fix(authorization): allow only resource owners/admins to manage permi… #443
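---
# Publish workflow: builds the project, publishes the Gradle artifacts and the
# model-server Docker image. Publishing to remote repositories only happens on
# a release tag push or a manual workflow_dispatch; pull requests only exercise
# the workflow (publish to mavenLocal, image built but not pushed).
name: Publish
on:
  push:
    tags:
      - '[0-9]+.[0-9]+.[0-9]+*'
  # Allows building SNAPSHOT releases with the commit SHA included for testing purposes
  workflow_dispatch:
  # Test this workflow in PRs in case it changed
  pull_request:
    paths:
      - .github/workflows/publish.yml
jobs:
  newRelease:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    # Least privilege: the job only reads the repo and writes packages; everything
    # else goes through dedicated secrets passed to the publish step.
    permissions:
      contents: read
      packages: write
    env:
      # We only push the resulting image when we are on release tag (i.e., the only time we have a push event) or on
      # manual request via the workflow_dispatch event.
      # NOTE: this is a *string* ("true"/"false") once it lands in env, so consumers must
      # compare it against 'true' rather than rely on truthiness (see the login step).
      PUSH: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'push' }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: '.nvmrc'
          registry-url: 'https://artifacts.itemis.cloud/repository/npm-open/'
          # NOTE(review): the angle brackets look unusual for a npm scope (expected form
          # is '@modelix'); kept verbatim here — confirm against the generated .npmrc.
          scope: '<@modelix>'
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Set up Gradle
        uses: gradle/actions/setup-gradle@v3
      - name: Configure the project version
        id: version
        # PRs and manual runs get a SNAPSHOT version derived from the commit; tag
        # pushes use the tag name itself (refs/tags/<tag> -> <tag>).
        # Context values are read from the runner-provided environment instead of
        # being templated into the script, so the shell never sees raw ${{ }} text.
        run: |-
          if [[ "$GITHUB_EVENT_NAME" == 'pull_request' || "$GITHUB_EVENT_NAME" == 'workflow_dispatch' ]]; then
            version="0.0.1-${GITHUB_SHA:0:7}-SNAPSHOT"
          else
            version="${GITHUB_REF#refs/*/}"
          fi
          echo "${version}" > version.txt
          cat version.txt
          echo "VERSION=${version}" >> "$GITHUB_OUTPUT"
      - name: Determine Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            modelix/model-server
          # The version tag is always applied; "latest" only moves on a real release (tag push).
          tags: |
            type=raw,value=${{ steps.version.outputs.VERSION }},enable=true
            type=raw,value=latest,enable=${{ github.event_name == 'push' }}
      # Perform the build in a separate call to avoid trying to publish
      # something where the build already failed partially. This could happen
      # due to the use of the --continue flag in the publish step.
      - name: Build
        run: >-
          ./gradlew --build-cache build
          --info
          -PciBuild=true
      - name: Publish
        # We run gradle with --info to debug the ongoing random publishing
        # issues. Gradle would log upload retries on info level:
        # https://github.com/gradle/gradle/blob/2e843f089f969940e505e69eb0742ed4fbf67993/platforms/software/dependency-management/src/main/java/org/gradle/api/internal/artifacts/repositories/transport/NetworkOperationBackOffAndRetry.java#L64
        # Maybe retries are the source of our duplicate publication attempts.
        #
        # We use --continue to work around the commonly seen 403 issues.
        # Usually, the artifact that cannot be uploaded is strangely already
        # in the repo. As the result, by ignoring the exception, we should end
        # up with a working release in most cases.
        #
        # Credentials are handed to the script as environment variables (below)
        # rather than expanded with ${{ }} inside the script body, following the
        # GitHub hardening guidance for run steps; the shell quotes them so an
        # empty secret (e.g. on a fork PR) yields an empty argument, not a
        # malformed command line.
        run: |-
          if [[ "$IS_PR" = 'true' ]]; then
            TARGET=publishToMavenLocal
          else
            TARGET=publish
          fi
          ./gradlew --build-cache "$TARGET" \
            --continue \
            --info \
            -PciBuild=true \
            -Partifacts.itemis.cloud.user="$ARTIFACTS_ITEMIS_CLOUD_USER" \
            -Partifacts.itemis.cloud.pw="$ARTIFACTS_ITEMIS_CLOUD_PW" \
            -Pgpr.user="$GITHUB_ACTOR" \
            -Pgpr.key="$GPR_TOKEN" \
            -Pgpr.universalkey="$GPR_UNIVERSAL_TOKEN" \
            -Porg.gradle.internal.http.connectionTimeout=180000 \
            -Porg.gradle.internal.http.socketTimeout=180000
        env:
          NODE_AUTH_TOKEN: ${{ secrets.ARTIFACTS_ITEMIS_CLOUD_NPM_TOKEN }}
          IS_PR: ${{ github.event_name == 'pull_request' }}
          ARTIFACTS_ITEMIS_CLOUD_USER: ${{ secrets.ARTIFACTS_ITEMIS_CLOUD_USER }}
          ARTIFACTS_ITEMIS_CLOUD_PW: ${{ secrets.ARTIFACTS_ITEMIS_CLOUD_PW }}
          GPR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GPR_UNIVERSAL_TOKEN: ${{ secrets.GHP_UNIVERSAL_PUBLISH_TOKEN }}
      # Try to log in early. If this fails, there's no reason to perform the remaining steps
      - name: Log in to Docker Hub
        # Only attempt to log in if we later attempt to push. env.PUSH is the
        # string "false" on PRs, and a non-empty string is truthy in workflow
        # expressions, so compare explicitly instead of `if: ${{ env.PUSH }}`.
        if: ${{ env.PUSH == 'true' }}
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_KEY }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          platforms: linux/amd64,linux/arm64
      - name: Build and publish model-server Docker image
        uses: docker/build-push-action@v6
        with:
          context: ./model-server
          file: ./model-server/Dockerfile
          platforms: linux/amd64,linux/arm64
          # The action parses this input as a boolean, so the "true"/"false" string is fine here.
          push: ${{ env.PUSH }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}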