From 231e44a29f531333876eb3bdda8071794a01875f Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Thu, 14 Aug 2025 10:47:51 +0100 Subject: [PATCH 1/8] Correct syntax in docker.yaml workflow This broke very quietly in https://github.com/matrix-org/rust-synapse-compress-state/actions/runs/16938635005 --- .github/workflows/docker.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 2693b5d..e0144ef 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -38,9 +38,9 @@ jobs: type=sha,prefix=,format=long type=semver,pattern=v{{version}} type=semver,pattern=v{{major}}.{{minor}} - + - name: Don't push to registry if this is a PR - if: "${{ github.event_name }}" = "pull_request" + if: github.event_name == 'pull_request' run: | echo "Not pushing the image to any container registry as this workflow is running on a pull request" exit 0 From 332ce2c88b7ad4cb4e1e200cdafbc12596630ba6 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Thu, 14 Aug 2025 10:52:36 +0100 Subject: [PATCH 2/8] Skip steps individually instead of bailing out `exit 0` does not bail out early it seems: https://github.com/matrix-org/rust-synapse-compress-state/actions/runs/16961790179/job/48076133728 We have to individually skip every step instead. --- .github/workflows/docker.yaml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index e0144ef..0e9608c 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml 
@@ -39,19 +39,15 @@ jobs: type=semver,pattern=v{{version}} type=semver,pattern=v{{major}}.{{minor}} - - name: Don't push to registry if this is a PR - if: github.event_name == 'pull_request' - run: | - echo "Not pushing the image to any container registry as this workflow is running on a pull request" - exit 0 - - name: Log in to DockerHub + if: github.event_name != 'pull_request' uses: docker/login-action@v2 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_TOKEN }} - name: Log in to GHCR + if: github.event_name != 'pull_request' uses: docker/login-action@v2 with: registry: ghcr.io @@ -59,6 +55,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push all platforms + if: github.event_name != 'pull_request' uses: docker/build-push-action@v4 with: push: true From 6d4ce64d4e9e36218276cf3fb50b886c174f65c4 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Thu, 14 Aug 2025 17:41:54 +0100 Subject: [PATCH 3/8] Fix build being skipped --- .github/workflows/docker.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 0e9608c..2242939 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -55,10 +55,10 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push all platforms - if: github.event_name != 'pull_request' uses: docker/build-push-action@v4 with: - push: true + # Always build, but don't push to container registries on PRs. + push: ${{ github.event_name != 'pull_request' }} labels: "gitsha1=${{ github.sha }}" tags: "${{ steps.set-tag.outputs.tags }}" platforms: linux/amd64,linux/arm64 From e2b591a3f9ac35924f790e65f1f250a3672cf7ff Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Thu, 14 Aug 2025 17:42:28 +0100 Subject: [PATCH 4/8] Fix `pull_request` comment and justify reasoning --- .github/workflows/docker.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 2242939..60057b6 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -7,8 +7,11 @@ on: tags: ["v*"] branches: [ main ] workflow_dispatch: - # Run on pull requests to test docker build. - # We explicitly do not push on pull requests (the job below is ended early). + # Run on pull requests so that the docker build is tested. + # + # We explicitly do not push on pull requests (see `if` conditionals and `push` + # attribute of `docker/build-push-action` below). This prevents us from filling + # up the container registries with in-progress builds. # # note: secrets will not be populated on pull requests from external authors. pull_request: From fa9122a23ffc779a236fa797031797cd49f7cb65 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Fri, 15 Aug 2025 09:49:11 +0100 Subject: [PATCH 5/8] Switch docker cache to github actions backend We were failing to push cached images to the registry, because we're no longer logging to the GHCR. In addition, secrets.GITHUB_TOKEN would need to be expanded to support writing to the container registry, and giving that to arbitrary PRs isn't great. The GitHub Actions build cache is auto-clearing after 7 days, and requires no auth. --- .github/workflows/docker.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 60057b6..9290ac9 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -65,5 +65,5 @@ jobs: labels: "gitsha1=${{ github.sha }}" tags: "${{ steps.set-tag.outputs.tags }}" platforms: linux/amd64,linux/arm64 - cache-from: type=registry,ref=ghcr.io/${{ github.repository }}:buildcache - cache-to: type=registry,ref=ghcr.io/${{ github.repository }}:buildcache,mode=max + cache-from: type=gha, + cache-to: type=gha,mode=max From cff5ca492d6b1f009826ccab6cbfa192105737dc Mon Sep 17 00:00:00 2001 
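Review bot: The concern in the commit message about handing an expanded `GITHUB_TOKEN` to PRs is best settled in the workflow itself, and no `permissions:` block is visible in any hunk of this series, so unless the repository default is already read-only the token carries the default grant on every run; a job-level `permissions:` with `contents: read` and `packages: write` pins what the GHCR login can do regardless of event. The switch to `type=gha` also changes the trust boundary in a useful way that deserves a line in the comment above `cache-from`: as I recall GitHub's cache scoping, entries written by a `pull_request` run are restorable only from that PR's merge ref (and runs can read `main`'s entries, not the reverse), so a fork PR cannot seed the layer cache that a tag or `main` build consumes. The enclosing `with:` map of the build step starts outside this hunk.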
From: Andrew Morgan Date: Fri, 15 Aug 2025 09:51:21 +0100 Subject: [PATCH 6/8] Update and pin docker/build-push-action Taken from #160, so the action knows what the 'gha' backend is. --- .github/workflows/docker.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 9290ac9..19afcb0 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -58,7 +58,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push all platforms - uses: docker/build-push-action@v4 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: # Always build, but don't push to container registries on PRs. push: ${{ github.event_name != 'pull_request' }} From 44acf8bec8deee13034857e888ea9cbceaa6ea96 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Fri, 15 Aug 2025 09:53:30 +0100 Subject: [PATCH 7/8] Remove extraneous comma --- .github/workflows/docker.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 19afcb0..1658a36 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -65,5 +65,5 @@ jobs: labels: "gitsha1=${{ github.sha }}" tags: "${{ steps.set-tag.outputs.tags }}" platforms: linux/amd64,linux/arm64 - cache-from: type=gha, + cache-from: type=gha cache-to: type=gha,mode=max From e347b619392a50d00da5b712a132a417dc655998 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Fri, 15 Aug 2025 10:09:13 +0100 Subject: [PATCH 8/8] Say why we use gha backend vs registry --- .github/workflows/docker.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 1658a36..3191d87 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml 
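Review bot: Pinning `docker/build-push-action` to a full commit SHA with a `# v6.18.0` marker is the right shape, but the two `docker/login-action@v2` steps a few lines above (visible in the second patch of this series) still float on a mutable major tag, so a retagged `v2` would run with the registry credentials while the build step is locked down; pin them the same way, `uses: docker/login-action@<commit-sha-of-pinned-release> # vX.Y.Z`, so the hardening is consistent across the job. This is also a v4 to v6 jump rather than a patch bump; as I recall v5 moved the action to the node20 runtime and v6 added build-summary uploads, so the first run's log is worth checking rather than assuming `push`/cache behaviour is unchanged. The step list this hunk edits starts outside the hunk.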
@@ -65,5 +65,11 @@ jobs: labels: "gitsha1=${{ github.sha }}" tags: "${{ steps.set-tag.outputs.tags }}" platforms: linux/amd64,linux/arm64 + # Cache to GitHub Actions backend (which is evicted after 7 days). + # This doesn't require authentication (unlike a registry), so works + # well with external PRs. + # + # This backend does prevent workflows on other repos from accessing it, + # but that is not necessary right now. cache-from: type=gha cache-to: type=gha,mode=max
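Review bot: The new comment above `cache-from` states the eviction rule loosely: GitHub evicts cache entries that have not been accessed for 7 days, not entries older than 7 days, and a repository's total cache is also capped (10 GB at time of writing) with least-recently-used eviction beyond that, which a `mode=max` multi-platform cache can reach. The "other repos" sentence understates the scoping that actually matters here: entries are per repository and a PR run's writes are restorable only from that PR's merge ref, so release builds never restore what an external PR wrote. Suggest `# Cache to the GitHub Actions backend: entries unused for 7 days are evicted and the repo cache size is capped, so expect occasional cold builds.` followed by `# Entries are scoped to this repo, and PR runs cannot write to the cache that main/tag builds restore, so external PRs cannot poison release-build layers.`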