From 6768f5739bf0703e83c0d7eb820ebe03a3454907 Mon Sep 17 00:00:00 2001 From: Oleg Date: Tue, 25 Mar 2025 12:55:09 +0100 Subject: [PATCH 1/4] Compute image name inside reusable workflow --- .github/workflows/build-image.yml | 12 +++++++----- .github/workflows/build.yml | 3 --- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml index 961e853..4fe8a5f 100644 --- a/.github/workflows/build-image.yml +++ b/.github/workflows/build-image.yml @@ -3,10 +3,6 @@ name: Build test harness image on: workflow_call: inputs: - image-name: - type: string - required: true - description: 'Name for the image to build' publish-image: type: boolean default: false @@ -46,6 +42,12 @@ jobs: - name: Install bowtie uses: bowtie-json-schema/bowtie@main + - name: Compute implementation name + id: impl + env: + GH_REPOSITORY: ${{ github.repository }} + run: echo "name=$(echo ${GH_REPOSITORY} | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT + - name: Build id: build_image uses: redhat-actions/buildah-build@v2 @@ -53,7 +55,7 @@ jobs: context: '.' containerfiles: | Dockerfile - image: ${{ inputs.image-name }} + image: ${{ steps.impl.outputs.name }} tags: ${{ github.sha }} ${{ inputs.is-latest && 'latest' || '' }} archs: amd64, arm64 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d831528..cf0cdef 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,7 +21,6 @@ jobs: runs-on: ubuntu-latest outputs: latest-version: ${{ steps.version.outputs.value }} - implementation-name: ${{ steps.impl.outputs.name }} steps: - name: Install bowtie @@ -55,7 +54,6 @@ jobs: uses: ./.github/workflows/build-image.yml with: - image-name: ${{ needs.meta.outputs.implementation-name }} is-latest: ${{ github.ref == 'refs/heads/main' }} publish-image: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} 
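Review bot: The new `Compute implementation name` step pipes an unquoted `${GH_REPOSITORY}` through `echo | awk` and appends to an unquoted `$GITHUB_OUTPUT`; a parameter expansion does the same work without the subshells and with both expansions quoted: `run: echo "name=${GH_REPOSITORY#*/}" >> "$GITHUB_OUTPUT"`. Passing `github.repository` in through `env:` instead of interpolating the expression into the script is the right pattern and should stay. One caveat to confirm: container registries expect lowercase image names and `github.repository` keeps the repository's casing, so if this repository's name contains uppercase letters the `image:` value set in the following hunk (`steps.impl.outputs.name`) would need lowercasing — presumably the caller computed the same name before this change, so this is not a regression, but a short comment on the step stating that the image name is derived from the repository name would help the next reader.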
@@ -128,6 +126,5 @@ jobs: uses: ./.github/workflows/build-image.yml with: - image-name: ${{ needs.meta.outputs.implementation-name }} is-latest: ${{ github.event.pull_request.base.ref == 'main' }} publish-image: true From a53b77718373f7413c55f340a5e4a042e39bf208 Mon Sep 17 00:00:00 2001 From: Oleg Date: Tue, 25 Mar 2025 12:55:48 +0100 Subject: [PATCH 2/4] Remove build and publish job from build workflow --- .github/workflows/build.yml | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cf0cdef..1d6f9c4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -111,20 +111,3 @@ jobs: env: PR_URL: ${{ github.event.pull_request.html_url }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - # Job is required to automatically publish an image for successfully merged dependabot's PR. - # PR is merged with GITHUB_TOKEN and it does not trigger the workflow run on 'push'. - # Executes only if 'automerge' is not skipped - publish-on-automerge: - needs: [meta, automerge] - - permissions: - id-token: write - contents: read - attestations: write - packages: write - - uses: ./.github/workflows/build-image.yml - with: - is-latest: ${{ github.event.pull_request.base.ref == 'main' }} - publish-image: true From 2831b3a74db31f960d1835fccd013dac51ffba31 Mon Sep 17 00:00:00 2001 From: Oleg Date: Tue, 25 Mar 2025 13:15:19 +0100 Subject: [PATCH 3/4] Build and publish image after successfull dependabot PR --- .github/workflows/dependabot-build.yml | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/.github/workflows/dependabot-build.yml b/.github/workflows/dependabot-build.yml index 6d499aa..8088199 100644 --- a/.github/workflows/dependabot-build.yml +++ b/.github/workflows/dependabot-build.yml 
@@ -7,11 +7,25 @@ on: permissions: {} +concurrency: + # in this case if several dependabot PRs are merged only the latest one will build and publish the image + group: dependabot-${{ github.event.workflow_run.event }}-${{ github.event.workflow_run.triggering_actor.login }} + cancel-in-progress: true + jobs: build-and-publish: - runs-on: ubuntu-latest - steps: - - name: Print trigger event - env: - EVENT_PAYLOAD: ${{ toJson(github.event) }} - run: echo $EVENT_PAYLOAD + if: | + github.event.workflow_run.event == 'pull_request' + && github.event.workflow_run.conclusion == 'success' + && github.event.workflow_run.triggering_actor.login == 'dependabot[bot]' + + permissions: + id-token: write + contents: read + attestations: write + packages: write + + uses: ./.github/workflows/build-image.yml + with: + is-latest: true + publish-image: true From d57532221a756c04574f3b3f3bb9e3bb00403f12 Mon Sep 17 00:00:00 2001 From: Oleg Date: Tue, 25 Mar 2025 16:38:56 +0100 Subject: [PATCH 4/4] Add filter to trigger only on events from dependabot branches --- .github/workflows/dependabot-build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/dependabot-build.yml b/.github/workflows/dependabot-build.yml index 8088199..b1f7bb5 100644 --- a/.github/workflows/dependabot-build.yml +++ b/.github/workflows/dependabot-build.yml @@ -4,6 +4,8 @@ on: workflow_run: # zizmor: ignore[dangerous-triggers] we are aware that it is a dengerouse trigger but we need a way to build an image after Dependabot PR types: [ completed ] workflows: [ 'Rebuild Bowtie Image' ] + branches: + - 'dependabot/**' permissions: {}
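Review bot: The job-level `if:` gates a `workflow_run` job that holds `packages: write` and `id-token: write` on the triggering actor alone; to also fail closed for runs whose head comes from a fork, add a fourth conjunct `&& github.event.workflow_run.head_repository.full_name == github.repository`. A `workflow_run` job executes against the default branch with full secrets, so this condition is the only gate between an upstream pull-request run and a published `latest` image, and the `permissions: {}` default at the top combined with the job-scoped grants is the right shape for that. The timing deserves a comment next to the `concurrency` note: the trigger is completion of the PR run, not the merge, and the reusable workflow (outside this hunk) presumably builds from `github.sha`, which for `workflow_run` is the default-branch tip at trigger time — if automerge has not landed yet, the image tagged `latest` may predate the dependabot change. Confirm the ordering against the automerge step, or record the assumption in a comment such as `# assumes automerge has completed before this run checks out the default branch`.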
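Review bot: The `branches: ['dependabot/**']` filter added to the `workflow_run` trigger matches the head branch name of the triggering run, which a pull-request author chooses freely, so it reduces noise but is not an authorization check; the job-level `if:` on `triggering_actor.login` (outside this hunk) remains the actual gate. A comment above the filter would stop a future reader from loosening that `if:` on the assumption that the branch filter already restricts who can trigger the publish, e.g. `# narrows which runs trigger this workflow; the job-level if: is the gate`. The existing context comment on the same trigger also carries a typo (`dengerouse`) that is worth fixing the next time the line is touched.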