implement and use PR workflow

.github/workflows/docker-publish.yml

@@ -1,12 +1,6 @@
 name: build and publish
 
 on:
-  # Populate the cache on pushes to main, because if you push to cache on builds for tags,
-  # the cache can't be read by builds for other tags:
-  # https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache
-  push:
-    branches:
-      - main
   release:
     types: [published]
 
@@ -67,109 +61,13 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
-  # (In case of push only)
-  # Use the container we just built to build the guide and upload it to the actions artifacts.
-  render-samples-push:
+  # Use the fresh container to render the samples.
+  render-samples:
     needs: build-container
-    runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/trustedcomputinggroup/pandoc:main
-    permissions:
-      contents: write
-    if: ${{ github.event_name == 'push' }}
-    steps:
-      - name: Checkout repository
-        uses: actions/[email protected]
-        with:
-          fetch-depth: 0
-          fetch-tags: true
-
-      - name: Cache LaTeX files
-        uses: actions/cache@v3
-        env:
-          cache-name: cache-latex-files
-        with:
-          path: |
-            *.aux
-            *.fdb_latexmk
-            *.lof
-            *.lot
-            *.toc
-            *.convert.pdf
-          key: latex-${{ github.run_id }}
-          restore-keys: latex
-
-      - name: Run the action on guide
-        uses: trustedcomputinggroup/markdown@latest
-        with:
-          input-md: guide.tcg
-          extra-build-options: "--versioned_filenames"
-          output-pdf: guide.pdf
-          output-tex: guide.tex
-          output-docx: guide.docx
-
-      - name: Upload PDF
-        uses: actions/upload-artifact@master
-        with:
-          name: PDF
-          path: guide.*.pdf
-
-  # (In case of release only)
-  # Use the container we just built to build the guide and attach it to the release
-  render-samples-release:
-    needs: build-container
-    runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/trustedcomputinggroup/pandoc:latest
-    permissions:
-      contents: write
-    if: ${{ github.event_name == 'release' }}
-    steps:
-      - name: Checkout repository
-        uses: actions/[email protected]
-        with:
-          fetch-depth: 0
-          fetch-tags: true
-
-      - name: Cache LaTeX files
-        uses: actions/cache@v3
-        env:
-          cache-name: cache-latex-files
-        with:
-          path: |
-            *.aux
-            *.fdb_latexmk
-            *.lof
-            *.lot
-            *.toc
-            *.convert.pdf
-          key: latex-${{ github.run_id }}
-          restore-keys: latex
-
-      - name: Render for release
-        uses: trustedcomputinggroup/markdown@latest
-        with:
-          input-md: guide.tcg
-          extra-build-options: "--versioned_filenames"
-          output-pdf: guide.pdf
-          output-docx: guide.docx
-
-      - name: Upload to release
-        uses: svenstaro/upload-release-action@v2
-        with:
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: guide.*.pdf
-          tag: ${{ github.ref }}
-          overwrite: true
-          file_glob: true
-          body: "Guide (PDF)"
-
-      - name: Upload to release
-        uses: svenstaro/upload-release-action@v2
-        with:
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: guide.*.docx
-          tag: ${{ github.ref }}
-          overwrite: true
-          file_glob: true
-          body: "Guide (Word)"
+    uses: ./.github/workflows/release.yml
+    with:
+      container: ghcr.io/trustedcomputinggroup/pandoc
+      container-version: latest
+      input: guide.tcg
+      output: guide
+      github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr.yml

