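# Based on https://docs.github.com/en/actions/deployment/deploying-to-your-cloud-provider/deploying-to-amazon-elastic-container-service
#
# Reusable workflow (workflow_call): builds the Docker image for one package
# of the repository (or the "monorepo" target when `package` is empty), pushes
# it to Amazon ECR and optionally to GHCR, and exposes the ECR image reference
# as the `image-sha` output.
#
# Caller requirements (inferred from the steps below):
#   - `GITHUB_TOKEN` is used to push to ghcr.io, so the calling job needs
#     `packages: write` in its `permissions`.
#   - `vars.IAM_ROLE_TO_ASSUME` and `vars.SENTRY_AUTH_TOKEN_ARN` must be
#     defined as repository/organization variables.
name: aws ecr build template
on:
  workflow_call:
    inputs:
      package:
        # Package to build; empty selects the monorepo-level target.
        type: string
      runner:
        type: string
        default: ubuntu-latest
      target:
        # Docker build target; when empty, `next-app-<package>` is used.
        type: string
      publish_to_ghcr:
        type: boolean
        default: false
      ghcr_image_name:
        # GHCR tags are only produced when this is non-empty AND
        # publish_to_ghcr is true.
        type: string
        required: false
    outputs:
      image-sha:
        description: "Image SHA"
        value: ${{ jobs.build.outputs.image-sha }}
    secrets:
      # NOTE(review): long-lived access keys are used (optionally to assume
      # IAM_ROLE_TO_ASSUME). OIDC federation (`id-token: write` +
      # role-to-assume only) would avoid storing static keys; keeping the
      # interface as-is so existing callers keep working.
      AWS_ACCESS_KEY_ID:
        required: true
      AWS_SECRET_ACCESS_KEY:
        required: true
env:
  PACKAGE: ${{ inputs.package }}
  AWS_REGION: us-east-1 # set this to your preferred AWS region, e.g. us-west-1
  ECR_REPOSITORY_PREFIX: pubpub-v7 # set this to your Amazon ECR repository name
  TARGET: ${{ inputs.target }}
jobs:
  build:
    name: Build
    runs-on: ${{ inputs.runner }}
    outputs:
      image-sha: ${{ steps.label.outputs.label }}
    steps:
      # Actions are referenced by major tag; pinning each `uses:` to a full
      # commit SHA gives a stronger supply-chain guarantee.
      - name: Checkout
        uses: actions/checkout@v4
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.IAM_ROLE_TO_ASSUME }}
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # necessary in order to upload build source maps to sentry
      - name: Get sentry token
        id: sentry-token
        uses: aws-actions/aws-secretsmanager-get-secrets@v2
        with:
          secret-ids: |
            SENTRY_AUTH_TOKEN, ${{ vars.SENTRY_AUTH_TOKEN_ARN }}
      - name: setup docker buildx
        uses: docker/setup-buildx-action@v3
      - name: Create and use a new builder instance
        run: |
          docker buildx create --name cached-builder --use
      - name: Get image label
        id: label
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          # Workflow inputs are handed to the script as environment variables
          # instead of being interpolated with `${{ }}` into the shell text:
          # an input value can then never change the script's syntax, and an
          # empty ghcr_image_name is correctly treated as "not set".
          PUBLISH_TO_GHCR: ${{ inputs.publish_to_ghcr }}
          GHCR_IMAGE_NAME: ${{ inputs.ghcr_image_name }}
        run: |
          sha_short=$(git describe --always --abbrev=40 --dirty)
          if [[ -z "$PACKAGE" ]]
          then
            package_suffix=""
            echo "target=monorepo" >> "$GITHUB_OUTPUT"
          else
            package_suffix="-${PACKAGE}"
            echo "target=${TARGET:-next-app-${PACKAGE}}" >> "$GITHUB_OUTPUT"
          fi
          echo "label=$ECR_REGISTRY/$ECR_REPOSITORY_PREFIX$package_suffix:$sha_short" >> "$GITHUB_OUTPUT"
          # The boolean input renders as the string "true"/"false" in env.
          if [[ "$PUBLISH_TO_GHCR" == "true" && -n "$GHCR_IMAGE_NAME" ]]
          then
            TIMESTAMP=$(date +%Y%m%d-%H%M%S)
            echo "ghcr_latest_label=ghcr.io/pubpub/${GHCR_IMAGE_NAME}:latest" >> "$GITHUB_OUTPUT"
            echo "ghcr_sha_label=ghcr.io/pubpub/${GHCR_IMAGE_NAME}:$sha_short" >> "$GITHUB_OUTPUT"
            echo "ghcr_timestamp_label=ghcr.io/pubpub/${GHCR_IMAGE_NAME}:$TIMESTAMP" >> "$GITHUB_OUTPUT"
          fi
      - name: Check if SENTRY_AUTH_TOKEN is set
        # The token is read from the environment populated by the
        # "Get sentry token" step. Interpolating `${{ env.SENTRY_AUTH_TOKEN }}`
        # into the script would write the secret's value into the generated
        # shell file and let its characters be parsed as shell syntax.
        run: |
          if [[ -z "${SENTRY_AUTH_TOKEN:-}" ]]
          then
            echo "SENTRY_AUTH_TOKEN is not set"
            exit 1
          fi
      - name: Build, tag, and push image to Amazon ECR
        uses: docker/build-push-action@v6
        id: build-image
        env:
          # Only used by the (currently disabled) registry cache lines below.
          REGISTRY_REF: ${{steps.login-ecr.outputs.registry}}/${{env.ECR_REPOSITORY_PREFIX}}-${{env.PACKAGE}}:cache
          LABEL: ${{ steps.label.outputs.label }}
          TARGET: ${{ steps.label.outputs.target }}
          SENTRY_AUTH_TOKEN: ${{ env.SENTRY_AUTH_TOKEN }}
        with:
          context: .
          # cache-from: type=registry,ref=${{env.REGISTRY_REF}}
          # cache-to: type=registry,mode=max,image-manifest=true,oci-mediatypes=true,ref=${{env.REGISTRY_REF}}
          builder: cached-builder
          build-args: |
            PACKAGE=${{ inputs.package }}
            CI=true
          # Passed as a BuildKit secret so it is not baked into image layers.
          secrets: |
            SENTRY_AUTH_TOKEN=${{ env.SENTRY_AUTH_TOKEN }}
          target: ${{ steps.label.outputs.target }}
          # The ghcr_* outputs are empty unless GHCR publishing was requested;
          # the resulting blank lines are ignored by the action.
          tags: |
            ${{ steps.label.outputs.label }}
            ${{ steps.label.outputs.ghcr_latest_label }}
            ${{ steps.label.outputs.ghcr_sha_label }}
            ${{ steps.label.outputs.ghcr_timestamp_label }}
          platforms: linux/amd64
          push: true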