From e11ca7a44eff500a2ff0a14bbe9137fa2688a914 Mon Sep 17 00:00:00 2001
From: mickael
Date: Sun, 27 Jul 2025 04:14:35 +0200
Subject: [PATCH 1/3] ci: add ECR container build
---
 .github/workflows/docker-build.ecr.yml | 82 +++++++++++++++++++
 ...docker_image.yml => docker-build.ghcr.yml} | 8 +-
 2 files changed, 86 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/docker-build.ecr.yml
 rename .github/workflows/{docker_image.yml => docker-build.ghcr.yml} (90%)
diff --git a/.github/workflows/docker-build.ecr.yml b/.github/workflows/docker-build.ecr.yml
new file mode 100644
index 00000000..8cc9b052
--- /dev/null
+++ b/.github/workflows/docker-build.ecr.yml
@@ -0,0 +1,82 @@
+name: Build & Push Container
+
+on:
+ push:
+ branches:
+ - 'main'
+ tags:
+ - '*'
+ merge_group:
+ pull_request_target:
+ types: [labeled, synchronize, reopened, ready_for_review, opened]
+
+env:
+ PUSH_FROM_PR: >-
+ ${{ github.event_name == 'pull_request_target' &&
+ (
+ contains(github.event.pull_request.labels.*.name, 'push-container') ||
+ contains(github.event.pull_request.labels.*.name, 'deploy-pr-temp-env')
+ )
+ }}
+
+jobs:
+ terraform:
+ name: "ECR"
+ runs-on: ubuntu-latest
+ if: github.repository == 'coderamp-labs/gitingest'
+
+ permissions:
+ id-token: write
+ contents: read
+ pull-requests: write
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ vars.CODERAMP_AWS_ECR_REGISTRY_PUSH_ROLE_ARN }}
+ role-session-name: GitHub_to_AWS_via_FederatedOIDC
+ aws-region: eu-west-1
+
+ - name: Set current timestamp
+ id: vars
+ run: |
+ echo "timestamp=$(date +%s)" >> $GITHUB_OUTPUT
+ echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+
+ - name: Docker Meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ${{ vars.ECR_REGISTRY_URL }}
+ flavor: |
+ latest=false
+ tags: |
+ type=ref,event=branch,branch=main,suffix=-${{ steps.vars.outputs.sha_short }}-${{ steps.vars.outputs.timestamp }}
+ type=pep440,pattern={{raw}}
+ type=ref,event=pr
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build and push
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ platforms: linux/amd64, linux/arm64
+ push: ${{ github.event_name != 'pull_request_target' || env.PUSH_FROM_PR == 'true' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
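Review bot: The `pull_request_target` trigger lists `synchronize`, so once a maintainer applies `push-container` or `deploy-pr-temp-env` the label stays on the PR and every later push from the fork re-runs this job with the ECR push role assumed via OIDC and `push:` evaluating true — a one-time label silently becomes standing approval for whatever the contributor pushes next. Gate the push step with an `environment:` that has required reviewers, or have a companion workflow remove the label on `synchronize` so each new head needs re-approval. Separately, `actions/checkout@v4` is given no `ref:`; on `pull_request_target` that defaults to the base branch, so the `pr-N` tags produced by `type=ref,event=pr` would be built from `main` rather than the PR head — if PR images are meant to contain PR code, set `ref: ${{ github.event.pull_request.head.sha }}` explicitly and accept that an untrusted Dockerfile is then built on a runner holding the AWS role credentials. Finally, `pull-requests: write` is granted but no step in this job uses it; drop it from the `permissions:` block.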
diff --git a/.github/workflows/docker_image.yml b/.github/workflows/docker-build.ghcr.yml
similarity index 90%
rename from .github/workflows/docker_image.yml
rename to .github/workflows/docker-build.ghcr.yml
index 85c9a1f8..35c061b4 100644
--- a/.github/workflows/docker_image.yml
+++ b/.github/workflows/docker-build.ghcr.yml
@@ -17,9 +17,8 @@ concurrency:
 env:
 REGISTRY: ghcr.io
 IMAGE_NAME: ${{ github.repository }}
- # Now allow pushing from PRs when either 'push-container' OR 'deploy-pr-temp-env' is present:
 PUSH_FROM_PR: >-
- ${{ github.event_name == 'pull_request' &&
+ ${{ github.event_name == 'pull_request_target' &&
 (
 contains(github.event.pull_request.labels.*.name, 'push-container') ||
 contains(github.event.pull_request.labels.*.name, 'deploy-pr-temp-env')
@@ -31,6 +30,7 @@ permissions:
 
 jobs:
 docker-build:
+ name: "GHCR"
 runs-on: ubuntu-latest
 permissions:
 contents: read
@@ -84,14 +84,14 @@ jobs:
 with:
 context: .
 platforms: linux/amd64, linux/arm64
- push: ${{ github.event_name != 'pull_request' || env.PUSH_FROM_PR == 'true' }}
+ push: ${{ github.event_name != 'pull_request_target' || env.PUSH_FROM_PR == 'true' }}
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
 
 - name: Generate artifact attestation
- if: github.event_name != 'pull_request' || env.PUSH_FROM_PR == 'true'
+ if: github.event_name != 'pull_request_target' || env.PUSH_FROM_PR == 'true'
 uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
 with:
 subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
From e9d153d0fdb6113ade1c92da966d8be25bfc9f69 Mon Sep 17 00:00:00 2001
From: mickael
Date: Sun, 27 Jul 2025 04:16:06 +0200
Subject: [PATCH 2/3] use secrets
---
 .github/workflows/docker-build.ecr.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker-build.ecr.yml b/.github/workflows/docker-build.ecr.yml
index 8cc9b052..5603771b 100644
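Review bot: On the `push:` line (and the attestation `if:` below it), `github.event_name != 'pull_request_target'` evaluates to true for a plain `pull_request` event, so if this workflow's `on:` block still triggers on `pull_request` the label gate is bypassed and every same-repository PR build pushes to GHCR and signs provenance for it. The `on:` block lies outside these hunks and the diffstat's 4 insertions and 4 deletions are all accounted for here, so the trigger does not appear to have been switched in this patch; verify that, or make the condition event-agnostic on both lines, e.g. `push: ${{ !startsWith(github.event_name, 'pull_request') || env.PUSH_FROM_PR == 'true' }}`. The deleted comment was the only explanation of why two labels gate the push; restore it above `PUSH_FROM_PR` as `# On pull_request_target, push only once a maintainer has labelled the PR 'push-container' or 'deploy-pr-temp-env'`.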
--- a/.github/workflows/docker-build.ecr.yml
+++ b/.github/workflows/docker-build.ecr.yml
@@ -37,7 +37,7 @@ jobs:
 - name: configure aws credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- role-to-assume: ${{ vars.CODERAMP_AWS_ECR_REGISTRY_PUSH_ROLE_ARN }}
+ role-to-assume: ${{ secrets.CODERAMP_AWS_ECR_REGISTRY_PUSH_ROLE_ARN }}
 role-session-name: GitHub_to_AWS_via_FederatedOIDC
 aws-region: eu-west-1
 
@@ -56,7 +56,7 @@ jobs:
 uses: docker/metadata-action@v5
 with:
 images: |
- ${{ vars.ECR_REGISTRY_URL }}
+ ${{ secrets.ECR_REGISTRY_URL }}
 flavor: |
 latest=false
 tags: |
From f957391b0ae38cca16d9dca0601583ab63b166ea Mon Sep 17 00:00:00 2001
From: mickael
Date: Sun, 27 Jul 2025 04:17:45 +0200
Subject: [PATCH 3/3] fix pr tag
---
 .github/workflows/docker-build.ecr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-build.ecr.yml b/.github/workflows/docker-build.ecr.yml
index 5603771b..26d1b48f 100644
--- a/.github/workflows/docker-build.ecr.yml
+++ b/.github/workflows/docker-build.ecr.yml
@@ -61,8 +61,8 @@ jobs:
 latest=false
 tags: |
 type=ref,event=branch,branch=main,suffix=-${{ steps.vars.outputs.sha_short }}-${{ steps.vars.outputs.timestamp }}
+ type=ref,event=pr,suffix=-${{ steps.vars.outputs.sha_short }}-${{ steps.vars.outputs.timestamp }}
 type=pep440,pattern={{raw}}
- type=ref,event=pr
 
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
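Review bot: Moving `ECR_REGISTRY_URL` (and the role ARN in the hunk above) into `secrets` makes GitHub mask that string everywhere in the job log, and because it is the prefix of every tag emitted by `docker/metadata-action` the tag list and build summary become `***/…`, which hurts incident triage without adding protection — a registry hostname and an IAM role ARN are identifiers, not credentials, and what actually limits who can push is the role's OIDC trust policy (presumably a `sub` condition scoped to this repository). If the intent is only to keep the AWS account ID out of public logs that is a defensible trade-off, but record it next to the values, e.g. `# stored as secrets only so the account ID is masked in public logs; these are not credentials`; otherwise keep them as repository `vars` as in the first patch.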
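Review bot: The new `pr-N-<sha_short>-<timestamp>` tag uses `steps.vars.outputs.sha_short`, which is `git rev-parse --short HEAD` of whatever `actions/checkout` fetched; on a `pull_request_target` run the checkout in this file has no `ref:` and so defaults to the base branch, meaning the SHA in the PR tag identifies a `main` commit rather than the PR head, and two different PR heads produce tags that differ only by timestamp. If PR images are meant to carry the PR's code, derive the suffix from the event's own head, e.g. in the timestamp step `echo "sha_short=$(git rev-parse --short "${{ github.event.pull_request.head.sha || github.sha }}")" >> "$GITHUB_OUTPUT"` after checking that ref out, so the branch and PR tags both name what was actually built. The `tags:` block scalar and the Docker Meta step start before this hunk, and the timestamp step is outside it.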