pathogen-repo-ci: Log in to docker.io and ghcr.io if possible #38
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tsibley
force-pushed
the
trs/pathogen-repo-ci/login-to-image-registries
branch
2 times, most recently
from
ae31ddb
to
85745d4
Compare
This lifts low rate limits on image pulls. However, calling workflows must explicitly opt in with "secrets: inherit" in order for this reusable workflow to be able to see the org-level secret containing the token. Related-to: <nextstrain/docker-base#148>
This allows the use of docker-base images we transiently stage at ghcr.io before publishing to docker.io. A new "permissions:" block with "packages: read" restricts the ghcr.io access to read-only. This addition requires explicitly enumerating the rest of the required permissions too, which is only "contents: read" for actions/checkout. Related-to: <nextstrain/docker-base#148>
tsibley
force-pushed
the
trs/pathogen-repo-ci/login-to-image-registries
branch
from
85745d4
to
83e7441
Compare
|
The annotations when one of the optional login steps fails are kinda annoying in the UI:
(screenshot from using this workflow in nextstrain/docker-base#148) |
1 task
joverlee521
approved these changes
May 6, 2023
|
Hmm, yeah, that would work. We could also ditch |
Maybe this will help with nextstrain/docker-base#131... |
…et isn't available Even though a login that fails due to the missing secret doesn't affect the workflow's execution status, it does clutter the workflow's summary page with a bunch of noisy warnings. Suggestion to do this pre-check from @joverlee521 in review. If only we could check for secrets directly in a step condition ("if: …").
|
Pushed 906908a to conditionalize the docker.io login on the presence of the secret, to avoid the annoying warnings. \o/ It works without the secret:
and with it:
|
tsibley
force-pushed
the
trs/pathogen-repo-ci/login-to-image-registries
branch
from
21d5297
to
906908a
Compare
victorlin
reviewed
May 10, 2023
Comment on lines
+55
to
+60
| # Log in, if possible, to docker.io (Docker Hub), since authenticated | ||
| # requests get higher rate limits (e.g. for image pulls). Our org-level | ||
| # secret DOCKER_TOKEN_PUBLIC_READ_ONLY is available to all our public | ||
| # repos on GitHub but only available here to this reusable workflow when | ||
| # called with "secrets: inherit". On Docker Hub, the token is granted | ||
| # "public read-only" access. |
tsibley
added a commit
that referenced
this pull request
May 10, 2023
@victorlin pointed out¹ that we could launder access to the secrets context thru the step env context without the need for an extra step. I avoid putting the secret itself into the environment (which only increases its potential visibility) and put only its presence/absence instead. ¹ <#38 (comment)>
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See commit messages.
Related-to: nextstrain/docker-base#148
Testing