ceph-csi/.github/workflows/publish-artifacts.yaml
StepSecurity Bot 56d08e1b4d ci: Harden GitHub Actions
Update GitHub actions to use full length commit ids for
third-party actions to reduce security risk in case of vulnerabilities.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: Nikhil-Ladha <nikhilladha1999@gmail.com>
2024-09-19 11:00:39 +00:00


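---
# Publishes ceph-csi artifacts: on pushes to devel and release-v* branches
# the job logs in to quay.io and runs ./deploy.sh with the bot credentials.
name: publish artifacts
# yamllint disable-line rule:truthy
on:
  push:
    # Sequence of patterns matched against refs/heads
    branches:
      # Push events on default branch
      - devel
      # Push events to branches matching refs/heads/release-v*
      - 'release-v*'
# The automatic workflow token only gets read access to repository
# contents; registry and bot access come from the secrets used below.
permissions:
  contents: read
jobs:
  push:
    name: Publish artifacts
    runs-on: ubuntu-latest
    # Run only in the ceph/ceph-csi repository itself.
    if: github.repository == 'ceph/ceph-csi'
    steps:
      # Actions are pinned to full-length commit ids; the trailing comment
      # records the release the id was taken from.
      # NOTE(review): checkout keeps the workflow token in the local git
      # config by default; consider `persist-credentials: false` if
      # deploy.sh does not rely on it -- confirm against deploy.sh.
      # yamllint disable-line rule:line-length
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Login to Quay
        # yamllint disable-line rule:line-length
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_IO_USERNAME }}
          password: ${{ secrets.QUAY_IO_PASSWORD }}
      - name: publish artifacts
        # The bot credentials are handed to deploy.sh through this step's
        # environment only. Expanding a secrets expression inside a run
        # script pastes the value into the shell source (a quote or `$` in
        # the value changes the command), and appending it to $GITHUB_ENV
        # stores it in a file that every later step of the job reads.
        env:
          GITHUB_USER: ${{ secrets.CEPH_CSI_BOT_NAME }}
          GITHUB_EMAIL: ${{ secrets.CEPH_CSI_BOT_EMAIL }}
          GITHUB_TOKEN: ${{ secrets.CEPH_CSI_BOT_TOKEN }}
        # podman cannot pull images with both tag and digest
        # https://github.com/containers/buildah/issues/1407
        # use docker to build images
        run: |
          # Last path component of the pushed ref, e.g. "devel".
          export BRANCH_NAME="${GITHUB_REF##*/}"
          CONTAINER_CMD=docker ./deploy.sh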