docs: add yml syntax highlighting to code block

Copilot · neilime · neilime · commit d53eede8e732 · 2025-11-18T13:01:33.000+01:00
Co-authored-by: neilime &lt;314088+neilime@users.noreply.github.com&gt;
Signed-off-by: Emilien Escalle &lt;emilien.escalle@escemi.com&gt;
diff --git a/.github/linters/actionlint.yml b/.github/linters/actionlint.yml
@@ -0,0 +1,7 @@
+# FIXME: Temporary ignores to bypass actionlint limitations. See https://github.com/rhysd/actionlint/issues/590.
+paths:
+  .github/workflows/continuous-integration.yml:
+    ignore:
+      - 'both "username" and "password" must be specified in "credentials" section'
+      - '"credentials" section is scalar node but mapping node is expected'
+      - '"container" section is alias node but mapping node is expected'
diff --git a/.github/workflows/__test-workflow-continuous-integration.yml b/.github/workflows/__test-workflow-continuous-integration.yml
@@ -128,7 +128,10 @@ jobs:
             "NODE_ENV": "test",
             "CI": "true"
           },
-          "options": "--cpus 1"
+          "options": "--cpus 1",
+          "credentials": {
+            "username": "${{ github.actor }}"
+          }
         }
       working-directory: /usr/src/app/
       build: |
@@ -137,6 +140,8 @@ jobs:
         }
       test: |
         {"coverage": "codecov"}
+    secrets:
+      container-password: ${{ secrets.GITHUB_TOKEN }}
 
   assert-with-container-advanced:
     name: Assert - Ensure build artifact has been uploaded (with container advanced)
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
@@ -88,7 +88,7 @@ on:
           Accepts either a string (container image name) or a JSON object with container options.
 
           String format (simple):
-          ```
+          ```yml
           container: "node:18"
           ```
 
@@ -123,6 +123,12 @@ on:
           SECRET_EXAMPLE=$\{{ secrets.SECRET_EXAMPLE }}
           ```
         required: false
+      container-password:
+        description: |
+          Password for container registry authentication, if required.
+          Used when the container image is hosted in a private registry.
+          See https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/run-jobs-in-a-container#defining-credentials-for-a-container-registry.
+        required: false
     outputs:
       build-artifact-id:
         description: "ID of the build artifact) uploaded during the build step."
@@ -131,56 +137,72 @@ on:
 permissions: {}
 
 jobs:
-  parse-container:
-    name: 📦 Parse Container Configuration
-    if: inputs.container != ''
+  prepare:
+    name: 📦 Prepare configuration
     runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
     permissions: {}
     outputs:
-      config: ${{ steps.parse.outputs.config }}
+      container-image: ${{ steps.parse.outputs.container-image }}
+      container-options: ${{ steps.parse.outputs.container-options }}
+      container-username: ${{ steps.parse.outputs.container-username }}
     steps:
       - id: parse
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           CONTAINER_INPUT: ${{ inputs.container }}
+          CONTAINER_PASSWORD: ${{ secrets.container-password }}
         with:
           script: |
             const containerInput = process.env.CONTAINER_INPUT.trim();
+            if (!containerInput) {
+              return;
+            }
+            core.debug(`Container input: ${containerInput}`);
 
             // Check if input is a JSON object or a simple string
             const isJson = containerInput.startsWith('{');
 
-            let config = {
-              image: '',
+            let container = {
               options: '--user root:root'
             };
 
             if (isJson) {
               try {
-                const container = JSON.parse(containerInput);
-                
-                // Set image
-                config.image = container.image || '';
-                
-                // Add env if provided
-                if (container.env && Object.keys(container.env).length > 0) {
-                  config.env = container.env;
-                }
-                
-                // Merge user options with default --user root:root
-                if (container.options) {
-                  config.options = `${config.options} ${container.options}`;
-                }
+                const parsedContainer = JSON.parse(containerInput);
+                core.debug(`Parsed container input as JSON: ${JSON.stringify(parsedContainer)}`);
+                container = { 
+                  ...container, 
+                  ...parsedContainer,
+                  options: `${container.options} ${parsedContainer.options || ''}`.trim()
+                };
+
               } catch (error) {
-                core.setFailed(`Failed to parse container input as JSON: ${error.message}`);
-                return;
+                return core.setFailed(`Failed to parse container input as JSON: ${error.message}`,{ cause: error });
               }
             } else {
               // Simple string format - just the image name
-              config.image = containerInput;
+              container.image = containerInput;
             }
 
