Actions: tighten when docker build runs and how (GSA#682)

* Actions: tighten when docker build runs and how - We do not want to fails build when staff and community make fork PRs. - We want to make sure the latest feature branch is tagged and deployed for now, stop push PR container builds before merge. * Actions: more explicit branch targeting I am not sure that syntax is air-tight with var == 'value1' || 'value2', so make it more explicit and have var on left side and right side of the boolean OR check. * Actions: even more explicit use startsWith syntax * Actions: one last attempt to force annotations
brian-ruf · Nov 8, 2024 · 0b8dba4 · 0b8dba4
1 parent 818deb4
commit 0b8dba4
Showing 1 changed file with 17 additions and 7 deletions.
diff --git a/.github/workflows/content-artifacts.yml b/.github/workflows/content-artifacts.yml
@@ -5,20 +5,24 @@ on:
     branches:
       - master
     paths:
+      - Dockerfile
       - "src/**"
       - "oscal"
   pull_request:
     types: [opened, synchronize, reopened]
   workflow_dispatch:
     branches:
       - master
+      - 'feature**'
 name: Process Content
 env:
   HOME_REPO: GSA/fedramp-automation
   IMAGE_NAME: GSA/fedramp-automation/validation-tools
   REGISTRY: ghcr.io
   # Docs: github.com/docker/metadata-action/?tab=readme-ov-file#typesha
   DOCKER_METADATA_PR_HEAD_SHA: true
+  # https://github.com/docker/metadata-action?tab=readme-ov-file#annotations
+  DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 jobs:
   validate-and-publish-content:
     name: Content Validation Checking, Conversion and Validation
@@ -62,22 +66,26 @@ jobs:
           commit_user_name: OSCAL GitHub Actions Bot
           commit_user_email: oscal@nist.gov
           commit_author: OSCAL GitHub Actions Bot <oscal@nist.gov>
-      - name: Container image QEMU setup for cross-arch builds
+      - if: github.repository == env.HOME_REPO
+        name: Container image QEMU setup for cross-arch builds
         id: image_setup_qemu
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
-      - name: Container image buildx setup for cross-arch builds
+      - if: github.repository == env.HOME_REPO
+        name: Container image buildx setup for cross-arch builds
         id: image_setup_buildx
         with:
           platforms: linux/amd64,linux/arm64 
         uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
-      - name: Container image login
+      - if: github.repository == env.HOME_REPO
+        name: Container image login
         id: image_login
         uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Container image metadata and tag generation
+      - if: github.repository == env.HOME_REPO
+        name: Container image metadata and tag generation
         id: image_metadata
         uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
         with:
@@ -91,7 +99,7 @@ jobs:
           # For now, do not auto-tag latest, maintainers will decided what is
           # release-worthy.
           flavor: |
-            latest=false
+            latest=true
           annotations:
             maintainers="FedRAMP Automation Team <oscal@fedramp.gov>"
             org.opencontainers.image.authors="FedRAMP Automation Team <oscal@fedramp.gov>"
@@ -101,7 +109,8 @@ jobs:
             org.opencontainers.image.title="FedRAMP Validation Tools"
             org.opencontainers.image.description="FedRAMP's tools for validating OSCAL data"
             org.opencontainers.image.licenses="CC0-1.0"
-      - name: Container image registry push
+      - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/feature'))
+        name: Container image registry push
         id: image_registry_push
         uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
         with:
@@ -112,7 +121,8 @@ jobs:
           platforms: linux/amd64,linux/arm64
           cache-from: type=gha
           cache-to: type=gha,mode=max
-      - name: Container image push attestations
+      - if: github.repository == env.HOME_REPO && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/feature'))
+        name: Container image push attestations
         uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}