From 6f9e599d915e1250af511c470a02ff32d27ae9fb Mon Sep 17 00:00:00 2001
From: Philip Salzmann
Date: Mon, 11 Dec 2023 11:22:43 +0100
Subject: [PATCH] Log in to Docker right before pushing

...to reduce the likelihood of racing with other jobs that also log in using their own tokens.
---
 .github/workflows/build_images.yml | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build_images.yml b/.github/workflows/build_images.yml
index 1b9306e..df294f7 100644
--- a/.github/workflows/build_images.yml
+++ b/.github/workflows/build_images.yml
@@ -58,18 +58,20 @@ jobs:
 packages: write
 steps:
 - uses: actions/checkout@v2
- - name: Log into Container registry
- uses: docker/login-action@v3
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build Docker container for ${{ matrix.sycl }} ${{ matrix.sycl-version }} on ${{ matrix.ubuntu-version }}
 run: bash ./build.sh ${{ matrix.ubuntu-version }} ${{ matrix.sycl }} ${{ matrix.sycl-version }}
 if: ${{ github.event_name == 'schedule' }}
 - name: Force-build Docker container for ${{ matrix.sycl }} ${{ matrix.sycl-version }} on ${{ matrix.ubuntu-version }}
 run: bash ./build.sh -f ${{ matrix.ubuntu-version }} ${{ matrix.sycl }} ${{ matrix.sycl-version }}
 if: ${{ github.event_name != 'schedule' }}
+ # NOTE: Since `docker login` is stateful, we race with other jobs that run concurrently on the same machine, which may
+ # result in spurious authentication failures. We reduce the likelihood of this by logging in right before pushing.
+ - name: Log into Container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
 - name: Push Docker container for ${{ matrix.sycl }} ${{ matrix.sycl-version }} on ${{ matrix.ubuntu-version }}
 run: |
 IMAGE="celerity-build/${{ matrix.sycl }}:ubuntu${{ matrix.ubuntu-version }}-${{ matrix.sycl-version }}"
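Review bot: Moving the login step narrows the window but leaves the shared state in place: `docker login` still writes the ghcr.io credential to the Docker client config that, per the NOTE comment, other jobs on the same machine also use, so a concurrent job's login or logout between this step and the push can still fail the push, and each job's token is usable by its neighbours while it is stored there. Giving the login and push steps a private config directory would remove the race rather than shrink it, for example a step-level `env:` with `DOCKER_CONFIG: ${{ runner.temp }}/docker-config` on both steps, assuming each runner instance has its own temp directory (to be confirmed for this setup). The same applies to the lint job in the second hunk. The job header (including `runs-on`) and the rest of the push step's `run` block are outside the hunk.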
@@ -82,14 +84,15 @@ jobs:
 packages: write
 steps:
 - uses: actions/checkout@v2
+ - name: Build Celerity linting container
+ run: bash ./build-lint.sh
+ # Same concurrency concerns as above.
 - name: Log into Container registry
 uses: docker/login-action@v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - name: Build Celerity linting container
- run: bash ./build-lint.sh
 - name: Push Celerity linting container
 run: |
 docker tag celerity-lint:latest ghcr.io/celerity/celerity-lint:latest
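Review bot: The step that receives `secrets.GITHUB_TOKEN` in a job with `packages: write` is referenced by the mutable tag `docker/login-action@v3`, and `actions/checkout@v2` likewise, so whatever those tags point at when the job runs gets a token that can publish images to ghcr.io. Pinning each action to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha>  # v3`, keeps the executed code equal to the reviewed code; the login step added in the first hunk needs the same pin. Separately, the new comment `# Same concurrency concerns as above.` points at a different job, so it would survive later edits better if it stated the reason itself, e.g. `# docker login is stateful and shared with concurrent jobs on this machine; log in right before pushing.`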