Copy builder images to public ecr (#557)
* Add public ecr publishing

* Use id-token permission

* Update ecr config vars

* Use vars, not config

* Run action on branch too

* Comment out branch restriction

* Use correct region

* Fix ecr public address

* Fix typo in ecr public address

* Also mirror image index / manifest list to ECR

* Use correct matrix argument

* Rework publish manifests step

* Use correct ecr.aws domain

* Re-enable branch restriction

Co-authored-by: Ed Morley <501702+edmorley@users.noreply.github.com>

* Use singular naming

Co-authored-by: Ed Morley <501702+edmorley@users.noreply.github.com>

---------

Co-authored-by: Ed Morley <501702+edmorley@users.noreply.github.com>
joshwlewis and edmorley authored Jul 26, 2024
1 parent 5272527 commit 58c6b85
Showing 1 changed file with 49 additions and 14 deletions.
63 changes: 49 additions & 14 deletions .github/workflows/build-test-publish.yml
Expand Up @@ -10,6 +10,7 @@ on:

permissions:
contents: read
id-token: write

defaults:
run:
Expand Down Expand Up @@ -165,19 +166,22 @@ jobs:
include:
- builder: builder-20
arch: amd64
tag_public: heroku/builder:20
tag_docker_hub: heroku/builder:20
- builder: builder-22
arch: amd64
tag_public: heroku/builder:22
tag_docker_hub: heroku/builder:22
tag_ecr_public: heroku/builder:22
- builder: salesforce-functions
arch: amd64
tag_private: heroku-22:builder-functions
- builder: builder-24
arch: amd64
tag_public: heroku/builder:24_linux-amd64
tag_docker_hub: heroku/builder:24_linux-amd64
tag_ecr_public: heroku/builder:24_linux-amd64
- builder: builder-24
arch: arm64
tag_public: heroku/builder:24_linux-arm64
tag_docker_hub: heroku/builder:24_linux-arm64
tag_ecr_public: heroku/builder:24_linux-arm64
steps:
- name: Restore Docker images from the cache
uses: actions/cache/restore@v4
Expand All @@ -190,7 +194,7 @@ jobs:
- name: Load Docker images into the Docker daemon
run: zstd -dc --long=31 images.tar.zst | docker load
- name: Log into Docker Hub
if: matrix.tag_public != ''
if: matrix.tag_docker_hub != ''
run: echo '${{ secrets.DOCKER_HUB_TOKEN }}' | docker login -u '${{ secrets.DOCKER_HUB_USER }}' --password-stdin
- name: Log into internal registry
if: matrix.tag_private != ''
Expand All @@ -202,20 +206,39 @@ jobs:
| jq --exit-status -r '.raw_id_token'
)
echo "${REGISTRY_TOKEN}" | docker login '${{ secrets.REGISTRY_HOST }}' -u '${{ secrets.REGISTRY_USER }}' --password-stdin
- name: Configure AWS credentials
if: matrix.tag_ecr_public != ''
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ECR_ROLE }}
aws-region: ${{ vars.AWS_REGION }}
- name: Log in to Amazon ECR Public
if: matrix.tag_ecr_public != ''
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public
- name: Tag builder and push to Docker Hub
if: matrix.tag_public != ''
if: matrix.tag_docker_hub != ''
run: |
PUBLIC_IMAGE_URI='${{ matrix.tag_public }}'
DOCKER_HUB_IMAGE_URI='${{ matrix.tag_docker_hub }}'
set -x
docker tag '${{ matrix.builder }}' "${PUBLIC_IMAGE_URI}"
docker push "${PUBLIC_IMAGE_URI}"
docker tag '${{ matrix.builder }}' "${DOCKER_HUB_IMAGE_URI}"
docker push "${DOCKER_HUB_IMAGE_URI}"
- name: Tag builder and push to internal registry
if: matrix.tag_private != ''
run: |
PRIVATE_IMAGE_URI='${{ secrets.REGISTRY_HOST }}/s/${{ secrets.SERVICE_TOKEN_USER_NAME }}/${{ matrix.tag_private }}'
set -x
docker tag '${{ matrix.builder }}' "${PRIVATE_IMAGE_URI}"
docker push "${PRIVATE_IMAGE_URI}"
- name: Tag builder and push to public ECR
if: matrix.tag_ecr_public != ''
run: |
ECR_PUBLIC_IMAGE_URI='public.ecr.aws/${{ matrix.tag_ecr_public }}'
set -x
docker tag '${{ matrix.builder }}' "${ECR_PUBLIC_IMAGE_URI}"
docker push "${ECR_PUBLIC_IMAGE_URI}"
publish-manifest:
runs-on: ubuntu-24.04
Expand All @@ -224,13 +247,25 @@ jobs:
fail-fast: false
matrix:
include:
- tag_public: "heroku/builder:24"
manifests: "heroku/builder:24_linux-amd64 heroku/builder:24_linux-arm64"
- tag_uri: "docker.io/heroku/builder:24"
manifest_uris: "docker.io/heroku/builder:24_linux-amd64 docker.io/heroku/builder:24_linux-arm64"
- tag_uri: "public.ecr.aws/heroku/builder:24"
manifest_uris: "public.ecr.aws/heroku/builder:24_linux-amd64 public.ecr.aws/heroku/builder:24_linux-arm64"
steps:
- name: Log in to Docker Hub
if: matrix.tag_public != ''
run: echo '${{ secrets.DOCKER_HUB_TOKEN }}' | docker login -u '${{ secrets.DOCKER_HUB_USER }}' --password-stdin
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ECR_ROLE }}
aws-region: ${{ vars.AWS_REGION }}
- name: Log in to Amazon ECR Public
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public
- name: Create and push manifest lists
run: |
docker manifest create "${{ matrix.tag_public }}" ${{ matrix.manifests }}
docker manifest push "${{ matrix.tag_public }}"
set -x
docker manifest create "${{ matrix.tag_uri }}" ${{ matrix.manifest_uris }}
docker manifest push "${{ matrix.tag_uri }}"
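Review bot: The `id-token: write` added in the first hunk (under `permissions:` next to `contents: read`, which the `on:` hunk context suggests is the workflow-level block) grants OIDC token minting to every job in the workflow, although only the two jobs that call `aws-actions/configure-aws-credentials@v4` need it. Least privilege would keep the top-level block at `contents: read` and declare `permissions:` / `contents: read` / `id-token: write` on the builder publish job and on `publish-manifest`; the enclosing job definitions start outside the visible hunks, so the exact insertion point is not shown here. Relatedly, in `publish-manifest` the `Configure AWS credentials`, `Log in to Amazon ECR Public` and `Log in to Docker Hub` steps carry no `if:`, so the AWS role is assumed and both registries' credentials are present in every matrix run, including the one that only pushes to `docker.io`; conditioning them on `startsWith(matrix.tag_uri, 'public.ecr.aws/')` and `startsWith(matrix.tag_uri, 'docker.io/')` respectively would keep each run to one registry's credentials, as the builder job already does with `matrix.tag_ecr_public != ''` and `matrix.tag_docker_hub != ''`. One caveat to confirm: `amazon-ecr-login@v2` with `registry-type: public` expects the configured region to be `us-east-1`, so `vars.AWS_REGION` should hold that value or the public login step will fail.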
