set a non-root user for containers (#2496)

* change root user in dockerfile * build container on push/pr * grab docker build params from env * consolidate container build * rm unused container build workflow/script * cleanup ci * set user for earthly container build * rm ci docker build for develop branch * checkout full repo for docker builds * read earthly push from env * cleanup ci * rm unsupported option for actions/checkout@v3 * check dockerfile in ci * add dockerfile build to earthfile * authenticate to GH only on schedule builds * accurate name for dev container builder script * add note to the dockerfile about earthfile * document dev build process more clearly
2023-01-04 23:15:12 +01:00
parent e748d8f765
commit 2c6fd67276
10 changed files with 134 additions and 121 deletions
--- a/.github/workflows/container.yaml
+++ b/.github/workflows/container.yaml
@@ -0,0 +1,56 @@
+# See https://docs.earthly.dev/ci-integration/vendor-specific-guides/gh-actions-integration
+# for details.
+
+name: Build development container
+
+on:
+  schedule:
+    - cron: '0 2 * * *'
+  push:
+    branches:
+      - webv2
+  pull_request:
+    branches:
+      - webv2
+
+jobs:
+  Earthly:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Earthly
+        uses: earthly/actions-setup@v1
+        with:
+          version: 'latest' # or pin to an specific version, e.g. "v0.6.10"
+
+      - name: Log Earthly version
+        run: earthly --version
+
+      - name: Authenticate to GitHub Container Registry
+        if: ${{ github.event_name == 'schedule' && env.GH_CR_PAT != null }}
+        env:
+          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
+        run: echo "${{ secrets.GH_CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        with:
+          image: tonistiigi/binfmt:latest
+          platforms: all
+
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Build and push
+        if: ${{ github.event_name == 'schedule' && env.GH_CR_PAT != null }}
+        env:
+          GH_CR_PAT: ${{ secrets.GH_CR_PAT }}
+          EARTHLY_BUILD_TAG: 'webv2'
+          EARTHLY_BUILD_BRANCH: 'webv2'
+          EARTHLY_PUSH: true
+        run: ./build/develop/container.sh
+
+      - name: Build
+        if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}
+        run: ./build/develop/container.sh