ECR #2870
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Periodically refresh AWS ECR creds | |
name: ECR | |
on: | |
workflow_dispatch: {} | |
schedule: | |
- cron: "10 * * * *" # Hourly | |
jobs: | |
ecr: | |
runs-on: [ubuntu-22.04] | |
permissions: | |
id-token: write # Necessary to get aws creds via oidc token exchange | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: AWS us-east-1 credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
# Defined at https://github.com/holos-run/holos-infra/blob/main/terraform/projects/nonprod-holos/shared_services/aws/github_oidc/main.tf#L90-L106 | |
role-to-assume: arn:aws:iam::271053619184:role/gha-app-role | |
aws-region: us-east-1 | |
output-credentials: true | |
- name: Login to Amazon ECR Public | |
id: login-ecr-public | |
uses: aws-actions/amazon-ecr-login@v2 | |
with: | |
registry-type: public | |
- name: AWS us-east2 credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
# Defined at https://github.com/holos-run/holos-infra/blob/main/terraform/projects/nonprod-holos/shared_services/aws/github_oidc/main.tf#L90-L106 | |
role-to-assume: arn:aws:iam::271053619184:role/gha-app-role | |
aws-region: us-east-2 | |
output-credentials: true | |
- name: Login to Amazon ECR Private | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@v2 | |
- name: Get Secret Writer Token # GITHUB_TOKEN does not have sufficient permission. | |
# Refer to https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow | |
id: generate-token | |
uses: actions/create-github-app-token@v1 | |
with: | |
app-id: ${{ vars.APP_ID }} | |
private-key: ${{ secrets.APP_PRIVATE_KEY }} | |
- name: Docker Login | |
id: docker-login | |
env: | |
GH_TOKEN: ${{ steps.generate-token.outputs.token }} | |
run: | | |
# Log in to ecr and quay.io | |
echo -n ${{ steps.login-ecr.outputs.docker_password_271053619184_dkr_ecr_us_east_2_amazonaws_com }} | docker login --password-stdin --username ${{ steps.login-ecr.outputs.docker_username_271053619184_dkr_ecr_us_east_2_amazonaws_com }} ${{ steps.login-ecr.outputs.registry }} | |
echo -n ${{ steps.login-ecr-public.outputs.docker_password_public_ecr_aws }} | docker login --password-stdin --username ${{ steps.login-ecr-public.outputs.docker_username_public_ecr_aws }} ${{ steps.login-ecr-public.outputs.registry }} | |
echo -n '${{ secrets.QUAY_TOKEN }}' | docker login --password-stdin --username '${{ secrets.QUAY_USER }}' quay.io | |
base64 -w 0 ~/.docker/config.json | gh secret set DOCKER_CONFIG_BASE64 | |
echo -n ${{ steps.login-ecr.outputs.registry }} | gh variable set ECR_REGISTRY |