Merge 5fe52f9b61 into da5b89b92c

ci: update codeql workflow

.github/workflows/codeql.yml

@@ -5,46 +5,41 @@ on:
     branches:
       - 'master'
       - 'releases/v*'
-    paths:
-      - '.github/workflows/codeql.yml'
-      - 'dist/**'
-      - 'src/**'
   pull_request:
-    paths:
-      - '.github/workflows/codeql.yml'
-      - 'dist/**'
-      - 'src/**'
 
 permissions:
   actions: read
   contents: read
   security-events: write
 
+env:
+  NODE_VERSION: "24"
+
 jobs:
   analyze:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        language:
-          - javascript-typescript
     steps:
       -
         name: Checkout
         uses: actions/checkout@v6
+      -
+        name: Enable corepack
+        run: |
+          corepack enable
+          yarn --version
+      -
+        name: Set up Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ env.NODE_VERSION }}
       -
         name: Initialize CodeQL
         uses: github/codeql-action/init@v4
         with:
-          languages: ${{ matrix.language }}
+          languages: javascript-typescript
-          config: |
+          build-mode: none
-            paths:
-              - src
-      -
-        name: Autobuild
-        uses: github/codeql-action/autobuild@v4
       -
         name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v4
         with:
-          category: "/language:${{matrix.language}}"
+          category: "/language:javascript-typescript"

__tests__/docker.test.ts

@@ -1,26 +1,27 @@
-import {expect, test, vi} from 'vitest';
+import {afterEach, beforeEach, expect, test, vi} from 'vitest';
-import * as path from 'path';
 
 import {Docker} from '@docker/actions-toolkit/lib/docker/docker.js';
 
 import {loginStandard, logout} from '../src/docker.js';
 
-process.env['RUNNER_TEMP'] = path.join(__dirname, 'runner');
+beforeEach(() => {
+  delete process.env.DOCKER_LOGIN_SKIP_IF_MISSING_CREDS;
+});
+
+afterEach(() => {
+  delete process.env.DOCKER_LOGIN_SKIP_IF_MISSING_CREDS;
+});
 
 test('loginStandard calls exec', async () => {
-  // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+  const execSpy = vi.spyOn(Docker, 'getExecOutput').mockResolvedValue({
-  // @ts-ignore
+    exitCode: 0,
-  const execSpy = vi.spyOn(Docker, 'getExecOutput').mockImplementation(async () => {
+    stdout: '',
-    return {
+    stderr: ''
-      exitCode: expect.any(Number),
-      stdout: expect.any(Function),
-      stderr: expect.any(Function)
-    };
   });
 
   const username = 'dbowie';
   const password = 'groundcontrol';
-  const registry = 'https://ghcr.io';
+  const registry = 'ghcr.io';
 
   await loginStandard(registry, username, password);
 
@@ -30,6 +31,7 @@ test('loginStandard calls exec', async () => {
     // we don't want to check env opt
     callfunc[1].env = undefined;
   }
+
   expect(execSpy).toHaveBeenCalledWith(['login', '--password-stdin', '--username', username, registry], {
     input: Buffer.from(password),
     silent: true,
@@ -37,27 +39,68 @@ test('loginStandard calls exec', async () => {
   });
 });
 
-test('logout calls exec', async () => {
+test('loginStandard throws if username and password are missing', () => {
-  // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+  const execSpy = vi.spyOn(Docker, 'getExecOutput');
-  // @ts-ignore
+  const login = loginStandard('ghcr.io', '', '');
-  const execSpy = vi.spyOn(Docker, 'getExecOutput').mockImplementation(async () => {
+  expect(execSpy).not.toHaveBeenCalled();
-    return {
+  return expect(login).rejects.toThrow('Username and password required');
-      exitCode: expect.any(Number),
-      stdout: expect.any(Function),
-      stderr: expect.any(Function)
-    };
 });
 
