build(ci): relocate Docker login action for security

- Move Docker login action to a more secure location in the workflow- Ensure login only occurs for non-pull-request events - Improve security by limiting Docker login credentials exposure
vnobo · Dec 14, 2024 · 1ebf6e5 · 1ebf6e5
1 parent 6687b31
commit 1ebf6e5
Showing 1 changed file with 15 additions and 8 deletions.
diff --git a/.github/workflows/gradle-build.yml b/.github/workflows/gradle-build.yml
@@ -50,14 +50,6 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.PAGK_TOKEN }}
 
-      - name: Log into registry ${{ env.DOCKER_REGISTRY }}
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{env.DOCKER_REGISTRY}}
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
       - name: Extract platform metadata (tags, labels) for Docker
         id: meta
         uses: docker/metadata-action@v5
@@ -79,6 +71,13 @@ jobs:
           docker tag plate-platform "$tag"
           done <<< "${{ steps.meta.outputs.tags }}"
 
+      - name: Log into registry ${{ env.DOCKER_REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{env.DOCKER_REGISTRY}}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Push docker platform image to DockerHub
         run: |
           docker push --all-tags ${{ env.GITHUB_REGISTRY }}/plate-platform
@@ -106,6 +105,14 @@ jobs:
           docker tag plate-oauth2 $tag
           done <<< "${{ steps.oauth2.outputs.tags }}"
 
+      - name: Log into registry ${{ env.DOCKER_REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{env.DOCKER_REGISTRY}}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
       - name: Push docker oauth2 image to DockerHub
         run: |
           docker push --all-tags  ${{ env.GITHUB_REGISTRY }}/plate-oauth2