Don't run make targets while logged in to docker registry

Handle login and push under .github so that they are protected using the `pull_request_target` semantics or by tag semantics. Signed-off-by: Thomas Hallgren <thomas@tada.se>
telepresenceio · Aug 13, 2024 · ffa2aa3 · ffa2aa3
1 parent dd6a286
commit ffa2aa3
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 20 deletions.
diff --git a/.github/workflows/dev.yaml b/.github/workflows/dev.yaml
@@ -31,17 +31,26 @@ jobs:
         run: |
           v=$(go run build-aux/genversion/main.go ${{github.run_id}})
           echo "TELEPRESENCE_VERSION=$v" >> "$GITHUB_ENV"
+          echo "TELEPRESENCE_SENVER=${v#v}" >> "$GITHUB_ENV"
           echo "version=$v" >> $GITHUB_OUTPUT
           echo "semver=${v#v}" >> $GITHUB_OUTPUT
-      - name: Log in to registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
       - name: Setup docker buildx
         uses: docker/setup-buildx-action@v3
         with:
           platforms: linux/amd64,linux/arm64
       - name: Build cluster images
         run: |
-          make push-images-x
+          make build-images-x
+      - name: Log in to registry
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+      - name: Push client image
+        run: docker push "${{env.TELEPRESENCE_REGISTRY}}/telepresence:${{env.TELEPRESENCE_SEMVER}}"
+      - name: Push tel2 image
+        run: docker push "${{env.TELEPRESENCE_REGISTRY}}/tel2:${{env.TELEPRESENCE_SEMVER}}"
+      - name: Log out from registry
+        if: always()
+        run: docker logout
+
   run_tests:
     if: github.event.label.name == 'ok to test'
     strategy:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -57,16 +57,26 @@ jobs:
         name: install dependencies
       - name: set version
         shell: bash
-        run: echo "TELEPRESENCE_VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
+        run: |
+          v=${{ github.ref_name }}
+          echo "TELEPRESENCE_VERSION=$v" >> "$GITHUB_ENV"
+          echo "TELEPRESENCE_SENVER=${v#v}" >> "$GITHUB_ENV"
       - name: Setup docker buildx
         uses: docker/setup-buildx-action@v3
         with:
           platforms: linux/amd64,linux/arm64
-      - name: Log in to registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
       - name: Upload Docker images
         run: |
-          make push-images-x
+          make build-images-x
+      - name: Log in to registry
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+      - name: Push client image
+        run: docker push "${{env.TELEPRESENCE_REGISTRY}}/telepresence:${{env.TELEPRESENCE_SEMVER}}"
+      - name: Push tel2 image
+        run: docker push "${{env.TELEPRESENCE_REGISTRY}}/tel2:${{env.TELEPRESENCE_SEMVER}}"
+      - name: Log out from registry
+        if: always()
+        run: docker logout
 
   publish-release:
     runs-on: ubuntu-latest

diff --git a/build-aux/main.mk b/build-aux/main.mk
@@ -227,32 +227,27 @@ tel2-image: build-deps setup-build-dir
 
 .PHONY: tel2-image-x
 tel2-image-x: build-deps setup-build-dir
-	docker buildx build --platform=linux/amd64,linux/arm64 --build-arg TELEPRESENCE_VERSION=$(TELEPRESENCE_VERSION) --cache-to type=local,dest=$(BUILDDIR)/docker-cache -f build-aux/docker/images/Dockerfile.traffic .
+	docker buildx build --platform=linux/amd64,linux/arm64 --build-arg TELEPRESENCE_VERSION=$(TELEPRESENCE_VERSION) --tag $(TEL2_IMAGE_FQN) -f build-aux/docker/images/Dockerfile.traffic .
 
 .PHONY: client-image
 client-image: build-deps setup-build-dir
 	docker build --target telepresence --tag telepresence --tag $(CLIENT_IMAGE_FQN) -f build-aux/docker/images/Dockerfile.client .
 
 .PHONY: client-image-x
 client-image-x: build-deps setup-build-dir
-	docker buildx build --platform=linux/amd64,linux/arm64 --build-arg TELEPRESENCE_VERSION=$(TELEPRESENCE_VERSION) --cache-to type=local,dest=$(BUILDDIR)/docker-cache -f build-aux/docker/images/Dockerfile.client .
+	docker buildx build --platform=linux/amd64,linux/arm64 --build-arg TELEPRESENCE_VERSION=$(TELEPRESENCE_VERSION) --tag $(CLIENT_IMAGE_FQN) -f build-aux/docker/images/Dockerfile.client .
+
+.PHONY: build-images-x
+build-images-x: tel2-image-x client-image-x
 
 .PHONY: push-tel2-image
 push-tel2-image: tel2-image ## (Build) Push the manager/agent container image to $(TELEPRESENCE_REGISTRY)
 	docker push $(TEL2_IMAGE_FQN)
 
-.PHONY: push-tel2-image-x
-push-tel2-image-x: build-deps setup-build-dir
-	docker buildx build --platform=linux/amd64,linux/arm64 --build-arg TELEPRESENCE_VERSION=$(TELEPRESENCE_VERSION) --cache-from type=local,src=$(BUILDDIR)/docker-cache -f build-aux/docker/images/Dockerfile.traffic --push --tag $(TEL2_IMAGE_FQN) .
-
 .PHONY: push-client-image
 push-client-image: client-image ## (Build) Push the client container image to $(TELEPRESENCE_REGISTRY)
 	docker push $(CLIENT_IMAGE_FQN)
 
-.PHONY: push-client-image-x
-push-client-image-x: build-deps setup-build-dir
-	docker buildx build --platform=linux/amd64,linux/arm64 --build-arg TELEPRESENCE_VERSION=$(TELEPRESENCE_VERSION) --cache-from type=local,src=$(BUILDDIR)/docker-cache -f build-aux/docker/images/Dockerfile.client --push --tag $(CLIENT_IMAGE_FQN) .
-
 .PHONY: save-tel2-image
 save-tel2-image: tel2-image
 	docker save $(TEL2_IMAGE_FQN) > $(BUILDDIR)/tel2-image.tar
@@ -264,9 +259,6 @@ save-client-image: client-image
 .PHONY: push-images
 push-images: push-tel2-image push-client-image
 
-.PHONY: push-images-x
-push-images-x: push-tel2-image-x push-client-image-x
-
 .PHONY: clobber
 clobber: ## (Build) Remove all build artifacts and tools
 	rm -rf $(BUILDDIR)