-  const registry = 'https://ghcr.io';
+test('loginStandard throws if username is missing', () => {
+  const execSpy = vi.spyOn(Docker, 'getExecOutput');
+  const login = loginStandard('ghcr.io', '', 'groundcontrol');
+  expect(execSpy).not.toHaveBeenCalled();
+  return expect(login).rejects.toThrow('Username required');
+});
 
+test('loginStandard throws if password is missing', () => {
+  const execSpy = vi.spyOn(Docker, 'getExecOutput');
+  const login = loginStandard('ghcr.io', 'dbowie', '');
+  expect(execSpy).not.toHaveBeenCalled();
+  return expect(login).rejects.toThrow('Password required');
+});
+
+test('loginStandard skips if both credentials are missing and env opt-in is enabled', () => {
+  process.env.DOCKER_LOGIN_SKIP_IF_MISSING_CREDS = 'true';
+  const execSpy = vi.spyOn(Docker, 'getExecOutput');
+  const login = loginStandard('ghcr.io', '', '');
+  expect(execSpy).not.toHaveBeenCalled();
+  return expect(login).resolves.toBeUndefined();
+});
+
+test('loginStandard skips if username is missing and env opt-in is enabled', () => {
+  process.env.DOCKER_LOGIN_SKIP_IF_MISSING_CREDS = 'true';
+  const execSpy = vi.spyOn(Docker, 'getExecOutput');
+  const login = loginStandard('ghcr.io', '', 'groundcontrol');
+  expect(execSpy).not.toHaveBeenCalled();
+  return expect(login).resolves.toBeUndefined();
+});
+
+test('loginStandard skips if password is missing and env opt-in is enabled', () => {
+  process.env.DOCKER_LOGIN_SKIP_IF_MISSING_CREDS = 'true';
+  const execSpy = vi.spyOn(Docker, 'getExecOutput');
+  const login = loginStandard('ghcr.io', 'dbowie', '');
+  expect(execSpy).not.toHaveBeenCalled();
+  return expect(login).resolves.toBeUndefined();
+});
+
+test('logout calls exec', async () => {
+  const execSpy = vi.spyOn(Docker, 'getExecOutput').mockResolvedValue({
+    exitCode: 0,
+    stdout: '',
+    stderr: ''
+  });
+
+  const registry = 'ghcr.io';
   await logout(registry, '');
-
   expect(execSpy).toHaveBeenCalledTimes(1);
+
   const callfunc = execSpy.mock.calls[0];
   if (callfunc && callfunc[1]) {
     // we don't want to check env opt
     callfunc[1].env = undefined;
   }
+
   expect(execSpy).toHaveBeenCalledWith(['logout', registry], {
     ignoreReturnCode: true
   });

src/docker.ts

@@ -1,6 +1,7 @@
 import * as core from '@actions/core';
 
 import {Docker} from '@docker/actions-toolkit/lib/docker/docker.js';
+import {Util} from '@docker/actions-toolkit/lib/util.js';
 
 import * as aws from './aws.js';
 import * as context from './context.js';
@@ -34,6 +35,10 @@ export async function logout(registry: string, configDir: string): Promise<void>
 }
 
 export async function loginStandard(registry: string, username: string, password: string, scope?: string): Promise<void> {
+  if ((!username || !password) && skipLoginIfMissingCredsEnabled()) {
+    core.info(`Skipping login to ${registry}. Username or password is not set and DOCKER_LOGIN_SKIP_IF_MISSING_CREDS is enabled.`);
+    return;
+  }
   if (!username && !password) {
     throw new Error('Username and password required');
   }
@@ -79,3 +84,10 @@ async function loginExec(registry: string, username: string, password: string, s
     core.info('Login Succeeded!');
   });
 }
+
+function skipLoginIfMissingCredsEnabled(): boolean {
+  if (process.env.DOCKER_LOGIN_SKIP_IF_MISSING_CREDS) {
+    return Util.parseBool(process.env.DOCKER_LOGIN_SKIP_IF_MISSING_CREDS);
+  }
+  return false;
+}