Merge pull request #1475 from netomi/fix-ci-workflow

netomi · web-flow · commit cfd17ae06ec1 · 2025-12-08T22:18:06.000+01:00
Improve CI workflow
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -9,61 +9,133 @@ on:
       - master
 
 env:
-  SERVER_TAG: ghcr.io/eclipse/openvsx-server
-  WEBUI_TAG: ghcr.io/eclipse/openvsx-webui
+  REGISTRY: ghcr.io
+  SERVER_IMAGE: openvsx-server
+  WEBUI_IMAGE: openvsx-webui
 
 jobs:
-  build:
+  build-and-push-cli-and-webui:
     permissions:
-      contents: none
+      contents: read
+      packages: write
+      id-token: write
     runs-on: ubuntu-latest
     steps:
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      with:
+        persist-credentials: false
+
     - name: Set up Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: 18.x
-    - name: Set up JDK
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'temurin'
-        java-version: 25
+
     - name: Install Yarn
       run: |
         corepack enable
         corepack prepare yarn@stable --activate
-    - uses: actions/checkout@v4
-    - name: Set Image Version
-      run: echo "IMAGE_VERSION=${GITHUB_SHA:0:7}" >> $GITHUB_ENV
+
     - name: Build CLI
       run: yarn --cwd cli
-    - name: Build Web UI Image
-      run: docker build -t $WEBUI_TAG:$IMAGE_VERSION webui
+
+    - name: Log in to the Container registry
+      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+      with:
+        images: |
+          ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.WEBUI_IMAGE }}
+        tags:
+          type=sha,prefix=
+        labels: |
+          org.opencontainers.image.title=OpenVSX WebUI
+
+    - name: Build and push Web UI Image
+      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+      with:
+        context: webui
+        # only push to ghcr.io in the upstream repo when pushing to the master branch
+        push: ${{ github.repository_owner == 'eclipse' && github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+
+  build-and-push-server:
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      with:
+        persist-credentials: false
+
+    - name: Set up JDK
+      uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
+      with:
+        distribution: 'temurin'
+        java-version: 25
+
     - name: Get all changed server files
       id: changed_server_files
-      uses: tj-actions/changed-files@v46.0.5
+      uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
       with:
         files: server/**
+
     - name: Run Server Tests
       if: steps.changed_server_files.outputs.any_changed == 'true'
       run: server/gradlew --no-daemon -p server check
       env:
         DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_API_TOKEN }}
-    - name: Build Server Image
-      run: docker build -t $SERVER_TAG:$IMAGE_VERSION server --secret id=dv-key,env=DEVELOCITY_ACCESS_KEY
+
+    - name: Log in to the Container registry
+      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+      with:
+        images: |
+          ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.SERVER_IMAGE }}
+        tags:
+          type=sha,prefix=
+        labels: |
+          org.opencontainers.image.title=OpenVSX Server
+
+    - name: Build and push Server Image
+      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
       env:
         DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_API_TOKEN }}
-    - name: Push Docker Images
-      run: |
-        echo ${{ secrets.BOT_ACCESS_TOKEN }} | docker login ghcr.io -u $GITHUB_ACTOR --password-stdin
-        docker push $SERVER_TAG:$IMAGE_VERSION
-        docker push $WEBUI_TAG:$IMAGE_VERSION
-      if: github.repository == 'eclipse/openvsx' && github.ref == 'refs/heads/master'
+      with:
+        context: server
+        # only push to ghcr.io in the upstream repo when pushing to the master branch
+        push: ${{ github.repository_owner == 'eclipse' && github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        secrets: |
+          "dv-key=${{ secrets.DEVELOCITY_ACCESS_KEY }}"
+
+  save-pr-number:
+    permissions:
+      contents: none
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
     - name: Save PR number to file
-      if: github.event_name == 'pull_request'
       run: echo ${{ github.event.number }} > PR_NUMBER.txt
+
     - name: Archive PR number
-      if: github.event_name == 'pull_request'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: PR_NUMBER
         path: PR_NUMBER.txt
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
@@ -37,14 +37,13 @@ jobs:
         full_name: ${{ github.event.repository.full_name }}
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Checkout head branch on push
+    - name: Checkout head branch
       uses: actions/checkout@v4
-      if: github.event.workflow_run.event == 'push' && github.event.workflow_run.head_repository.full_name == github.event.repository.full_name
       with:
           repository: ${{ github.event.workflow_run.head_repository.full_name }}
           ref: ${{ github.event.workflow_run.head_branch }}
           fetch-depth: 0
-    - name: Checkout head branch on pull_request
+    - name: Checkout head branch of pull_request
       if: github.event.workflow_run.event == 'pull_request'
       env:
         HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
diff --git a/webui/package.json b/webui/package.json
@@ -96,7 +96,8 @@
         "rimraf": "^6.1.2",
         "source-map-loader": "^4.0.1",
         "style-loader": "^3.3.3",
-        "ts-mocha": "^10.0.0",
+        "ts-mocha": "^11.1.0",
+        "ts-node": "^10.9.2",
         "typescript": "~5.1.6",
         "webpack": "^5.88.1",
         "webpack-cli": "^5.1.4"
diff --git a/webui/yarn.lock b/webui/yarn.lock
