Skip to content

Check access job for forks and dependabot #500

Check access job for forks and dependabot

Check access job for forks and dependabot #500

Workflow file for this run

name: Build
on:
push:
branches: [main]
pull_request:
branches: [main]
release:
types: [published]
jobs:
check-access:
runs-on: ubuntu-latest
outputs:
has-token-access: ${{ steps.check.outputs.has-token-access }}
steps:
- id: check
run: |
echo "has-token-access=$(if [[ '${{ github.event.pull_request.head.repo.fork }}' == 'false' && '${{ github.actor }}' != 'dependabot[bot]' ]]; then echo 'true'; else echo 'false'; fi)" >> $GITHUB_OUTPUT
dotnet-tests:
needs: check-access
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run DotNet Tests
run: |
dotnet test --collect:"XPlat Code Coverage"
- name: Generate code coverage
run: |
dotnet tool install --global dotnet-reportgenerator-globaltool
reportgenerator \
"-reports:test/coverage/projects/**/coverage.opencover.xml" \
"-targetdir:coveragereport" \
-reporttypes:lcov
- name: Upload code coverage
if: needs.check-access.outputs.has-token-access == 'true'
uses: ./.github/actions/coverage-report
with:
lcov-file: coveragereport/lcov.info
title: DotNet Code Coverage Report
rust-tests:
needs: check-access
runs-on: ubuntu-latest
env:
CARGO_TERM_COLOR: always
steps:
- uses: actions/checkout@v4
- uses: moonrepo/setup-rust@v1
- name: Install cargo-llvm-cov
uses: taiki-e/install-action@cargo-llvm-cov
- name: Generate code coverage
run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info
- name: Upload code coverage
if: needs.check-access.outputs.has-token-access == 'true'
uses: ./.github/actions/coverage-report
with:
lcov-file: lcov.info
title: Rust Code Coverage Report
build-router-arm64:
needs: check-access
env:
REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-router${{ github.event_name == 'pull_request' && '-dev' || '' }}
runs-on: [self-hosted, arm64]
permissions:
contents: read
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run the certs script
run: |
./certs.sh
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY_IMAGE }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Configure AWS Credentials
if: needs.check-access.outputs.has-token-access == 'true'
uses: aws-actions/configure-aws-credentials@v4
with:
role-session-name: lambda-dispatch-ghpublic-build
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
aws-region: us-east-1
- name: Login to ECR Public
if: needs.check-access.outputs.has-token-access == 'true'
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public
- name: Build Router
id: build
uses: docker/build-push-action@v5
with:
context: .
file: ./DockerfileRouter
build-args: BUILD_ARCH=linux-arm64
platforms: linux/arm64
outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=${{ needs.check-access.outputs.has-token-access == 'true' }},name-canonical=true,push=${{ needs.check-access.outputs.has-token-access == 'true' }}
- name: Export digest
run: |
mkdir -p /tmp/digests-router
rm /tmp/digests-router/* || true
digest="${{ steps.build.outputs.digest }}"
touch "/tmp/digests-router/${digest#sha256:}"
- name: Upload digest
if: needs.check-access.outputs.has-token-access == 'true'
uses: actions/upload-artifact@v3
with:
name: digests-router
path: /tmp/digests-router/*
if-no-files-found: error
retention-days: 1
build-router:
needs: check-access
env:
REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-router${{ github.event_name == 'pull_request' && '-dev' || '' }}
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run the certs script
run: |
./certs.sh
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY_IMAGE }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Configure AWS Credentials
if: needs.check-access.outputs.has-token-access == 'true'
uses: aws-actions/configure-aws-credentials@v4
with:
role-session-name: lambda-dispatch-ghpublic-build
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
aws-region: us-east-1
- name: Login to ECR Public
if: needs.check-access.outputs.has-token-access == 'true'
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public
- name: Build Router
id: build
uses: docker/build-push-action@v5
with:
context: .
file: ./DockerfileRouter
build-args: BUILD_ARCH=linux-x64
platforms: linux/amd64
outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=${{ needs.check-access.outputs.has-token-access == 'true' }},name-canonical=true,push=${{ needs.check-access.outputs.has-token-access == 'true' }}
- name: Export digest
run: |
mkdir -p /tmp/digests-router
rm /tmp/digests-router/* || true
digest="${{ steps.build.outputs.digest }}"
