From a2d2ce0b43f94926550c68bc65d0d6d7f0c0165a Mon Sep 17 00:00:00 2001 From: NextFire Date: Thu, 1 Feb 2024 14:39:36 -0500 Subject: [PATCH] pin repo refs --- .github/workflows/ci.yml | 31 ++++++++----------------------- renovate.json | 12 ++++++++++++ 2 files changed, 20 insertions(+), 23 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6245a92..79a6714 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,8 +1,6 @@ name: CI on: - schedule: - - cron: "0 12 * * *" push: branches: ["main", "renovate/*"] workflow_dispatch: @@ -30,18 +28,22 @@ jobs: - owner: DakaraProject repo: dakara-client-web branch: master + ref: 2562635c030cd8cd5cd0fbbf4dab0ea137b1de96 plateforms: linux/amd64,linux/arm64 - owner: DakaraProject repo: dakara-server branch: master + ref: e832e3cd90d71ed1a0c85478517cdce300c6ee45 plateforms: linux/amd64,linux/arm64 - owner: mesosphere repo: traefik-forward-auth branch: master + ref: 057c6d41a7126080c08f011a7fbaa0f12c16d10a plateforms: linux/amd64,linux/arm64 - owner: odrling repo: syncplay branch: master + ref: fd759218ba9053fb48bbfc7b680dfcb93e3706eb plateforms: linux/amd64,linux/arm64 env: @@ -53,25 +55,14 @@ jobs: uses: actions/checkout@v4 with: repository: ${{ env.REPOSITORY }} - ref: ${{ matrix.branch }} - - - name: Check if image already exists - id: check - if: (github.event_name == 'schedule') && (env.REGISTRY == 'ghcr.io') - continue-on-error: true - run: | - GHCR_TOKEN=$(echo ${{ secrets.GITHUB_TOKEN }} | base64) - RESP=$(curl -H "Authorization: Bearer $GHCR_TOKEN" https://ghcr.io/v2/${{ env.IMAGE_NAME }}/tags/list) - echo $RESP | jq .tags | grep sha-$(git rev-parse --short HEAD) + ref: ${{ matrix.ref }} - name: Checkout containers repository - if: steps.check.outcome != 'success' uses: actions/checkout@v4 with: path: containers - name: Apply .diff and set Dockerfile - if: steps.check.outcome != 'success' id: prepare run: | DIFF="containers/${{ matrix.repo }}.diff" 
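Review bot: The four `ref:` values added to the matrix in `.github/workflows/ci.yml` are undocumented, and they depend on the regex manager this commit adds to `renovate.json`, which matches the keys in the exact order `owner`, `repo`, `branch`, `ref`. A matrix entry added later with reordered keys or without `ref:` would stop being updated without any error. With an empty `ref`, the checkout step would presumably fall back to the upstream default branch, which undoes the pin. I would add a comment above the matrix entries, for example `# ref: pinned upstream commit, bumped by Renovate (customManagers in renovate.json); keep key order owner, repo, branch, ref`. The matrix definition starts outside this hunk.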
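Review bot: The checkout step that now uses `ref: ${{ matrix.ref }}` places third-party source in the workspace root, and `actions/checkout` keeps the job token in that checkout's git configuration by default. No later step visible here needs git credentials for the upstream repository, so I would add `persist-credentials: false` under this step's `with:`. This matters most if the Docker build context is the checkout directory, which cannot be confirmed here because the build step's `context` is outside the hunk.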
@@ -91,19 +82,17 @@ jobs: echo DOCKERFILE=$DOCKERFILE >> $GITHUB_OUTPUT - name: Install cosign - if: (steps.check.outcome != 'success') && (github.ref == 'refs/heads/main') + if: github.ref == 'refs/heads/main' uses: sigstore/cosign-installer@v3 - name: Set up QEMU - if: steps.check.outcome != 'success' uses: docker/setup-qemu-action@v3 - name: Setup Docker buildx - if: steps.check.outcome != 'success' uses: docker/setup-buildx-action@v3 - name: Log into registry ${{ env.REGISTRY }} - if: (steps.check.outcome != 'success') && (github.ref == 'refs/heads/main') + if: github.ref == 'refs/heads/main' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} @@ -111,18 +100,14 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Extract Docker metadata - if: steps.check.outcome != 'success' id: meta uses: docker/metadata-action@v5 with: - context: git images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | type=raw,value=${{ matrix.branch }} - type=sha - name: Build and push Docker image - if: steps.check.outcome != 'success' id: build-and-push uses: docker/build-push-action@v5 with: @@ -136,7 +121,7 @@ jobs: cache-to: type=gha,mode=max - name: Sign the published Docker image - if: (steps.check.outcome != 'success') && (github.ref == 'refs/heads/main') + if: github.ref == 'refs/heads/main' env: TAGS: ${{ steps.meta.outputs.tags }} DIGEST: ${{ steps.build-and-push.outputs.digest }} diff --git a/renovate.json b/renovate.json index d8dd4a4..5c956e2 100644 --- a/renovate.json +++ b/renovate.json @@ -14,5 +14,17 @@ "automergeType": "branch", "excludePackageNames": ["python"] } + ], + "customManagers": [ + { + "customType": "regex", + "fileMatch": ["^\\.github\\/workflows\\/[^/]+\\.ya?ml$"], + "matchStrings": [ + "owner: (?\\S+)\\s+repo: (?\\S+)\\s+branch: (?\\S+)\\s+ref: (?\\S+)" + ], + "depNameTemplate": "{{{owner}}}/{{{repo}}}", + "packageNameTemplate": "https://github.com/{{{owner}}}/{{{repo}}}", + "datasourceTemplate": "git-refs" + } ] }
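Review bot: Dropping `type=sha` from the `tags:` list in the "Extract Docker metadata" step leaves each image published only under the mutable `${{ matrix.branch }}` tag, so a consumer can no longer tell which pinned upstream commit an image was built from. Since the commit now has an exact upstream SHA in the matrix, I would keep an immutable tag derived from it, for example `type=raw,value=sha-${{ matrix.ref }}`. With `context: git` also removed, the revision label generated by the metadata action presumably refers to this repository's commit rather than the upstream one; that is worth confirming, because provenance checks on the signed image would otherwise point at the wrong source.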
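Review bot: The new `customManagers` entry in `renovate.json` lets Renovate bump the pinned upstream commits, but no rule says whether those bumps need review before they reach `main`, where the workflow pushes and signs the image. The `packageRules` entry just above it sets `"automergeType": "branch"`; its start is outside the hunk, so whether it applies to the `git-refs` datasource cannot be told from here. If it does, new upstream code would be built and signed unreviewed, so I would add an explicit rule such as `{ "matchDatasources": ["git-refs"], "automerge": false }`. Separately, the capture groups in `matchStrings` appear here as `(?\\S+)` with no group names, which is probably an extraction artifact; the committed file should be checked to confirm it names the groups that `depNameTemplate` and `packageNameTemplate` reference.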