate` only; pushes to main retag rolling tags on `codercom/oss-dogfood`, `oss-dogfood-vscode-coder`, and `oss-dogfood-nix`, plus `terraform apply` against dev.coder.com which produces new `coderd_template` versions with unchanged content. Idempotent and bounded. Refs DOCS-121, DOCS-129. <details> <summary>Decision table</summary> | Workflow | Self-ref location | Effect on workflow-only edit | Decision | |---|---|---|---| | `deploy-docs.yaml` | push + workflow_dispatch | Destructive (DOCS-121) | Removed in [#25285](https://github.com/coder/coder/pull/25285) | | `docker-base.yaml` | PR-only | Build base image, never push | Keep with inline comment | | `docs-ci.yaml` | push + PR | Empty run; lint/fmt skipped by `if:` | Remove (wasted runner minutes) | | `dogfood.yaml` | push + PR | PR: build without push, terraform validate. Main: retag rolling tags, terraform apply, new cosmetic template versions | Keep with inline comment | </details> --- _Coder Agents on behalf of @nickvigilante._
114 lines
3.7 KiB
YAML
114 lines
3.7 KiB
YAML
name: docker-base
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
paths:
|
|
- scripts/Dockerfile.base
|
|
- scripts/Dockerfile
|
|
|
|
pull_request:
|
|
# Self-reference on `pull_request` is intentional: a PR that edits this
|
|
# workflow runs the build to verify the YAML is well-formed and the
|
|
# base image still builds. Pushes are gated separately by
|
|
# `push: ${{ github.event_name != 'pull_request' }}` on the
|
|
# depot/build-push-action below, so a PR builds the image but never
|
|
# publishes it. See DOCS-129 for the broader workflow-self-reference
|
|
# audit.
|
|
paths:
|
|
- scripts/Dockerfile.base
|
|
- .github/workflows/docker-base.yaml
|
|
|
|
schedule:
|
|
# Run every week at 09:43 on Monday, Wednesday and Friday. We build this
|
|
# frequently to ensure that packages are up-to-date.
|
|
- cron: "43 9 * * 1,3,5"
|
|
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
# Avoid running multiple jobs for the same commit.
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}-docker-base
|
|
|
|
jobs:
|
|
build:
|
|
permissions:
|
|
# Necessary for depot.dev authentication.
|
|
id-token: write
|
|
# Necessary to push docker images to ghcr.io.
|
|
packages: write
|
|
runs-on: ubuntu-latest
|
|
if: github.repository_owner == 'coder'
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Docker login
|
|
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Create empty base-build-context directory
|
|
run: mkdir base-build-context
|
|
|
|
- name: Install depot.dev CLI
|
|
uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
|
|
|
|
# This uses OIDC authentication, so no auth variables are required.
|
|
- name: Build base Docker image via depot.dev
|
|
uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
|
|
with:
|
|
project: wl5hnrrkns
|
|
context: base-build-context
|
|
file: scripts/Dockerfile.base
|
|
platforms: linux/amd64,linux/arm64,linux/arm/v7
|
|
provenance: true
|
|
pull: true
|
|
no-cache: true
|
|
push: ${{ github.event_name != 'pull_request' }}
|
|
tags: |
|
|
ghcr.io/coder/coder-base:latest
|
|
|
|
- name: Verify that images are pushed properly
|
|
if: github.event_name != 'pull_request'
|
|
run: |
|
|
# retry 10 times with a 5 second delay as the images may not be
|
|
# available immediately
|
|
for i in {1..10}; do
|
|
rc=0
|
|
raw_manifests=$(docker buildx imagetools inspect --raw ghcr.io/coder/coder-base:latest) || rc=$?
|
|
if [[ "$rc" -eq 0 ]]; then
|
|
break
|
|
fi
|
|
if [[ "$i" -eq 10 ]]; then
|
|
echo "Failed to pull manifests after 10 retries"
|
|
exit 1
|
|
fi
|
|
echo "Failed to pull manifests, retrying in 5 seconds"
|
|
sleep 5
|
|
done
|
|
|
|
manifests=$(
|
|
echo "$raw_manifests" | \
|
|
jq -r '.manifests[].platform | .os + "/" + .architecture + (if .variant then "/" + .variant else "" end)'
|
|
)
|
|
|
|
# Verify all 3 platforms are present.
|
|
set -euxo pipefail
|
|
echo "$manifests" | grep -q linux/amd64
|
|
echo "$manifests" | grep -q linux/arm64
|
|
echo "$manifests" | grep -q linux/arm/v7
|