ci: improve Docker CI pipeline dispatched on PRs (#52)

Author: Djaytan

.github/semantic-release/release.sh

@@ -2,26 +2,23 @@
 
 set -Eeuo pipefail
 
-SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd -P)
-
 RELEASE_VERSION=$1
 RELEASE_CHANNEL=${2:-'default'}
 
+if [[ -z "$ROOT_PROJECT_DIR" ]]; then
+  echo 'Error: environment variable "ROOT_PROJECT_DIR" is not set.'
+  exit 1
+fi
+
+cd "$ROOT_PROJECT_DIR/src/main"
+
 export REGISTRY='docker.io'
-export BUILD_CONTEXT="$SCRIPT_DIR"
 export IMAGE_VERSION="$RELEASE_VERSION"
 
 # The default channel binds to the default Git branch (i.e. "main")
 # If we release from "main" branch -> we add the "latest" tag
 IS_LATEST_RELEASE="$([ "$RELEASE_CHANNEL" == 'default' ] && echo 'true' || echo 'false')"
 export IS_LATEST_RELEASE
 
-if [[ -z "$ROOT_PROJECT_DIR" ]]; then
-  echo 'Error: environment variable "ROOT_PROJECT_DIR" is not set.'
-  exit 1
-fi
-
-cd "$ROOT_PROJECT_DIR/src"
-
 docker buildx bake release --print
 docker buildx bake release --push

.github/workflows/ci.yml

@@ -11,8 +11,6 @@ on:
 
 permissions: {}
 
-# TODO: rework CI - Use the test.sh script and rely on the generated tag
-# TODO: fail if container run fails
 # TODO: do we want to test multi-arch build?
 # TODO: what about cache?
 jobs:
@@ -25,9 +23,6 @@ jobs:
       contents: read
       security-events: write # Required to upload found security gaps
 
-    env:
-      IMAGE_TAG: 'djaytan/papermc-server:${{ github.sha }}'
-
     steps:
       # Firewall rules:
       # -> "*.github.com": Standard interactions with GitHub
@@ -37,6 +32,8 @@ jobs:
       # -> "*.ubuntu.com": Standard interactions with Ubuntu APT repositories
       # -> "api.papermc.io": Dynamic retrieval of the PaperMC server
       # -> "mirror.gcr.io": Downloading of the Trivy security scanner
+      # -> "piston-data.mojang.com": Downloading of the Mojang server
+      # -> "api.minecraftservices.com": Downloading Yggdrasil public key for Reobfuscation
       - name: Harden runner
         uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
         with:
@@ -55,6 +52,8 @@ jobs:
             security.ubuntu.com:80
             api.papermc.io:443
             mirror.gcr.io:443
+            piston-data.mojang.com:443
+            api.minecraftservices.com:443
 
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -67,17 +66,13 @@ jobs:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Build
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
-        with:
-          context: src/
-          tags: ${{ env.IMAGE_TAG }}
-          load: true # Load into daemon for test usage in next step
+      - name: Build & Test
+        run: src/test/build-and-test.sh
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
         with:
-          image-ref: ${{ env.IMAGE_TAG }}
+          image-ref: djaytan/papermc-server:dev
           format: sarif
           output: results.sarif
 

src/Dockerfile src/main/Dockerfilesrc/Dockerfile renamed to src/main/Dockerfile

@@ -38,7 +38,7 @@ RUN apt-get update && \
     apt-get clean
 
 # Retrieve latest Paper server for the given version
-COPY --chmod=500 build/get-papermc-server.sh .
+COPY --chmod=500 get-papermc-server.sh .
 RUN ./get-papermc-server.sh "$MINECRAFT_VERSION"
 
 FROM docker.io/eclipse-temurin:21-jre-noble@sha256:3ef64ec531571987f58ccc90bd3d7f92950539f1baa00a5c45b660d6faccf37d
@@ -68,7 +68,6 @@ WORKDIR /home/papermc
 COPY --from=build --chown=papermc --chmod=500 /build/papermc-server-*.jar ./
 
 # Copy license file
-# TODO: rely on named build context instead: https://docs.docker.com/build/concepts/context/#named-contexts
 ADD --chmod=444 https://raw.githubusercontent.com/Djaytan/docker-papermc-server/refs/heads/main/LICENSE.md .
 
 # Copy the configuration files
@@ -85,3 +84,5 @@ EXPOSE 25565/tcp
 EXPOSE 25565/udp
 
 ENTRYPOINT ["./start.sh"]
+
+# TODO: healthcheck