-
-
Notifications
You must be signed in to change notification settings - Fork 35
266 lines (238 loc) · 12.1 KB
/
amazon-ecr-credential-helper.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
#
# This workflow was created automatically from the `package-template.yml` by running `make -C .github workflows`
# DO NOT EDIT THIS WORKFLOW, changes will be lost on the next update.
#
name: "amazon-ecr-credential-helper"
concurrency:
group: ${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }} (${{ inputs.package_version_override || 'LATEST' }}_r${{ inputs.release_number_override || '0' }})
cancel-in-progress: true
on:
push:
branches:
- main
paths:
- apk/**
- deb/**
- rpm/**
- tasks/**
- vendor/amazon-ecr-credential-helper/**
# Do not automatically trigger a build when the workflow file is changed, because we often make mass updates.
# If we need to run all the workflows, we can just uncomment the line below and make new workflows.
# - .github/workflows/amazon-ecr-credential-helper.yml
pull_request:
types: [opened, synchronize, reopened]
# Include '[no ci]' in the commit message to keep the workflow from running on that commit in the PR.
paths:
- apk/**
- deb/**
- rpm/**
- tasks/**
- vendor/amazon-ecr-credential-helper/**
- .github/workflows/amazon-ecr-credential-helper.yml
workflow_dispatch:
inputs:
package_version_override:
description: 'Version of amazon-ecr-credential-helper package to build. Defaults to vendor/amazon-ecr-credential-helper/VERSION.'
required: false
type: string
release_number_override:
description: 'Zero-based release number of amazon-ecr-credential-helper package to publish. Defaults to 0 (zero) when version is specified, ignored if not.'
required: false
type: string
env:
amazon-ecr-credential-helper_VERSION: ${{ inputs.package_version_override }}
amazon-ecr-credential-helper_RELEASE: ${{ inputs.release_number_override }}
permissions:
contents: read
packages: write
attestations: write
id-token: write
jobs:
# Mergify cannot distinguish between 2 jobs with the same name run from different workflows,
# so each job must have a unique name for the rules to work properly.
# See https://github.com/Mergifyio/mergify/discussions/5082
# and https://github.com/Mergifyio/mergify/issues/5083
matrix-amazon-ecr-credential-helper:
if: github.event_name != 'schedule'
runs-on: ubuntu-latest
outputs:
package-enabled: ${{ steps.info.outputs.package_enabled }}
package-matrix: ${{steps.info.outputs.package_matrix}}
arch-matrix: ${{steps.info.outputs.arch_matrix}}
apk-enabled: ${{ steps.info.outputs.package_enabled == 'true' && steps.info.outputs.apk_package_enabled == 'true' }}
steps:
- uses: actions/checkout@v4
- name: Export package build matrix
shell: bash
id: info
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
run: |
echo setting ouputs
make -C vendor/amazon-ecr-credential-helper info/github
echo
echo outputs set
# Build for alpine linux
# Kept separate because it is old and slightly different from the other package builds
alpine-amazon-ecr-credential-helper:
needs: matrix-amazon-ecr-credential-helper
if: github.event_name != 'schedule' && needs.matrix-amazon-ecr-credential-helper.outputs.apk-enabled != 'false'
runs-on: ubuntu-latest
strategy:
matrix:
# These versions must be strings. E.g. Otherwise `3.10` -> `3.1`
alpine:
# Now that we are just building 1 binary for all distributions, we do not
# need to track which distribution we are building on.
- 'alpine'
env:
APK_KEY_RSA: "${{ secrets.APK_KEY_RSA }}"
APK_PACKAGES_PATH: ${{github.workspace}}/artifacts/${{matrix.alpine}}
PACKAGER: ops@cloudposse.com
PACKAGER_PRIVKEY: /dev/shm/ops@cloudposse.com.rsa
PACKAGER_PUBKEY: ${{github.workspace}}/artifacts/ops@cloudposse.com.rsa.pub
container:
image: ghcr.io/cloudposse/packages-apkbuild:${{matrix.alpine}}
credentials:
username: ${{ github.actor }}
password: "${{ secrets.GITHUB_TOKEN }}"
steps:
# Checkout the packages repo so we can build the packages as a monorepo
- name: "Checkout source code at current commit"
uses: actions/checkout@v4
# Export the apk keys as files from secrets
- name: "Export keys"
run: "make -C .github/ export"
# Build the alpine packages for the matrix version of alpine
- name: "Build alpine packages"
run: "make -C vendor/${{github.workflow}} apk"
# Verify the packages were built or error
- name: "List packages"
run: 'find ${APK_PACKAGES_PATH} -type f -name \*.apk | xargs --no-run-if-empty ls -l | grep .'
