caio/clang-p2996
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
automated-release
clang-p2996/.github/workflows/libcxx-build-containers.yml
Aiden Grossman 4476f7237e [Github][libc++] Hash Pin Actions in Workflows (#129488) 
This patch has pins actions in the libc Github workflows. Hash pinning
is a best practice as it ensures we are getting an exact action version,
which can help with reproducibility/reliability. It additionally
alleviates security concerns as an attacker can modify release assets,
potentially giving them access to tokens in privileged workflows.
2025-03-10 11:54:12 -07:00

71 lines
2.0 KiB
YAML
Raw Permalink Blame History

# This file defines an action that builds the various Docker images used to run
# libc++ CI whenever modifications to those Docker files are pushed to `main`.
#
# The images are pushed to the LLVM package registry at https://github.com/orgs/llvm/packages
# and tagged appropriately. The selection of which Docker image version is used by the libc++
# CI nodes at any given point is controlled from the workflow files themselves.
name: Build Docker images for libc++ CI
permissions:
contents: read
on:
push:
branches:
- main
paths:
- 'libcxx/utils/ci/**'
- '.github/workflows/libcxx-build-containers.yml'
pull_request:
branches:
- main
paths:
- 'libcxx/utils/ci/**'
- '.github/workflows/libcxx-build-containers.yml'
jobs:
build-and-push:
runs-on: ubuntu-24.04
if: github.repository_owner == 'llvm'
permissions:
packages: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Build the Linux builder image
working-directory: libcxx/utils/ci
run: docker compose build actions-builder
env:
TAG: ${{ github.sha }}
# - name: Build the Android builder image
# working-directory: libcxx/utils/ci
# run: docker compose build android-buildkite-builder
# env:
# TAG: ${{ github.sha }}
- name: Log in to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push the Linux builder image
if: github.event_name == 'push'
working-directory: libcxx/utils/ci
run: |
docker compose push actions-builder
env:
TAG: ${{ github.sha }}
# - name: Push the Android builder image
# if: github.event_name == 'push'
# working-directory: libcxx/utils/ci
# run: |
# docker compose push android-buildkite-builder
# env:
# TAG: ${{ github.sha }}
Reference in New Issue View Git Blame Copy Permalink