From 89bc80311b6abf0601cb57ebff57273a2c0529ac Mon Sep 17 00:00:00 2001
From: mikethms
Date: Mon, 19 Aug 2024 11:53:17 +0200
Subject: [PATCH] [sc-38541] zxcvbn to ECR

---
 .github/workflows/build.yml | 70 +++++++++++++++++++++----------------
 1 file changed, 40 insertions(+), 30 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e9f3be0..12be931 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,6 +4,12 @@ on:
 types: [ released ]
 push:
 branches: ['**']
+permissions:
+ id-token: write
+ contents: read
+env:
+ ECR_REPO_URL: ${{ secrets.AWS_RELEASE_ECR_REPO }}
+ DEV_ECR_REPO_URL: ${{ secrets.AWS_DEVELOPMENT_ECR_REPO }}
 jobs:
 build-zxcvbn-i18n-api-container:
 name: Build zxcvbn-i18n-api container
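Review bot: The `permissions` block is declared at workflow level, so `id-token: write` is granted to every job in the file rather than only to `build-zxcvbn-i18n-api-container`, the one job that assumes the ECR roles; if the workflow has other jobs (the rest of the file is outside the hunk), moving the block under that job keeps the OIDC grant scoped to where it is used. Declaring `permissions` at this level also sets every unlisted GITHUB_TOKEN scope to none for the whole workflow, which any other job that writes to the repository would notice. A short comment above the block, `# OIDC token for assuming the ECR roles in the build job; GITHUB_TOKEN is otherwise read-only`, would record why both entries are there.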
@@ -19,43 +25,47 @@ jobs:
 uses: ScientaNL/github-actions-env-toolkit@1.1.0
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
- - name: DockerHub Login
- uses: docker/login-action@v2
+ - name: Configure AWS Credentials for release
+ uses: aws-actions/configure-aws-credentials@v4
+ if: github.event_name == 'release'
 with:
- username: ${{ secrets.DOCKERHUB_PUBLIC_USERNAME }}
- password: ${{ secrets.DOCKERHUB_PUBLIC_TOKEN }}
+ aws-region: eu-central-1
+ role-to-assume: ${{ secrets.AWS_RELEASE_ECR_ROLE }}
+ role-session-name: "GithubActions-Release"
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ - name: Login to Amazon ECR Operations
+ id: login-ecr-ops
+ if: github.event_name == 'release'
+ uses: aws-actions/amazon-ecr-login@v2
+ with:
+ registries: ${{ secrets.AWS_OPERATIONS_ACCOUNT_ID }}
- - name: Cache Docker layers
- uses: actions/cache@v3
+ - name: Configure AWS Credentials for development
+ uses: aws-actions/configure-aws-credentials@v4
 with:
- path: /tmp/.buildx-cache
- key: ${{ runner.os }}-buildx-${{ github.sha }}
- restore-keys: |
- ${{ runner.os }}-buildx-
- - name: Build & push Docker image for branch
- if: github.event_name == 'push'
- uses: docker/build-push-action@v3
+ aws-region: eu-west-3
+ role-to-assume: ${{ secrets.AWS_DEVELOPMENT_ECR_ROLE }}
+ role-session-name: "GithubActions-DEV"
+
+ - name: Login to Amazon ECR Development
+ id: login-ecr-dev
+ uses: aws-actions/amazon-ecr-login@v2
 with:
- push: true
- tags: scienta/zxcvbn-i18n-api:branch-${{env.GITHUB_REF_NAME_SLUG}}
- cache-from: type=local,src=/tmp/.buildx-cache
- cache-to: type=local,dest=/tmp/.buildx-cache
- build-args: |
- - API_VERSION=${{env.GITHUB_REF_NAME_SLUG}}-${{env.GITHUB_SHA_SHORT}}
+ registries: ${{ secrets.AWS_DEVELOPMENT_ACCOUNT_ID }}
- - name: Build & push Docker image for release
- if: github.event_name == 'release'
- uses: docker/build-push-action@v3
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build & push Docker image
+ uses: docker/build-push-action@v6
 with:
 push: true
- tags: scienta/zxcvbn-i18n-api:${{env.GITHUB_REF_NAME_SLUG}}
- cache-from: type=local,src=/tmp/.buildx-cache
- cache-to: type=local,dest=/tmp/.buildx-cache
+ tags: |
+ ${{ env.DEV_ECR_REPO_URL }}/scienta/zxcvbn-i18n-api:${{ github.event_name == 'push' && 'branch-' || '' }}${{env.GITHUB_REF_NAME_SLUG}}
+ ${{ github.event_name == 'release' && format('{0}/scienta/zxcvbn-i18n-api:{1}', env.ECR_REPO_URL, env.GITHUB_REF_NAME_SLUG) || '' }}
 build-args: |
- - API_VERSION=${{env.GITHUB_REF_NAME_SLUG}}
+ - API_VERSION=${{ github.event_name == 'push' && format('{0}-{1}', env.GITHUB_REF_NAME_SLUG, env.GITHUB_SHA_SHORT) || env.GITHUB_REF_NAME_SLUG }}
+ cache-from: type=registry,ref=${{ env.DEV_ECR_REPO_URL }}/scienta/zxcvbn-i18n-api:cache
+ cache-to: image-manifest=true,oci-mediatypes=true,type=registry,mode=max,ref=${{ env.DEV_ECR_REPO_URL }}/scienta/zxcvbn-i18n-api:cache
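Review bot: The `Configure AWS Credentials for development` step replaces the AWS credentials that `Configure AWS Credentials for release` exported into the job environment, so release pushes to the operations registry only work because `Login to Amazon ECR Operations` runs in between and the Docker login it performs outlives those credentials; nothing in the hunk records that the order is load-bearing. A comment above the development configure step, `# Overwrites the release-role credentials above; keep this after "Login to Amazon ECR Operations", whose Docker login is what the release push relies on`, would stop a later reorder from silently breaking release builds. The `cache-from`/`cache-to` ref `.../scienta/zxcvbn-i18n-api:cache` is shared by every branch build on the `push: branches: ['**']` trigger and by release builds, so concurrent builds overwrite one another's `mode=max` cache; keying the ref on `env.GITHUB_REF_NAME_SLUG` would isolate them if the resulting tag growth in ECR is acceptable. On `push` events the second `tags` line evaluates to an empty string; docker/build-push-action appears to drop empty list entries, but a one-line comment saying the second tag is release-only would make the block read as intended.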