GH-1: Push Docker image to repository

acteng · Sep 15, 2023 · 9c7b9e6 · 9c7b9e6
1 parent 3a7d936
commit 9c7b9e6
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 3 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -29,7 +29,22 @@ jobs:
     - name: Run tests
       run: pytest
 
-    - name: Build image
+    - id: auth
+      name: Authenticate with Google Cloud
+      uses: google-github-actions/auth@v1
+      with:
+        token_format: access_token
+        credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+
+    - name: Login to Docker repository
+      uses: docker/login-action@v1
+      with:
+        registry: europe-west1-docker.pkg.dev
+        username: oauth2accesstoken
+        password: ${{ steps.auth.outputs.access_token }}
+
+    - name: Build and push image
       uses: docker/build-push-action@v4
       with:
-        tags: schemes
+        tags: europe-west1-docker.pkg.dev/dft-ate-schemes-prt/docker/schemes
+        push: true
diff --git a/README.md b/README.md
@@ -122,3 +122,11 @@ docker run --rm -it -e PORT=8000 -p 8000:8000 schemes
    ```bash
    terraform apply
    ```
+
+1. Obtain the Docker repository service account private key:
+
+   ```bash
+   terraform output -raw github_action_private_key
+   ```
+
+1. [Set the GitHub Actions repository secret](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository) `GCP_CREDENTIALS` to the private key
diff --git a/cloud/docker-repository/main.tf b/cloud/docker-repository/main.tf
@@ -6,10 +6,11 @@ terraform {
 }
 
 provider "google" {
-  project = "dft-ate-schemes-prt"
+  project = local.project
 }
 
 locals {
+  project  = "dft-ate-schemes-prt"
   location = "europe-west1"
 }
 
@@ -25,3 +26,25 @@ resource "google_artifact_registry_repository" "main" {
 
   depends_on = [google_project_service.artifact_registry]
 }
+
+resource "google_service_account" "github_action" {
+  account_id   = "github-action"
+  display_name = "Service account for use within GitHub actions"
+}
+
+resource "google_project_iam_member" "github_action_service_account_token_creator" {
+  project = local.project
+  role    = "roles/iam.serviceAccountTokenCreator"
+  member  = "serviceAccount:${google_service_account.github_action.email}"
+}
+
+resource "google_project_iam_member" "github_action_artifact_registry_writer" {
+  project = local.project
+  role    = "roles/artifactregistry.writer"
+  member  = "serviceAccount:${google_service_account.github_action.email}"
+}
+
+resource "google_service_account_key" "github_action" {
+  service_account_id = google_service_account.github_action.name
+  public_key_type    = "TYPE_X509_PEM_FILE"
+}
diff --git a/cloud/docker-repository/outputs.tf b/cloud/docker-repository/outputs.tf
@@ -0,0 +1,5 @@
+output "github_action_private_key" {
+  description = "Service account key for github action service account"
+  value       = google_service_account_key.github_action.private_key
+  sensitive   = true
+}