touch "/tmp/digests-router/${digest#sha256:}"
- name: Upload digest
if: needs.check-access.outputs.has-token-access == 'true'
uses: actions/upload-artifact@v3
with:
name: digests-router
path: /tmp/digests-router/*
if-no-files-found: error
retention-days: 1
merge-router:
if: needs.check-access.outputs.has-token-access == 'true'
env:
REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-router${{ github.event_name == 'pull_request' && '-dev' || '' }}
runs-on: ubuntu-latest
needs:
- check-access
- build-router
- build-router-arm64
permissions:
contents: read
id-token: write
steps:
- name: Clear digests
run: |
rm -rf /tmp/digests-router/* || true
- name: Download digests
uses: actions/download-artifact@v3
with:
name: digests-router
path: /tmp/digests-router
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY_IMAGE }}
# type=sha
tags: |
enable=${{ github.event_name == 'release' }},type=raw,value=latest
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
labels: |
org.opencontainers.image.source=${{ github.event.repository.html_url }}
org.opencontainers.image.revision=${{ github.sha }}
- name: Set DOCKER_METADATA_OUTPUT_JSON environment variable
run: echo "DOCKER_METADATA_OUTPUT_JSON=$(echo '${{ toJson(steps.meta.outputs) }}' | tr '\n' ' ')" >> $GITHUB_ENV
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-session-name: lambda-dispatch-ghpublic-build
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
aws-region: us-east-1
- name: Login to ECR Public
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public
- name: Create manifest list and push
working-directory: /tmp/digests-router
run: |
docker buildx imagetools create $((jq -r '.json' | jq -cr '.tags | map("-t " + .) | join(" ")') <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
build-extension-arm64:
needs: check-access
env:
ARCH: aarch64
REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-extension${{ github.event_name == 'pull_request' && '-dev' || '' }}
permissions:
contents: read
id-token: write
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install gcc musl cross-compiler
uses: ./.github/actions/setup-gcc-musl-cross
with:
arch: ${{ env.ARCH }}
- uses: moonrepo/setup-rust@v1
with:
targets: "${{ env.ARCH }}-unknown-linux-musl"
cache-target: release
- name: Build extension
env:
CC: ${{ env.ARCH }}-linux-musl-gcc
run: |
cargo build --release --target ${{ env.ARCH }}-unknown-linux-musl
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY_IMAGE }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Configure AWS Credentials
if: needs.check-access.outputs.has-token-access == 'true'
uses: aws-actions/configure-aws-credentials@v4
with:
role-session-name: lambda-dispatch-ghpublic-build
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
aws-region: us-east-1
- name: Login to ECR Public
if: needs.check-access.outputs.has-token-access == 'true'
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public
- name: Build Lambda
id: build
uses: docker/build-push-action@v5
with:
context: .
file: ./DockerfileExtensionCross
build-args: BUILD_ARCH=linux-arm64
platforms: linux/arm64
outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=${{ needs.check-access.outputs.has-token-access == 'true' }},name-canonical=true,push=${{ needs.check-access.outputs.has-token-access == 'true' }}
- name: Export digest
run: |
mkdir -p /tmp/digests
rm /tmp/digests/* || true
digest="${{ steps.build.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
- name: Upload digest
if: needs.check-access.outputs.has-token-access == 'true'
uses: actions/upload-artifact@v3
with:
name: digests-extension
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1
build-extension:
needs: check-access
env:
REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-extension${{ github.event_name == 'pull_request' && '-dev' || '' }}
ARCH: x86_64
permissions:
contents: read
id-token: write
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install gcc musl cross-compiler
uses: ./.github/actions/setup-gcc-musl-cross
with:
arch: ${{ env.ARCH }}
- uses: moonrepo/setup-rust@v1
with:
targets: "${{ env.ARCH }}-unknown-linux-musl"
cache-target: release
- name: Build extension
env:
CC: ${{ env.ARCH }}-linux-musl-gcc
run: |
cargo build --release --target ${{ env.ARCH }}-unknown-linux-musl
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY_IMAGE }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Configure AWS Credentials
if: needs.check-access.outputs.has-token-access == 'true'
uses: aws-actions/configure-aws-credentials@v4
with:
role-session-name: lambda-dispatch-ghpublic-build
