chore: build docker images in ci without pushing

Julusian · Julusian · commit 6da42ecd4605 · 2026-01-20T15:08:50.000Z
diff --git a/.github/workflows/node.yaml b/.github/workflows/node.yaml
@@ -106,118 +106,103 @@ jobs:
       - uses: actions/checkout@v6
         with:
           persist-credentials: false
-      - name: Determine if images should be published to DockerHub
-        id: dockerhub
-        run: |
-          # check if a release branch, or main, or a tag
-          if [[ "${{ github.ref }}" =~ ^refs/heads/release([0-9]+)$ || "${{ github.ref }}" == "refs/heads/main" || "${{ github.ref }}" == refs/tags/* ]]
-          then
-            DOCKERHUB_PUBLISH="1"
-          else
-            DOCKERHUB_PUBLISH="0"
-          fi
-          # debug output
-          echo "dockerhub-publish $DOCKERHUB_PUBLISH"
-          echo "dockerhub-publish=$DOCKERHUB_PUBLISH" >> $GITHUB_OUTPUT
-      - name: Check if push to GHCR is enabled
-        id: check-ghcr
-        env:
-          GHCR_ENABLED: ${{ secrets.GHCR_ENABLED }}
-        run: |
-          echo "Enable push to GHCR: ${{ env.GHCR_ENABLED != '' }}"
-          echo "enable=${{ env.GHCR_ENABLED != '' }}" >> $GITHUB_OUTPUT
-      - name: Check if there is access to repo secrets (needed for build and push)
-        if: steps.dockerhub.outputs.dockerhub-publish == '1' || steps.check-ghcr.outputs.enable == 'true'
-        id: check-build-and-push
-        env:
-          SECRET_ACCESS: ${{ secrets.DOCKERHUB_IMAGE_PREFIX }}
-        run: |
-          echo "Enable build and push: ${{ env.SECRET_ACCESS != '' }}"
-          echo "enable=${{ env.SECRET_ACCESS != '' }}" >> $GITHUB_OUTPUT
-      - name: Get the Docker tag for GHCR
-        id: ghcr-tag
-        if: steps.check-build-and-push.outputs.enable == 'true'
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ghcr.io/${{ github.repository }}-server-core
-          tags: |
-            type=schedule
-            type=ref,event=branch
-            type=ref,event=tag
-            type=raw,value=latest,enable={{is_default_branch}}
-      - name: Get the Docker tag for DockerHub
-        id: dockerhub-tag
-        if: steps.check-build-and-push.outputs.enable == 'true'
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ secrets.DOCKERHUB_IMAGE_PREFIX }}server-core
-          tags: |
-            type=schedule
-            type=ref,event=branch
-            type=ref,event=tag
-            type=raw,value=latest,enable={{is_default_branch}}
       - name: Use Node.js
-        if: steps.check-build-and-push.outputs.enable == 'true'
         uses: actions/setup-node@v6
         with:
           node-version-file: ".node-version"
       - uses: ./.github/actions/setup-meteor
-        if: steps.check-build-and-push.outputs.enable == 'true'
       - name: restore node_modules
         uses: actions/cache@v4
-        if: steps.check-build-and-push.outputs.enable == 'true'
         with:
           path: |
             node_modules
             meteor/node_modules
             packages/node_modules
           key: ${{ runner.os }}-${{ hashFiles('yarn.lock', 'meteor/yarn.lock', 'meteor/.meteor/release', 'packages/yarn.lock') }}
       - name: Prepare Environment
-        if: steps.check-build-and-push.outputs.enable == 'true'
         run: |
           corepack enable
 
-          yarn install
-
           # setup zodern:types. No linters are setup, so this simply installs the packages
           yarn meteor lint
+
+          yarn install
       - name: Build libs
-        if: steps.check-build-and-push.outputs.enable == 'true'
         run: |
           yarn build:packages
       - name: Persist Built Version information
-        if: steps.check-build-and-push.outputs.enable == 'true'
         run: |
           cd meteor
           yarn inject-git-hash
       - name: Prepare webui for meteor build
-        if: steps.check-build-and-push.outputs.enable == 'true'
         run: |
           rm -Rf meteor/public
           cp -R packages/webui/dist meteor/public
       - name: Meteor Build
-        if: steps.check-build-and-push.outputs.enable == 'true'
         run: |
           cd meteor
           NODE_OPTIONS="--max-old-space-size=4096" METEOR_DEBUG_BUILD=1 meteor build --allow-superuser --directory .
