Fix issue with ACR protect image step in publish phase (#3814) #3
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Create new official release | |
on: | |
# run when a release is published, | |
# which creates a new tag | |
push: | |
tags: | |
- v2* | |
jobs: | |
build-and-push: | |
runs-on: [self-hosted, 1ES.Pool=aso-1es-pool] | |
permissions: | |
contents: write # Required to write a release | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # required to access tags | |
submodules: "true" | |
- name: Force docker to SSD | |
run: sudo scripts/v2/linux-docker-use-ssd.sh --containerd true | |
- name: Build & run devcontainer image | |
# this always builds a new image from scratch rather than from the build-devcontainer-image workflow output | |
# so that we pick up the latest versions of everything | |
# NB: if you update this also update live-validation.yml, pre-release-tests.yaml and create-release-experimental.yml | |
id: devcontainer | |
run: | | |
docker build --tag devcontainer:latest .devcontainer | |
mkdir -p $HOME/.docker # in case it doesn't exist | |
container_id=$(docker create -w /workspace -v $GITHUB_WORKSPACE:/workspace -v /var/run/docker.sock:/var/run/docker.sock devcontainer:latest) | |
docker start "$container_id" | |
echo "container_id=$container_id" >> $GITHUB_ENV | |
- name: Build required release files | |
run: | | |
container_id=${{env.container_id}} | |
docker exec "$container_id" task make-release-artifacts | |
- name: Upload release assets | |
uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # this is v2.7.0, but pinned | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
tag: ${{ github.ref }} | |
file: "v2/out/release/*" | |
file_glob: true | |
- name: Docker login | |
run: | | |
container_id=${{env.container_id}} | |
docker exec -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e DOCKER_REGISTRY "$container_id" task docker-login | |
env: | |
DOCKER_REGISTRY: ${{ secrets.REGISTRY_LOGIN }} | |
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} | |
- name: Build, tag and push docker image | |
run: | | |
container_id=${{env.container_id}} | |
docker exec -e DOCKER_PUSH_TARGET "$container_id" task controller:docker-push-multiarch | |
env: | |
DOCKER_PUSH_TARGET: ${{ secrets.REGISTRY_PUBLIC }} | |
DOCKER_REGISTRY: ${{ secrets.REGISTRY_LOGIN }} | |
- name: Protect image | |
run: | | |
container_id=${{env.container_id}} | |
docker exec -e DOCKER_PUSH_TARGET -e DOCKER_REGISTRY -e AZURE_TENANT_ID -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e AZURE_SUBSCRIPTION_ID "$container_id" task controller:acr-protect-image | |
env: | |
DOCKER_PUSH_TARGET: ${{ secrets.REGISTRY_PUBLIC }} | |
DOCKER_REGISTRY: ${{ secrets.REGISTRY_LOGIN }} | |
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} | |
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |