[CLIENT-3813] CI/CD: Check if custom server image was built for the base image already. Also add workflow to build server docker image for dev tests #849
base: dev
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Log into Github's Docker registry to upload our custom server Docker image | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ${{ env.REGISTRY }} | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Set new Docker image name and tag | ||
| uses: docker/metadata-action@v5 | ||
| id: meta | ||
| with: | ||
| images: ${{ env.REGISTRY }}/aerospike/aerospike-server-enterprise | ||
| flavor: | | ||
| latest=false | ||
| type=raw,value=${{ inputs.new-image-tag }} | ||
|
|
||
| - name: Build Aerospike server EE Docker image for testing | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
| # Don't want to use default Git context or else it will clone the whole Python client repo again | ||
| context: .github/workflows/docker-build-context | ||
| build-args: | | ||
| SERVER_IMAGE=${{ inputs.base-image-name }}:${{ inputs.base-image-tag }} | ||
| TLS_PORT=${{ env.TLS_PORT }} | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| # setup-buildx-action configures Docker to use the docker-container build driver | ||
| # This driver doesn't publish an image locally by default | ||
| # so we have to manually enable it | ||
| load: true | ||
| push: true |
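Review bot: In the "Set new Docker image name and tag" step, `type=raw,value=${{ inputs.new-image-tag }}` appears under `flavor:` as rendered here, but that is a tag rule for docker/metadata-action and belongs under its `tags:` input, with `flavor:` keeping only `latest=false`. Separately, the three `uses:` lines reference major-version tags (`@v3`, `@v5`, `@v6`) in a job that logs in with `secrets.GITHUB_TOKEN` and runs with `push: true`; pinning each action to a full commit SHA, with the version in a trailing comment, would keep a moved tag from running with registry write access.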
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 14 days ago
To fix the problem, an explicit permissions block should be added at either the workflow or job level to limit the GITHUB_TOKEN's permissions to only what is strictly needed. For this workflow, pushing Docker images to the GitHub Container Registry and accessing repository content are required. Thus, setting permissions to contents: read and packages: write suffices. The recommended best practice is to set permissions at the top level of the workflow unless specific jobs require broader or different permissions.
Change required:
Add the following at the root of .github/workflows/build-server-ee-image-for-dev-tests.yml, directly after the on: or env: keys (typically after on: and before env:):
    permissions:
      contents: read
      packages: write

No additional imports, method definitions, or variable definitions are required.
| @@ -17,6 +17,10 @@ | ||
| required: true | ||
| default: 'latest' | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: write | ||
|
|
||
| env: | ||
| TLS_PORT: 4333 | ||
| REGISTRY: ghcr.io |
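Review bot: The `permissions:` block is added at workflow level, so `packages: write` applies to every job in this file, including any added later. If only the job that runs docker/build-push-action with `push: true` needs registry write, keep `contents: read` at the top and move `packages: write` into that job's own `permissions:` block.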
This reverts commit 62b5d3b.
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## dev #849 +/- ##
==========================================
- Coverage 82.35% 0.00% -82.36%
==========================================
Files 99 80 -19
Lines 14379 12541 -1838
==========================================
- Hits 11842 0 -11842
- Misses 2537 12541 +10004
☔ View full report in Codecov by Sentry.
…orkflow-to-build-server-docker-image-for-dev-tests
No description provided.