           mv bundle/programs/web.browser/assets/ bundle/programs/web.browser/app/assets/ || true
-
       - name: Meteor Bundle NPM Build
-        if: steps.check-build-and-push.outputs.enable == 'true'
         run: |
           cd meteor/bundle/programs/server
           meteor npm install
       - name: Set up Docker Buildx
-        if: steps.check-build-and-push.outputs.enable == 'true'
         uses: docker/setup-buildx-action@v3
-      - name: Login to DockerHub
-        if: steps.check-build-and-push.outputs.enable == 'true' && steps.dockerhub.outputs.dockerhub-publish == '1'
-        uses: docker/login-action@v3
+
+      # Check how the image should be built and pushed
+      - name: Determine if images should be published to DockerHub
+        id: dockerhub
+        run: |
+          # check if a release branch, or main, or a tag
+          if [[ "${{ github.ref }}" =~ ^refs/heads/release([0-9]+)$ || "${{ github.ref }}" == "refs/heads/main" || "${{ github.ref }}" == refs/tags/* ]]
+          then
+            DOCKERHUB_PUBLISH="1"
+          else
+            DOCKERHUB_PUBLISH="0"
+          fi
+          # debug output
+          echo "dockerhub-publish $DOCKERHUB_PUBLISH"
+          echo "dockerhub-publish=$DOCKERHUB_PUBLISH" >> $GITHUB_OUTPUT
+      - name: Check if push to GHCR is enabled
+        id: check-ghcr
+        env:
+          GHCR_ENABLED: ${{ secrets.GHCR_ENABLED }}
+        run: |
+          echo "Enable push to GHCR: ${{ env.GHCR_ENABLED != '' }}"
+          echo "enable=${{ env.GHCR_ENABLED != '' }}" >> $GITHUB_OUTPUT
+      - name: Check if there is access to repo secrets (needed for build and push)
+        if: steps.dockerhub.outputs.dockerhub-publish == '1' || steps.check-ghcr.outputs.enable == 'true'
+        id: check-build-and-push
+        env:
+          SECRET_ACCESS: ${{ secrets.DOCKERHUB_IMAGE_PREFIX }}
+        run: |
+          echo "Enable build and push: ${{ env.SECRET_ACCESS != '' }}"
+          echo "enable=${{ env.SECRET_ACCESS != '' }}" >> $GITHUB_OUTPUT
+
+      # No-push build if no destination
+      - name: Build without push
+        if: steps.check-build-and-push.outputs.enable != 'true'
+        uses: docker/build-push-action@v6
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          context: .
+          file: ./meteor/Dockerfile.circle
+          push: false
+          provenance: false
+
+      # GHCR build
+      - name: Get the Docker tag for GHCR
+        id: ghcr-tag
+        if: steps.check-build-and-push.outputs.enable == 'true'
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}-server-core
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=tag
+            type=raw,value=latest,enable={{is_default_branch}}
       - name: Login to GitHub Container Registry
         if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true'
         uses: docker/login-action@v3
@@ -236,6 +221,26 @@ jobs:
           labels: ${{ steps.ghcr-tag.outputs.labels }}
           tags: "${{ steps.ghcr-tag.outputs.tags }}"
           github-token: ${{ github.token }}
+
+      # Dockerhub push
+      - name: Get the Docker tag for DockerHub
+        id: dockerhub-tag
+        if: steps.check-build-and-push.outputs.enable == 'true'
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ secrets.DOCKERHUB_IMAGE_PREFIX }}server-core
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=tag
+            type=raw,value=latest,enable={{is_default_branch}}
+      - name: Login to DockerHub
+        if: steps.check-build-and-push.outputs.enable == 'true' && steps.dockerhub.outputs.dockerhub-publish == '1'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Build and push to DockerHub
         if: steps.check-build-and-push.outputs.enable == 'true' && steps.dockerhub.outputs.dockerhub-publish == '1'
         uses: docker/build-push-action@v6
@@ -246,6 +251,8 @@ jobs:
           provenance: false
           labels: ${{ steps.dockerhub-tag.outputs.labels }}
           tags: ${{ steps.dockerhub-tag.outputs.tags }}
+
+      # Trivy scanning
       - name: Get image for Trivy scanning
         id: trivy-image
         if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0
@@ -289,6 +296,30 @@ jobs:
       - uses: actions/checkout@v6
         with:
           persist-credentials: false
+
+      - name: Use Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: ".node-version"
+      - name: restore node_modules
+        uses: actions/cache@v4
+        with:
+          path: |
+            packages/node_modules
