From 01d725e65b5e075ae90758ff87ede02171c9c791 Mon Sep 17 00:00:00 2001 From: tyranron Date: Tue, 13 Sep 2022 13:19:07 +0300 Subject: [PATCH] Improve Docker CI pipeline - omit publishing and releasing Docker images in forks - verify Git tag to match Makefile before releasing - auto-cancel concurrent CI pipelines for the same Git ref --- .github/workflows/docker.yml | 78 ++++++++++++++++-------------------- 1 file changed, 34 insertions(+), 44 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 6db050a..53367a7 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -1,12 +1,14 @@ name: Docker CI - on: pull_request: push: schedule: - - cron: '13 13 * * 3' + - cron: "13 13 * * 3" +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: buildx: 
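Review bot: `cancel-in-progress: true` in the new `concurrency` block applies to every ref, including `refs/heads/master` and `refs/tags/docker/*`, so a newer run in the same group can cancel a run that is part-way through publishing. The weekly scheduled run is one such case, assuming it resolves to the `master` ref. The publish steps later in this patch log in to three registries, so a cancelled run could leave them holding different images, although the push order inside `make docker.push` is not visible here. Limiting cancellation to non-publishing refs avoids that, reusing the condition the matrix already uses for `cache`: `cancel-in-progress: ${{ github.ref != 'refs/heads/master' && !startsWith(github.ref, 'refs/tags/docker/') }}`.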
@@ -15,28 +17,26 @@ jobs: include: - dockerfile: debian cache: ${{ github.ref != 'refs/heads/master' - && !startsWith(github.ref, 'refs/tags/docker/') }} + && !startsWith(github.ref, 'refs/tags/docker/') }} publish: ${{ github.event_name == 'push' - && (startsWith(github.ref, 'refs/tags/docker/') - || github.ref == 'refs/heads/master') }} - + && github.repository_owner == 'coturn' + && (startsWith(github.ref, 'refs/tags/docker/') + || github.ref == 'refs/heads/master') }} - dockerfile: alpine cache: ${{ github.ref != 'refs/heads/master' - && !startsWith(github.ref, 'refs/tags/docker/') }} + && !startsWith(github.ref, 'refs/tags/docker/') }} publish: ${{ github.event_name == 'push' - && (startsWith(github.ref, 'refs/tags/docker/') - || github.ref == 'refs/heads/master') }} - + && github.repository_owner == 'coturn' + && (startsWith(github.ref, 'refs/tags/docker/') + || github.ref == 'refs/heads/master') }} runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 with: fetch-depth: 0 - - uses: docker/setup-qemu-action@v2 - uses: docker/setup-buildx-action@v2 - - name: Detect correct Git ref for image build id: git uses: actions/github-script@v6 @@ -48,14 +48,13 @@ jobs: out.ver = out.ref; } return out; - - - - name: Pre-build fresh Docker images cache - run: make docker.build.cache no-cache=yes - DOCKERFILE=${{ matrix.dockerfile }} - ref=${{ fromJSON(steps.git.outputs.result).ref }} + - name: Verify Git ref matches Makefile version + run: | + test "${{ fromJSON(steps.git.outputs.result).ref }}" \ + == "$(grep -m1 'COTURN_VER ?=' Makefile | cut -d'=' -f2 | tr -d ' ')" working-directory: ./docker/coturn - if: ${{ !matrix.cache }} + if: ${{ matrix.publish + && github.ref != 'refs/heads/master' }} - uses: satackey/action-docker-layer-caching@v0.0.11 with: 
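Review bot: The new `Verify Git ref matches Makefile version` step pastes `${{ fromJSON(steps.git.outputs.result).ref }}` into the shell script before bash parses it, so a ref containing a quote or `$(` becomes script text rather than data. The value comes from the `Detect correct Git ref` step, whose body starts outside this hunk and which presumably derives it from the pushed tag name. The `matrix.publish` guard limits the step to pushes in a `coturn`-owned repository, but the job later handles registry credentials, so the value should be passed through the environment: add `env:` with `GIT_REF: ${{ fromJSON(steps.git.outputs.result).ref }}` and compare with `test "$GIT_REF" = "$(grep -m1 'COTURN_VER ?=' Makefile | cut -d'=' -f2 | tr -d ' ')"`. Using `=` instead of `==` also keeps the `test` portable. The same inline interpolation appears in the `ref=${{ … }}` arguments to `make` in the cache, test and push steps of the following hunks, and in `${{ steps.release.outputs.VERSION }}` inside the `sed` expression of the last hunk.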
@@ -65,11 +64,10 @@ jobs: timeout-minutes: 10 if: ${{ matrix.cache }} - name: Pre-build Docker images cache - run: make docker.build.cache no-cache=no - DOCKERFILE=${{ matrix.dockerfile }} + run: make docker.build.cache DOCKERFILE=${{ matrix.dockerfile }} + no-cache=${{ (matrix.cache && 'no') || 'yes' }} ref=${{ fromJSON(steps.git.outputs.result).ref }} working-directory: ./docker/coturn - if: ${{ matrix.cache }} - name: Test Docker images run: | @@ -80,14 +78,13 @@ jobs: sudo systemctl restart docker make npm.install - make test.docker platforms=@all build=yes \ - DOCKERFILE=${{ matrix.dockerfile }} \ + make test.docker DOCKERFILE=${{ matrix.dockerfile }} \ + platforms=@all build=yes \ ref=${{ fromJSON(steps.git.outputs.result).ref }} env: COTURN_VERSION: ${{ fromJSON(steps.git.outputs.result).ver }} working-directory: ./docker/coturn - - name: Login to GitHub Container Registry uses: docker/login-action@v2 with: @@ -95,7 +92,6 @@ jobs: username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} if: ${{ matrix.publish }} - - name: Login to Quay.io uses: docker/login-action@v2 with: @@ -103,7 +99,6 @@ jobs: username: ${{ secrets.QUAYIO_ROBOT_USERNAME }} password: ${{ secrets.QUAYIO_ROBOT_TOKEN }} if: ${{ matrix.publish }} - - name: Login to Docker Hub uses: docker/login-action@v2 with: 
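Review bot: The merged `Pre-build Docker images cache` step now selects the mode with `no-cache=${{ (matrix.cache && 'no') || 'yes' }}`, and nothing in the file explains why publishing refs must take the `yes` branch. A comment above the step would stop a later edit from silently switching published images to cached layers, for example `# master and docker/* tags have matrix.cache == false: no layer cache is restored and the build runs with no-cache=yes`. What `no-cache=yes` does inside `make docker.build.cache` is not visible here, so check the wording against the Makefile.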
@@ -112,19 +107,18 @@ jobs: if: ${{ matrix.publish }} - name: Publish version Docker tags - run: make docker.push - DOCKERFILE=${{ matrix.dockerfile }} + run: make docker.push DOCKERFILE=${{ matrix.dockerfile }} ref=${{ fromJSON(steps.git.outputs.result).ref }} working-directory: ./docker/coturn - if: ${{ matrix.publish && github.ref != 'refs/heads/master' }} - + if: ${{ matrix.publish + && github.ref != 'refs/heads/master' }} - name: Publish edge Docker tags - run: make docker.push tags=edge-${{ matrix.dockerfile }} - DOCKERFILE=${{ matrix.dockerfile }} + run: make docker.push DOCKERFILE=${{ matrix.dockerfile }} + tags=edge-${{ matrix.dockerfile }} ref=${{ fromJSON(steps.git.outputs.result).ref }} working-directory: ./docker/coturn - if: ${{ matrix.publish && github.ref == 'refs/heads/master' }} - + if: ${{ matrix.publish + && github.ref == 'refs/heads/master' }} # On GitHub Container Registry README is automatically updated on pushes. - name: Update README on Quay.io @@ -136,7 +130,6 @@ jobs: destination_container_repo: quay.io/coturn/coturn readme_file: docker/coturn/README.md if: ${{ matrix.publish }} - - name: Update README on Docker Hub uses: christian-korneck/update-container-description-action@v1 env: @@ -148,11 +141,11 @@ jobs: readme_file: docker/coturn/README.md if: ${{ matrix.publish }} - release: - needs: ['buildx'] + needs: ["buildx"] if: ${{ github.event_name == 'push' - && startsWith(github.ref, 'refs/tags/docker/') }} + && github.repository_owner == 'coturn' + && startsWith(github.ref, 'refs/tags/docker/') }} runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 
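Review bot: The `release` job gains the `github.repository_owner == 'coturn'` guard, but no `permissions:` key is visible on it here or at the top of the workflow in the first hunk, so `GITHUB_TOKEN` appears to run with the repository's default scopes. Declaring the scopes makes the job's privileges explicit and independent of the repository setting: add `permissions:` with `contents: write` under `release:`. The `buildx` job would need `contents: read` and `packages: write`, since it logs in to GitHub Container Registry with `secrets.GITHUB_TOKEN`. The `release` job's steps continue outside this hunk, so confirm that no other scope is needed.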
@@ -160,16 +153,13 @@ jobs: - name: Parse release version from Git tag id: release run: echo ::set-output name=VERSION::${GITHUB_REF#refs/tags/docker/} - - name: Parse CHANGELOG link id: changelog - run: echo ::set-output name=LINK::https://github.com/${{ github.repository }}/blob/docker/${{ steps.release.outputs.VERSION }}/docker/coturn/CHANGELOG.md#$(sed -n '/^## \[${{ steps.release.outputs.VERSION }}\]/{s/^## \[\(.*\)\][^0-9]*\([0-9].*\)/\1--\2/;s/[^0-9a-z-]*//g;p;}' CHANGELOG.md) + run: echo ::set-output name=LINK::${{ github.server_url }}/${{ github.repository }}/blob/docker/${{ steps.release.outputs.VERSION }}/docker/coturn/CHANGELOG.md#$(sed -n '/^## \[${{ steps.release.outputs.VERSION }}\]/{s/^## \[\(.*\)\][^0-9]*\([0-9].*\)/\1--\2/;s/[^0-9a-z-]*//g;p;}' CHANGELOG.md) working-directory: ./docker/coturn - - name: Release on GitHub + - name: Create GitHub release uses: softprops/action-gh-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: name: docker/${{ steps.release.outputs.VERSION }} body: |
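Review bot: The rewritten `run:` line of `Parse CHANGELOG link` still sets its output with the `::set-output` workflow command, which GitHub has deprecated in favour of the `$GITHUB_OUTPUT` file. With the stdout form, any text a step prints in that syntax is treated as a command. The line can keep its expression and append to the file instead, `echo "LINK=…" >> "$GITHUB_OUTPUT"`. The unchanged `Parse release version from Git tag` step above it would become `run: echo "VERSION=${GITHUB_REF#refs/tags/docker/}" >> "$GITHUB_OUTPUT"`.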