-
Notifications
You must be signed in to change notification settings - Fork 0
58 lines (55 loc) · 2.82 KB
/
ecr.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# Periodically refresh AWS ECR creds
name: ECR
on:
workflow_dispatch: {}
schedule:
- cron: "10 * * * *" # Hourly
jobs:
ecr:
runs-on: [ubuntu-22.04]
permissions:
id-token: write # Necessary to get aws creds via oidc token exchange
contents: read
steps:
- name: Checkout
uses: actions/checkout@v4
- name: AWS us-east-1 credentials
uses: aws-actions/configure-aws-credentials@v4
with:
# Defined at https://github.com/holos-run/holos-infra/blob/main/terraform/projects/nonprod-holos/shared_services/aws/github_oidc/main.tf#L90-L106
role-to-assume: arn:aws:iam::271053619184:role/gha-app-role
aws-region: us-east-1
output-credentials: true
- name: Login to Amazon ECR Public
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public
- name: AWS us-east2 credentials
uses: aws-actions/configure-aws-credentials@v4
with:
# Defined at https://github.com/holos-run/holos-infra/blob/main/terraform/projects/nonprod-holos/shared_services/aws/github_oidc/main.tf#L90-L106
role-to-assume: arn:aws:iam::271053619184:role/gha-app-role
aws-region: us-east-2
output-credentials: true
- name: Login to Amazon ECR Private
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
- name: Get Secret Writer Token # GITHUB_TOKEN does not have sufficient permission.
# Refer to https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow
id: generate-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Docker Login
id: docker-login
env:
GH_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
# Log in to ecr and quay.io
echo -n ${{ steps.login-ecr.outputs.docker_password_271053619184_dkr_ecr_us_east_2_amazonaws_com }} | docker login --password-stdin --username ${{ steps.login-ecr.outputs.docker_username_271053619184_dkr_ecr_us_east_2_amazonaws_com }} ${{ steps.login-ecr.outputs.registry }}
echo -n ${{ steps.login-ecr-public.outputs.docker_password_public_ecr_aws }} | docker login --password-stdin --username ${{ steps.login-ecr-public.outputs.docker_username_public_ecr_aws }} ${{ steps.login-ecr-public.outputs.registry }}
echo -n '${{ secrets.QUAY_TOKEN }}' | docker login --password-stdin --username '${{ secrets.QUAY_USER }}' quay.io
base64 -w 0 ~/.docker/config.json | gh secret set DOCKER_CONFIG_BASE64
echo -n ${{ steps.login-ecr.outputs.registry }} | gh variable set ECR_REGISTRY