Build and push rootless docker container #8572

Merged
merged 5 commits into from
Aug 30, 2023
11 changes: 11 additions & 0 deletions .github/workflows/build-test-docker.yaml
Expand Up @@ -23,6 +23,10 @@ on:
type: string
description: Dockerfile to build
default: Dockerfile
target:
required: true
type: string
description: Dockerfile target to build
enable-tests:
required: true
type: boolean
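Review bot: the new `target` input is `required: true` with no `default`, unlike the neighbouring `file` input which defaults to `Dockerfile`, so any caller of this reusable workflow that is not updated in this PR will fail input validation. Consider `required: false` with `default: semgrep-cli` so existing callers keep building the CLI stage, or confirm that every caller now passes `target`.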
Expand All @@ -46,6 +50,10 @@ on:
required: true
type: string
description: Dockerfile to build
target:
required: true
type: string
description: Dockerfile target to build
enable-tests:
required: true
type: boolean
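Review bot: this second `target` declaration duplicates the one in the first `inputs` block, and the two have to be kept in sync by hand; if a default is added to one, add it here as well. For a manually triggered run, `required: true` with no default means the stage name must be typed every time, and a typo only surfaces as a failed build.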
Expand All @@ -71,6 +79,8 @@ jobs:
uses: docker/metadata-action@v4
with:
images: ${{ inputs.repository-name }}
flavor: |
latest=false # pass latest tag in inputs
tags: ${{ inputs.docker-tags }}
- uses: depot/setup-action@v1
- name: Build image
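Review bot: the `# pass latest tag in inputs` text sits inside a `|` block scalar, so YAML does not treat it as a comment; the action receives the literal line `latest=false # pass latest tag in inputs` and has to strip the trailing text itself. Move the comment above `flavor:` as a plain YAML comment so the value handed to `docker/metadata-action` is exactly `latest=false`, independent of how that action tokenises its input.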
Expand All @@ -83,6 +93,7 @@ jobs:
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
file: ${{ inputs.file }}
target: ${{ inputs.target }}
buildx-fallback: true
- name: Load image
if: ${{ inputs.enable-tests }}
26 changes: 26 additions & 0 deletions .github/workflows/release.yml
Expand Up @@ -95,11 +95,27 @@ jobs:
docker-tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=latest
repository-name: ${{ github.repository }}
artifact-name: image-release
file: Dockerfile
target: semgrep-cli
enable-tests: true

build-test-docker-rootless:
uses: ./.github/workflows/build-test-docker.yaml
secrets: inherit
with:
docker-tags: |
type=semver,pattern={{version}},suffix=-rootless
type=semver,pattern={{major}}.{{minor}},suffix=-rootless
type=raw,value=latest-rootless
repository-name: ${{ github.repository }}
artifact-name: image-release-rootless
file: Dockerfile
target: rootless
enable-tests: false

build-test-osx-x86:
uses: ./.github/workflows/build-test-osx-x86.yaml
secrets: inherit
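Review bot: `enable-tests: false` on `build-test-docker-rootless` means the rootless image is released with no test run against it, while `build-test-docker` for the same release runs with `enable-tests: true`. Even if the full suite needs root, a smoke test that runs the image once and checks that the process runs as the `semgrep` user would catch a broken stage before it is tagged `latest-rootless` and pushed.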
Expand Down Expand Up @@ -128,6 +144,7 @@ jobs:
needs:
[
build-test-docker,
build-test-docker-rootless,
build-test-manylinux-x86,
build-test-manylinux-aarch64,
build-test-osx-x86,
Expand All @@ -146,6 +163,15 @@ jobs:
repository-name: ${{ github.repository }}
dry-run: ${{ needs.inputs.outputs.dry-run == 'true' }}

push-docker-rootless:
needs: [wait-for-build-test, inputs]
uses: ./.github/workflows/push-docker.yaml
secrets: inherit
with:
artifact-name: image-release-rootless
repository-name: ${{ github.repository }}
dry-run: ${{ needs.inputs.outputs.dry-run == 'true' }}

upload-wheels:
name: Upload Wheels to PyPI
runs-on: ubuntu-latest
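Review bot: `push-docker-rootless` repeats `push-docker` with only `artifact-name` changed, and the build jobs above follow the same pattern; a `strategy.matrix` over the artifact name, target and tag suffix would keep the two variants in lockstep so a later change to tags or `dry-run` handling cannot land on one and not the other. If the duplication is kept, the `needs: [wait-for-build-test, inputs]` gate here is at least consistent with the non-rootless push.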
28 changes: 28 additions & 0 deletions .github/workflows/tests.yml
Expand Up @@ -315,6 +315,7 @@ jobs:
artifact-name: image-test
repository-name: ${{ github.repository }}
file: Dockerfile
target: semgrep-cli
enable-tests: true

push-docker:
Expand All @@ -327,6 +328,33 @@ jobs:
repository-name: ${{ github.repository }}
dry-run: false

build-docker-rootless:
uses: ./.github/workflows/build-test-docker.yaml
secrets: inherit
with:
docker-tags: |
type=semver,pattern={{version}},suffix=-rootless
type=semver,pattern={{major}}.{{minor}},suffix=-rootless
type=ref,event=pr,suffix=-rootless
type=ref,event=branch,suffix=-rootless
type=sha,event=branch,suffix=-rootless
type=edge,suffix=-rootless
artifact-name: image-test-rootless
repository-name: ${{ github.repository }}
file: Dockerfile
target: rootless
enable-tests: false

push-docker-rootless:
needs: [build-docker-rootless]
uses: ./.github/workflows/push-docker.yaml
if: github.ref == 'refs/heads/develop' || (github.actor != 'dependabot[bot]' && !(github.event.pull_request.head.repo.full_name != github.repository))
secrets: inherit
with:
artifact-name: image-test-rootless
repository-name: ${{ github.repository }}
dry-run: false

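Review bot: the `if:` on `push-docker-rootless` contains the double negation `!(github.event.pull_request.head.repo.full_name != github.repository)`, which reads as `==`; writing it as `github.event.pull_request.head.repo.full_name == github.repository` evaluates the same way (on non-PR events both forms are false) and makes the intent obvious. That intent deserves a comment in the workflow: the job inherits secrets and pushes an image, so it must never run for pull requests from forks or for `dependabot[bot]`, and anyone editing the condition later should know that is the guarantee being preserved.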
test-semgrep-pro:
needs: [build-test-docker, push-docker]
uses: ./.github/workflows/test-semgrep-pro.yaml
3 changes: 3 additions & 0 deletions Dockerfile
Expand Up @@ -232,3 +232,6 @@ RUN printf "[safe]\n directory = /src" > ~semgrep/.gitconfig && \
# to interactively explore the docker image.
CMD ["semgrep", "--help"]
LABEL maintainer="support@semgrep.com"

FROM semgrep-cli AS rootless
USER semgrep
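Review bot: adding `FROM semgrep-cli AS rootless` as the final stage changes the default build: a `docker build .` with no `--target` now produces the rootless image rather than `semgrep-cli`, which is why the workflows in this PR have to pass `target` explicitly; a comment above the stage saying so would stop someone later "fixing" a missing `--target` by reordering the stages. `USER semgrep` is the only change in the stage, so `CMD`, `LABEL` and the `~semgrep/.gitconfig` safe-directory setting are inherited unchanged, but any bind mount of `/src` now has to be readable by the `semgrep` uid rather than by root.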