From 58c6b8539535d7b7ee8d7881dc5ee3fc26f055f1 Mon Sep 17 00:00:00 2001
From: Josh W Lewis
Date: Fri, 26 Jul 2024 11:33:28 -0500
Subject: [PATCH] Copy builder images to public ecr (#557)
* Add public ecr publishing
* Use id-token permission
* Update ecr config vars
* Use vars, not config
* Run action on branch too
* Comment out branch restriction
* Use correct region
* Fix ecr public address
* Fix typo in ecr public address
* Also mirror image index / manifest list to ECR
* Use correct matrix argument
* Rework publish manifests step
* Use correct ecr.aws domain
* Re-enable branch restriction
Co-authored-by: Ed Morley <501702+edmorley@users.noreply.github.com>
* Use singular naming
Co-authored-by: Ed Morley <501702+edmorley@users.noreply.github.com>
---------
Co-authored-by: Ed Morley <501702+edmorley@users.noreply.github.com>
--- .github/workflows/build-test-publish.yml | 63 ++++++++++++++++++------
1 file changed, 49 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/build-test-publish.yml b/.github/workflows/build-test-publish.yml
index a117a9a..ffba533 100644
--- a/.github/workflows/build-test-publish.yml
+++ b/.github/workflows/build-test-publish.yml
@@ -10,6 +10,7 @@ on:
permissions:
contents: read
+ id-token: write
defaults:
run:
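Review bot: Adding `id-token: write` to the workflow-level `permissions:` block grants every job in this workflow the ability to mint OIDC tokens, not just the two jobs that assume the AWS role; the build and test jobs (outside this hunk) do not need it. Moving it to job-level permissions keeps the blast radius of a compromised build step small, e.g. on the publish jobs: `permissions:` / `  contents: read` / `  id-token: write`, and leaving the workflow default at `contents: read`. The `on:` triggers are not visible here, so whether any of those jobs run on untrusted pull-request input cannot be confirmed from this diff. The enclosing `permissions:` block ends outside the hunk.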
@@ -165,19 +166,22 @@ jobs: include: - builder: builder-20 arch: amd64 - tag_public: heroku/builder:20 + tag_docker_hub: heroku/builder:20 - builder: builder-22 arch: amd64 - tag_public: heroku/builder:22 + tag_docker_hub: heroku/builder:22 + tag_ecr_public: heroku/builder:22 - builder: salesforce-functions arch: amd64 tag_private: heroku-22:builder-functions - builder: builder-24 arch: amd64 - tag_public: heroku/builder:24_linux-amd64 + tag_docker_hub: heroku/builder:24_linux-amd64 + tag_ecr_public: heroku/builder:24_linux-amd64 - builder: builder-24 arch: arm64 - tag_public: heroku/builder:24_linux-arm64 + tag_docker_hub: heroku/builder:24_linux-arm64 + tag_ecr_public: heroku/builder:24_linux-arm64 steps: - name: Restore Docker images from the cache uses: actions/cache/restore@v4 @@ -190,7 +194,7 @@ jobs: - name: Load Docker images into the Docker daemon run: zstd -dc --long=31 images.tar.zst | docker load - name: Log into Docker Hub - if: matrix.tag_public != '' + if: matrix.tag_docker_hub != '' run: echo '${{ secrets.DOCKER_HUB_TOKEN }}' | docker login -u '${{ secrets.DOCKER_HUB_USER }}' --password-stdin - name: Log into internal registry if: matrix.tag_private != '' 
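Review bot: The builder-20 include entry gets only `tag_docker_hub`, while builder-22 and both builder-24 entries get `tag_ecr_public` as well, and nothing in the hunk says whether that asymmetry is deliberate. If it is, a one-line comment above the builder-20 entry would stop the next maintainer from "fixing" it, e.g. `# builder-20 is intentionally Docker Hub only (not mirrored to ECR Public)`. The `matrix.tag_ecr_public != ''` checks added later rely on an absent matrix key comparing equal to `''`, which the existing `tag_private` steps already depend on, so that part looks consistent. The `matrix:` block this hunk edits starts before the hunk.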
@@ -202,13 +206,25 @@ jobs: | jq --exit-status -r '.raw_id_token' ) echo "${REGISTRY_TOKEN}" | docker login '${{ secrets.REGISTRY_HOST }}' -u '${{ secrets.REGISTRY_USER }}' --password-stdin + - name: Configure AWS credentials + if: matrix.tag_ecr_public != '' + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ECR_ROLE }} + aws-region: ${{ vars.AWS_REGION }} + - name: Log in to Amazon ECR Public + if: matrix.tag_ecr_public != '' + id: login-ecr-public + uses: aws-actions/amazon-ecr-login@v2 + with: + registry-type: public - name: Tag builder and push to Docker Hub - if: matrix.tag_public != '' + if: matrix.tag_docker_hub != '' run: | - PUBLIC_IMAGE_URI='${{ matrix.tag_public }}' + DOCKER_HUB_IMAGE_URI='${{ matrix.tag_docker_hub }}' set -x - docker tag '${{ matrix.builder }}' "${PUBLIC_IMAGE_URI}" - docker push "${PUBLIC_IMAGE_URI}" + docker tag '${{ matrix.builder }}' "${DOCKER_HUB_IMAGE_URI}" + docker push "${DOCKER_HUB_IMAGE_URI}" - name: Tag builder and push to internal registry if: matrix.tag_private != '' run: | @@ -216,6 +232,13 @@ jobs: set -x docker tag '${{ matrix.builder }}' "${PRIVATE_IMAGE_URI}" docker push "${PRIVATE_IMAGE_URI}" + - name: Tag builder and push to public ECR + if: matrix.tag_ecr_public != '' + run: | + ECR_PUBLIC_IMAGE_URI='public.ecr.aws/${{ matrix.tag_ecr_public }}' + set -x + docker tag '${{ matrix.builder }}' "${ECR_PUBLIC_IMAGE_URI}" + docker push "${ECR_PUBLIC_IMAGE_URI}" publish-manifest: runs-on: ubuntu-24.04 
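Review bot: The `aws-region: ${{ vars.AWS_REGION }}` line feeds a login with `registry-type: public`, and as far as I recall from the action's documentation ECR Public authentication is only served from us-east-1, so any other value of the repository variable fails the login at runtime rather than at config time (the "Use correct region" entry in the commit history suggests this was hit). A comment on that line would make the constraint visible, e.g. `# ECR Public auth is served from us-east-1 only; AWS_REGION must be set accordingly`. Since these two steps now mint cloud credentials from an OIDC token, pinning `configure-aws-credentials` and `amazon-ecr-login` to a commit SHA rather than `@v4`/`@v2` is worth considering, even though the rest of the file uses major-version tags. The step list this hunk edits starts before the hunk.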
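Review bot: The new "Tag builder and push to public ECR" step hard-codes the registry host in `ECR_PUBLIC_IMAGE_URI='public.ecr.aws/${{ matrix.tag_ecr_public }}'` while the login step above it is given `id: login-ecr-public`, which nothing in this diff references. Using the login step's output keeps the push target tied to the registry that was actually authenticated: `ECR_PUBLIC_IMAGE_URI='${{ steps.login-ecr-public.outputs.registry }}/${{ matrix.tag_ecr_public }}'`. If the id is kept unused, drop it so readers do not go looking for a consumer. `set -x` here only echoes the image URI, not a credential, so that part is fine.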
@@ -224,13 +247,25 @@ jobs: fail-fast: false matrix: include: - - tag_public: "heroku/builder:24" - manifests: "heroku/builder:24_linux-amd64 heroku/builder:24_linux-arm64" + - tag_uri: "docker.io/heroku/builder:24" + manifest_uris: "docker.io/heroku/builder:24_linux-amd64 docker.io/heroku/builder:24_linux-arm64" + - tag_uri: "public.ecr.aws/heroku/builder:24" + manifest_uris: "public.ecr.aws/heroku/builder:24_linux-amd64 public.ecr.aws/heroku/builder:24_linux-arm64" steps: - name: Log in to Docker Hub - if: matrix.tag_public != '' run: echo '${{ secrets.DOCKER_HUB_TOKEN }}' | docker login -u '${{ secrets.DOCKER_HUB_USER }}' --password-stdin + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ECR_ROLE }} + aws-region: ${{ vars.AWS_REGION }} + - name: Log in to Amazon ECR Public + id: login-ecr-public + uses: aws-actions/amazon-ecr-login@v2 + with: + registry-type: public - name: Create and push manifest lists run: | - docker manifest create "${{ matrix.tag_public }}" ${{ matrix.manifests }} - docker manifest push "${{ matrix.tag_public }}" + set -x + docker manifest create "${{ matrix.tag_uri }}" ${{ matrix.manifest_uris }} + docker manifest push "${{ matrix.tag_uri }}"
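Review bot: Removing `if: matrix.tag_public != ''` from "Log in to Docker Hub" and adding the two AWS steps without a condition means each matrix row now logs into both registries, although each row pushes to exactly one of them, so Docker Hub secrets are exposed to the ECR job and an AWS role is assumed for the Docker Hub job. Conditioning on the target keeps each job to the credentials it needs: `if: startsWith(matrix.tag_uri, 'docker.io/')` on the Docker Hub login and `if: startsWith(matrix.tag_uri, 'public.ecr.aws/')` on "Configure AWS credentials" and "Log in to Amazon ECR Public". Here the `public.ecr.aws/` prefix must live in the matrix values (step outputs are not available there), so the hard-coding is expected, but the `id: login-ecr-public` is again unused in this hunk and can be dropped. The `publish-manifest` job and its `matrix:` block start before the hunk.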