diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 38611d3..b2da2a2 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - main

+permissions:
+ contents: read
+
 jobs:
 fmt:
 runs-on: ubuntu-24.04-arm
@@ -130,6 +133,10 @@ jobs:
 test:
 runs-on: ubuntu-24.04-arm
 needs: [fmt, clippy, deny]
+ permissions:
+ contents: read
+ packages: read
+ actions: write
 strategy:
 matrix:

@@ -143,9 +150,6 @@ jobs:
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5

- - name: Log into registry
- run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u $GITHUB_ACTOR --password-stdin
-
 - name: Set up Docker Buildx
 id: buildx
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
@@ -157,17 +161,24 @@ jobs:
 run: |
 IMAGE_ID=ghcr.io/chipp/${{ matrix.binary }}
 RUST_VERSION=$(cat .rust-version)
+ CACHE_TO_TEST=()
+ CACHE_TO_IMAGE=()
+
+ if [ "${{ github.actor }}" != "dependabot[bot]" ]; then
+ CACHE_TO_TEST=("--cache-to=type=gha,scope=${{ matrix.binary }}-test,mode=max")
+ CACHE_TO_IMAGE=("--cache-to=type=gha,scope=${{ matrix.binary }},mode=max")
+ fi

 docker buildx build . --file bin/${{ matrix.binary }}/test.Dockerfile \
 --output type=cacheonly \
 --tag $IMAGE_ID:latest \
 --build-arg RUST_VERSION="${RUST_VERSION}" \
 --cache-from=type=gha,scope=${{ matrix.binary }}-test \
- --cache-to=type=gha,scope=${{ matrix.binary }}-test,mode=max
+ "${CACHE_TO_TEST[@]}"

 docker buildx build . --file bin/${{ matrix.binary }}/Dockerfile \
 --output type=cacheonly \
 --tag $IMAGE_ID:latest \
 --build-arg RUST_VERSION="${RUST_VERSION}" \
 --cache-from=type=gha,scope=${{ matrix.binary }} \
- --cache-to=type=gha,scope=${{ matrix.binary }},mode=max
+ "${CACHE_TO_IMAGE[@]}"
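Review bot: `actions: write` in the `test` job's new `permissions` block looks broader than anything the visible steps use, and this job builds pull-request code. As far as I know the `type=gha` BuildKit cache authenticates with the runner's cache runtime token rather than with `GITHUB_TOKEN` scopes, so the cache export should not depend on it; the scope instead allows cancelling or re-running workflow runs and deleting caches. `packages: read` is likewise unexplained now that the `docker login ghcr.io` step is removed in the next hunk. If a step outside these hunks needs either scope, put a comment above it such as `# actions: write: needed by <step name>`; otherwise reduce the block to `contents: read`. The job's step list continues outside this hunk.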
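Review bot: The added `if` line expands `${{ github.actor }}` into the script text before bash runs, so the value is parsed as shell source instead of being read as data. The runner already exports the same value as `GITHUB_ACTOR` (the removed login step used it), so `if [ "$GITHUB_ACTOR" != "dependabot[bot]" ]; then` performs the same check without template expansion inside `run:`. The reason for skipping `--cache-to` on Dependabot runs is not stated anywhere in the hunk; a one-line comment above the `if`, for example `# Dependabot runs: skip cache export (reason: ...)`, would keep the branch from being removed later as dead code. The enclosing step begins above the hunk, so its `name:` and any `env:` block are not visible here.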