From c2c37b52a89e6cccd6daf239b25aed7e499c8323 Mon Sep 17 00:00:00 2001 From: Thomas Sibley Date: Fri, 5 May 2023 13:58:43 -0700 Subject: [PATCH 1/3] pathogen-repo-ci: Log in to docker.io if possible This lifts low rate limits on image pulls. However, calling workflows must explicitly opt in with "secrets: inherit" in order for this reusable workflow to be able to see the org-level secret containing the token. Related-to: --- .github/workflows/pathogen-repo-ci.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/pathogen-repo-ci.yaml b/.github/workflows/pathogen-repo-ci.yaml index c588d81..4373577 100644 --- a/.github/workflows/pathogen-repo-ci.yaml +++ b/.github/workflows/pathogen-repo-ci.yaml @@ -48,6 +48,20 @@ jobs: build: runs-on: ubuntu-latest steps: + # Log in, if possible, to docker.io (Docker Hub), since authenticated + # requests get higher rate limits (e.g. for image pulls). Our org-level + # secret DOCKER_TOKEN_PUBLIC_READ_ONLY is available to all our public + # repos on GitHub but only available here to this reusable workflow when + # called with "secrets: inherit". On Docker Hub, the token is granted + # "public read-only" access. + - name: Log in to docker.io + uses: docker/login-action@v2 + with: + registry: docker.io + username: nextstrainbot + password: ${{ secrets.DOCKER_TOKEN_PUBLIC_READ_ONLY }} + continue-on-error: true + # Transforms the inputs.env *string* containing YAML like this: # # FOO: bar From 83e74412cd65dd0377015e787687bf196184ff01 Mon Sep 17 00:00:00 2001 
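Review bot: The new step's `uses: docker/login-action@v2` pins a third-party action to a mutable major tag, and because this is a reusable workflow consumed by every pathogen repo, a moved or compromised `v2` tag would execute in all of them with the DOCKER_TOKEN_PUBLIC_READ_ONLY value in its environment. The token is granted only public read-only access on Docker Hub per the comment, so the exposure here is limited, but the same `@v2` reference is reused for the ghcr.io step in PATCH 2/3 where the step receives GITHUB_TOKEN. Pin to the full commit SHA of the release and keep the version as a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha-of-the-v2-release> # v2`, so update tooling can still track it. The `build` job's step list continues outside the hunk.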
From: Thomas Sibley Date: Fri, 5 May 2023 13:58:43 -0700 Subject: [PATCH 2/3] pathogen-repo-ci: Log in to ghcr.io if possible This allows the use of docker-base images we transiently stage at ghcr.io before publishing to docker.io. A new "permissions:" block with "packages: read" restricts the ghcr.io access to read-only. This addition requires explicitly enumerating the rest of the required permissions too, which is only "contents: read" for actions/checkout. Related-to: --- .github/workflows/pathogen-repo-ci.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/pathogen-repo-ci.yaml b/.github/workflows/pathogen-repo-ci.yaml index 4373577..1634aa6 100644 --- a/.github/workflows/pathogen-repo-ci.yaml +++ b/.github/workflows/pathogen-repo-ci.yaml @@ -44,6 +44,10 @@ on: default: "" required: false +permissions: + contents: read + packages: read + jobs: build: runs-on: ubuntu-latest @@ -62,6 +66,17 @@ jobs: password: ${{ secrets.DOCKER_TOKEN_PUBLIC_READ_ONLY }} continue-on-error: true + # Log in, if possible, to ghcr.io which we use for staging images in + # nextstrain/docker-base. The automatic GITHUB_TOKEN is restricted to + # read-only access by the "permissions:" block above. + - name: Log in to ghcr.io + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + continue-on-error: true + # Transforms the inputs.env *string* containing YAML like this: # # FOO: bar From 906908af9999abff5c0bc3103e71060909026e11 Mon Sep 17 00:00:00 2001 
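Review bot: The workflow-level `permissions:` block added in the first hunk (`contents: read`, `packages: read`) can, as I understand reusable workflows, only narrow the GITHUB_TOKEN permissions the caller grants, not add to them; a caller that has itself restricted the token below `packages: read` would make the ghcr.io login in the second hunk fail, and `continue-on-error: true` then hides that until a later pull of a ghcr.io-staged image fails with a less obvious error. The comment on the ghcr.io step says the token "is restricted to read-only access by the permissions block above", which is true but only half the picture; adding `# Callers must also grant at least "packages: read" on GITHUB_TOKEN, or this login fails.` next to it, and listing that requirement alongside the "secrets: inherit" note for callers, would make the dependency explicit. Both hunks sit inside definitions (the `on:` block and the `build` job) that extend outside the hunk.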
From: Thomas Sibley Date: Mon, 8 May 2023 11:44:07 -0700 Subject: [PATCH 3/3] pathogen-repo-ci: Skip logging into docker.io when the org-level secret isn't available MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Even though a login that fails due to the missing secret doesn't affect the workflow's execution status, it does clutter the workflow's summary page with a bunch of noisy warnings. Suggestion to do this pre-check from @joverlee521 in review. If only we could check for secrets directly in a step condition ("if: …"). --- .github/workflows/pathogen-repo-ci.yaml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pathogen-repo-ci.yaml b/.github/workflows/pathogen-repo-ci.yaml index 1634aa6..81795c6 100644 --- a/.github/workflows/pathogen-repo-ci.yaml +++ b/.github/workflows/pathogen-repo-ci.yaml @@ -58,7 +58,15 @@ jobs: # repos on GitHub but only available here to this reusable workflow when # called with "secrets: inherit". On Docker Hub, the token is granted # "public read-only" access. - - name: Log in to docker.io + - id: DOCKER_TOKEN_PUBLIC_READ_ONLY + name: Check if DOCKER_TOKEN_PUBLIC_READ_ONLY secret is available + env: + DOCKER_TOKEN_PUBLIC_READ_ONLY: ${{ secrets.DOCKER_TOKEN_PUBLIC_READ_ONLY }} + run: | + tee -a "$GITHUB_OUTPUT" <<