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
aws-region: us-east-1
- name: Login to ECR Public
if: needs.check-access.outputs.has-token-access == 'true'
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public
- name: Build
id: build
uses: docker/build-push-action@v5
with:
context: .
file: ./DockerfileExtensionCross
build-args: |
ARCH=x86_64
TARGET_PLATFORM=linux/amd64
platforms: linux/amd64
outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=${{ needs.check-access.outputs.has-token-access == 'true' }},name-canonical=true,push=${{ needs.check-access.outputs.has-token-access == 'true' }}
- name: Export digest
run: |
mkdir -p /tmp/digests
rm /tmp/digests/* || true
digest="${{ steps.build.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
- name: Upload digest
if: needs.check-access.outputs.has-token-access == 'true'
uses: actions/upload-artifact@v3
with:
name: digests-extension
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1
merge-extension:
if: needs.check-access.outputs.has-token-access == 'true'
env:
REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-extension${{ github.event_name == 'pull_request' && '-dev' || '' }}
runs-on: ubuntu-latest
needs:
- check-access
- build-extension
- build-extension-arm64
permissions:
contents: read
id-token: write
steps:
- name: Clear digests
run: |
rm -rf /tmp/digests/* || true
- name: Download digests
uses: actions/download-artifact@v3
with:
name: digests-extension
path: /tmp/digests
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY_IMAGE }}
# type=sha
tags: |
enable=${{ github.event_name == 'release' }},type=raw,value=latest
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
labels: |
org.opencontainers.image.source=${{ github.event.repository.html_url }}
org.opencontainers.image.revision=${{ github.sha }}
- name: Set DOCKER_METADATA_OUTPUT_JSON environment variable
run: echo "DOCKER_METADATA_OUTPUT_JSON=$(echo '${{ toJson(steps.meta.outputs) }}' | tr '\n' ' ')" >> $GITHUB_ENV
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-session-name: lambda-dispatch-ghpublic-build
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
aws-region: us-east-1
- name: Login to ECR Public
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public
- name: Create manifest list and push
working-directory: /tmp/digests
run: |
docker buildx imagetools create $((jq -r '.json' | jq -cr '.tags | map("-t " + .) | join(" ")') <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
build-demoapp:
env:
REGISTRY_IMAGE: public.ecr.aws/pwrdrvr/lambda-dispatch-demo-app${{ github.event_name == 'pull_request' && '-dev' || '' }}
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
needs:
- check-access
- merge-extension
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY_IMAGE }}
tags: |
enable=${{ github.event_name == 'release' }},type=raw,value=latest
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
labels: |
org.opencontainers.image.source=${{ github.event.repository.html_url }}
org.opencontainers.image.revision=${{ github.sha }}
- name: Compute PR Suffix
id: prSuffix
run: |
if [ -n "${{ github.event.pull_request.number }}" ]; then
echo "imageTag=pr-${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
echo "prSuffix=-pr-${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
echo "prSuffixPackageVersion=-pr.${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
echo "PR_SUFFIX=-pr-"${{ github.event.pull_request.number }} >> $GITHUB_ENV
else
TAG_OR_BRANCH=$(echo $GITHUB_REF | sed -e 's|refs/tags/v||' -e 's|refs/heads/||')
echo "imageTag=${TAG_OR_BRANCH}" >> $GITHUB_OUTPUT
echo "prSuffix=" >> $GITHUB_OUTPUT
echo "prSuffixPackageVersion=" >> $GITHUB_OUTPUT
echo "PR_SUFFIX=" >> $GITHUB_ENV
fi
- name: Swap in tagged image name in the Dockerfile
run: |
sed -i "s|FROM lambda-dispatch-extension|FROM public.ecr.aws/pwrdrvr/lambda-dispatch-extension${{ github.event_name == 'pull_request' && '-dev' || '' }}:${{ steps.prSuffix.outputs.imageTag }}|g" ./DockerfileLambdaDemoApp
- name: Configure AWS Credentials
if: needs.check-access.outputs.has-token-access == 'true'
uses: aws-actions/configure-aws-credentials@v4
with:
role-session-name: lambda-dispatch-ghpublic-build
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/builder-writeRole
aws-region: us-east-1
- name: Login to ECR Public
if: needs.check-access.outputs.has-token-access == 'true'
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
file: ./DockerfileLambdaDemoApp
platforms: linux/amd64,linux/arm64
push: ${{ needs.check-access.outputs.has-token-access == 'true' }}
tags: ${{ steps.meta.outputs.tags }}