# Export the artifact filename including path.
# Path must be relative to workdir for Cloudsmith action to be able to find it.
- name: "Set output path to artifact"
id: artifact
shell: bash
run: |
artifact=$(find artifacts/${{matrix.alpine}} -type f -name \*.apk)
echo "path=$artifact" | tee -a $GITHUB_OUTPUT
# Determine which package organization we should use (e.g. dev or prod)
- name: "Determine package repo"
shell: bash
id: repo
run: |
if [[ ${GITHUB_REF} == 'refs/heads/main' ]]; then
echo "org=${{github.repository_owner}}" | tee -a $GITHUB_OUTPUT
else
echo "org=${{github.repository_owner}}-dev" | tee -a $GITHUB_OUTPUT
fi
env:
GITHUB_REF: ${{ github.ref }}
# Publish the artifacts
- name: "Push artifact to package repository"
uses: cloudsmith-io/action@v0.6.10
with:
api-key: ${{ secrets.CLOUDSMITH_API_KEY }}
command: 'push'
format: 'alpine'
owner: '${{steps.repo.outputs.org}}' # Your Cloudsmith account name or org name (namespace)
repo: 'packages' # Your Cloudsmith Repository name (slug)
distro: 'alpine' # Your Distribution (i.e debian, ubuntu, alpine)
release: 'any-version' # Use "any-version" if your package is compatible with more than one version of alpine linux
republish: 'true' # Needed if version is not changing
file: '${{steps.artifact.outputs.path}}' # Package filename (including path)
no-wait-for-sync: 'true' # Skip the waiting for package synchronisation (i.e. upload only)
# Build packages with fpm package manager
package-amazon-ecr-credential-helper:
needs: matrix-amazon-ecr-credential-helper
# Should not be needed, but without these conditions, this job would fail with an error if the matrix is []
# and would run with package-type empty if matrix is ["apk"]
if: >
github.event_name != 'schedule' && needs.matrix-amazon-ecr-credential-helper.outputs.package-enabled != 'false'
&& needs.matrix-amazon-ecr-credential-helper.outputs.package-matrix != '[]' && needs.matrix-amazon-ecr-credential-helper.outputs.package-matrix != '["apk"]'
strategy:
matrix:
package-type: ${{ fromJSON(needs.matrix-amazon-ecr-credential-helper.outputs.package-matrix) }}
arch: ${{ fromJSON(needs.matrix-amazon-ecr-credential-helper.outputs.arch-matrix) }}
exclude:
- package-type: 'apk'
include:
# Default value for runs-on. Original matrix values will not be overridden, but added ones (like runs-on) can be.
# See https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs#expanding-or-adding-matrix-configurations
- runs-on: "self-hosted-arm64-large"
# By including `arch: amd64` here, we override the `runs-on` value when the matrix `arch` is `amd64`.
# This also forces the matrix to include `arch: amd64` even if it is not in the original matrix.
# This is why we do not default for amd64 and then override for arm64. (Because it would force arm64 to be included, and some tools are not available for arm64.)
- arch: amd64
runs-on: "ubuntu-latest"
runs-on: ${{ matrix.runs-on }}
env:
# We are in a bit of a bind here because of how GitHub actions work as of 2020-11-19
# Although the "workspace" is mounted to the container, it is not mounted
# at `/github/workspace` or ${{github.workspace}}, although through some
# mechanism, an environment variable whose value starts with ${{github.workspace}}
# will have ${{github.workspace}} replaced with the correct mount point.
#
# We need an absolute path for the package build system, since every build happens
# in a different directory, but because the mount point changes, we also
# need a path relative to the initial working directory to communicate between
# the package building container and the cloudsmith action.
PACKAGES_PATH: ${{github.workspace}}/artifacts/${{matrix.package-type}}/any-version
PACKAGE_RELPATH: artifacts/${{matrix.package-type}}/any-version
# Unfortunately, there is no reasonable way to configure the docker image tag based on the package-type
container:
image: ghcr.io/cloudposse/packages-${{matrix.package-type}}build:latest
credentials:
username: "${{ github.actor }}"
password: "${{ secrets.GITHUB_TOKEN }}"
steps:
# Checkout the packages repo so we can build the packages as a monorepo
- name: "Checkout source code at current commit"
uses: actions/checkout@v4
# Build the packages for the matrix version
- name: "Build ${{matrix.package-type}} packages"
shell: bash
run: |
echo Current directory is $(pwd)
[[ $PACKAGES_PATH =~ ^$(pwd) ]] || { echo Package dir \"$PACKAGES_PATH\" not beneath workdir \"$(pwd)\" >&2; exit 1; }
make -C vendor/${{github.workflow}} ${{matrix.package-type}}
# Export the artifact filename including path
- name: "Set output path to artifact"
id: artifact
shell: bash
run: |
[[ -n $PACKAGE_RELPATH ]] || { echo Error: PACKAGE_RELPATH is not set >&2; exit 1; }
packages=($(find ${PACKAGE_RELPATH} -type f -name \*.${{matrix.package-type}}))
echo List packages found:
printf "%s\n" "${packages[@]}" | xargs --no-run-if-empty ls -l
echo Error if not exactly 1 package found
(( ${#packages[@]} == 1 )) || { echo "Error: other than 1 package found (${#packages[@]})" >&2; exit 1; }
echo "setting output"
echo "path=$packages" | tee -a $GITHUB_OUTPUT
# Determine which package organization we should use (e.g. dev or prod)
- name: "Determine package repo"
shell: bash
id: repo
run: |
if [[ ${GITHUB_REF} == 'refs/heads/main' ]]; then
echo "org=${{github.repository_owner}}" | tee -a $GITHUB_OUTPUT
else
echo "org=${{github.repository_owner}}-dev" | tee -a $GITHUB_OUTPUT
fi
env:
GITHUB_REF: ${{ github.ref }}
# Publish the artifacts
- name: "Push artifact to package repository"
uses: cloudsmith-io/action@v0.6.10
with:
api-key: ${{ secrets.CLOUDSMITH_API_KEY }}
command: 'push'
format: '${{matrix.package-type}}'
owner: '${{steps.repo.outputs.org}}' # Your Cloudsmith account name or org name (namespace)
repo: 'packages' # Your Cloudsmith Repository name (slug)
distro: 'any-distro' # Use "any-distro" since our package is compatible with more than more distribution
release: 'any-version' # Use "any-version" since our package is compatible with more than more version
republish: 'true' # Needed if version is not changing
file: '${{steps.artifact.outputs.path}}' # Package filename (including path)
no-wait-for-sync: 'true' # Skip the waiting for package synchronisation (i.e. upload only)