Skip to content

Bump github/codeql-action in the github-actions-all group #5301

Bump github/codeql-action in the github-actions-all group

Bump github/codeql-action in the github-actions-all group #5301

Workflow file for this run

---
name: Build
on:
push:
branches:
- '**'
pull_request:
release:
types: [edited, published]
schedule:
- cron: '0 10 * * *' # everyday at 10am
workflow_dispatch:
inputs:
dispatch-tag:
description: "Tag to apply to pushed images"
required: true
default: "dispatch"
permissions:
actions: read
contents: read
jobs:
diagnostics:
name: "Diagnostics"
uses: felddy/reusable-workflows/.github/workflows/diagnostics.yml@v2
config:
name: "Config"
uses: ./.github/workflows/_config.yml
metadata:
name: "Metadata"
needs: [config]
uses: felddy/reusable-workflows/.github/workflows/docker-metadata.yml@v2
with:
image_name: ${{ needs.config.outputs.image_name }}
foundry-secrets:
name: "Foundry secrets"
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2
with:
egress-policy: block
- name: Check foundry.com credentials
run: |
return_code=0
if [ -z "${{ secrets.FOUNDRY_USERNAME }}" ]; then
echo "::warning::Set the FOUNDRY_USERNAME secret."
return_code=1
fi
if [ -z "${{ secrets.FOUNDRY_PASSWORD }}" ]; then
echo "::warning::Set the FOUNDRY_PASSWORD secret."
return_code=1
fi
exit $return_code
docker-secrets:
name: "Docker secrets"
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2
with:
egress-policy: block
- name: Check docker.com credentials
run: |
return_code=0
if [ -z "${{ secrets.DOCKER_USERNAME }}" ]; then
echo "::warning::Set the DOCKER_USERNAME secret."
return_code=1
fi
if [ -z "${{ secrets.DOCKER_PASSWORD }}" ]; then
echo "::warning::Set the DOCKER_PASSWORD secret."
return_code=1
fi
exit $return_code
artifact-key:
name: "Artifact key"
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # tag=v2.10.2
with:
egress-policy: block
- name: Check artifact key
run: |
if [ -z "${{ secrets.ARTIFACT_KEY }}" ]; then
echo "::warning::Set the ARTIFACT_KEY secret."
exit 1
fi
lint:
name: "Lint"
needs: [config]
uses: felddy/reusable-workflows/.github/workflows/common-lint.yml@v2
build-normal-test-image:
name: "Build normal test image"
needs:
- config
- lint
- metadata
uses: felddy/reusable-workflows/.github/workflows/docker-build-image.yml@v2
with:
artifact_name: ${{ needs.config.outputs.image_artifact_name_stem }}-${{ needs.config.outputs.test_platform }}
build_arg_1_name: VERSION
cache_from_scopes: ${{ needs.config.outputs.test_platform }}
cache_to_scope: ${{ needs.config.outputs.test_platform }}
image_archive_name_stem: ${{ needs.config.outputs.test_platform }}
image_labels: ${{ needs.metadata.outputs.image_labels }}
platforms: ${{ needs.config.outputs.test_platform }}
secrets:
build_arg_1_value: ${{ needs.metadata.outputs.source_version }}
build-pre-installed-test-image:
name: "Build pre-installed test image"
needs:
- artifact-key
- config
- foundry-secrets
- lint
- metadata
uses: felddy/reusable-workflows/.github/workflows/docker-build-image.yml@v2
with:
artifact_name: pre-installed-${{ needs.config.outputs.image_artifact_name_stem }}-${{ needs.config.outputs.test_platform }}
build_arg_1_name: FOUNDRY_PASSWORD
build_arg_2_name: FOUNDRY_USERNAME
build_arg_3_name: VERSION
cache_from_scopes: ${{ needs.config.outputs.test_platform }}-pre-installed
cache_to_scope: ${{ needs.config.outputs.test_platform }}-pre-installed
image_archive_name_stem: ${{ needs.config.outputs.test_platform }}
image_labels: ${{ needs.metadata.outputs.image_labels }}
platforms: ${{ needs.config.outputs.test_platform }}
secrets:
build_arg_1_value: ${{ secrets.FOUNDRY_PASSWORD }}
build_arg_2_value: ${{ secrets.FOUNDRY_USERNAME }}
build_arg_3_value: ${{ needs.metadata.outputs.source_version }}
