chore: Update docker workflow

.dockerignore

@@ -2,6 +2,8 @@
 # to do this for some reason:
 #   $ go get -v -u github.com/pwaller/docker-show-context
 main
+*.gro
+**/*.gro
 *.mashtree
 **/*.mashtree
 *.swp

.github/workflows/docker-publish.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout project
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Parse tag
         # This step converts Grain tags into standard semver, i.e. grain-v1.2.3 -> v1.2.3
@@ -48,7 +48,7 @@ jobs:
           ssh-private-key: ${{ secrets.AWS_SSH_PRIVATE_KEY }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2.0.0
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
       - name: Set up remote builder
         run: |
@@ -61,7 +61,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v3.6.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: |
             grainlang/grain
@@ -72,20 +72,20 @@ jobs:
             type=semver,pattern={{major}}.{{minor}},value=${{ steps.vars.outputs.tag }}
 
       - name: Login to DockerHub
-        uses: docker/login-action@v2.0.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Login to Github Container Registry
-        uses: docker/login-action@v2.0.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push image
-        uses: docker/build-push-action@v2.7.0
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         with:
           context: .
           file: Dockerfile
@@ -100,7 +100,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout project
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Parse tag
         # This step converts Grain tags into standard semver, i.e. grain-v1.2.3 -> v1.2.3
@@ -128,7 +128,7 @@ jobs:
           ssh-private-key: ${{ secrets.AWS_SSH_PRIVATE_KEY }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2.0.0
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
       - name: Set up remote builder
         run: |
@@ -141,7 +141,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v3.6.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           flavor: |
             suffix=-slim,onlatest=true
@@ -154,20 +154,20 @@ jobs:
             type=semver,pattern={{major}}.{{minor}},value=${{ steps.vars.outputs.tag }}
 
       - name: Login to DockerHub
-        uses: docker/login-action@v2.0.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Login to Github Container Registry
-        uses: docker/login-action@v2.0.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push slim image
-        uses: docker/build-push-action@v2.7.0
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         with:
           context: .
           file: Dockerfile-slim

.github/workflows/release.yml

@@ -2,176 +2,176 @@ name: Release
 on:
   push:
     branches: [main]
+  pull_request:
 
 # This will cancel previous runs when a branch or PR is updated
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref || github.run_id }}
   cancel-in-progress: true
 
