diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 1fe3ebb..f35a8ce 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -8,7 +8,7 @@ on: permissions: contents: read jobs: - test: + test-code: runs-on: ubuntu-latest steps: - name: Checkout 
@@ -35,17 +35,84 @@ jobs: run: go install github.com/google/addlicense@dc31ac9ffcca99c9457226366135701794b128c0 - name: Check licenses run: addlicense -l apache -check -v -ignore '**/*.yaml' -c 'The Score Authors' ./cmd ./internal/ - - name: Build docker image + test-container: + runs-on: ubuntu-latest + if: ${{ !github.event.pull_request.head.repo.fork }} + permissions: + pull-requests: write + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + - name: Set up Docker + uses: docker/setup-docker-action@e43656e248c0bd0647d3f5c195d116aacf6fcaf4 # v4.7.0 + with: + daemon-config: | + { + "debug": true, + "features": { + "containerd-snapshotter": true + } + } + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + with: + version: latest + - name: docker login docker.io + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_TOKEN }} + - name: docker login dhi.io + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + with: + registry: dhi.io + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_TOKEN }} + - name: Build container image from PR branch uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . 
push: false load: true - tags: score-k8s:test - build-args: | - "VERSION=test" + cache-from: type=gha + cache-to: type=gha,mode=max + provenance: mode=max + sbom: true + tags: score-k8s:pr-${{ github.event.number }} + - name: docker images + run: | + docker images + - name: checkout code in main branch + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: main + - name: Build container image from main branch + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + context: . + push: false + load: true + cache-from: type=gha + cache-to: type=gha,mode=max + provenance: mode=max + sbom: true + tags: score-k8s:main + - name: docker images + run: | + docker images + - name: Docker Scout Comparison between main branch and current PR branch + uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 + with: + command: compare + image: local://score-k8s:pr-${{ github.event.number }} + to: local://score-k8s:main + write-comment: true + github-token: ${{ secrets.GITHUB_TOKEN }} + organization: ${{ secrets.DOCKER_HUB_ORG }} - name: Test docker image run: | - docker run --rm score-k8s:test --version - docker run -v .:/score-k8s --rm score-k8s:test init + docker run --rm score-k8s:pr-${{ github.event.number }} --version + docker run -v .:/score-k8s --rm score-k8s:pr-${{ github.event.number }} init cat score.yaml diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml index 3f6a2a1..f5abc37 100644 --- a/.github/workflows/dependabot-auto-merge.yaml +++ b/.github/workflows/dependabot-auto-merge.yaml 
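Review bot: The job-level `permissions:` block under `test-container` lists only `pull-requests: write`, and a job-level block replaces the workflow-level `contents: read` instead of extending it, so every unlisted scope — including `contents` — becomes `none` for this job; the two `actions/checkout` steps then run with no content grant, which fails on a private repository and is at best implicit on a public one. Declare it explicitly, as the `dependabot-auto-merge` job in this same commit does: `permissions:` / `  contents: read` / `  pull-requests: write`. Separately, the `checkout code in main branch` step replaces the workspace, so the later `docker run -v .:/score-k8s ... init` and `cat score.yaml` run against the `main` tree rather than the PR's; if that is unintended, check `main` out under a separate `path:` or move the test step ahead of the second checkout. The `!github.event.pull_request.head.repo.fork` guard is appropriate given the registry logins, but if the workflow's `on:` block (outside this hunk) also includes `push`, `github.event.number` is empty there and the `pr-` tag and the `write-comment` step would misbehave.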
@@ -1,12 +1,14 @@ name: Dependabot auto-merge on: pull_request permissions: - contents: write - pull-requests: write + contents: read jobs: dependabot-auto-merge: runs-on: ubuntu-latest if: ${{ github.actor == 'dependabot[bot]' && !github.event.pull_request.auto_merge }} + permissions: + contents: write + pull-requests: write steps: - name: Approve a PR run: gh pr review --approve "$PR_URL"
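Review bot: Moving `contents: write` and `pull-requests: write` from the workflow level into the `dependabot-auto-merge` job leaves nothing recording why the top-level block is now `contents: read`, so a later edit could lift the write scopes back up; a comment above the job-level block such as `# Workflow default is read-only; only this job's approve/merge steps need write scopes` would capture the intent. Listing both scopes at job level, as the hunk does, is required because a job-level block fully replaces the workflow-level one rather than adding to it.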