chore(ci): Enable PR tagged images on pull request approval
Submits an image to the GitHub Container Registry on pull request approval, permitting approved pull requests to be tested before being merged. Requires the branch protection rule 'Require approval of the most recent reviewable push'. This rule ensures that the state of a PR is reset after a new commit has been pushed to an open pull request.
Showing
1 changed file
with
10 additions
and
8 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,9 @@ | ||
name: build-ublue | ||
on: | ||
pull_request: | ||
merge_group: | ||
pull_request_review: | ||
type: [submitted] | ||
merge_group: | ||
schedule: | ||
- cron: '0 7 * * *' # 7 am everyday | ||
workflow_dispatch: | ||
|
@@ -12,6 +14,7 @@ env: | |
jobs: | ||
push-ghcr: | ||
name: Build and push image | ||
if: github.event.review.state == 'approved' || github.event_name != 'pull_request_review' | ||
runs-on: ubuntu-22.04 | ||
permissions: | ||
contents: read | ||
|
@@ -34,7 +37,7 @@ jobs: | |
# When F38 is added, sericea will automatically be built too | ||
- image_name: sericea | ||
major_version: 37 | ||
steps: | ||
steps: | ||
# Checkout push-to-registry action GitHub repository | ||
- name: Checkout Push to Registry action | ||
uses: actions/checkout@v3 | ||
|
@@ -138,7 +141,7 @@ jobs: | |
- name: Push To GHCR | ||
uses: redhat-actions/push-to-registry@v2 | ||
id: push | ||
if: github.event_name != 'pull_request' | ||
if: github.event.review.state == 'approved' || github.event_name != 'pull_request' | ||
env: | ||
REGISTRY_USER: ${{ github.actor }} | ||
REGISTRY_PASSWORD: ${{ github.token }} | ||
|
@@ -153,18 +156,18 @@ jobs: | |
- name: Login to GitHub Container Registry | ||
uses: docker/login-action@v2 | ||
if: github.event_name != 'pull_request' | ||
if: github.event.review.state == 'approved' || github.event_name != 'pull_request' | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
# Sign container | ||
- uses: sigstore/[email protected] | ||
if: github.event_name != 'pull_request' | ||
if: github.event.review.state == 'approved' || github.event_name != 'pull_request' | ||
|
||
- name: Sign container image | ||
if: github.event_name != 'pull_request' | ||
if: github.event.review.state == 'approved' || github.event_name != 'pull_request' | ||
run: | | ||
cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS} | ||
env: | ||
|
@@ -173,7 +176,6 @@ jobs: | |
COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} | ||
|
||
- name: Echo outputs | ||
if: github.event_name != 'pull_request' | ||
if: github.event.review.state == 'approved' || github.event_name != 'pull_request' | ||
run: | | ||
echo "${{ toJSON(steps.push.outputs) }}" | ||
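Review bot: The job-level gate `github.event.review.state == 'approved'` passes for an approving review from any account that is allowed to review, and the branch-protection rule named in the description governs merging rather than whether this workflow runs, so the push and the `cosign sign` step using `SIGNING_SECRET` are not tied to a maintainer's approval wherever the run receives secrets (runs for fork pull requests normally do not, in which case the push would fail instead). Consider also checking the reviewer's association, for example `if: github.event_name != 'pull_request_review' || (github.event.review.state == 'approved' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association))`. PR images appear to be signed with the same key as release images; the tagging logic is outside these hunks, so confirm that PR builds get a distinct tag and cannot overwrite a release tag. Separately, the trigger filter in the first hunk is written `type: [submitted]`, but the workflow key for activity types is `types`. At step level the added `review.state` clause looks redundant, since `github.event_name != 'pull_request'` is already true for `pull_request_review` events.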