From 0cc15c5ac0a055ea971599b70d9926346fa8fbb3 Mon Sep 17 00:00:00 2001
From: PINCHON Benjamin
Date: Mon, 9 Sep 2024 15:14:34 +0200
Subject: [PATCH] ci: add IS_FORK to skip some jobs on PRs from forked projects
Signed-off-by: PINCHON Benjamin
---
 .github/workflows/build.yml | 13 +++++--------
 .github/workflows/ci.yml | 26 --------------------------
 .github/workflows/sonar.yml | 33 +++++++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 34 deletions(-)
 create mode 100644 .github/workflows/sonar.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 79771fe..dbf93d9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,11 +9,6 @@ on:
 build-platform:
 required: true
 type: string
- secrets:
- GHCR_USERNAME:
- required: true
- GHCR_TOKEN:
- required: true
 jobs:
 build-and-push-image:
@@ -35,10 +30,11 @@ jobs:
 - name: Log in to the Container registry
 uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ if: github.ref == 'refs/heads/main'
 with:
 registry: ghcr.io
- username: ${{ secrets.GHCR_USERNAME }}
- password: ${{ secrets.GHCR_TOKEN }}
+ username: ${{ github.actor }}
+ password: ${{ github.token }}
 - name: Extract metadata (tags, labels) for Docker
 id: meta
@@ -58,7 +54,7 @@ jobs:
 uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
 with:
 context: .
- push: true
+ push: ${{ github.ref == 'refs/heads/main' }}
 provenance: false
 platforms: ${{ inputs.build-platform }}
 tags: ${{ steps.meta.outputs.tags }}
@@ -66,6 +62,7 @@ jobs:
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
+ if: github.ref == 'refs/heads/main'
 with:
 image-ref: ${{ inputs.image-name }}:${{ steps.meta.outputs.version }}
 format: 'table'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index dc5da0c..21e6393 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
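Review bot: The login step behind `+ if: github.ref == 'refs/heads/main'` now authenticates to ghcr.io with `github.token`, which only makes the later push succeed if the job — or, since this is a `workflow_call` workflow, the calling job — grants `permissions: packages: write`; the job's `permissions:` block is outside this hunk, so confirm it is set on this job rather than workflow-wide. Gating on the branch name rather than on fork origin also means every caller ref that is not `main` skips login and push, tags included if releases are ever built from them, which the commit title's "IS_FORK" wording does not make obvious. A comment above the step, `# login/push only from main: PR and fork runs have no packages:write token`, would record the intent for the next reader.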
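Review bot: With `+ if: github.ref == 'refs/heads/main'` on the Trivy step, pull-request builds are no longer scanned at all, so a vulnerable base image or dependency introduced in a PR is first reported only after it has been merged and pushed. The image scan genuinely cannot run on PRs here, because the multi-platform build is no longer pushed and cannot be loaded into the local daemon, but a filesystem/Dockerfile scan of the checkout can, so a second step guarded by the inverse condition keeps PRs covered; mirror whatever `severity`/`exit-code` settings the image scan uses, which continue past the end of this hunk. The `with:` block of the existing step also runs past the hunk.
```yaml
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
        if: github.ref == 'refs/heads/main'
        # … unchanged: image-ref, format and remaining inputs …

      - name: Run Trivy filesystem scanner (PRs and non-main refs)
        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
        if: github.ref != 'refs/heads/main'
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'table'
          # same severity / exit-code settings as the image scan above
```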
@@ -119,29 +119,6 @@ jobs:
 run: |
 make test
- sonarqube:
- name: SonarQube Trigger
- runs-on: ubuntu-latest
- needs: detect-noop
- if: needs.detect-noop.outputs.noop != 'true'
- continue-on-error: true
-
- steps:
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- # Disabling shallow clone is recommended for improving relevancy of reporting
- fetch-depth: 0
- - name: SonarQube Scan
- uses: sonarsource/sonarqube-scan-action@aecaf43ae57e412bd97d70ef9ce6076e672fe0a9
- env:
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- SONAR_HOST_URL: ${{ secrets.SONAR_HOST }}
- with:
- args: >
- -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
-
 repo-slug:
 runs-on: ubuntu-latest
 outputs:
@@ -170,6 +147,3 @@ jobs:
 with:
 image-name: ${{ needs.repo-slug.outputs.repo_slug }}
 build-platform: "linux/amd64,linux/arm64,linux/s390x,linux/ppc64le"
- secrets:
- GHCR_USERNAME: ${{ github.actor }}
- GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
new file mode 100644
index 0000000..a8da3da
--- /dev/null
+++ b/.github/workflows/sonar.yml
@@ -0,0 +1,33 @@
+name: CI
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ sonarqube:
+ name: SonarQube Trigger
+ runs-on: ubuntu-latest
+ continue-on-error: true
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ if: ${{ secrets.SONAR_TOKEN != '' }}
+ with:
+ # Disabling shallow clone is recommended for improving relevancy of reporting
+ fetch-depth: 0
+
+ - name: SonarQube Scan
+ uses: sonarsource/sonarqube-scan-action@aecaf43ae57e412bd97d70ef9ce6076e672fe0a9
+ if: ${{ secrets.SONAR_TOKEN != '' }}
+ env:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ SONAR_HOST_URL: ${{ secrets.SONAR_HOST }}
+ with:
+ args: >
+ -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
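Review bot: The two `+ if: ${{ secrets.SONAR_TOKEN != '' }}` guards depend on the `secrets` context being evaluated inside a step-level `if`; as far as I recall GitHub's context-availability table lists `secrets` for `jobs.<job_id>.env` but not for `jobs.<job_id>.steps.if`, so verify this on a run where the secret is unset, and if the guard does not behave the usual indirection is a job-level `env: SONAR_ENABLED: ${{ secrets.SONAR_TOKEN != '' && secrets.SONAR_HOST != '' }}` with `if: env.SONAR_ENABLED == 'true'` on both steps — which also covers `SONAR_HOST`, since a token without a host URL still makes the scan fail. Because `continue-on-error: true` is carried over onto the job, a skipped or misconfigured scan shows up as a green run; a comment above it such as `# best-effort: a Sonar outage must not block main — check the job log for skipped steps` makes that trade-off explicit. The workflow is also named `CI`, which will likely collide with the existing ci.yml in the Actions UI and in required-status-check names — confirm ci.yml's `name` and rename this one (e.g. `SonarQube`) if so. Finally, the `sonarsource/sonarqube-scan-action` pin lacks the `# vX.Y.Z` comment the other SHA-pinned actions in this patch carry, which makes future upgrades and audit harder.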