refactor: restructure image tag derivation and pipeline token prepara… #170
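---
# Builds the container image from container/Dockerfile and pushes it to GHCR
# on every push to main, nightly, and on manual dispatch.
name: "Container Build"

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:  # needed for manually running this workflow
  schedule:
    - cron: "15 3 * * *"  # sadly there is no TZ support here
  push:
    branches:
      - "main"

# Least privilege for the workflow's GITHUB_TOKEN: read the repository,
# publish to GitHub Packages (ghcr.io). Nothing else is granted.
permissions:
  contents: read
  packages: write

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    env:
      # Both values are filled in by earlier steps through $GITHUB_ENV and
      # read by the build-push step via ${{ env.* }}.
      IMAGE_TAG: ""
      PIPELINE_BUILD_TOKEN: ""
    steps:
      - name: Checkout code
        # NOTE(review): actions are pinned by major tag; pinning to a full
        # commit SHA makes the action source immutable if that is wanted.
        uses: actions/checkout@v5

      - name: Derive image tag
        # GITHUB_REPOSITORY / GITHUB_REF_NAME are default environment
        # variables, so no ${{ }} expression is expanded into shell text.
        # The ref is sanitised because workflow_dispatch may run from any
        # branch and names such as "release/1.2" are not valid OCI tags
        # (allowed: [A-Za-z0-9_][A-Za-z0-9_.-]{0,127}).
        run: |
          set -euo pipefail
          repo="${GITHUB_REPOSITORY,,}"
          ref="${GITHUB_REF_NAME,,}"
          # replace any character outside the tag alphabet with "-"
          ref="${ref//[^a-z0-9_.-]/-}"
          # a tag may not start with "." or "-"
          case "$ref" in
            [.-]*) ref="_${ref}" ;;
          esac
          # tags are capped at 128 characters
          ref="${ref:0:128}"
          echo "IMAGE_TAG=ghcr.io/${repo}:${ref}" >> "$GITHUB_ENV"

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Prepare pipeline token
        # Secrets are handed to the script through `env:` rather than being
        # expanded with ${{ }} inside `run:`. An expression inside `run:`
        # is substituted into the script source before bash sees it, so a
        # value containing quotes, "$" or backticks would be interpreted as
        # shell code; reading "$VAR" keeps the value as data.
        env:
          PIPELINE_GITHUB_TOKEN: ${{ secrets.PIPELINE_GITHUB_TOKEN }}
          WORKFLOW_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          # Prefer the dedicated pipeline token; fall back to the workflow's
          # own GITHUB_TOKEN, failing loudly if neither is available.
          if [ -n "${PIPELINE_GITHUB_TOKEN:-}" ]; then
            token="$PIPELINE_GITHUB_TOKEN"
            source="PIPELINE_GITHUB_TOKEN"
          else
            if [ -z "${WORKFLOW_GITHUB_TOKEN:-}" ]; then
              echo "No GitHub token available. Configure PIPELINE_GITHUB_TOKEN or ensure GITHUB_TOKEN is accessible." >&2
              exit 1
            fi
            echo "PIPELINE_GITHUB_TOKEN not set; falling back to workflow GITHUB_TOKEN (may hit rate limits)." >&2
            token="$WORKFLOW_GITHUB_TOKEN"
            source="GITHUB_TOKEN"
          fi
          # Mask before the value is written anywhere so it cannot appear in
          # step logs; then export it for the build step.
          echo "::add-mask::${token}"
          echo "PIPELINE_BUILD_TOKEN=${token}" >> "$GITHUB_ENV"
          echo "PIPELINE_BUILD_TOKEN_SOURCE=${source}" >> "$GITHUB_ENV"
          echo "Using token source: ${source}"

      - name: Build and push image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: container/Dockerfile
          push: true
          platforms: linux/amd64
          # Passed as a BuildKit secret (consumed in the Dockerfile via
          # --mount=type=secret), not as a build-arg, so the token is not
          # persisted in image layers or history.
          secrets: |
            github_token=${{ env.PIPELINE_BUILD_TOKEN }}
          tags: ${{ env.IMAGE_TAG }}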