 jobs:
-  release-please:
-    name: Create Release
-    runs-on: ubuntu-latest
-    outputs:
-      release-pr: ${{ steps.release.outputs.pr }}
-      releases-created: ${{ steps.release.outputs.releases_created }}
-      tag-name: ${{ steps.release.outputs.tag_name }}
-      stdlib-tag-name: ${{ steps.release.outputs.stdlib--tag_name }}
-    steps:
-      - uses: GoogleCloudPlatform/release-please-action@v3.7.5
-        id: release
-        with:
-          # Explicitly use GITHUB_TOKEN here so Release Please doesn't start a CI run that will fail
-          # The correct CI run is triggered by the `generate-docs` job below when it pushes updated documentation
-          token: ${{ secrets.GITHUB_TOKEN }}
-          command: manifest
-
-  build-preview:
-    name: Build preview binaries
-    needs: [release-please]
-    if: ${{ needs.release-please.outputs.release-pr }}
-    uses: ./.github/workflows/build-js.yml
-    with:
-      os: ubuntu-latest
-      ref: ${{ fromJSON(needs.release-please.outputs.release-pr).headBranchName }}
-
-  generate-docs:
-    name: Generate documentation
-    needs: [release-please, build-preview]
-    if: ${{ needs.release-please.outputs.release-pr }}
-    uses: ./.github/workflows/generate-docs.yml
-    with:
-      ref: ${{ fromJSON(needs.release-please.outputs.release-pr).headBranchName }}
-    secrets:
-      # This uses WORKFLOW_TOKEN because we want the push to trigger our `ci.yml` runs on the release PR
-      # and the GITHUB_TOKEN is blocked from triggering other workflows.
-      # See https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
-      PUSH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}
-
-  upload-preview:
-    name: Upload preview binaries
-    needs: [release-please, build-preview]
-    if: ${{ needs.release-please.outputs.release-pr }}
-    uses: ./.github/workflows/upload-binaries.yml
-    with:
-      tag: preview
-      ref: ${{ fromJSON(needs.release-please.outputs.release-pr).headBranchName }}
-    secrets:
-      UPLOAD_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  build-release:
-    name: Build release binaries
-    needs: [release-please]
-    if: ${{ needs.release-please.outputs.releases-created }}
-    uses: ./.github/workflows/build-js.yml
-    with:
-      os: ubuntu-latest
-      ref: ${{ needs.release-please.outputs.tag-name }}
-
-  upload-release:
-    name: Upload release binaries
-    needs: [release-please, build-release]
-    if: ${{ needs.release-please.outputs.releases-created }}
-    uses: ./.github/workflows/upload-binaries.yml
-    with:
-      tag: ${{ needs.release-please.outputs.tag-name }}
-      ref: ${{ needs.release-please.outputs.tag-name }}
-    secrets:
-      UPLOAD_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  upload-npm-artifacts:
-    needs: [release-please]
-    if: ${{ needs.release-please.outputs.releases-created }}
-    name: Upload release npm artifacts
-    runs-on: ubuntu-latest
-    outputs:
-      stdlib-download-url: ${{ steps.stdlib-upload.outputs.browser_download_url }}
-    steps:
-      - name: Checkout project
-        uses: actions/checkout@v3
-        with:
-          ref: ${{ needs.release-please.outputs.tag-name }}
-
-      # Many of these steps are the same as building the compiler for tests
-      - name: Setup Node.js
-        uses: actions/setup-node@v3.6.0
-        with:
-          node-version: ">=18.15 <19"
-          check-latest: true
-          cache: "npm"
-
-      - name: Pack stdlib
-        working-directory: ./stdlib
-        # Runs `npm pack` and assigns the filename to an env var we can use later
-        run: |
-          echo "STDLIB_TAR=$(npm pack --json | jq -r '.[0].filename')" >> $GITHUB_ENV
-
-      - name: Upload stdlib
-        id: stdlib-upload
-        uses: grain-lang/upload-release-action@v3.0.2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          file: ./stdlib/${{ env.STDLIB_TAR }}
-          asset_name: stdlib.tgz
-          tag: ${{ needs.release-please.outputs.stdlib-tag-name }}
-
-  dispatch-website:
-    needs: [release-please, upload-release]
-    if: ${{ needs.release-please.outputs.releases-created }}
-    name: Dispatch website release
-    runs-on: ubuntu-latest
-    steps:
-      - uses: grain-lang/workflow-dispatch-action@v1.0.1