@@ -0,0 +1,77 @@
+# Reusable workflow to render the spec for PRs.
+# https://docs.github.com/en/actions/using-workflows/reusing-workflows
+
+name: Render
+
+on:
+  workflow_call:
+    inputs:
+      container:
+        required: false
+        type: string
+        default: ghcr.io/trustedcomputinggroup/pandoc
+      container-version:
+        required: true
+        type: string
+      input:
+        required: true
+        type: string
+      output:
+        required: true
+        type: string
+
+jobs:
+  render:
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ inputs.container }}:${{ inputs.container-version }}
+    name: Render
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Cache LaTeX files
+        uses: actions/cache@v3
+        env:
+          cache-name: cache-latex-${{ inputs.input }}-files
+        with:
+          path: |
+            *.aux
+            *.fdb_latexmk
+            *.lof
+            *.lot
+            *.toc
+            *.upa
+            *.upb
+            media/*.convert.pdf
+          key: latex-${{ inputs.input }}-${{ github.run_id }}
+          restore-keys: latex-${{ inputs.input }}
+
+      - name: Render
+        uses: ./.github/actions/render
+        with:
+          input-md: ${{ inputs.input }}
+          output-basename: ${{ inputs.output }}
+          pdf: true
+          diffbase: "${{ github.event.pull_request.base.sha }}"
+          pr-number: "${{ github.event.number }}"
+          pr-repo: "${{ github.repository }}"
+
+      - name: Upload pdfs
+        uses: actions/upload-artifact@master
+        with:
+          name: PDF
+          path: |
+            ${{ inputs.output }}.*.pdf
+        if: always()
+
+      - name: Upload logs
+        uses: actions/upload-artifact@master
+        with:
+          name: Logs
+          path: |
+            ${{ inputs.output }}.*.log
+        if: always()

.github/workflows/push-main.yml

@@ -0,0 +1,72 @@
+name: build and publish
+
+on:
+  release:
+    types: [published]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-container:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      # Login against a Docker registry
+      # https://github.com/docker/login-action
+      - name: Log into registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Set up QEMU for cross-platform builds below
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+        with:
+          image: tonistiigi/binfmt:latest
+          platforms: all
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v3
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+
+      # Build and push Docker image with Buildx
+      # https://github.com/docker/build-push-action
+      - name: Build and publish Docker image
+        uses: docker/build-push-action@v5
+        with:
+          # Cache layers from the container repo.
+          # Update the cache only on pushes to main.
+          # This minimizes the amount of times we have to rebuild pandoc.
+          cache-from: type=gha
+          cache-to: ${{ github.event_name == 'push' && 'type=gha' || '' }}
+          platforms: linux/amd64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  # Use the fresh container to render the samples.
+  render-samples:
+    needs: build-container
+    uses: ./.github/workflows/push.yml
+    with:
+      container: ghcr.io/trustedcomputinggroup/pandoc
+      container-version: latest
+      input: guide.tcg
+      output: guide

.github/workflows/push.yml

@@ -0,0 +1,78 @@
+# Reusable workflow to render the spec for pushes.
+# https://docs.github.com/en/actions/using-workflows/reusing-workflows
+
+# Build on pushes, because if you push to cache on builds for tags,
+# the cache can't be read by builds for other tags:
+# https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache
+
+name: Render
+
+on:
+  workflow_call:
+    inputs:
+      container:
+        required: false
+        type: string
+        default: ghcr.io/trustedcomputinggroup/pandoc
+      container-version:
+        required: true
+        type: string
+      input:
+        required: true
+        type: string
+      output:
+        required: true
+        type: string
+
+jobs:
+  render:
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ inputs.container }}:${{ inputs.container-version }}
+    name: Render
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Cache LaTeX files
+        uses: actions/cache@v3
+        env:
+          cache-name: cache-latex-${{ inputs.input }}-files
+        with:
+          path: |
+            *.aux
+            *.fdb_latexmk
+            *.lof
+            *.lot
+            *.toc
+            *.upa
+            *.upb
+            media/*.convert.pdf
+          key: latex-${{ inputs.input }}-${{ github.run_id }}
+          restore-keys: latex-${{ inputs.input }}
+
+      - name: Render
+        uses: ./.github/actions/render
+        with:
+          input-md: ${{ inputs.input }}
+          output-basename: ${{ inputs.output }}
+          pdf: true
+
+      - name: Upload pdfs
+        uses: actions/upload-artifact@master
+        with:
+          name: PDF
+          path: |
+            ${{ inputs.output }}.*.pdf
+        if: always()
+
+      - name: Upload logs
+        uses: actions/upload-artifact@master
+        with:
+          name: Logs
+          path: |
+            ${{ inputs.output }}.*.log
+        if: always()