Improve Docker CI pipeline

- omit publishing and releasing Docker images in forks - verify Git tag to match Makefile before releasing - auto-cancel concurrent CI pipelines for the same Git ref
2022-09-13 13:19:07 +03:00 · 2022-09-13 13:19:07 +03:00 · 01d725e65b
commit 01d725e65b
parent 79f9c65dd8
1 changed files with 34 additions and 44 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -1,12 +1,14 @@
 name: Docker CI

-
 on:
  pull_request:
  push:
  schedule:
-    - cron: '13 13 * * 3'
+    - cron: "13 13 * * 3"

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true

 jobs:
  buildx:
@ -15,28 +17,26 @@ jobs:
        include:
          - dockerfile: debian
            cache: ${{ github.ref != 'refs/heads/master'
-                       && !startsWith(github.ref, 'refs/tags/docker/') }}
+                    && !startsWith(github.ref, 'refs/tags/docker/') }}
            publish: ${{ github.event_name == 'push'
-                         && (startsWith(github.ref, 'refs/tags/docker/')
-                             || github.ref == 'refs/heads/master') }}
-
+                      && github.repository_owner == 'coturn'
+                      && (startsWith(github.ref, 'refs/tags/docker/')
+                          || github.ref == 'refs/heads/master') }}
          - dockerfile: alpine
            cache: ${{ github.ref != 'refs/heads/master'
-                       && !startsWith(github.ref, 'refs/tags/docker/') }}
+                    && !startsWith(github.ref, 'refs/tags/docker/') }}
            publish: ${{ github.event_name == 'push'
-                         && (startsWith(github.ref, 'refs/tags/docker/')
-                             || github.ref == 'refs/heads/master') }}
-
+                      && github.repository_owner == 'coturn'
+                      && (startsWith(github.ref, 'refs/tags/docker/')
+                          || github.ref == 'refs/heads/master') }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
-
      - uses: docker/setup-qemu-action@v2
      - uses: docker/setup-buildx-action@v2

-
      - name: Detect correct Git ref for image build
        id: git
        uses: actions/github-script@v6
@ -48,14 +48,13 @@ jobs:
              out.ver = out.ref;
            }
            return out;
-
-
-      - name: Pre-build fresh Docker images cache
-        run: make docker.build.cache no-cache=yes
-                  DOCKERFILE=${{ matrix.dockerfile }}
-                  ref=${{ fromJSON(steps.git.outputs.result).ref }}
+      - name: Verify Git ref matches Makefile version
+        run: |
+          test "${{ fromJSON(steps.git.outputs.result).ref }}" \
+            == "$(grep -m1 'COTURN_VER ?=' Makefile | cut -d'=' -f2 | tr -d ' ')"
        working-directory: ./docker/coturn
-        if: ${{ !matrix.cache }}
+        if: ${{ matrix.publish
+             && github.ref != 'refs/heads/master' }}

      - uses: satackey/action-docker-layer-caching@v0.0.11
        with:
@ -65,11 +64,10 @@ jobs:
        timeout-minutes: 10
        if: ${{ matrix.cache }}
      - name: Pre-build Docker images cache
-        run: make docker.build.cache no-cache=no
-                  DOCKERFILE=${{ matrix.dockerfile }}
+        run: make docker.build.cache DOCKERFILE=${{ matrix.dockerfile }}
+                  no-cache=${{ (matrix.cache && 'no') || 'yes' }}
                  ref=${{ fromJSON(steps.git.outputs.result).ref }}
        working-directory: ./docker/coturn
-        if: ${{ matrix.cache }}

      - name: Test Docker images
        run: |
@ -80,14 +78,13 @@ jobs:
          sudo systemctl restart docker

          make npm.install
-          make test.docker platforms=@all build=yes \
-               DOCKERFILE=${{ matrix.dockerfile }} \
+          make test.docker DOCKERFILE=${{ matrix.dockerfile }} \
+               platforms=@all build=yes \
               ref=${{ fromJSON(steps.git.outputs.result).ref }}
        env:
          COTURN_VERSION: ${{ fromJSON(steps.git.outputs.result).ver }}
        working-directory: ./docker/coturn