image_archive_key: ${{ secrets.ARTIFACT_KEY }}
# Since we need to pass the foundryvtt.com credentials to the tests, we can't
# use the standard reusable test workflow. Instead, we'll use a modified
# version of the workflow that accepts the credential secrets and is stored in
# this repository.
test-normal-image:
name: "Test normal image"
needs:
- artifact-key
- build-normal-test-image
- config
- foundry-secrets
uses: ./.github/workflows/docker-pytest-image.yml
with:
data_artifact_name: ${{ needs.config.outputs.data_artifact_name }}
data_artifact_path: ${{ needs.config.outputs.data_artifact_path }}
image_artifact_name: ${{ needs.build-normal-test-image.outputs.artifact_name }}
image_archive_name: ${{ needs.build-normal-test-image.outputs.image_archive_name }}
secrets:
data_archive_key: ${{ secrets.ARTIFACT_KEY }}
foundry_password: ${{ secrets.FOUNDRY_PASSWORD }}
foundry_username: ${{ secrets.FOUNDRY_USERNAME }}
test-pre-installed-image:
name: "Test pre-installed image"
needs:
- artifact-key
- build-pre-installed-test-image
- config
uses: ./.github/workflows/docker-pytest-image.yml
with:
data_artifact_name: pre-installed-${{ needs.config.outputs.data_artifact_name }}
data_artifact_path: ${{ needs.config.outputs.data_artifact_path }}
image_artifact_name: ${{ needs.build-pre-installed-test-image.outputs.artifact_name }}
image_archive_name: ${{ needs.build-pre-installed-test-image.outputs.image_archive_name }}
secrets:
data_archive_key: ${{ secrets.ARTIFACT_KEY }}
image_archive_key: ${{ secrets.ARTIFACT_KEY }}
build-each-platform:
name: "Build platform"
needs:
- config
- lint
- metadata
- test-normal-image
- test-pre-installed-image
if: github.event_name != 'pull_request'
strategy:
matrix:
platform: ${{ fromJson(needs.config.outputs.platforms_json) }}
exclude:
- platform: ${{ needs.config.outputs.test_platform }}
uses: felddy/reusable-workflows/.github/workflows/docker-build-image.yml@v2
with:
artifact_name: ${{ needs.config.outputs.image_artifact_name_stem }}-${{ matrix.platform }}
build_arg_1_name: VERSION
cache_from_scopes: ${{ matrix.platform }}
cache_to_scope: ${{ matrix.platform }}
image_labels: ${{ needs.metadata.outputs.image_labels }}
image_archive_name_stem: ${{ matrix.platform }}
platforms: ${{ matrix.platform }}
secrets:
build_arg_1_value: ${{ needs.metadata.outputs.source_version }}
generate-sboms:
name: "Bill of Materials"
needs:
- build-each-platform
- config
permissions:
contents: write
strategy:
matrix:
platform: ${{ fromJson(needs.config.outputs.platforms_json) }}
uses: felddy/reusable-workflows/.github/workflows/sbom-artifact.yml@v2
with:
image_artifact_name: ${{ needs.config.outputs.image_artifact_name_stem }}-${{ matrix.platform }}
sbom_artifact_name: ${{ needs.config.outputs.sbom_artifact_name_stem }}-${{ matrix.platform }}
build-multi-arch-image:
name: "Publish image"
needs:
- build-each-platform
- config
- docker-secrets
- metadata
if: github.event_name != 'pull_request'
permissions:
packages: write
uses: felddy/reusable-workflows/.github/workflows/docker-multi-arch-push.yml@v2
with:
artifact_name_pattern: ${{ needs.config.outputs.image_artifact_name_stem }}-*
image_tags: ${{ needs.metadata.outputs.image_tags }}
secrets:
docker_password: ${{ secrets.DOCKER_PASSWORD }}
docker_username: ${{ secrets.DOCKER_USERNAME }}
publish-readme:
name: "Publish docs"
needs:
- build-multi-arch-image
- config
- docker-secrets
- metadata
if: needs.metadata.outputs.latest == 'true'
uses: felddy/reusable-workflows/.github/workflows/docker-publish-description.yml@v2
with:
image_name: ${{ needs.config.outputs.image_name }}
secrets:
docker_password: ${{ secrets.DOCKER_PASSWORD }}
docker_username: ${{ secrets.DOCKER_USERNAME }}