-            core.setOutput('config', JSON.stringify(config));
+            core.debug(`Parsed container configuration: ${JSON.stringify(container)}`);
+
+            if (!container.image) {
+              return core.setFailed('Container image must be specified in the container input.');
+            }
+            core.setOutput('container-image', container.image);
+
+            if (container.options) {
+              core.setOutput('container-options', container.options);
+            }
+
+            if (container.credentials?.username) {
+              core.setOutput('container-username', container.credentials.username);
+              if (!process.env.CONTAINER_PASSWORD) {
+                return core.setFailed('Container password must be provided when container credentials username is specified.');
+              }
+            } else if (process.env.CONTAINER_PASSWORD) {
+              return core.setFailed('Container credentials username must be provided when container password is specified.');
+            }
 
   code-ql:
     name: 🛡️ CodeQL Analysis
@@ -208,9 +230,11 @@ jobs:
   setup:
     name: ⚙️ Setup
     runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
-    container: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config) || null }}
-    needs: parse-container
-    if: ${{ always() && !cancelled() && !failure() }}
+    needs: prepare
+    container: &container-setup
+      image: ${{ needs.prepare.outputs.container-image || '' }}
+      options: ${{ needs.prepare.outputs.container-options || ' ' }}
+      credentials: ${{ fromJSON(needs.prepare.outputs.container-username && format('{{"username":{0},"password":{1}}}',toJSON(needs.prepare.outputs.container-username),toJSON(secrets.container-password)) || '{}') }}
     permissions:
       contents: read
       # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
@@ -220,7 +244,7 @@ jobs:
       build-commands: ${{ steps.build-variables.outputs.commands }}
       build-artifact: ${{ steps.build-variables.outputs.artifact }}
     steps:
-      - if: inputs.container == ''
+      - if: needs.prepare.outputs.container-image == null
         uses: hoverkraft-tech/ci-github-common/actions/checkout@753288393de1f3d92f687a6761d236ca800f5306 # 0.28.1
 
       - id: build-variables
@@ -324,22 +348,21 @@ jobs:
 
   lint:
     name: 👕 Lint
-    if: inputs.checks == true && inputs.lint && always() && !cancelled() && !failure()
-    runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
-    container: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config) || null }}
+    if: inputs.checks == true && inputs.lint
     needs:
-      - parse-container
+      - prepare
       - setup
+    runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
+    container: *container-setup
     # jscpd:ignore-start
     permissions:
       contents: read
       # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
       id-token: write
     steps:
       - uses: hoverkraft-tech/ci-github-common/actions/checkout@753288393de1f3d92f687a6761d236ca800f5306 # 0.28.1
-        if: inputs.container == ''
+        if: needs.prepare.outputs.container-image == null
 
-      # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
       - id: oidc
         uses: ChristopherHX/oidc@73eee1ff03fdfce10eda179f617131532209edbd # v3
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -375,16 +398,16 @@ jobs:
       - uses: ./self-workflow/actions/lint
         with:
           working-directory: ${{ inputs.working-directory }}
-          container: ${{ inputs.container != '' }}
+          container: ${{ needs.prepare.outputs.container-image && 'true' || 'false' }}
 
   build:
     name: 🏗️ Build
-    if: inputs.checks == true && always() && !cancelled() && !failure()
+    if: inputs.checks == true
     runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
+    container: *container-setup
     # jscpd:ignore-start
-    container: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config) || null }}
     needs:
-      - parse-container
+      - prepare
       - setup
     permissions:
       contents: read
@@ -394,7 +417,7 @@ jobs:
       artifact-id: ${{ steps.build.outputs.artifact-id }}
     steps:
       - uses: hoverkraft-tech/ci-github-common/actions/checkout@753288393de1f3d92f687a6761d236ca800f5306 # 0.28.1
-        if: needs.setup.outputs.build-commands && inputs.container == ''
+        if: needs.setup.outputs.build-commands && needs.prepare.outputs.container-image == null
 
       # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
       - id: oidc
@@ -422,15 +445,15 @@ jobs:
           build-env: ${{ needs.setup.outputs.build-env }}
           build-secrets: ${{ secrets.build-secrets }}
           build-artifact: ${{ needs.setup.outputs.build-artifact }}
-          container: ${{ inputs.container != '' }}
+          container: ${{ needs.prepare.outputs.container-image && 'true' || 'false' }}
 
   test:
     name: 🧪 Test
-    if: inputs.checks == true && inputs.test && always() && !cancelled() && !failure()
+    if: inputs.checks == true && inputs.test
     runs-on: ${{ inputs.runs-on && fromJson(inputs.runs-on) || 'ubuntu-latest' }}
-    container: ${{ inputs.container != '' && fromJSON(needs.parse-container.outputs.config) || null }}
+    container: *container-setup
     needs:
-      - parse-container
+      - prepare
       - setup
       - build
     permissions:
@@ -440,9 +463,9 @@ jobs:
       id-token: write
     steps:
       - uses: hoverkraft-tech/ci-github-common/actions/checkout@753288393de1f3d92f687a6761d236ca800f5306 # 0.28.1
-        if: inputs.container == ''
+        if: needs.prepare.outputs.container-image == null
 
-      - if: needs.build.outputs.artifact-id && inputs.container == ''
+      - if: needs.build.outputs.artifact-id && needs.prepare.outputs.container-image == null
         uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           artifact-ids: ${{ needs.build.outputs.artifact-id }}
@@ -491,7 +514,7 @@ jobs:
       - uses: ./self-workflow/actions/test
         with:
           working-directory: ${{ inputs.working-directory }}
-          container: ${{ inputs.container != '' }}
+          container: ${{ needs.prepare.outputs.container-image && 'true' || 'false' }}
           coverage: ${{ steps.prepare-test-options.outputs.coverage }}
-          coverage-files: ${{ steps.prepare-test-options.outputs['coverage-files'] }}
+          coverage-files: ${{ steps.prepare-test-options.outputs.coverage-files }}
           github-token: ${{ github.token }}
