Skip to content

gha: image build needs package write #607

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 1, 2025
Merged

gha: image build needs package write #607

merged 1 commit into from
Jul 1, 2025

Conversation

mdtro
Copy link
Member

@mdtro mdtro commented Jul 1, 2025
edited
Loading

Fixing permissions here. This need packages write in order to push the container to GHCR.

@mdtro mdtro requested a review from a team July 1, 2025 23:39
@mdtro mdtro enabled auto-merge (squash) July 1, 2025 23:40
@mdtro mdtro merged commit 64ad22f into master Jul 1, 2025
13 checks passed
@mdtro mdtro deleted the mdtro/fix-gha-permissions branch July 1, 2025 23:41
asottile-sentry
asottile-sentry reviewed Jul 2, 2025
View reviewed changes
.github/workflows/image.yml
Comment on lines +15 to +65
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- name: builder-image
run: |
set -euxo pipefail

img=ghcr.io/getsentry/craft-builder:latest
args=()
if docker pull -q "$img"; then
args+=(--cache-from "$img")
fi
docker buildx build \
"${args[@]}" \
--build-arg BUILDKIT_INLINE_CACHE=1 \
--target builder \
--tag "$img" \
.
- name: image
run: |
set -euxo pipefail
img=ghcr.io/getsentry/craft-builder:latest
args=()
if docker pull -q "$img"; then
args+=(--cache-from "$img")
fi
docker buildx build \
"${args[@]}" \
--build-arg BUILDKIT_INLINE_CACHE=1 \
--target builder \
--tag "$img" \
.
- name: image
run: |
set -euxo pipefail

img=ghcr.io/getsentry/craft:latest
args=()
if docker pull -q "$img"; then
args+=(--cache-from "$img")
fi
docker buildx build \
"${args[@]}" \
--build-arg "SOURCE_COMMIT=$GITHUB_SHA" \
--build-arg BUILDKIT_INLINE_CACHE=1 \
--tag "$img" \
.
- name: docker login
run: docker login --username "$DOCKER_USER" --password-stdin ghcr.io <<< "$DOCKER_PASS"
env:
DOCKER_USER: ${{ github.actor }}
DOCKER_PASS: ${{ secrets.GITHUB_TOKEN }}
if: github.event_name != 'pull_request'
- name: docker push
run: |
set -euxo pipefail
img=ghcr.io/getsentry/craft:latest
args=()
if docker pull -q "$img"; then
args+=(--cache-from "$img")
fi
docker buildx build \
"${args[@]}" \
--build-arg "SOURCE_COMMIT=$GITHUB_SHA" \
--build-arg BUILDKIT_INLINE_CACHE=1 \
--tag "$img" \
.
- name: docker login
run: docker login --username "$DOCKER_USER" --password-stdin ghcr.io <<< "$DOCKER_PASS"
env:
DOCKER_USER: ${{ github.actor }}
DOCKER_PASS: ${{ secrets.GITHUB_TOKEN }}
if: github.event_name != 'pull_request'
- name: docker push
run: |
set -euxo pipefail

craft_builder=ghcr.io/getsentry/craft-builder:latest
craft_latest=ghcr.io/getsentry/craft:latest
craft_versioned="ghcr.io/getsentry/craft:${GITHUB_SHA}"
craft_builder=ghcr.io/getsentry/craft-builder:latest
craft_latest=ghcr.io/getsentry/craft:latest
craft_versioned="ghcr.io/getsentry/craft:${GITHUB_SHA}"

docker push "$craft_builder"
docker push "$craft_builder"

docker tag "$craft_latest" "$craft_versioned"
docker push "$craft_versioned"
docker push "$craft_latest"
if: github.event_name != 'pull_request'
docker tag "$craft_latest" "$craft_versioned"
docker push "$craft_versioned"
docker push "$craft_latest"
if: github.event_name != 'pull_request'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please don't change unrelated things

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asottile-sentry asottile-sentry asottile-sentry left review comments

@Jeffreyhung Jeffreyhung Jeffreyhung approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mdtro @Jeffreyhung @asottile-sentry