fix: run as non-root bazel container #433
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: monorepo | |
| on: | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| monorepo-job: | |
| runs-on: ubuntu-20.04 | |
| permissions: | |
| contents: write | |
| container: | |
| image: gcr.io/bazel-public/bazel:7.1.2 | |
| volumes: | |
| - /usr/bin/docker:/usr/bin/docker | |
| - /var/run/docker.sock:/var/run/docker.sock | |
| options: -e USER="$(id -u)" -u="$(id -u)" | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup git config | |
| run: git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
| - name: Login to GitHub Container Registry | |
| run: echo ${{ secrets.GH_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin | |
| - name: Fetch bazel cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: /tmp/cache | |
| key: bazel-cache | |
| restore-keys: | | |
| bazel-cache | |
| - name: Bazel prepare release | |
| run: | | |
| for prepareRelease in $(bazel --output_user_root=/tmp/cache query --keep_going --noshow_progress "filter("prepare_release", kind("sh_binary", //...))") | |
| do | |
| bazel --output_user_root=/tmp/cache run $prepareRelease | |
| done | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
| - name: Bazel test | |
| run: bazel --output_user_root=/tmp/cache test --test_output=errors //... | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
| - name: Upgrade new charts version and appVersions | |
| id: upgrade | |
| run: | | |
| chartsToUpgrade=$(bazel --output_user_root=/tmp/cache query --keep_going --noshow_progress "filter("apply_chart", kind("write_source_file", //apps/...))" 2>/dev/null) | |
| echo $chartsToUpgrade | |
| for chartToUpgrade in $chartsToUpgrade | |
| do | |
| bazel --output_user_root=/tmp/cache run --config=release $chartToUpgrade | |
| done | |
| echo "changes=$(git status --porcelain | wc -l)" >> "$GITHUB_OUTPUT" | |
| - name: Commit new charts version and appVersions | |
| if: steps.upgrade.outputs.changes > 0 | |
| run: | | |
| git config --local user.email "[email protected]" | |
| git config --local user.name "bot" | |
| git commit -a -m "chore: [skip ci] Upgrade charts versions and appVersions" | |
| - name: Push new charts version and appVersions | |
| if: steps.upgrade.outputs.changes > 0 | |
| uses: ad-m/github-push-action@master | |
| with: | |
| github_token: ${{ secrets.GH_TOKEN }} | |
| branch: ${{ github.ref }} | |
| - name: Bazel test apps | |
| if: steps.upgrade.outputs.changes > 0 | |
| run: bazel --output_user_root=/tmp/cache test --test_output=errors //apps/... | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
| - name: Bazel release components | |
| run: | | |
| for toRelease in $(bazel --output_user_root=/tmp/cache query --keep_going --noshow_progress "filter("release_me", kind("sh_binary", //...))") | |
| do | |
| bazel --output_user_root=/tmp/cache run $toRelease | |
| done | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
| - name: Bazel release images | |
| run: | | |
| for oci_push in $(bazel --output_user_root=/tmp/cache query --output=label "kind("oci_push", //...)") | |
| do | |
| bazel --output_user_root=/tmp/cache run --config=release $oci_push | |
| done | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
| - name: Bazel release helm charts | |
| run: | | |
| for push_registry in $(bazel --output_user_root=/tmp/cache query --output=label "kind("push_registry", //...)") | |
| do | |
| bazel --output_user_root=/tmp/cache run --config=release $push_registry | |
| done | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_TOKEN }} |