4 changes: 4 additions & 0 deletions .github/dependabot.yml
@@ -1,6 +1,10 @@
---
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
- package-ecosystem: gomod
directory: /
cooldown:
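Review bot: the new `cooldown:` block is added only under the `gomod` ecosystem; if the intent is to let new module releases bake before Dependabot opens a PR, consider whether the `github-actions` entry above should get the same treatment, and add a short comment stating the chosen cooldown period and why, since the hunk as shown ends right at the key and the rationale is not visible here.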
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
@@ -304,6 +304,7 @@ jobs:
files: ./coverage.txt

release:
if: startsWith(github.ref, 'refs/tags/v')

Contributor

[MEDIUM] Moving job-level if skips artifact verification steps on non-tag pushes

Previously the `if: startsWith(github.ref, 'refs/tags/v')` guard was only on the final `ncipollo/release-action` step. That meant on every push to `main` (non-tag), the job still ran:

  1. `actions/download-artifact` — fetches the release artifact
  2. `tree -nh ./bin/release` — lists artifacts
  3. `find bin/release -type f -exec file …` — checks binary types

…but skipped only the actual GitHub Release creation. These steps acted as a post-build artifact sanity check for every push.

After this PR, the entire release job is skipped on non-tag pushes, so those sanity checks no longer run on main branch pushes. If this is intentional (just avoiding unnecessary work), the PR description doesn't mention it and it's worth a comment to confirm. If the artifact verification was considered useful, consider keeping those steps outside the tag guard:

```yaml
release:
  runs-on: ubuntu-latest
  needs:
    - build
  steps:
    - name: Artifacts
      uses: actions/download-artifact@...
    - name: List artifacts
      run: tree -nh ./bin/release
    - name: Check artifacts
      run: find bin/release -type f -exec file -e ascii -- {} +
    - name: GitHub Release
      if: startsWith(github.ref, 'refs/tags/v')
      uses: ncipollo/release-action@...
```

permissions:
contents: write # to create a release (ncipollo/release-action)
runs-on: ubuntu-latest
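Review bot: the job-level `if: startsWith(github.ref, 'refs/tags/v')` line should carry a comment explaining that the whole job, including the artifact listing and `file` checks, is now tag-only; the thread above already questions whether that was intended, and a one-line comment next to the guard would settle it for future readers. On the positive side, because `permissions: contents: write` is scoped to this job, skipping the job on non-tag pushes also means the write-capable token is no longer issued for ordinary pushes to `main`.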
@@ -329,7 +330,6 @@ jobs:
find bin/release -type f -exec file -e ascii -- {} +
-
name: GitHub Release
if: startsWith(github.ref, 'refs/tags/v')
uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
with:
artifacts: ./bin/release/*
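Review bot: dropping the step-level `if: startsWith(github.ref, 'refs/tags/v')` is consistent with the job-level guard added in the hunk above, but it couples the release step entirely to the job condition; if the artifact sanity-check steps are later moved back outside the tag gate as suggested in the thread, this step-level condition must be restored, so a short comment on the `GitHub Release` step noting that the guard now lives at job level would prevent that regression.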
6 changes: 4 additions & 2 deletions .github/workflows/merge.yml
@@ -39,7 +39,7 @@ jobs:
cache: true
cache-scope: bin-image
output: image
push: ${{ github.event_name != 'pull_request' }}
push: true # this workflow only triggers on push (main and tags)
sbom: true
set-meta-labels: true
meta-images: |
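Review bot: replacing `push: ${{ github.event_name != 'pull_request' }}` with `push: true` is only safe while this workflow's trigger list stays push-only, as the inline comment states; the condition that used to enforce that invariant is now an unchecked assumption, so if anyone later adds a `pull_request` or `workflow_dispatch` trigger, PR builds would start pushing images. Consider keeping the expression, or at least adding a matching comment next to the `on:` block so the two stay in sync.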
@@ -97,12 +97,14 @@ jobs:
-
name: Trigger Docker Desktop e2e with edge version
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
DOCKERDESKTOP_REPO: ${{ secrets.DOCKERDESKTOP_REPO }}
with:
github-token: ${{ steps.generate_token.outputs.token }}
script: |
await github.rest.actions.createWorkflowDispatch({
owner: 'docker',
repo: '${{ secrets.DOCKERDESKTOP_REPO }}',
repo: process.env.DOCKERDESKTOP_REPO,
workflow_id: 'compose-edge-integration.yml',
ref: 'main',
inputs: {
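Review bot: moving `${{ secrets.DOCKERDESKTOP_REPO }}` out of the `script:` body and into `env:` is the right change: an expression inside `script:` is substituted into the JavaScript source text before it runs, so the secret's value had to be quoting-safe to avoid breaking (or altering) the script, whereas `process.env.DOCKERDESKTOP_REPO` reads it as plain data. One follow-up worth adding: fail fast when the variable is empty (e.g. `if (!process.env.DOCKERDESKTOP_REPO) throw new Error('DOCKERDESKTOP_REPO not set')`), since `repo: undefined` would otherwise surface as an opaque API error from `createWorkflowDispatch`.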
2 changes: 1 addition & 1 deletion .github/workflows/scorecards.yml
@@ -58,6 +58,6 @@ jobs:

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
uses: github/codeql-action/upload-sarif@411c4c9a36b3fca4d674f06b6396b2c6d23522c6 # v3.36.3
with:
sarif_file: results.sarif
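Review bot: this is a major-version bump (`v2` to `v3.36.3`) of `github/codeql-action/upload-sarif`, so the PR description should say whether any inputs or runtime requirements changed; the only input used here, `sarif_file`, is unchanged in the hunk. Pinning to the full commit SHA with the version in a trailing comment, as done on the new line, is the right practice and matches what the `github-actions` entry in `dependabot.yml` will keep updated.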