feat: add automated container build

Open sxd opened this issue 3 years ago • 22 comments

Use the docker/build-push and docker/metadata actions to build a container and add the proper tag depending on the branch, PR or the tagged version using semver as the proper version.

Closes #80

Signed-off-by: Jonathan Gonzalez V [email protected]

sxd avatar Jul 14 '22 22:07 sxd

Hi @sxd

Thank you, I will have a look at it over the weekend.

jonasbn avatar Jul 15 '22 08:07 jonasbn

Hi @sxd

First review of your PR looks promising. I do however have some obstacles I have to overcome first. I need to get the required authorizations to work in a balanced and secure manner, so this will require some work before the PR can be processed and approved.

The challenges are:

  • I am using DockerHub with my own account, it can be exchanged for GHCR
  • I am just the maintainer not the owner of this repository, so I need to find out how to get the authorization set up with the assistance of the repository owner. I believe changing the ownership of the repository is too much hassle, but it could be an option

All of the above is not caused by your PR, but it was a question of time before these decisions had to be made.

So please bear with me and I will get back to you

jonasbn avatar Jul 22 '22 09:07 jonasbn

hi @jonasbn

Using GHCR makes a lot of sense and doesn't require too many changes to my PR. Related to the ownership of this repo, well, there's nothing I can do there XD except I can fork this repo and start my own project, but that's not the idea, so I think I'll wait for news from you about this point and the possible changes =)

Cheers!

sxd avatar Jul 22 '22 11:07 sxd

Hi @rojopolis

Could you perhaps help us out here? We need to have the permissions associated with the auto-generated GITHUB_TOKEN for the repository adjusted, so we can set up publishing packages (Docker images) to the GitHub container registry.

Currently we are using DockerHub, but with this PR I believe it makes more sense to change to ghcr.io also because the actions are not used outside GitHub.

  1. From the main page of the repository
  2. Go to "Settings"
  3. In the left sidebar, click "Actions"
  4. Then click "General"
  5. Under "Workflow permissions", check "Read and write permissions"
  6. Click "Save"

The checkbox "Allow GitHub actions to create and approve pull requests" should not be ticked.

REF: GitHub Docs

jonasbn avatar Aug 04 '22 19:08 jonasbn

@jonasbn hi!

I don't think we need to enable it, it is probably enabled by default. We can just create and push the image, we can actually try that, what do you think?

Regards!

sxd avatar Aug 05 '22 14:08 sxd

Hi Jonas,

Sure!

I’m away right now (and am forgetful so please ping me if I haven’t done it by Monday). Cheers, Robert

rojopolis avatar Aug 05 '22 15:08 rojopolis

Oh, sorry… I didn’t see the second message…

Is there a cost for the image repo?

rojopolis avatar Aug 05 '22 15:08 rojopolis

Hi @rojopolis

No no, it's free, it might be enabled already. So together with @sxd I will do some experimentation and validation. So do not sweat it, I will ping you if we need your assistance.

Thanks

jonasbn avatar Aug 05 '22 15:08 jonasbn

@sxd

I did a run on the PR.

It failed with the following:

#21 pushing layers 0.3s done
#21 ERROR: unexpected status: 403 Forbidden
------
 > exporting to image:
------
error: failed to solve: unexpected status: 403 Forbidden
Error: buildx failed with: error: failed to solve: unexpected status: 403 Forbidden

Ref: line 668 of the "Build container" step.

Any ideas?

jonasbn avatar Aug 05 '22 15:08 jonasbn

@sxd

I found this older issue googling: docker/build-push-action/issues/463

It is the same diagnostics, so the suggested remedy might be the same.

jonasbn avatar Aug 05 '22 16:08 jonasbn

@jonasbn I had to deal with that issue yesterday, it's about the permissions in the action like here https://github.com/cloudnative-pg/webtest/blob/main/.github/workflows/ci.yml#L15 I will go out for lunch in a couple of minutes and I'll get back to take a look, check and fix it! Never mind, just did it, it was quite fast :P

sxd avatar Aug 05 '22 16:08 sxd

@jonasbn can you trigger the run again? I'll check it later :D

sxd avatar Aug 05 '22 16:08 sxd

@sxd it is running now

REF: https://github.com/rojopolis/spellcheck-github-actions/runs/7695549439?check_suite_focus=true

jonasbn avatar Aug 05 '22 16:08 jonasbn

@sxd same outcome:

Error: buildx failed with: error: failed to solve: unexpected status: 403 Forbidden

jonasbn avatar Aug 05 '22 16:08 jonasbn

@jonasbn the permission is not there for the packages :S https://github.com/rojopolis/spellcheck-github-actions/runs/7695549439?check_suite_focus=true#step:1:19 can you try again? I pushed some small changes, but yes, it's weird the permissions were not there

sxd avatar Aug 05 '22 17:08 sxd

Same again, it is not even using the proper commit :S https://github.com/rojopolis/spellcheck-github-actions/runs/7695700457?check_suite_focus=true#step:2:138

sxd avatar Aug 05 '22 17:08 sxd

@jonasbn weird, you can see that it's working here https://github.com/sxd/spellcheck-github-actions/actions/runs/2805064755 :S

sxd avatar Aug 05 '22 17:08 sxd

@sxd I will get @rojopolis to help evaluate the settings based on the reference I located, I believe this will get it to work, I still think this is related to permissions.

jonasbn avatar Aug 05 '22 17:08 jonasbn

@jonasbn totally agree @rojopolis can you give @jonasbn admin permissions on the repo for a while at least so he can properly configure the repo?

sxd avatar Aug 05 '22 17:08 sxd

@jonasbn totally agree @rojopolis can you give @jonasbn admin permissions on the repo for a while at least so he can properly configure the repo?

I don't believe I can because this repo doesn't belong to an Organization. https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/permission-levels-for-a-personal-account-repository#about-permissions-levels-for-a-personal-account-repository

rojopolis avatar Aug 07 '22 16:08 rojopolis

@sxd @jonasbn Could this be the issue?

rojopolis avatar Aug 07 '22 17:08 rojopolis

@rojopolis @jonasbn yes! Probably that's the issue, we faced the same a couple of weeks ago and now we throw the test using pull_request_target, so the package is ok. It should fail since it's running in a forked repo, that will not change even if we change it in the PR. So, the only way to test this will be to change the CI to use pull_request_target first, instead of using pull_request

sxd avatar Aug 07 '22 18:08 sxd
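
Added example, not part of the thread or of the PR's workflow file: a workflow sketch that grants packages: write in the workflow itself (so the repository-wide "Workflow permissions" default can stay read-only) and skips the registry login and push on pull requests, where a fork's GITHUB_TOKEN is read-only and the push returns 403. It does not switch to pull_request_target, since that event runs with the base repository's write-capable token and building fork code under it would expose that token. The file name, branch name and action version tags are assumptions.

```yaml
# Hypothetical .github/workflows/container.yml (added example, not the PR's file)
name: container
on:
  push:
    branches: [master]      # assumed default branch name
    tags: ['v*.*.*']        # semver release tags
  pull_request:             # fork PRs run here with a read-only token

# Least privilege for GITHUB_TOKEN, declared per workflow.
# For fork pull requests GitHub still downgrades write scopes to read.
permissions:
  contents: read
  packages: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
      # No registry credentials are used for pull requests at all.
      - if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # PRs only verify that the image builds; pushes happen on branch/tag events.
      - uses: docker/build-push-action@v6
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
```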