chore: various small action improvements (#177)

* fix: only scan the container if we have a digest * chore: add PR report action * chore: switch test report action * ci: fix job permissions * doc: remove incorrect comment
philips-software · Oct 23, 2023 · dbbca01 · dbbca01
1 parent dc50228
commit dbbca01
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 4 deletions.
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
@@ -35,7 +35,6 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository }}
           # Generate Docker tags based on the following events/attributes
-          # When modifying please update the tags in the clean up workflow as well
           tags: |
             type=raw,value=latest,enable={{is_default_branch}}
             type=ref,event=pr
@@ -63,6 +62,7 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
       - uses: crazy-max/ghaction-container-scan@3e9c23f89cd6b0bda949ffe14f28a3ce282323b7 # v3.0.0
+        if: ${{ steps.build-and-push.outputs.digest != '' }}
         with:
           image: ${{ env.REGISTRY }}/${{ github.repository }}@${{ steps.build-and-push.outputs.digest }}
       - name: Sign the image with GitHub OIDC token

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,6 +16,9 @@ permissions:
 jobs:
   build-test:
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      pull-requests: write
     steps:
       # While the docker/build-push-action works from the Git context, we still need
       # the checkout step for running our tests.
@@ -32,7 +35,7 @@ jobs:
         run: |
           set -Eeuo pipefail
           docker run --rm --mount type=bind,src="$(pwd)/test",dst=/ws -w /ws ${{ github.repository }}:test bats --formatter junit testsuite.bats | tee test-report.xml
-      - uses: test-summary/action@62bc5c68de2a6a0d02039763b8c754569df99e3f # v2.1
+      - uses: EnricoMi/publish-unit-test-result-action@ca89ad036b5fcd524c1017287fb01b5139908408 # v2.11.0
+        if: always()
         with:
-          paths: test-report.xml
-          show: all
+          files: test-report.xml
diff --git a/.github/workflows/pr-report.yml b/.github/workflows/pr-report.yml
@@ -0,0 +1,25 @@
+name: PR Report
+
+on:
+  pull_request:
+    types: [closed]
+
+permissions:
+  contents: read
+
+jobs:
+  add-pr-report:
+    permissions:
+      contents: read
+      checks: read
+      pull-requests: write
+      repository-projects: read
+      actions: read
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          persist-credentials: false
+      - uses: philips-software/pull-request-report-action@6d08a2c0a96d666770637b54e050d6512e9d45b0 # v0.1.2
+        env:
+          GITHUB_TOKEN: ${{ github.token }}