-
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
@ -95,7 +92,6 @@ jobs:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
        if: ${{ matrix.publish }}
-
      - name: Login to Quay.io
        uses: docker/login-action@v2
        with:
@ -103,7 +99,6 @@ jobs:
          username: ${{ secrets.QUAYIO_ROBOT_USERNAME }}
          password: ${{ secrets.QUAYIO_ROBOT_TOKEN }}
        if: ${{ matrix.publish }}
-
      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
@ -112,19 +107,18 @@ jobs:
        if: ${{ matrix.publish }}

      - name: Publish version Docker tags
-        run: make docker.push
-                  DOCKERFILE=${{ matrix.dockerfile }}
+        run: make docker.push DOCKERFILE=${{ matrix.dockerfile }}
                  ref=${{ fromJSON(steps.git.outputs.result).ref }}
        working-directory: ./docker/coturn
-        if: ${{ matrix.publish && github.ref != 'refs/heads/master' }}
-
+        if: ${{ matrix.publish
+             && github.ref != 'refs/heads/master' }}
      - name: Publish edge Docker tags
-        run: make docker.push tags=edge-${{ matrix.dockerfile }}
-                  DOCKERFILE=${{ matrix.dockerfile }}
+        run: make docker.push DOCKERFILE=${{ matrix.dockerfile }}
+                  tags=edge-${{ matrix.dockerfile }}
                  ref=${{ fromJSON(steps.git.outputs.result).ref }}
        working-directory: ./docker/coturn
-        if: ${{ matrix.publish && github.ref == 'refs/heads/master' }}
-
+        if: ${{ matrix.publish
+             && github.ref == 'refs/heads/master' }}

      # On GitHub Container Registry README is automatically updated on pushes.
      - name: Update README on Quay.io
@ -136,7 +130,6 @@ jobs:
          destination_container_repo: quay.io/coturn/coturn
          readme_file: docker/coturn/README.md
        if: ${{ matrix.publish }}
-
      - name: Update README on Docker Hub
        uses: christian-korneck/update-container-description-action@v1
        env:
@ -148,11 +141,11 @@ jobs:
          readme_file: docker/coturn/README.md
        if: ${{ matrix.publish }}

-
  release:
-    needs: ['buildx']
+    needs: ["buildx"]
    if: ${{ github.event_name == 'push'
-            && startsWith(github.ref, 'refs/tags/docker/') }}
+         && github.repository_owner == 'coturn'
+         && startsWith(github.ref, 'refs/tags/docker/') }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
@ -160,16 +153,13 @@ jobs:
      - name: Parse release version from Git tag
        id: release
        run: echo ::set-output name=VERSION::${GITHUB_REF#refs/tags/docker/}
-
      - name: Parse CHANGELOG link
        id: changelog
-        run: echo ::set-output name=LINK::https://github.com/${{ github.repository }}/blob/docker/${{ steps.release.outputs.VERSION }}/docker/coturn/CHANGELOG.md#$(sed -n '/^## \[${{ steps.release.outputs.VERSION }}\]/{s/^## \[\(.*\)\][^0-9]*\([0-9].*\)/\1--\2/;s/[^0-9a-z-]*//g;p;}' CHANGELOG.md)
+        run: echo ::set-output name=LINK::${{ github.server_url }}/${{ github.repository }}/blob/docker/${{ steps.release.outputs.VERSION }}/docker/coturn/CHANGELOG.md#$(sed -n '/^## \[${{ steps.release.outputs.VERSION }}\]/{s/^## \[\(.*\)\][^0-9]*\([0-9].*\)/\1--\2/;s/[^0-9a-z-]*//g;p;}' CHANGELOG.md)
        working-directory: ./docker/coturn

-      - name: Release on GitHub
+      - name: Create GitHub release
        uses: softprops/action-gh-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          name: docker/${{ steps.release.outputs.VERSION }}
          body: |