-
Notifications
You must be signed in to change notification settings - Fork 33
143 lines (131 loc) · 5.15 KB
/
build-docker-images.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
---
name: "Build Docker Images"
on:
# GHA does not support "shared_inputs" or some other form of workflow_call and workflow_dispatch
# input consolidation; instead, we must duplicate the input definitions for each event
# FUTURE: Consolidate the input definitions whenever possible
workflow_call:
inputs:
branch:
description: "The branch on which the build is based."
type: string
required: true
versionTag:
description: "The string to be used for the container image tag."
type: string
required: true
awsRegion:
description: "Override the AWS Region destination for uploaded artifacts. Default to `us-east-1`."
default: us-east-1
type: string
required: true
workflow_dispatch:
inputs:
branch:
description: >-
branch: Override the branch on which the build is based.
Default to selected reference in the `Use workflow from` drop-down when empty.
required: false
versionTag:
description: >-
versionTag: the string to be used for the container image tag.
required: true
default: X.Y.Z
awsRegion:
description: >-
awsRegion: Override the AWS Region destination for uploaded artifacts.
Default to `us-east-1`.
default: us-east-1
type: choice
options:
- us-east-1
- us-west-2
required: true
permissions:
id-token: write # This is required for requesting the AWS IAM OIDC JWT
contents: read # This is required for actions/checkout
env:
AWS_REGION: ${{ inputs.awsRegion }}
defaults:
run:
shell: bash
jobs:
build-images:
strategy:
matrix:
image:
[
{
name: "bfd-mgmt-eft-sftp-outbound-transfer-lambda",
dockerfile: "ops/jenkins/bfd-build-eft-sftp-outbound-transfer-lambda/Dockerfile",
contextDir: "ops/terraform/services/eft/lambda_src/sftp_outbound_transfer",
platform: "linux/amd64",
},
{
name: "bfd-mgmt-pipeline-ccw-manifests-verifier-lambda",
dockerfile: "ops/terraform/services/pipeline/modules/bfd_pipeline_ccw_manifests_verifier/lambda_src/Dockerfile",
contextDir: "ops/terraform/services/pipeline/modules/bfd_pipeline_ccw_manifests_verifier/lambda_src",
platform: "linux/arm64",
},
]
runs-on: ubuntu-latest
steps:
- name: Validate Inputs
run: |
echo "Validating inputs to ensure they conform to expected formats..."
echo "${{ inputs.versionTag }}" | grep -P '^\d+\.\d+\.\d+$|^\d+\.\d+\.\d+-[a-zA-Z0-9-]+$'
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ inputs.branch || github.ref_name }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.GHA_AWS_IAM_ROLE_ARN }}
role-session-name: build-images
aws-region: ${{ inputs.awsRegion }}
- name: Login to ECR
uses: aws-actions/amazon-ecr-login@v2
- name: Login to Amazon ECR Public
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public
- name: Get ECR Registry Namespace
run: |
ECR_REPOSITORY_NAMESPACE="$(aws ecr describe-registry --region "$AWS_REGION" | jq -r '.registryId').dkr.ecr.${AWS_REGION}.amazonaws.com"
echo "::add-mask::$ECR_REPOSITORY_NAMESPACE"
echo ECR_REPOSITORY_NAMESPACE=$ECR_REPOSITORY_NAMESPACE >> $GITHUB_ENV
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Setup tags
id: setup_tags
run: |
# Naively, if version tag does not contain a "-" we assume the version is not a release
# and the "latest" tag should not be pushed.
image_tags=""
if [[ "${{ inputs.versionTag }}" == *"-"* ]]; then
image_tags="$IMAGE_VERSIONED_TAG"
else
image_tags="$IMAGE_VERSIONED_TAG,$IMAGE_LATEST_TAG"
fi
echo image_tags=$image_tags >> $GITHUB_OUTPUT
env:
IMAGE_VERSIONED_TAG: ${{ env.ECR_REPOSITORY_NAMESPACE }}/${{ matrix.image.name }}:${{ inputs.versionTag }}
IMAGE_LATEST_TAG: ${{ env.ECR_REPOSITORY_NAMESPACE }}/${{ matrix.image.name }}:latest
- name: Build and Push
uses: docker/build-push-action@v5
with:
file: ${{ matrix.image.dockerfile }}
context: ${{ matrix.image.contextDir }}
push: true
tags: ${{ steps.setup_tags.outputs.image_tags }}
# AWS Lambda does not support multi-platform images, something that is enabled by default
# by this Action via the "provenance" flag. Until AWS Lambda supports this feature
# properly, we must explicitly disable provenance and specify the platform directly.
# See https://github.com/docker/buildx/issues/1533
provenance: false
platforms: ${{ matrix.image.platform }}
env:
DOCKER_BUILDKIT: 1