mirror of
https://github.com/element-hq/synapse.git
synced 2025-04-16 07:56:22 +00:00
51deadec41
After the [recent supply chain attack](https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup) in `tj-actions/changed-files` and actions based on it, it's become clear that relying on git tags to pin our dependencies is not enough (as tags can simply be replaced). Therefore we need to switch to hashes. Dependabot should continue to update these dependencies for us. Best reviewed commit-by-commit. Though if CI passes, we're *probably* fine.
74 lines
2.9 KiB
YAML
74 lines
2.9 KiB
YAML
# This task does not run complement tests, see tests.yaml instead.
|
|
# This task does not build docker images for synapse for use on docker hub, see docker.yaml instead
|
|
|
|
name: Store complement-synapse image in ghcr.io
|
|
on:
|
|
push:
|
|
branches: [ "master" ]
|
|
schedule:
|
|
- cron: '0 5 * * *'
|
|
workflow_dispatch:
|
|
inputs:
|
|
branch:
|
|
required: true
|
|
default: 'develop'
|
|
type: choice
|
|
options:
|
|
- develop
|
|
- master
|
|
|
|
# Only run this action once per pull request/branch; restart if a new commit arrives.
|
|
# C.f. https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#concurrency
|
|
# and https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
build:
|
|
name: Build and push complement image
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
steps:
|
|
- name: Checkout specific branch (debug build)
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
if: github.event_name == 'workflow_dispatch'
|
|
with:
|
|
ref: ${{ inputs.branch }}
|
|
- name: Checkout clean copy of develop (scheduled build)
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
if: github.event_name == 'schedule'
|
|
with:
|
|
ref: develop
|
|
- name: Checkout clean copy of master (on-push)
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
if: github.event_name == 'push'
|
|
with:
|
|
ref: master
|
|
- name: Login to registry
|
|
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Work out labels for complement image
|
|
id: meta
|
|
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
|
|
with:
|
|
images: ghcr.io/${{ github.repository }}/complement-synapse
|
|
tags: |
|
|
type=schedule,pattern=nightly,enable=${{ github.event_name == 'schedule'}}
|
|
type=raw,value=develop,enable=${{ github.event_name == 'schedule' || inputs.branch == 'develop' }}
|
|
type=raw,value=latest,enable=${{ github.event_name == 'push' || inputs.branch == 'master' }}
|
|
type=sha,format=long
|
|
- name: Run scripts-dev/complement.sh to generate complement-synapse:latest image.
|
|
run: scripts-dev/complement.sh --build-only
|
|
- name: Tag and push generated image
|
|
run: |
|
|
for TAG in ${{ join(fromJson(steps.meta.outputs.json).tags, ' ') }}; do
|
|
echo "tag and push $TAG"
|
|
docker tag complement-synapse $TAG
|
|
docker push $TAG
|
|
done
|