-        with:
-          workflow: Grain Release
-          token: ${{ secrets.WORKFLOW_TOKEN }}
-          ref: main
-          repo: grain-lang/grain-lang.org
-          tag_input: ${{ needs.release-please.outputs.tag-name }}
-
-  dispatch-homebrew:
-    needs: [release-please, upload-release]
-    if: ${{ needs.release-please.outputs.releases-created }}
-    name: Dispatch homebrew release
-    runs-on: ubuntu-latest
-    steps:
-      - uses: grain-lang/workflow-dispatch-action@v1.0.1
-        with:
-          workflow: Grain Release
-          token: ${{ secrets.WORKFLOW_TOKEN }}
-          ref: main
-          repo: grain-lang/homebrew-tap
-          tag_input: ${{ needs.release-please.outputs.tag-name }}
-
   dispatch-docker:
-    needs: [release-please]
-    if: ${{ needs.release-please.outputs.releases-created }}
+    # needs: [release-please]
+    # if: ${{ needs.release-please.outputs.releases-created }}
     name: Dispatch Docker builds
     runs-on: ubuntu-latest
     steps:
       - uses: grain-lang/workflow-dispatch-action@v1.0.1
         with:
           workflow: Publish Docker images
-          token: ${{ secrets.WORKFLOW_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           ref: main
           repo: grain-lang/grain
-          tag_input: ${{ needs.release-please.outputs.tag-name }}
-
-  npm-release-stdlib:
-    needs: [release-please, upload-npm-artifacts]
-    if: ${{ needs.release-please.outputs.releases-created }}
-    name: Publish stdlib to npm registry
-    runs-on: ubuntu-latest
-    steps:
-      - name: Setup NodeJS
-        uses: actions/setup-node@v3.6.0
-        with:
-          node-version: ">=18.15 <19"
-          check-latest: true
-          registry-url: "https://registry.npmjs.org"
-
-      - name: Publish to npm
-        run: |
-          npm publish ${{ needs.upload-npm-artifacts.outputs.stdlib-download-url }}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_RELEASE }}
+          tag_input: 'grain-docker-test'
+  # release-please:
+  #   name: Create Release
+  #   runs-on: ubuntu-latest
+  #   outputs:
+  #     release-pr: ${{ steps.release.outputs.pr }}
+  #     releases-created: ${{ steps.release.outputs.releases_created }}
+  #     tag-name: ${{ steps.release.outputs.tag_name }}
+  #     stdlib-tag-name: ${{ steps.release.outputs.stdlib--tag_name }}
+  #   steps:
+  #     - uses: GoogleCloudPlatform/release-please-action@v3.7.5
+  #       id: release
+  #       with:
+  #         # Explicitly use GITHUB_TOKEN here so Release Please doesn't start a CI run that will fail
+  #         # The correct CI run is triggered by the `generate-docs` job below when it pushes updated documentation
+  #         token: ${{ secrets.GITHUB_TOKEN }}
+  #         command: manifest
+
+  # build-preview:
+  #   name: Build preview binaries
+  #   needs: [release-please]
+  #   if: ${{ needs.release-please.outputs.release-pr }}
+  #   uses: ./.github/workflows/build-js.yml
+  #   with:
+  #     os: ubuntu-latest
+  #     ref: ${{ fromJSON(needs.release-please.outputs.release-pr).headBranchName }}
+
+  # generate-docs:
+  #   name: Generate documentation
+  #   needs: [release-please, build-preview]
+  #   if: ${{ needs.release-please.outputs.release-pr }}
+  #   uses: ./.github/workflows/generate-docs.yml
+  #   with:
+  #     ref: ${{ fromJSON(needs.release-please.outputs.release-pr).headBranchName }}
+  #   secrets:
+  #     # This uses WORKFLOW_TOKEN because we want the push to trigger our `ci.yml` runs on the release PR
+  #     # and the GITHUB_TOKEN is blocked from triggering other workflows.
+  #     # See https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
+  #     PUSH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}
+
+  # upload-preview:
+  #   name: Upload preview binaries
+  #   needs: [release-please, build-preview]
+  #   if: ${{ needs.release-please.outputs.release-pr }}
+  #   uses: ./.github/workflows/upload-binaries.yml
+  #   with:
+  #     tag: preview
+  #     ref: ${{ fromJSON(needs.release-please.outputs.release-pr).headBranchName }}
+  #   secrets:
+  #     UPLOAD_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # build-release:
+  #   name: Build release binaries
+  #   needs: [release-please]
