fix(ci): Enable Docker builds and E2E for external PRs (#4224)

.github/workflows/.reusable-docker-build.yml

@@ -31,10 +31,15 @@ on:
         description: Whether to scan built image for vulnerabilities
         required: false
         default: true
+      ephemeral:
+        type: boolean
+        description: Whether to skip push and use Depot's ephemeral registry
+        required: false
+        default: false
     outputs:
       image:
         description: Resulting image specifier
-        value: ${{ inputs.registry-url }}/flagsmith/${{ inputs.image-name }}:${{ jobs.build.outputs.version }}
+        value: ${{ jobs.build.outputs.image }}
     secrets:
       secrets:
         description: List of secrets to expose to the build (e.g., `key=string, GIT_AUTH_TOKEN=mytoken`)
@@ -45,7 +50,7 @@ jobs:
     name: Build ${{ inputs.scan && 'and verify ' || '' }}${{ inputs.image-name }} image
     runs-on: ubuntu-latest
     outputs:
-      version: ${{ steps.meta.outputs.version }}
+      image: ${{ steps.image-tag.outputs.image-tag }}
 
     permissions:
       packages: write
@@ -61,6 +66,7 @@ jobs:
         uses: depot/setup-action@v1
 
       - name: Login to Github Container Registry
+        if: ${{ !inputs.ephemeral }}
         uses: docker/login-action@v3
         with:
           registry: ${{ inputs.registry-url }}
@@ -81,10 +87,12 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
 
       - name: Build and push image
+        id: build
         uses: depot/build-push-action@v1
         with:
           context: .
-          push: true
+          save: ${{ inputs.ephemeral }}
+          push: ${{ !inputs.ephemeral }}
           platforms: linux/amd64,linux/arm64
           secrets: ${{ secrets.secrets }}
           target: ${{ inputs.target }}
@@ -96,12 +104,23 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           provenance: false
 
+      - name: Render image tag
+        id: image-tag
+        run: >
+          echo image-tag=${{ inputs.ephemeral && format('registry.depot.dev/{0}:{1}', steps.build.outputs.project-id,
+          steps.build.outputs.build-id) || format('{0}/flagsmith/{1}:{2}', inputs.registry-url, inputs.image-name,
+          steps.meta.outputs.version) }} >> $GITHUB_OUTPUT
+
+      - name: Login to Depot Registry
+        if: inputs.scan && inputs.ephemeral
+        run: depot pull-token | docker login -u x-token --password-stdin registry.depot.dev
+
       - name: Run Trivy vulnerability scanner
         id: trivy
         if: inputs.scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: ${{ inputs.registry-url }}/flagsmith/${{ inputs.image-name }}:${{ steps.meta.outputs.version }}
+          image-ref: ${{ steps.image-tag.outputs.image-tag }}
           format: sarif
           output: trivy-results.sarif
         env:

.github/workflows/.reusable-docker-e2e-tests.yml

@@ -4,11 +4,6 @@ name: Run Docker E2E tests
 on:
   workflow_call:
     inputs:
-      registry-url:
-        type: string
-        description: Github Container Registry base URL
-        required: false
-        default: ghcr.io
       api-image:
         type: string
         description: Core API Docker image to use, e.g., `ghcr.io/flagsmith/flagsmith-api:main`
@@ -33,17 +28,27 @@ jobs:
     name: "E2E${{ inputs.tests && format(': {0}', inputs.tests) || '' }}"
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      packages: read
+      id-token: write
+
     steps:
       - name: Cloning repo
         uses: actions/checkout@v4
 
       - name: Login to Github Container Registry
+        if: ${{ startsWith(inputs.api-image, 'ghcr.io') || startsWith(inputs.e2e-image, 'ghcr.io') }}
         uses: docker/login-action@v3
         with:
-          registry: ${{ inputs.registry-url }}
+          registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Login to Depot Registry
+        if: startsWith(inputs.api-image, 'registry.depot.dev') || startsWith(inputs.e2e-image, 'registry.depot.dev')
+        run: depot pull-token | docker login -u x-token --password-stdin registry.depot.dev
+
       - name: Run tests on dockerised frontend
         uses: nick-fields/retry@v3
         with:
@@ -61,10 +66,3 @@ jobs:
           E2E_CONCURRENCY: ${{ inputs.concurrency }}
           SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
           GITHUB_ACTION_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-
-      - name: Output Core API container status and logs
-        if: failure()
-        working-directory: frontend
-        run: |
-          docker compose -f docker-compose-e2e-tests.yml logs flagsmith-api
-        shell: bash

