chore: configure publishing container images to ECR Public (#4025)

aws · Mar 22, 2023 · ad5544b · ad5544b
1 parent 878761e
commit ad5544b
Showing 1 changed file with 57 additions and 36 deletions.
diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml
@@ -172,21 +172,8 @@ jobs:
  # Only when puhsing to main/release from now on
  - name: Publish (nightly)
  if: steps.should-run.outputs.result == 'true' && github.event_name == 'push' && github.ref != 'refs/heads/release'
+ # NOTE BELOW: The `--tag` flags can be provided multiple times... we use that capability...
  run: |-
- docker buildx build \
- --builder ${{ steps.buildx.outputs.name }} \
- --platform linux/amd64,linux/arm64 \
- --target superchain \
- --cache-from type=local,src=/tmp/.buildx-cache \
- --cache-to type=local,dest=/tmp/.buildx-cache \
- --push \
- --build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \
- --build-arg COMMIT_ID='${{ github.sha }}' \
- --build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \
- --tag "jsii/superchain:1-buster-slim-node${{ matrix.node }}-nightly"\
- -f superchain/Dockerfile \
- .
-
  # If the current version is the default version, also tag this with the unqualified ':nightly' label
  if [[ "${{ matrix.node }}" == "$DEFAULT_NODE_MAJOR_VERSION" ]]; then
  docker buildx build \
@@ -200,29 +187,10 @@ jobs:
  --build-arg COMMIT_ID='${{ github.sha }}' \
  --build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \
  --tag "jsii/superchain:1-buster-slim-nightly" \
+ --tag "jsii/superchain:1-buster-slim-node${{ matrix.node }}-nightly"\
  -f superchain/Dockerfile \
  .
- fi
- - name: Publish (latest)
- if: steps.should-run.outputs.result == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/release'
- run: |-
- # Alias 'nodeX-nightly's to 'nodeX', then push
- docker buildx build \
- --builder ${{ steps.buildx.outputs.name }} \
- --platform linux/amd64,linux/arm64 \
- --target superchain \
- --cache-from type=local,src=/tmp/.buildx-cache \
- --cache-to type=local,dest=/tmp/.buildx-cache \
- --push \
- --build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \
- --build-arg COMMIT_ID='${{ github.sha }}' \
- --build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \
- --tag "jsii/superchain:1-buster-slim-node${{ matrix.node }}" \
- -f superchain/Dockerfile \
- .
-
- # If the current version is the default version, also tag this with the unqualified ':1-*' label
- if [[ "${{ matrix.node }}" == "$DEFAULT_NODE_MAJOR_VERSION" ]]; then
+ else
  docker buildx build \
  --builder ${{ steps.buildx.outputs.name }} \
  --platform linux/amd64,linux/arm64 \
@@ -233,11 +201,64 @@ jobs:
  --build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \
  --build-arg COMMIT_ID='${{ github.sha }}' \
  --build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \
- --tag "jsii/superchain:1-buster-slim" \
+ --tag "jsii/superchain:1-buster-slim-node${{ matrix.node }}-nightly"\
  -f superchain/Dockerfile \
  .
  fi
 
+ # We only switch to an ECR-Push capable role if this is a "release" push, for safety reasons...
+ - name: Federate with AWS role for ECE Public push
+ if: steps.should-run.outputs.result == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/release'
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ aws-region: us-east-1
+ role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME_FOR_ECR_PUBLIC_PUSH }}
+ role-session-name: GHA_aws-jsii_docker-images-PUSH
+ - name: Authenticate with ECR Public for Push
+ if: steps.should-run.outputs.result == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/release'
+ uses: aws-actions/amazon-ecr-login@v1
+ with:
+ registry-type: public
+
+ - name: Publish (latest)
+ if: steps.should-run.outputs.result == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/release'
+ # NOTE BELOW: The `--tag` flags can be provided multiple times... we use that capability...
+ run: |-
+ # If the current version is the default version, also tag this with the unqualified ':1-*' label
+ if [[ "${{ matrix.node }}" == "$DEFAULT_NODE_MAJOR_VERSION" ]]; then
+ docker buildx build \
+ --builder ${{ steps.buildx.outputs.name }} \
+ --platform linux/amd64,linux/arm64 \
+ --target superchain \
+ --cache-from type=local,src=/tmp/.buildx-cache \
+ --cache-to type=local,dest=/tmp/.buildx-cache \
+ --push \
+ --build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \
+ --build-arg COMMIT_ID='${{ github.sha }}' \
+ --build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \
+ --tag "jsii/superchain:1-buster-slim" \
+ --tag "jsii/superchain:1-buster-slim-node${{ matrix.node }}" \
+ --tag "${{ secrets.ECR_PUBLIC_REGISTRY }}:1-buster-slim" \
+ --tag "${{ secrets.ECR_PUBLIC_REGISTRY }}:1-buster-slim-node${{ matrix.node }}" \
+ -f superchain/Dockerfile \
+ .
+ else
+ docker buildx build \
+ --builder ${{ steps.buildx.outputs.name }} \
+ --platform linux/amd64,linux/arm64 \
+ --target superchain \
+ --cache-from type=local,src=/tmp/.buildx-cache \
+ --cache-to type=local,dest=/tmp/.buildx-cache \
+ --push \
+ --build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \
+ --build-arg COMMIT_ID='${{ github.sha }}' \
+ --build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \
+ --tag "jsii/superchain:1-buster-slim-node${{ matrix.node }}" \
+ --tag "${{ secrets.ECR_PUBLIC_REGISTRY }}:1-buster-slim-node${{ matrix.node }}" \
+ -f superchain/Dockerfile \
+ .
+ fi
+
  # Replace the cache so it does not grow forever (should always be last!)
  - name: Update layer cache
  if: always() && steps.should-run.outputs.result == 'true'