pangeo-data / pangeo-docker-images

Docker Images For Pangeo Jupyter Environment
https://pangeo-docker-images.readthedocs.io
MIT License

GitHub Actions Configuration #204

Open scottyhq opened 3 years ago

scottyhq commented 3 years ago

The GitHub Actions in the repository are fairly complex, mainly stemming from the fact that we want to add environment lock files from any PR. But PRs coming from forks only have read access by default, which is why we use our pangeo-bot user access token and /slash commands to have write access.

I recently learned a lot from this blog post https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ on best practices for structuring this style of CI. Likely could make some modifications and improvements to how things are currently structured.
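As an added example (not the repository's CondaLock.yml; workflow, job, file and artifact names are assumed), the two-stage split the linked post recommends: the untrusted stage runs on `pull_request` with a read-only token, and the privileged `workflow_run` stage never checks out or executes anything from the PR, only validates and consumes the artifact, here posting the lockfile as a PR comment instead of pushing with a bot token.

```yaml
# ---- file: .github/workflows/lock-untrusted.yml (assumed name) ----
# Stage 1 runs on `pull_request`, so a fork PR gets a read-only GITHUB_TOKEN
# and no repository secrets; running the PR's environment files here is
# harmless because nothing privileged is reachable from this job.
name: conda-lock (untrusted)
on:
  pull_request:
    paths: ["**/environment.yml"]
permissions:
  contents: read
jobs:
  lock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install conda-lock   # assumed install; a conda/mamba binary must be on PATH
      - run: mkdir -p out && conda-lock lock -f base-image/environment.yml -p linux-64 --lockfile out/conda-lock.yml
      - run: echo "${{ github.event.pull_request.number }}" > out/pr_number
      - uses: actions/upload-artifact@v4
        with: { name: lockfiles, path: out/ }

# ---- file: .github/workflows/lock-privileged.yml (assumed name) ----
# Stage 2 is triggered by `workflow_run`, so it executes in the base
# repository's context with write access. It never checks out the PR head;
# the artifact is the only PR-derived input and is validated before use.
name: conda-lock (privileged)
on:
  workflow_run:
    workflows: ["conda-lock (untrusted)"]
    types: [completed]
permissions:
  contents: read
  pull-requests: write
jobs:
  publish:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: lockfiles
          path: out
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Validate artifact contents
        run: |
          # Exactly the two expected files, and pr_number must be a bare integer,
          # so a malicious PR cannot smuggle extra files or a crafted value into this job.
          [ "$(ls out | tr '\n' ' ')" = "conda-lock.yml pr_number " ] || exit 1
          grep -qE '^[0-9]+$' out/pr_number || exit 1
      - name: Post lockfile to the PR
        env: { GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}", GH_REPO: "${{ github.repository }}" }
        run: gh pr comment "$(cat out/pr_number)" --body-file out/conda-lock.yml
```

The privileged stage deliberately has no `actions/checkout`, which is the property to preserve when adapting it: write access and PR-controlled code never share a job.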

scottyhq commented 3 years ago

Could also utilize some newer github actions, such as:

  1. Docker images with Buildx https://github.com/docker/build-push-action

  2. Or as a Docker alternative build and push with podman to quay.io https://github.com/redhat-actions/push-to-registry

scottyhq commented 2 years ago

Copying some discussion from #282:

The miniforge version is currently specified in a couple places, because of how we generate a lockfile for every PR via github actions. https://github.com/pangeo-data/pangeo-docker-images/blob/9b282f51eb52000dfba40f8aad972532fba5e07f/.github/workflows/CondaLock.yml#L37-L44

I think a better strategy going forward might be to install conda-lock in the base image Dockerfile and then actually run conda-lock via that Docker image. That way, conda, mamba, and conda-lock versions will be consistent throughout this repository...