.github/workflows/platform-docker-build-test-publish.yml

@@ -66,6 +66,7 @@ jobs:
       api-image: ${{ matrix.api-image }}
       concurrency: ${{ matrix.args.concurrency }}
       tests: ${{ matrix.args.tests }}
+    secrets: inherit
 
     strategy:
       matrix:

.github/workflows/platform-pull-request.yml

@@ -62,6 +62,7 @@ jobs:
     with:
       target: oss-unified
       image-name: flagsmith
+      ephemeral: ${{ github.event.pull_request.author_association != 'MEMBER' }}
 
   docker-build-api:
     if: github.event.pull_request.draft == false
@@ -70,6 +71,7 @@ jobs:
     with:
       target: oss-api
       image-name: flagsmith-api
+      ephemeral: ${{ github.event.pull_request.author_association != 'MEMBER' }}
 
   docker-build-frontend:
     if: github.event.pull_request.draft == false
@@ -78,6 +80,7 @@ jobs:
     with:
       target: oss-frontend
       image-name: flagsmith-frontend
+      ephemeral: ${{ github.event.pull_request.author_association != 'MEMBER' }}
 
   docker-build-e2e:
     if: github.event.pull_request.draft == false
@@ -86,10 +89,11 @@ jobs:
     with:
       file: frontend/Dockerfile.e2e
       image-name: flagsmith-e2e
+      ephemeral: ${{ github.event.pull_request.author_association != 'MEMBER' }}
       scan: false
 
   docker-build-private-cloud:
-    if: github.event.pull_request.draft == false
+    if: github.event.pull_request.draft == false && github.event.pull_request.author_association == 'MEMBER'
     name: Build Private Cloud Image
     uses: ./.github/workflows/.reusable-docker-build.yml
     with:
@@ -100,19 +104,17 @@ jobs:
         github_private_cloud_token=${{ secrets.GH_PRIVATE_ACCESS_TOKEN }}
 
   run-e2e-tests:
-    needs: [docker-build-api, docker-build-private-cloud, docker-build-e2e]
+    needs: [docker-build-api, docker-build-e2e]
     uses: ./.github/workflows/.reusable-docker-e2e-tests.yml
     with:
       e2e-image: ${{ needs.docker-build-e2e.outputs.image }}
-      api-image: ${{ matrix.api-image }}
+      api-image: ${{ needs.docker-build-api.outputs.image }}
       concurrency: ${{ matrix.args.concurrency }}
       tests: ${{ matrix.args.tests }}
+    secrets: inherit
 
     strategy:
       matrix:
-        api-image:
-          - ${{ needs.docker-build-api.outputs.image }}
-          - ${{ needs.docker-build-private-cloud.outputs.image }}
         args:
           - tests: segment-part-1 environment
             concurrency: 1

frontend/Makefile

@@ -1,5 +1,8 @@
 .EXPORT_ALL_VARIABLES:
 
+COMPOSE_FILE ?= docker-compose-e2e-tests.yml
+COMPOSE_PROJECT_NAME ?= flagsmith-e2e
+
 DOTENV_OVERRIDE_FILE ?= .env
 
 E2E_CONCURRENCY ?= 3
@@ -25,5 +28,6 @@ serve:
 
 .PHONY: test
 test:
-	docker compose -f docker-compose-e2e-tests.yml run frontend \
-		npx cross-env E2E_CONCURRENCY=${E2E_CONCURRENCY} npm run test -- $(opts)
+	docker compose run frontend \
+		npx cross-env E2E_CONCURRENCY=${E2E_CONCURRENCY} npm run test -- $(opts) \
+		|| docker compose logs flagsmith-api