Right now, we test the container at the end of the build rather than
before publishing so while we decouple that work, we should not fail
the build step if a security advisory was found - it's too late, the
containers are released so we should instead catch the advisory and
that will allow our release pipeline to continue
Fixes: #6185
This PR also addresses the fact that we create an image of
pulumi-nodejs:latest and then the ubi and debian builds override
that pulumi-nodejs:latest with their versions
this overwrite is actually last container wins. Therefore, we will
not be tagging the ubi and debian builds with latest to ensure that
latest is *actually* deterministic
There are a few things happening here:
- Rename the command dispatch release events to be prefixed with trigger-
- Introduce a new command-dispatch event
This new event listens for a trigger term in a comment e.g. /run-acceptance-tests
This trigger term is *only* needed when the PR is from a fork! When the trigger term is posted
then the run-build-and-acceptance-tests.yml event is fired
- run-build-and-acceptance-tests.yml
If the user runs the code from a pulumi based branch, then the tests and builds will work as normal
If this file is being run via repository_dispatch then it will be able to run the test and builds
and also post a comment back to the PR with the link to the test run
It's important to say that PRs affecting the codegen and resource docs paths will only fire from a
pulumi based branch - there are currently no command dispatch events for these codegen and resource PRs!
2020-12-07 19:29:04 +00:00
Renamed from .github/workflows/container-build.yml