ref(error): Improve error handling #276
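# Docker CI: builds and pushes the etl-api and etl-replicator images when a
# pull request is merged (release PRs excluded) or on a manual dispatch.
name: Docker CI

on:
  pull_request:
    types: [closed]
  workflow_dispatch:
    inputs:
      # NOTE(review): the value entered here is checked out and, through the
      # build job, pushed to public.ecr.aws/supabase using PROD_AWS_ROLE. Only
      # the experimental path validates it. Consider restricting which refs
      # are accepted (for example, branches of this repository only) and
      # confirm the intended policy.
      ref:
        description: "Git ref to build (branch, tag, or SHA)"
        type: string
        required: false
      experimental:
        description: "Build experimental image (main branch excluded)"
        type: boolean
        required: false
        default: false

# Workflow-level default, inherited by the reusable build workflow. The two
# helper jobs below narrow it, because they never mint OIDC tokens or call the
# Actions API.
# NOTE(review): id-token: write is presumably for assuming PROD_AWS_ROLE inside
# docker-build.yml; nothing visible in this file uses actions: write. Confirm
# the called workflow needs it, otherwise drop it.
permissions:
  contents: read
  actions: write
  id-token: write

jobs:
  resolve-ref:
    name: Resolve Checkout Ref
    runs-on: blacksmith-4vcpu-ubuntu-2404
    # Only reads the event payload from disk; no token scopes are required.
    permissions: {}
    outputs:
      ref: ${{ steps.pick.outputs.ref }}
    steps:
      - name: Pick ref
        id: pick
        shell: bash
        # The dispatch input is read from the event payload with jq instead of
        # being interpolated into the script, so it is never parsed as shell.
        run: |
          set -euo pipefail
          EVENT_NAME="${GITHUB_EVENT_NAME}"
          MERGE_SHA=$(jq -r '.pull_request.merge_commit_sha // empty' "$GITHUB_EVENT_PATH")
          INPUT_REF=$(jq -r '.inputs.ref // empty' "$GITHUB_EVENT_PATH")
          if [[ "$EVENT_NAME" == "pull_request" && -n "$MERGE_SHA" ]]; then
            REF="$MERGE_SHA"
          elif [[ -n "$INPUT_REF" ]]; then
            REF="$INPUT_REF"
          else
            echo "Error: no merge commit or input ref provided" >&2
            exit 1
          fi
          echo "ref=$REF" >> "$GITHUB_OUTPUT"

  validate-experimental:
    name: Validate Experimental Build
    needs: resolve-ref
    runs-on: blacksmith-4vcpu-ubuntu-2404
    # No status function here, so the implicit success() applies: this job is
    # skipped (not failed) whenever resolve-ref fails.
    if: github.event_name == 'workflow_dispatch' && inputs.experimental == true
    # Checkout needs read access to the repository and nothing else.
    permissions:
      contents: read
    steps:
      - name: Checkout
        # NOTE(review): pin to a full commit SHA instead of the mutable v4 tag.
        uses: actions/checkout@v4
        with:
          ref: ${{ needs.resolve-ref.outputs.ref }}
          # Full history so origin/main is available for the comparison below.
          fetch-depth: 0
          # Later steps only run local git commands; do not leave the token in
          # the checked-out repository's git config.
          persist-credentials: false
      - name: Check if building from main branch
        run: |
          set -euo pipefail
          # Get the current commit SHA
          CURRENT_SHA=$(git rev-parse HEAD)
          # Get the main branch SHA
          MAIN_SHA=$(git rev-parse origin/main)
          # Check if we're on main
          # NOTE(review): this rejects only the current tip of origin/main; an
          # older commit that is already on main passes. If anything already
          # merged should be excluded, `git merge-base --is-ancestor HEAD
          # origin/main` would cover that. Confirm the intent.
          if [[ "$CURRENT_SHA" == "$MAIN_SHA" ]]; then
            echo "❌ Error: Cannot build experimental images from the main branch"
            echo "Experimental images are meant for pre-merge testing only"
            exit 1
          fi
          # Also check if the ref input was explicitly 'main'
          INPUT_REF=$(jq -r '.inputs.ref // empty' "$GITHUB_EVENT_PATH")
          if [[ "$INPUT_REF" == "main" ]]; then
            echo "❌ Error: Cannot build experimental images from 'main' ref"
            echo "Experimental images are meant for pre-merge testing only"
            exit 1
          fi
          echo "✅ Validation passed: building experimental image from non-main branch"

  build:
    name: Build and Push Images
    needs: [resolve-ref, validate-experimental]
    # Run only when the PR is merged and is NOT a release PR, or manual run.
    #
    # resolve-ref must have succeeded. Accepting a bare "skipped" result from
    # validate-experimental is not enough: that job is also skipped when
    # resolve-ref fails, which would let a dispatch with no usable ref reach
    # the push step with an empty checkout_ref and without the experimental
    # validation having run. With resolve-ref required to succeed,
    # validate-experimental can only be skipped by its own condition.
    if: |
      needs.resolve-ref.result == 'success' &&
      !cancelled() && (
        needs.validate-experimental.result == 'success' ||
        needs.validate-experimental.result == 'skipped'
      ) && (
        github.event_name == 'workflow_dispatch' || (
          github.event_name == 'pull_request' &&
          github.event.pull_request.merged == true &&
          !contains(github.event.pull_request.labels.*.name, 'release')
        )
      )
    strategy:
      matrix:
        image: [etl-api, etl-replicator]
    uses: ./.github/workflows/docker-build.yml
    secrets:
      PROD_AWS_ROLE: ${{ secrets.PROD_AWS_ROLE }}
    with:
      image: public.ecr.aws/supabase/${{ matrix.image }}
      context: .
      file: ./${{ matrix.image }}/Dockerfile
      push: true
      tag_with_version: false
      experimental: ${{ github.event_name == 'workflow_dispatch' && inputs.experimental || false }}
      # Build from the resolved ref: the merge commit for PRs, or the ref
      # supplied on dispatch. resolve-ref exits non-zero when neither exists,
      # and the condition above then keeps this job from running, so no empty
      # value is passed here.
      checkout_ref: ${{ needs.resolve-ref.outputs.ref }}
      build_args: |
        ENABLE_EGRESS=true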