diff --git a/.github/workflows/docker-build.ecr.yml b/.github/workflows/docker-build.ecr.yml new file mode 100644 index 00000000..26d1b48f --- /dev/null +++ b/.github/workflows/docker-build.ecr.yml @@ -0,0 +1,82 @@ +name: Build & Push Container + +on: + push: + branches: + - 'main' + tags: + - '*' + merge_group: + pull_request_target: + types: [labeled, synchronize, reopened, ready_for_review, opened] + +env: + PUSH_FROM_PR: >- + ${{ github.event_name == 'pull_request_target' && + ( + contains(github.event.pull_request.labels.*.name, 'push-container') || + contains(github.event.pull_request.labels.*.name, 'deploy-pr-temp-env') + ) + }} + +jobs: + terraform: + name: "ECR" + runs-on: ubuntu-latest + if: github.repository == 'coderamp-labs/gitingest' + + permissions: + id-token: write + contents: read + pull-requests: write + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.CODERAMP_AWS_ECR_REGISTRY_PUSH_ROLE_ARN }} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: eu-west-1 + + - name: Set current timestamp + id: vars + run: | + echo "timestamp=$(date +%s)" >> $GITHUB_OUTPUT + echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + + - name: Docker Meta + id: meta + uses: docker/metadata-action@v5 + with: + images: | + ${{ secrets.ECR_REGISTRY_URL }} + flavor: | + latest=false + tags: | + type=ref,event=branch,branch=main,suffix=-${{ steps.vars.outputs.sha_short }}-${{ steps.vars.outputs.timestamp }} + type=ref,event=pr,suffix=-${{ steps.vars.outputs.sha_short }}-${{ steps.vars.outputs.timestamp }} + type=pep440,pattern={{raw}} + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build and push + uses: docker/build-push-action@v6 + with: + context: . + platforms: linux/amd64, linux/arm64 + push: ${{ github.event_name != 'pull_request_target' || env.PUSH_FROM_PR == 'true' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max diff --git a/.github/workflows/docker_image.yml b/.github/workflows/docker-build.ghcr.yml similarity index 90% rename from .github/workflows/docker_image.yml rename to .github/workflows/docker-build.ghcr.yml index 85c9a1f8..35c061b4 100644 --- a/.github/workflows/docker_image.yml +++ b/.github/workflows/docker-build.ghcr.yml @@ -17,9 +17,8 @@ concurrency: env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} - # Now allow pushing from PRs when either 'push-container' OR 'deploy-pr-temp-env' is present: PUSH_FROM_PR: >- - ${{ github.event_name == 'pull_request' && + ${{ github.event_name == 'pull_request_target' && ( contains(github.event.pull_request.labels.*.name, 'push-container') || contains(github.event.pull_request.labels.*.name, 'deploy-pr-temp-env') @@ -31,6 +30,7 @@ permissions: jobs: docker-build: + name: "GHCR" runs-on: ubuntu-latest permissions: contents: read @@ -84,14 +84,14 @@ jobs: with: context: . platforms: linux/amd64, linux/arm64 - push: ${{ github.event_name != 'pull_request' || env.PUSH_FROM_PR == 'true' }} + push: ${{ github.event_name != 'pull_request_target' || env.PUSH_FROM_PR == 'true' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - name: Generate artifact attestation - if: github.event_name != 'pull_request' || env.PUSH_FROM_PR == 'true' + if: github.event_name != 'pull_request_target' || env.PUSH_FROM_PR == 'true' uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 with: subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}