Fix failure to start if cert not found (#221) #605
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
release: | |
types: [published] | |
jobs: | |
check-access: | |
runs-on: ubuntu-latest | |
outputs: | |
has-token-access: ${{ steps.check.outputs.has-token-access }} | |
steps: | |
- id: check | |
run: | | |
echo "has-token-access=$(if [[ '${{ github.event.pull_request.head.repo.fork }}' != 'true' && '${{ github.actor }}' != 'dependabot[bot]' ]]; then echo 'true'; else echo 'false'; fi)" >> $GITHUB_OUTPUT | |
dotnet-tests: | |
needs: check-access | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Run DotNet Tests | |
run: | | |
dotnet test --collect:"XPlat Code Coverage" | |
- name: Generate code coverage | |
run: | | |
dotnet tool install --global dotnet-reportgenerator-globaltool | |
reportgenerator \ | |
"-reports:test/coverage/projects/**/coverage.opencover.xml" \ | |
"-targetdir:coveragereport" \ | |
-reporttypes:lcov | |
- name: Upload code coverage | |
if: github.event_name == 'pull_request' && needs.check-access.outputs.has-token-access == 'true' | |
uses: ./.github/actions/coverage-report | |
with: | |
lcov-file: coveragereport/lcov.info | |
title: DotNet Code Coverage Report | |
rust-tests: | |
needs: check-access | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
env: | |
CARGO_TERM_COLOR: always | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: moonrepo/setup-rust@v1 | |
- name: Install cargo-llvm-cov | |
uses: taiki-e/install-action@cargo-llvm-cov | |
- name: Generate code coverage | |
run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info | |
- name: Upload code coverage | |
if: github.event_name == 'pull_request' && needs.check-access.outputs.has-token-access == 'true' | |
uses: ./.github/actions/coverage-report | |
with: | |
lcov-file: lcov.info | |
title: Rust Code Coverage Report | |
build-router-arm64: | |
needs: check-access | |
env: | |
REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-router${{ github.event_name == 'pull_request' && '-dev' || '' }} | |
runs-on: [self-hosted, arm64] | |
permissions: | |
contents: read | |
id-token: write | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Run the certs script | |
run: | | |
./certs.sh | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.REGISTRY_IMAGE }} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Configure AWS Credentials | |
if: needs.check-access.outputs.has-token-access == 'true' | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-session-name: lambda-dispatch-ghpublic-build | |
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole | |
aws-region: us-east-1 | |
- name: Login to ECR Public | |
if: needs.check-access.outputs.has-token-access == 'true' | |
id: login-ecr-public | |
uses: aws-actions/amazon-ecr-login@v2 | |
with: | |
registry-type: public | |
- name: Build Router | |
id: build | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
file: ./DockerfileRouter | |
build-args: BUILD_ARCH=linux-arm64 | |
platforms: linux/arm64 | |
outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=${{ needs.check-access.outputs.has-token-access == 'true' }},name-canonical=true,push=${{ needs.check-access.outputs.has-token-access == 'true' }} | |
- name: Export digest | |
run: | | |
mkdir -p /tmp/digests-router | |
rm /tmp/digests-router/* || true | |
digest="${{ steps.build.outputs.digest }}" | |
touch "/tmp/digests-router/${digest#sha256:}" | |
- name: Upload digest | |
if: needs.check-access.outputs.has-token-access == 'true' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: digests-router | |
path: /tmp/digests-router/* | |
if-no-files-found: error | |
retention-days: 1 | |
build-router: | |
needs: check-access | |
env: | |
REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-router${{ github.event_name == 'pull_request' && '-dev' || '' }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
id-token: write | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Run the certs script | |
run: | | |
./certs.sh | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.REGISTRY_IMAGE }} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Configure AWS Credentials | |
if: needs.check-access.outputs.has-token-access == 'true' | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-session-name: lambda-dispatch-ghpublic-build | |
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole | |
aws-region: us-east-1 | |
- name: Login to ECR Public | |
if: needs.check-access.outputs.has-token-access == 'true' | |
id: login-ecr-public | |
uses: aws-actions/amazon-ecr-login@v2 | |
with: | |
registry-type: public | |
- name: Build Router | |
id: build | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
file: ./DockerfileRouter | |
build-args: BUILD_ARCH=linux-x64 | |
platforms: linux/amd64 | |
outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=${{ needs.check-access.outputs.has-token-access == 'true' }},name-canonical=true,push=${{ needs.check-access.outputs.has-token-access == 'true' }} | |
- name: Export digest | |
run: | | |
mkdir -p /tmp/digests-router | |
rm /tmp/digests-router/* || true | |
digest="${{ steps.build.outputs.digest }}" | |
touch "/tmp/digests-router/${digest#sha256:}" | |
- name: Upload digest | |