+  #   if: ${{ needs.release-please.outputs.releases-created }}
+  #   uses: ./.github/workflows/build-js.yml
+  #   with:
+  #     os: ubuntu-latest
+  #     ref: ${{ needs.release-please.outputs.tag-name }}
+
+  # upload-release:
+  #   name: Upload release binaries
+  #   needs: [release-please, build-release]
+  #   if: ${{ needs.release-please.outputs.releases-created }}
+  #   uses: ./.github/workflows/upload-binaries.yml
+  #   with:
+  #     tag: ${{ needs.release-please.outputs.tag-name }}
+  #     ref: ${{ needs.release-please.outputs.tag-name }}
+  #   secrets:
+  #     UPLOAD_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # upload-npm-artifacts:
+  #   needs: [release-please]
+  #   if: ${{ needs.release-please.outputs.releases-created }}
+  #   name: Upload release npm artifacts
+  #   runs-on: ubuntu-latest
+  #   outputs:
+  #     stdlib-download-url: ${{ steps.stdlib-upload.outputs.browser_download_url }}
+  #   steps:
+  #     - name: Checkout project
+  #       uses: actions/checkout@v3
+  #       with:
+  #         ref: ${{ needs.release-please.outputs.tag-name }}
+
+  #     # Many of these steps are the same as building the compiler for tests
+  #     - name: Setup Node.js
+  #       uses: actions/setup-node@v3.6.0
+  #       with:
+  #         node-version: ">=18.15 <19"
+  #         check-latest: true
+  #         cache: "npm"
+
+  #     - name: Pack stdlib
+  #       working-directory: ./stdlib
+  #       # Runs `npm pack` and assigns the filename to an env var we can use later
+  #       run: |
+  #         echo "STDLIB_TAR=$(npm pack --json | jq -r '.[0].filename')" >> $GITHUB_ENV
+
+  #     - name: Upload stdlib
+  #       id: stdlib-upload
+  #       uses: grain-lang/upload-release-action@v3.0.2
+  #       with:
+  #         token: ${{ secrets.GITHUB_TOKEN }}
+  #         file: ./stdlib/${{ env.STDLIB_TAR }}
+  #         asset_name: stdlib.tgz
+  #         tag: ${{ needs.release-please.outputs.stdlib-tag-name }}
+
+  # dispatch-website:
+  #   needs: [release-please, upload-release]
+  #   if: ${{ needs.release-please.outputs.releases-created }}
+  #   name: Dispatch website release
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: grain-lang/workflow-dispatch-action@v1.0.1
+  #       with:
+  #         workflow: Grain Release
+  #         token: ${{ secrets.WORKFLOW_TOKEN }}
+  #         ref: main
+  #         repo: grain-lang/grain-lang.org
+  #         tag_input: ${{ needs.release-please.outputs.tag-name }}
+
+  # dispatch-homebrew:
+  #   needs: [release-please, upload-release]
+  #   if: ${{ needs.release-please.outputs.releases-created }}
+  #   name: Dispatch homebrew release
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: grain-lang/workflow-dispatch-action@v1.0.1
+  #       with:
+  #         workflow: Grain Release
+  #         token: ${{ secrets.WORKFLOW_TOKEN }}
+  #         ref: main
+  #         repo: grain-lang/homebrew-tap
+  #         tag_input: ${{ needs.release-please.outputs.tag-name }}
+
+  # npm-release-stdlib:
+  #   needs: [release-please, upload-npm-artifacts]
+  #   if: ${{ needs.release-please.outputs.releases-created }}
+  #   name: Publish stdlib to npm registry
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - name: Setup NodeJS
+  #       uses: actions/setup-node@v3.6.0
+  #       with:
+  #         node-version: ">=18.15 <19"
+  #         check-latest: true
+  #         registry-url: "https://registry.npmjs.org"
+
+  #     - name: Publish to npm
+  #       run: |
+  #         npm publish ${{ needs.upload-npm-artifacts.outputs.stdlib-download-url }}
+  #       env:
+  #         NODE_AUTH_TOKEN: ${{ secrets.NPM_RELEASE }}

Dockerfile

@@ -1,6 +1,6 @@
 # This Dockerfile constructs an environment in which the Grain compiler can be built and used.
 
-FROM ospencer/esy:alpine as esy
+FROM ospencer/esy:alpine AS esy
 FROM node:18
 
 LABEL name="Grain"

Dockerfile-slim

@@ -1,8 +1,8 @@
 # This Dockerfile constructs a minimal environment in which Grain programs can be compiled.
 # The environment is only meant to build Grain programs, not develop the compiler.
 
-FROM ospencer/esy:alpine as esy
-FROM node:18 as builder
+FROM ospencer/esy:alpine AS esy
+FROM node:18 AS builder
 
 LABEL name="Grain"
 LABEL description="Grain CLI"