Revert "chore(ci): fix lint findings in build-docker (#15145)"#15174
This reverts commit 16cb6af.
| id: plan | ||
| run: | | ||
| if [ "${DRY_RUN}" == "false" ]; then | ||
| if [ "${{ env.DRY_RUN }}" == "false" ]; then |
Code scanning / zizmor: code injection via template expansion (warning)
| echo "login=true" >> "$GITHUB_OUTPUT" | ||
| echo "push=true" >> "$GITHUB_OUTPUT" | ||
| echo "tag=${TAG}" >> "$GITHUB_OUTPUT" | ||
| echo "tag=${{ env.TAG }}" >> "$GITHUB_OUTPUT" |
Code scanning / zizmor: code injection via template expansion (warning)
| echo "action=build and publish" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "login=${IS_LOCAL_PR}" >> "$GITHUB_OUTPUT" | ||
| echo "login=${{ env.IS_LOCAL_PR }}" >> "$GITHUB_OUTPUT" |
Code scanning / zizmor: code injection via template expansion (warning)
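Review bot: the three lines restored in this step put `${{ env.DRY_RUN }}`, `${{ env.TAG }}` and `${{ env.IS_LOCAL_PR }}` back into the script text, which is exactly what the zizmor warnings attached to them are about: the runner substitutes each expression's value into the `run:` body before bash parses it, so a value shaped like `x"; <command>; echo "` executes as code, whereas the `${DRY_RUN}`, `${TAG}` and `${IS_LOCAL_PR}` lines being removed read the same values from the process environment and keep them as data (provided the step's `env:` block supplies them). The revert description attributes the breakage to the annotation step, so unless this `plan` step is part of that failure, consider keeping the env-based form here and reverting only the job that broke.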
| run: | | ||
| version=$(grep "version = " pyproject.toml | sed -e 's/version = "\(.*\)"/\1/g') | ||
| if [ "${DOCKER_PLAN_OUTPUTS_TAG}" != "${version}" ]; then | ||
| if [ "${{ needs.docker-plan.outputs.tag }}" != "${version}" ]; then |
Code scanning / zizmor: code injection via template expansion (note)
| if [ "${{ needs.docker-plan.outputs.tag }}" != "${version}" ]; then | ||
| echo "The input tag does not match the version from pyproject.toml:" >&2 | ||
| echo "${DOCKER_PLAN_OUTPUTS_TAG}" >&2 | ||
| echo "${{ needs.docker-plan.outputs.tag }}" >&2 |
Code scanning / zizmor: code injection via template expansion (note)
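Review bot: the tag is interpolated into the script text twice in this step, in the comparison `if [ "${{ needs.docker-plan.outputs.tag }}" != "${version}" ]` and again in the diagnostic `echo "${{ needs.docker-plan.outputs.tag }}" >&2`, and the error message itself calls it "the input tag", so this is a value that arrives from a workflow input rather than from the repository; zizmor rates job outputs below `env`/`github` context, but the mechanism is the same. The `${DOCKER_PLAN_OUTPUTS_TAG}` form being removed needs only `env: DOCKER_PLAN_OUTPUTS_TAG: ${{ needs.docker-plan.outputs.tag }}` on the step, which is where the expression is safe because it is assigned, not spliced into code. Separately, `grep "version = " pyproject.toml` matches any line containing that text, so `grep -m1 '^version = '` would keep `version` single-valued if another `...version = "..."` key ever appears in the file.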
| cat <<EOF > Dockerfile | ||
| FROM ${BASE_IMAGE} | ||
| COPY --from=${UV_GHCR_IMAGE}:latest /uv /uvx /usr/local/bin/ | ||
| COPY --from=${{ env.UV_GHCR_IMAGE }}:latest /uv /uvx /usr/local/bin/ |
Code scanning / zizmor: code injection via template expansion (warning)
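Review bot: the heredoc line `COPY --from=${{ env.UV_GHCR_IMAGE }}:latest /uv /uvx /usr/local/bin/` is the worst place to restore template expansion: the substituted text lands inside the `cat <<EOF > Dockerfile` body before the shell reads it, so a value containing a newline can terminate the heredoc early with its own `EOF` and append arbitrary shell lines after it, and even a value that stays inside the heredoc controls the rest of the generated Dockerfile. The heredoc is unquoted (`<<EOF`, not `<<'EOF'`), so the shell already expands `${BASE_IMAGE}` on the preceding `FROM` line; the `${UV_GHCR_IMAGE}` form being removed works the same way with the variable in the step's `env:` and needs no other change.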
| IFS=','; for TAG in ${BASE_TAGS}; do | ||
| TAG_PATTERNS="${TAG_PATTERNS}type=pep440,pattern={{ version }},suffix=-${TAG},value=${NEEDS_DOCKER_PLAN_OUTPUTS_TAG}\n" | ||
| TAG_PATTERNS="${TAG_PATTERNS}type=pep440,pattern={{ major }}.{{ minor }},suffix=-${TAG},value=${NEEDS_DOCKER_PLAN_OUTPUTS_TAG}\n" | ||
| TAG_PATTERNS="${TAG_PATTERNS}type=pep440,pattern={{ version }},suffix=-${TAG},value=${{ needs.docker-plan.outputs.tag }}\n" |
Code scanning / zizmor: code injection via template expansion (note)
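Review bot: `value=${{ needs.docker-plan.outputs.tag }}` is interpolated into a double-quoted assignment inside the `for TAG in ${BASE_TAGS}` loop, so the substituted text is re-evaluated on every iteration and a value containing `"` breaks out of the quotes each time; the `${NEEDS_DOCKER_PLAN_OUTPUTS_TAG}` form being removed is expanded by the shell and cannot do that. Worth a comment on the loop for whoever re-lands the fix: the `{{ version }}` and `{{ major }}.{{ minor }}` tokens on these lines are docker/metadata-action template syntax (single braces, no `$`), not GitHub expressions, and must stay literal.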
| IFS=','; for TAG in ${BASE_TAGS}; do | ||
| TAG_PATTERNS="${TAG_PATTERNS}type=pep440,pattern={{ version }},suffix=-${TAG},value=${NEEDS_DOCKER_PLAN_OUTPUTS_TAG}\n" | ||
| TAG_PATTERNS="${TAG_PATTERNS}type=pep440,pattern={{ major }}.{{ minor }},suffix=-${TAG},value=${NEEDS_DOCKER_PLAN_OUTPUTS_TAG}\n" | ||
| TAG_PATTERNS="${TAG_PATTERNS}type=pep440,pattern={{ version }},suffix=-${TAG},value=${{ needs.docker-plan.outputs.tag }}\n" |
Code scanning / zizmor: code injection via template expansion (note)
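Review bot: this is a second copy of the same `TAG_PATTERNS` loop with the same finding on `value=${{ needs.docker-plan.outputs.tag }}`; a fix applied to one copy and not the other leaves the finding in place, so either re-land the env-based line in both places or hoist the pattern generation into one step whose output both consumers read.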
## Summary

This re-creates #15145, with fixes following the revert in #15174. The overall approach is the same, except that I've added an explicit permissions block to `docker-annotate-base` that should cover the needed permissions in that job.

(One confusion is around how that wasn't failing before -- FWICT it was receiving the default `GITHUB_TOKEN`, which doesn't include `id-token: write` or `packages: write`. So it _should_ have been failing even before I explicitly did `permissions: {}`...)

Edit: Oh, I see why -- the actual release process does a `workflow_call`, so this inherits its `GITHUB_TOKEN` from `release.yml:custom-build-docker`, which in turn has the right permissions granted to it.

## Test Plan

See what happens in CI. Plus maybe we could do a release dry-run?

Signed-off-by: William Woodruff <[email protected]>
This reverts commit 16cb6af from #15145
This broke the annotation step in the image release.
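Every zizmor finding in the diff above is the same mechanism, and it is easy to reproduce outside GitHub. The script below is an added illustration, not code from this PR or from the uv workflow: it models one `echo "tag=..."` step in its post-revert form (`${{ env.TAG }}` spliced into the script text) and in the env-based form the revert removes (`${TAG}` read from the environment), then runs both with a hostile tag value. The variable names `TAG` and `OUT`, the two model scripts and the tag value are constructed for the demonstration, and `sh -c` stands in for the runner's `bash -e {0}`.

```shell
#!/bin/sh
# Added example, not uv's workflow code. GitHub Actions substitutes the text of
# `${{ env.TAG }}` into a `run:` script *before* the shell parses it, so a value
# derived from a workflow input becomes shell syntax. Passing the same value via
# `env:` and reading `${TAG}` leaves it as data. TAG, OUT, the two model scripts
# and the hostile tag below are constructed for this demo; `sh -c` models the runner.

# Constructed hostile tag: closes the quotes, runs a command, reopens them.
EVIL_TAG='0.0.0"; echo INJECTED >"$OUT"; echo "'

# Models of the two forms of the `echo "tag=..."` step seen in the diff.
TEMPLATE_SCRIPT='echo "tag=${{ env.TAG }}" >> "$OUT"'   # template expansion (post-revert)
ENV_SCRIPT='echo "tag=${TAG}" >> "$OUT"'                 # env-based (the form being removed)

# expand_template VALUE: textual substitution, which is all the runner does with ${{ }}.
expand_template() {
  tok='${{ env.TAG }}'
  prefix="${TEMPLATE_SCRIPT%%"$tok"*}"
  suffix="${TEMPLATE_SCRIPT#*"$tok"}"
  printf '%s' "${prefix}$1${suffix}"
}

# run_with_expansion VALUE OUTFILE: execute the expanded text, as the runner would.
run_with_expansion() {
  script="$(expand_template "$1")"
  OUT="$2" sh -c "$script"
}

# run_with_env VALUE OUTFILE: execute the env-based form; the script text never changes.
run_with_env() {
  TAG="$1" OUT="$2" sh -c "$ENV_SCRIPT"
}

# injected OUTFILE: succeeds only if the payload's own command ran
# (the payload writes a line that reads exactly INJECTED).
injected() {
  grep -qx 'INJECTED' "$1"
}

demo() {
  dir="$(mktemp -d)"
  run_with_expansion "$EVIL_TAG" "$dir/expanded.out" >/dev/null
  run_with_env "$EVIL_TAG" "$dir/env.out"
  if injected "$dir/expanded.out"; then
    echo "template expansion: payload executed"
  fi
  if ! injected "$dir/env.out"; then
    echo "env var: value stayed data -> $(cat "$dir/env.out")"
  fi
  rm -rf "$dir"
}

demo
```

The only difference between the two paths is where the value enters: in `run_with_expansion` it becomes part of the program, in `run_with_env` it is an argument to a program whose text is fixed. That is why the workflow fix is purely mechanical (`env:` on the step, `${VAR}` in the script) and why the heredoc and loop hunks above are the same bug with more surrounding syntax to break out of.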