chore(ci): fix lint findings in build-docker (#15145)

## Summary

Addresses zizmor findings in `build-docker.yml`.

Key changes: moving `${{ … }}` template expansions out of `run:` scripts into `env:` variables (so the shell reads them as data rather than having them interpolated into the script), disabling credential persistence on checkout, and restricting the workflow's default permissions.

## Test Plan

Let the CI run.

Signed-off-by: William Woodruff <william@astral.sh>
This commit is contained in:
William Woodruff 2025-08-07 15:58:13 -04:00 committed by GitHub
parent ceb610c047
commit 16cb6af605
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 17 additions and 9 deletions


@ -36,6 +36,8 @@ on:
# And the workflow itself
- .github/workflows/build-docker.yml
permissions: {}
env:
UV_GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/uv
UV_DOCKERHUB_IMAGE: docker.io/astral/uv
@ -57,13 +59,13 @@ jobs:
IS_LOCAL_PR: ${{ github.event.pull_request.head.repo.full_name == 'astral-sh/uv' }}
id: plan
run: |
if [ "${{ env.DRY_RUN }}" == "false" ]; then
if [ "${DRY_RUN}" == "false" ]; then
echo "login=true" >> "$GITHUB_OUTPUT"
echo "push=true" >> "$GITHUB_OUTPUT"
echo "tag=${{ env.TAG }}" >> "$GITHUB_OUTPUT"
echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
echo "action=build and publish" >> "$GITHUB_OUTPUT"
else
echo "login=${{ env.IS_LOCAL_PR }}" >> "$GITHUB_OUTPUT"
echo "login=${IS_LOCAL_PR}" >> "$GITHUB_OUTPUT"
echo "push=false" >> "$GITHUB_OUTPUT"
echo "tag=dry-run" >> "$GITHUB_OUTPUT"
echo "action=build" >> "$GITHUB_OUTPUT"
@ -91,6 +93,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
submodules: recursive
persist-credentials: false
# Login to DockerHub (when not pushing, it's to avoid rate-limiting)
- uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
@ -111,14 +114,16 @@ jobs:
if: ${{ needs.docker-plan.outputs.push == 'true' }}
run: |
version=$(grep "version = " pyproject.toml | sed -e 's/version = "\(.*\)"/\1/g')
if [ "${{ needs.docker-plan.outputs.tag }}" != "${version}" ]; then
if [ "${DOCKER_PLAN_OUTPUTS_TAG}" != "${version}" ]; then
echo "The input tag does not match the version from pyproject.toml:" >&2
echo "${{ needs.docker-plan.outputs.tag }}" >&2
echo "${DOCKER_PLAN_OUTPUTS_TAG}" >&2
echo "${version}" >&2
exit 1
else
echo "Releasing ${version}"
fi
env:
DOCKER_PLAN_OUTPUTS_TAG: ${{ needs.docker-plan.outputs.tag }}
- name: Extract metadata (tags, labels) for Docker
id: meta
@ -219,12 +224,12 @@ jobs:
set -euo pipefail
# Extract the image and tags from the matrix variable
IFS=',' read -r BASE_IMAGE BASE_TAGS <<< "${{ matrix.image-mapping }}"
IFS=',' read -r BASE_IMAGE BASE_TAGS <<< "${IMAGE_MAPPING}"
# Generate Dockerfile content
cat <<EOF > Dockerfile
FROM ${BASE_IMAGE}
COPY --from=${{ env.UV_GHCR_IMAGE }}:latest /uv /uvx /usr/local/bin/
COPY --from=${UV_GHCR_IMAGE}:latest /uv /uvx /usr/local/bin/
ENV UV_TOOL_BIN_DIR="/usr/local/bin"
ENTRYPOINT []
CMD ["/usr/local/bin/uv"]
@ -236,8 +241,8 @@ jobs:
# Loop through all base tags and append its docker metadata pattern to the list
# Order is on purpose such that the label org.opencontainers.image.version has the first pattern with the full version
IFS=','; for TAG in ${BASE_TAGS}; do
TAG_PATTERNS="${TAG_PATTERNS}type=pep440,pattern={{ version }},suffix=-${TAG},value=${{ needs.docker-plan.outputs.tag }}\n"
TAG_PATTERNS="${TAG_PATTERNS}type=pep440,pattern={{ major }}.{{ minor }},suffix=-${TAG},value=${{ needs.docker-plan.outputs.tag }}\n"
TAG_PATTERNS="${TAG_PATTERNS}type=pep440,pattern={{ version }},suffix=-${TAG},value=${NEEDS_DOCKER_PLAN_OUTPUTS_TAG}\n"
TAG_PATTERNS="${TAG_PATTERNS}type=pep440,pattern={{ major }}.{{ minor }},suffix=-${TAG},value=${NEEDS_DOCKER_PLAN_OUTPUTS_TAG}\n"
TAG_PATTERNS="${TAG_PATTERNS}type=raw,value=${TAG}\n"
done
@ -250,6 +255,9 @@ jobs:
echo -e "${TAG_PATTERNS}"
echo EOF
} >> $GITHUB_ENV
env:
IMAGE_MAPPING: ${{ matrix.image-mapping }}
NEEDS_DOCKER_PLAN_OUTPUTS_TAG: ${{ needs.docker-plan.outputs.tag }}
- name: Extract metadata (tags, labels) for Docker
id: meta
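Review bot: In the last hunk, `TAG_PATTERNS` — which now embeds `${NEEDS_DOCKER_PLAN_OUTPUTS_TAG}` — is written into `$GITHUB_ENV` via `echo -e` and terminated by a fixed `echo EOF`, so any backslash escape in the tag value is expanded and a line equal to `EOF` would close the multi-line value early; moving the expansion into `env:` stops shell injection but not this. The tag appears to be pinned to `dry-run` or the pyproject version only by the version-check step guarded with `needs.docker-plan.outputs.push == 'true'`, and whether that step gates this job is not visible here. Consider a unique delimiter, e.g. `delim="EOF_$(openssl rand -hex 8)"` used on both the opening line and `echo "${delim}"`, and `printf '%b' "${TAG_PATTERNS}"` in place of `echo -e`, and quote the target as `} >> "$GITHUB_ENV"` for consistency with the quoted `"$GITHUB_OUTPUT"` writes earlier in the file. The opening delimiter line of this heredoc lies outside the hunk.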