+          key: ${{ runner.os }}-${{ hashFiles('packages/yarn.lock') }}
+      - name: Build
+        run: |
+          corepack enable
+
+          cd packages
+          yarn install
+          yarn build:single ${{ matrix.gateway-name }}/tsconfig.build.json
+          yarn run pinst --disable
+          yarn workspaces focus ${{ matrix.gateway-name }} --production
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # Check how the image should be built and pushed
       - name: Determine if images should be published to DockerHub
         id: dockerhub
         run: |
@@ -317,6 +348,18 @@ jobs:
         run: |
           echo "Enable build and push: ${{ env.SECRET_ACCESS != '' }}"
           echo "enable=${{ env.SECRET_ACCESS != '' }}" >> $GITHUB_OUTPUT
+
+      # No-push build if no destination
+      - name: Build without push
+        if: steps.check-build-and-push.outputs.enable != 'true'
+        uses: docker/build-push-action@v6
+        with:
+          context: ./packages
+          file: ./packages/${{ matrix.gateway-name }}/Dockerfile.circle
+          push: false
+          provenance: false
+
+      # GHCR build
       - name: Get the Docker tag for GHCR
         id: ghcr-tag
         if: steps.check-build-and-push.outputs.enable == 'true'
@@ -329,6 +372,25 @@ jobs:
             type=ref,event=branch
             type=ref,event=tag
             type=raw,value=latest,enable={{is_default_branch}}
+      - name: Login to GitHub Container Registry
+        if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push to GHCR
+        if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0
+        uses: docker/build-push-action@v6
+        with:
+          context: ./packages
+          file: ./packages/${{ matrix.gateway-name }}/Dockerfile.circle
+          push: true
+          provenance: false
+          labels: ${{ steps.ghcr-tag.outputs.labels }}
+          tags: "${{ steps.ghcr-tag.outputs.tags }}"
+
+      # Dockerhub push
       - name: Get the Docker tag for DockerHub
         id: dockerhub-tag
         if: steps.check-build-and-push.outputs.enable == 'true'
@@ -341,54 +403,12 @@ jobs:
             type=ref,event=branch
             type=ref,event=tag
             type=raw,value=latest,enable={{is_default_branch}}
-      - name: Use Node.js
-        uses: actions/setup-node@v6
-        if: steps.check-build-and-push.outputs.enable == 'true'
-        with:
-          node-version-file: ".node-version"
-      - name: restore node_modules
-        if: steps.check-build-and-push.outputs.enable == 'true'
-        uses: actions/cache@v4
-        with:
-          path: |
-            packages/node_modules
-          key: ${{ runner.os }}-${{ hashFiles('packages/yarn.lock') }}
-      - name: Build
-        if: steps.check-build-and-push.outputs.enable == 'true'
-        run: |
-          corepack enable
-
-          cd packages
-          yarn install
-          yarn build:single ${{ matrix.gateway-name }}/tsconfig.build.json
-          yarn run pinst --disable
-          yarn workspaces focus ${{ matrix.gateway-name }} --production
-      - name: Set up Docker Buildx
-        if: steps.check-build-and-push.outputs.enable == 'true'
-        uses: docker/setup-buildx-action@v3
       - name: Login to DockerHub
         if: steps.check-build-and-push.outputs.enable == 'true' && steps.dockerhub.outputs.dockerhub-publish == '1'
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GitHub Container Registry
-        if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true'
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push to GHCR
-        if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0
-        uses: docker/build-push-action@v6
-        with:
-          context: ./packages
-          file: ./packages/${{ matrix.gateway-name }}/Dockerfile.circle
-          push: true
-          provenance: false
-          labels: ${{ steps.ghcr-tag.outputs.labels }}
-          tags: "${{ steps.ghcr-tag.outputs.tags }}"
       - name: Build and push to DockerHub
         if: steps.check-build-and-push.outputs.enable == 'true' && steps.dockerhub.outputs.dockerhub-publish == '1'
         uses: docker/build-push-action@v6
@@ -399,6 +419,8 @@ jobs:
           provenance: false
           labels: ${{ steps.dockerhub-tag.outputs.labels }}
           tags: "${{ steps.dockerhub-tag.outputs.tags }}"
+
+      # Trivy scanning
       - name: Get image for Trivy scanning
         id: trivy-image
         if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0