if: needs.check-access.outputs.has-token-access == 'true' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: digests-router | |
path: /tmp/digests-router/* | |
if-no-files-found: error | |
retention-days: 1 | |
merge-router: | |
if: needs.check-access.outputs.has-token-access == 'true' | |
env: | |
REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-router${{ github.event_name == 'pull_request' && '-dev' || '' }} | |
runs-on: ubuntu-latest | |
needs: | |
- check-access | |
- build-router | |
- build-router-arm64 | |
permissions: | |
contents: read | |
id-token: write | |
steps: | |
- name: Clear digests | |
run: | | |
rm -rf /tmp/digests-router/* || true | |
- name: Download digests | |
uses: actions/download-artifact@v3 | |
with: | |
name: digests-router | |
path: /tmp/digests-router | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.REGISTRY_IMAGE }} | |
# type=sha | |
tags: | | |
enable=${{ github.event_name == 'release' }},type=raw,value=latest | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
labels: | | |
org.opencontainers.image.source=${{ github.event.repository.html_url }} | |
org.opencontainers.image.revision=${{ github.sha }} | |
- name: Set DOCKER_METADATA_OUTPUT_JSON environment variable | |
run: echo "DOCKER_METADATA_OUTPUT_JSON=$(echo '${{ toJson(steps.meta.outputs) }}' | tr '\n' ' ')" >> $GITHUB_ENV | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-session-name: lambda-dispatch-ghpublic-build | |
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole | |
aws-region: us-east-1 | |
- name: Login to ECR Public | |
id: login-ecr-public | |
uses: aws-actions/amazon-ecr-login@v2 | |
with: | |
registry-type: public | |
- name: Create manifest list and push | |
working-directory: /tmp/digests-router | |
run: | | |
docker buildx imagetools create $((jq -r '.json' | jq -cr '.tags | map("-t " + .) | join(" ")') <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
$(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) | |
- name: Inspect image | |
run: | | |
docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} | |
build-extension-arm64: | |
needs: check-access | |
env: | |
ARCH: aarch64 | |
REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-extension${{ github.event_name == 'pull_request' && '-dev' || '' }} | |
permissions: | |
contents: read | |
id-token: write | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Install gcc musl cross-compiler | |
uses: ./.github/actions/setup-gcc-musl-cross | |
with: | |
arch: ${{ env.ARCH }} | |
- uses: moonrepo/setup-rust@v1 | |
with: | |
targets: "${{ env.ARCH }}-unknown-linux-musl" | |
cache-target: release | |
- name: Build extension | |
env: | |
CC: ${{ env.ARCH }}-linux-musl-gcc | |
run: | | |
cargo build --release --target ${{ env.ARCH }}-unknown-linux-musl | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.REGISTRY_IMAGE }} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Configure AWS Credentials | |
if: needs.check-access.outputs.has-token-access == 'true' | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-session-name: lambda-dispatch-ghpublic-build | |
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole | |
aws-region: us-east-1 | |
- name: Login to ECR Public | |
if: needs.check-access.outputs.has-token-access == 'true' | |
id: login-ecr-public | |
uses: aws-actions/amazon-ecr-login@v2 | |
with: | |
registry-type: public | |
- name: Build Lambda | |
id: build | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
file: ./DockerfileExtensionCross | |
build-args: BUILD_ARCH=linux-arm64 | |
platforms: linux/arm64 | |
outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=${{ needs.check-access.outputs.has-token-access == 'true' }},name-canonical=true,push=${{ needs.check-access.outputs.has-token-access == 'true' }} | |
- name: Export digest | |
run: | | |
mkdir -p /tmp/digests | |
rm /tmp/digests/* || true | |
digest="${{ steps.build.outputs.digest }}" | |
touch "/tmp/digests/${digest#sha256:}" | |
- name: Upload digest | |
if: needs.check-access.outputs.has-token-access == 'true' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: digests-extension | |
path: /tmp/digests/* | |
if-no-files-found: error | |
retention-days: 1 | |
build-extension: | |
needs: check-access | |
env: | |
REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-extension${{ github.event_name == 'pull_request' && '-dev' || '' }} | |
ARCH: x86_64 | |
permissions: | |
contents: read | |
id-token: write | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Install gcc musl cross-compiler | |
uses: ./.github/actions/setup-gcc-musl-cross | |
with: | |
arch: ${{ env.ARCH }} | |
- uses: moonrepo/setup-rust@v1 | |
with: | |
targets: "${{ env.ARCH }}-unknown-linux-musl" | |
cache-target: release | |
- name: Build extension | |
env: | |
CC: ${{ env.ARCH }}-linux-musl-gcc | |
run: | | |
cargo build --release --target ${{ env.ARCH }}-unknown-linux-musl | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.REGISTRY_IMAGE }} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Configure AWS Credentials | |
if: needs.check-access.outputs.has-token-access == 'true' | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-session-name: lambda-dispatch-ghpublic-build | |
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole | |
aws-region: us-east-1 | |
- name: Login to ECR Public | |
