#github-actions (2024-01)

Discussions related to GitHub Actions

2024-01-03

johncblandii

@Igor Rodionov is there a way to not build an image index from cloudposse/github-action-docker-build-push?

Lambdas can’t use the image index and we don’t see a way just to get the image uri itself after a build

johncblandii

Looks like provenance is ignored because the buildx version isn’t set, so the if looks for >= 0.10.0 or something like that, and it shows 0.0.0+unknown in the build logs

johncblandii

cc @wbrown43

wbrown43
 /usr/bin/docker buildx version
  github.com/docker/buildx v0.0.0+unknown 
Igor Rodionov

@johncblandii hello. What do you mean by image index? Image registry?

Do you want to get cloudposse/github-action-docker-build-push:v1 instead of [registry.hub.docker.com/cloudposse/github-action-docker-build-push:v1](http://registry.hub.docker.com/cloudposse/github-action-docker-build-push:v1)

Igor Rodionov

?

johncblandii

Apologies… I forgot all about this.

johncblandii

Basically, there is an index file that is uploaded to the registry.

You have images and an image index for multi-platform.

johncblandii

@wbrown43 ended up getting something to work

2024-01-04

2024-01-08

managedkaos
Major IT, Crypto Firms Exposed to Supply Chain Compromise via New Class of CI/CD Attack

Self-hosted GitHub Actions runners could allow attackers to inject malicious code into repositories, leading to supply chain attacks.

2024-01-10

actions Archives - The GitHub Blog
02:45:37 PM
Reduce job queue times with newly updated 'min' attribute in Action-Runner-Controller

The GitHub Blog - Updates, ideas, and inspiration from GitHub to help developers build and design software.

2024-01-11

OliverS

Hey everyone, wondering how you guys vet third-party GitHub actions? The GitHub-verified badge on an action is nice but is not an indicator that the action was audited. And verified actions can use non-verified actions. Does your team use a tool that does security checks on an action (and all called actions, recursively), like Snyk would do for source code that uses libraries? Are there CVEs against actions?

Gabriela Campana (Cloud Posse)

@Igor Rodionov @Matt Calhoun

Erik Osterman (Cloud Posse)


And verified actions can use non verified actions
That’s true; however, I believe in your runs, those non-verified actions are still executed in your org’s security context and will still have to pass whatever policy you have set.

Erik Osterman (Cloud Posse)

The ecosystem is relatively young, and I’m not aware of any mature scanning tools (open source at least).

OliverS

Thanks @Erik Osterman (Cloud Posse)

Erik Osterman (Cloud Posse)

@francois can probably answer more questions on this topic

francois

@OliverS hi, you can DM me about this.

2024-01-16

2024-01-17

Saichovsky

Hey :wave:

I have a repo with a GitHub action which triggers on push to the master branch (when PRs get merged to master, I believe)

I would like to add a couple of jobs that will run if the PR that just got merged to master had certain labels. The push event does not have a labels attribute, but the pull_request event does.

I’m now wondering: is

on:
  push:
    branches:
      - master # commits to master I believe

equivalent to:

on:
  pull_request:
    branches:
      - master
    types: ["closed"] # I suspect that this would also be the same as the above commit to master. We auto-close PRs upon merging to master

If these two triggers are logically identical, then I can change the PR trigger from the former to the latter without breaking the existing jobs. I just want to be sure that it won’t break. If the two triggers are not logically similar, could someone please explain how I can achieve what I am trying to do without breaking the other, older existing jobs?

Thanks in advance

Dan Miller (Cloud Posse)

The best way I’ve found is to use the pull_request trigger and then check if the label is included in the job itself. For example:

on:
  pull_request:
    types:
      - closed
    branches:
      - main

jobs:
  foo:
    if: ${{ github.event.pull_request.merged && !contains( github.event.pull_request.labels.*.name, 'mylabel') }}
Dan Miller (Cloud Posse)

And the triggers you’ve mentioned are the same if you can only push to master through pull requests. Otherwise, you could push directly to master and bypass the pull_request trigger.

Plus, the GitHub event will have a different context on a push versus on a merged pull request. For example, you can only get the pull request labels from the event on a closed PR.

Saichovsky

Thanks Dan. Much appreciated

np
actions Archives - The GitHub Blog
02:35:40 AM
GitHub Actions - Repository Actions Runners List is now generally available

The GitHub Blog - Updates, ideas, and inspiration from GitHub to help developers build and design software.

2024-01-18

2024-01-19

Saichovsky

Hey guys,

I have another tricky scenario re: GitHub actions:

I have this job, which is a terraform-apply job (let’s call it job1), and it gives an output that looks like this:

{
 "A": "123",
 "B": "234",
 "C": "345"
}

I would like to have another job, say job2 that runs after job1 and consumes the output from job1 for use in a matrix. I want the matrix for job 2 to look like this:

job2:
  needs: ["job1"]
  strategy:
    matrix:
      env:
        [
          { environment: production, item: [ "A", "B", "C" ] }, # Note that A, B and C are the keys from job1's output JSON
          { environment: development, item: [ "A", "B", "C" ] }
        ]

I shall be needing job1’s output as a complete JSON in job2, as I shall be using jq to retrieve the values for each key in matrix.env.item.

What’s the best way to go about this?

Gabriela Campana (Cloud Posse)

@Igor Rodionov

Saichovsky

I managed to do this using an intermediate job that processes the output from job1 using jq -c 'keys' and then sends the output (an array of the keys: A, B & C) to job2.

Igor Rodionov

@Saichovsky Hello. In your case I’d suggest a pattern like this:

Igor Rodionov
job2:
  needs: ["job1"]
  strategy:
    matrix:
      include:
        - environment: production
          item: ${{ needs.job1.outputs.items }}
        - environment: development
          item: ${{ needs.job1.outputs.items }}
Igor Rodionov

or

Igor Rodionov
job2:
  needs: ["job1"]
  strategy:
    matrix:
      environment: ["production", "development"]
      # job outputs are strings, so the JSON array has to be parsed with fromJSON
      items: ${{ fromJSON(needs.job1.outputs.items) }}
Igor Rodionov

and

Saichovsky

Thanks @Igor Rodionov

I used the second approach after someone pointed me to the fromJSON function. But thanks for the two examples.

Igor Rodionov

This is off-topic, but have you seen our GHA that helps to deal with matrices?

Igor Rodionov

like

Igor Rodionov

and also there are two actions that look promising

2024-01-22

2024-01-23

2024-01-26

2024-01-29

johncblandii

We’ve noticed issues with https://github.com/cloudposse/github-action-pre-commit creating problems with branches: it updates the current branch with main, but the commits are included in a new commit, which makes the PR look like it has all of the other changes as well.

Maybe this is an issue caused by squash committing or something else… not sure, but only formatting/committing changes from the current branch without updating it would be ideal.

cloudposse/github-action-pre-commit

A GitHub action to run pre-commit and allow overriding the git config user name and email

johncblandii

This could also be a GH problem… I’m not sure.

It comments with “The merge-base changed after approval.” even when the base did not change.

Erik Osterman (Cloud Posse)

@Igor Rodionov

2024-01-30

actions Archives - The GitHub Blog
04:05:32 PM
GitHub Actions: Introducing the new M1 macOS runner available to open source!


actions Archives - The GitHub Blog
04:05:32 PM

GitHub Actions: macOS 14 (Sonoma) is now available

The GitHub Blog - Updates, ideas, and inspiration from GitHub to help developers build and design software.
