Update cicd.yaml with permissions #63
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI/CD | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
env: | |
REGISTRY: ghcr.io | |
REPOSITORY: apeworx/hosted-compiler | |
jobs: | |
docker-build: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
attestations: write | |
id-token: write | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Log into registry ${{ env.REGISTRY }} | |
# Ensure this doesn't trigger on PR's | |
if: github.event_name != 'pull_request' | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build Image | |
id: build-image | |
env: | |
REGISTRY: ${{env.REGISTRY}} | |
REPOSITORY: ${{env.REPOSITORY}} | |
# NOTE: Our image tagging scheme is to tag all builds on "main" with "latest", | |
# and then when publishing to tag it with the release version tag + "stable" | |
IMAGE_TAG: latest | |
run: | | |
docker build \ | |
-t $REGISTRY/$REPOSITORY:$IMAGE_TAG \ | |
. | |
echo "image=$REGISTRY/$REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT | |
- name: Publish Image | |
# Skip on PRs | |
if: github.event_name != 'pull_request' | |
run: docker push ${{ steps.build-image.outputs.image }} |