if: needs.check-access.outputs.has-token-access == 'true' | |
id: login-ecr-public | |
uses: aws-actions/amazon-ecr-login@v2 | |
with: | |
registry-type: public | |
- name: Build | |
id: build | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
file: ./DockerfileExtensionCross | |
build-args: | | |
ARCH=x86_64 | |
TARGET_PLATFORM=linux/amd64 | |
platforms: linux/amd64 | |
outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=${{ needs.check-access.outputs.has-token-access == 'true' }},name-canonical=true,push=${{ needs.check-access.outputs.has-token-access == 'true' }} | |
- name: Export digest | |
run: | | |
mkdir -p /tmp/digests | |
rm /tmp/digests/* || true | |
digest="${{ steps.build.outputs.digest }}" | |
touch "/tmp/digests/${digest#sha256:}" | |
- name: Upload digest | |
if: needs.check-access.outputs.has-token-access == 'true' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: digests-extension | |
path: /tmp/digests/* | |
if-no-files-found: error | |
retention-days: 1 | |
merge-extension: | |
if: needs.check-access.outputs.has-token-access == 'true' | |
env: | |
REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-extension${{ github.event_name == 'pull_request' && '-dev' || '' }} | |
runs-on: ubuntu-latest | |
needs: | |
- check-access | |
- build-extension | |
- build-extension-arm64 | |
permissions: | |
contents: read | |
id-token: write | |
steps: | |
- name: Clear digests | |
run: | | |
rm -rf /tmp/digests/* || true | |
- name: Download digests | |
uses: actions/download-artifact@v3 | |
with: | |
name: digests-extension | |
path: /tmp/digests | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.REGISTRY_IMAGE }} | |
# type=sha | |
tags: | | |
enable=${{ github.event_name == 'release' }},type=raw,value=latest | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
labels: | | |
org.opencontainers.image.source=${{ github.event.repository.html_url }} | |
org.opencontainers.image.revision=${{ github.sha }} | |
- name: Set DOCKER_METADATA_OUTPUT_JSON environment variable | |
run: echo "DOCKER_METADATA_OUTPUT_JSON=$(echo '${{ toJson(steps.meta.outputs) }}' | tr '\n' ' ')" >> $GITHUB_ENV | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-session-name: lambda-dispatch-ghpublic-build | |
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole | |
aws-region: us-east-1 | |
- name: Login to ECR Public | |
id: login-ecr-public | |
uses: aws-actions/amazon-ecr-login@v2 | |
with: | |
registry-type: public | |
- name: Create manifest list and push | |
working-directory: /tmp/digests | |
run: | | |
docker buildx imagetools create $((jq -r '.json' | jq -cr '.tags | map("-t " + .) | join(" ")') <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
$(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) | |
- name: Inspect image | |
run: | | |
docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} | |
build-demoapp: | |
env: | |
REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-demo-app${{ github.event_name == 'pull_request' && '-dev' || '' }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
id-token: write | |
needs: | |
- check-access | |
- merge-extension | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.REGISTRY_IMAGE }} | |
tags: | | |
enable=${{ github.event_name == 'release' }},type=raw,value=latest | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
labels: | | |
org.opencontainers.image.source=${{ github.event.repository.html_url }} | |
org.opencontainers.image.revision=${{ github.sha }} | |
- name: Compute PR Suffix | |
id: prSuffix | |
run: | | |
if [ -n "${{ github.event.pull_request.number }}" ]; then | |
echo "imageTag=pr-${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT | |
echo "prSuffix=-pr-${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT | |
echo "prSuffixPackageVersion=-pr.${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT | |
echo "PR_SUFFIX=-pr-"${{ github.event.pull_request.number }} >> $GITHUB_ENV | |
else | |
TAG_OR_BRANCH=$(echo $GITHUB_REF | sed -e 's|refs/tags/v||' -e 's|refs/heads/||') | |
echo "imageTag=${TAG_OR_BRANCH}" >> $GITHUB_OUTPUT | |
echo "prSuffix=" >> $GITHUB_OUTPUT | |
echo "prSuffixPackageVersion=" >> $GITHUB_OUTPUT | |
echo "PR_SUFFIX=" >> $GITHUB_ENV | |
fi | |
- name: Swap in tagged image name in the Dockerfile | |
run: | | |
sed -i "s|FROM lambda-dispatch-extension|FROM public.ecr.aws/pwrdrvr/lambda-dispatch-extension${{ github.event_name == 'pull_request' && '-dev' || '' }}:${{ steps.prSuffix.outputs.imageTag }}|g" ./DockerfileLambdaDemoApp | |
- name: Configure AWS Credentials | |
if: needs.check-access.outputs.has-token-access == 'true' | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-session-name: lambda-dispatch-ghpublic-build | |
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole | |
aws-region: us-east-1 | |
- name: Login to ECR Public | |
if: needs.check-access.outputs.has-token-access == 'true' | |
id: login-ecr-public | |
uses: aws-actions/amazon-ecr-login@v2 | |
with: | |
registry-type: public | |
- name: Build and push | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
file: ./DockerfileLambdaDemoApp | |
platforms: linux/amd64,linux/arm64 | |
push: ${{ needs.check-access.outputs.has-token-access == 'true' }} | |
tags: ${{ steps.meta.outputs.tags }} |