Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions .github/workflows/.test-bake.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,12 +16,14 @@ on:
paths:
- '.github/workflows/.test-bake.yml'
- '.github/workflows/bake.yml'
- '.github/workflows/setup-registry-identities.yml'
- '.github/workflows/verify.yml'
- 'test/**'
pull_request:
paths:
- '.github/workflows/.test-bake.yml'
- '.github/workflows/bake.yml'
- '.github/workflows/setup-registry-identities.yml'
- '.github/workflows/verify.yml'
- 'test/**'

Expand Down Expand Up @@ -79,6 +81,54 @@ jobs:
const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
core.info(JSON.stringify(builderOutputs, null, 2));

bake-ecr-public:
uses: ./.github/workflows/bake.yml
if: ${{ github.event_name != 'pull_request' }}
permissions:
contents: read
id-token: write
with:
context: test
output: image
push: true
sbom: true
set: |
*.args.VERSION={{meta.version}}
target: hello
registry-identities: |
- type: aws-ecr
aws-region: us-east-1
role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd
registry: public.ecr.aws
meta-images: |
public.ecr.aws/q3b5f1u4/test-docker-action
meta-tags: |
type=raw,value=bake-ecr-public-${{ github.run_id }}

bake-ecr-private:
uses: ./.github/workflows/bake.yml
if: ${{ github.event_name != 'pull_request' }}
permissions:
contents: read
id-token: write
with:
context: test
output: image
push: true
sbom: true
set: |
*.args.VERSION={{meta.version}}
target: hello
registry-identities: |
- type: aws-ecr
aws-region: us-east-1
role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd
registry: 175142243308.dkr.ecr.us-east-2.amazonaws.com
meta-images: |
175142243308.dkr.ecr.us-east-2.amazonaws.com/sandbox/test-docker-action
meta-tags: |
type=raw,value=bake-ecr-private-${{ github.run_id }}

bake-dockerhub:
uses: ./.github/workflows/bake.yml
permissions:
Expand Down
48 changes: 48 additions & 0 deletions .github/workflows/.test-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,12 +16,14 @@ on:
paths:
- '.github/workflows/.test-build.yml'
- '.github/workflows/build.yml'
- '.github/workflows/setup-registry-identities.yml'
- '.github/workflows/verify.yml'
- 'test/**'
pull_request:
paths:
- '.github/workflows/.test-build.yml'
- '.github/workflows/build.yml'
- '.github/workflows/setup-registry-identities.yml'
- '.github/workflows/verify.yml'
- 'test/**'

Expand Down Expand Up @@ -78,6 +80,52 @@ jobs:
const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
core.info(JSON.stringify(builderOutputs, null, 2));

build-ecr-public:
uses: ./.github/workflows/build.yml
if: ${{ github.event_name != 'pull_request' }}
permissions:
contents: read
id-token: write
with:
build-args: |
VERSION={{meta.version}}
file: test/hello.Dockerfile
output: image
push: true
sbom: true
registry-identities: |
- type: aws-ecr
aws-region: us-east-1
role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd
registry: public.ecr.aws
meta-images: |
public.ecr.aws/q3b5f1u4/test-docker-action
meta-tags: |
type=raw,value=build-ecr-public-${{ github.run_id }}

build-ecr-private:
uses: ./.github/workflows/build.yml
if: ${{ github.event_name != 'pull_request' }}
permissions:
contents: read
id-token: write
with:
build-args: |
VERSION={{meta.version}}
file: test/hello.Dockerfile
output: image
push: true
sbom: true
registry-identities: |
- type: aws-ecr
aws-region: us-east-1
role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd
registry: 175142243308.dkr.ecr.us-east-2.amazonaws.com
meta-images: |
175142243308.dkr.ecr.us-east-2.amazonaws.com/sandbox/test-docker-action
meta-tags: |
type=raw,value=build-ecr-private-${{ github.run_id }}

build-dockerhub:
uses: ./.github/workflows/build.yml
permissions:
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/.update-deps.yml
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,7 @@ jobs:
files: [
'.github/workflows/build.yml',
'.github/workflows/bake.yml',
'.github/workflows/setup-registry-identities.yml',
'.github/workflows/verify.yml'
],
sourceUrl: 'https://www.npmjs.com/package/@docker/github-builder-runtime',
Expand Down
89 changes: 86 additions & 3 deletions .github/workflows/bake.yml
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,10 @@ on:
type: string
description: "Variables to set in the Bake definition as list of key-value pair"
required: false
registry-identities:
type: string
description: "Keyless registry identity configuration as YAML objects"
required: false
# docker/metadata-action
set-meta-annotations:
type: boolean
Expand Down Expand Up @@ -179,6 +183,11 @@ env:
NPM_CONFIG_FETCH_RETRIES: "5"

jobs:
registry-identities:
uses: ./.github/workflows/setup-registry-identities.yml
with:
registry-identities: ${{ inputs.registry-identities }}

prepare:
runs-on: ubuntu-24.04
outputs:
Expand Down Expand Up @@ -571,7 +580,10 @@ jobs:
build:
runs-on: ${{ matrix.runner }}
needs:
- registry-identities
- prepare
env:
REGISTRY_AUTHS_PRESENT: ${{ secrets.registry-auths != '' }}
strategy:
fail-fast: ${{ inputs.fail-fast }}
matrix:
Expand Down Expand Up @@ -953,9 +965,43 @@ jobs:
core.info(JSON.stringify(bakeOverrides, null, 2));
core.setOutput('overrides', bakeOverrides.join(os.EOL));
});
-
name: Configure AWS credentials
if: ${{ needs.registry-identities.outputs.aws-ecr-enabled == 'true' }}
uses: aws-actions/configure-aws-credentials@99214aa6889fcddfa57764031d71add364327e59 # v6.1.3
with:
role-to-assume: ${{ needs.registry-identities.outputs.aws-ecr-role-to-assume }}
aws-region: ${{ needs.registry-identities.outputs.aws-ecr-region }}
-
name: Login to Amazon ECR
if: ${{ needs.registry-identities.outputs.aws-ecr-enabled == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: ${{ needs.registry-identities.outputs.aws-ecr-registry-auth }}
-
name: Authenticate to Google Cloud
id: gcp-wif-auth
if: ${{ needs.registry-identities.outputs.gcp-wif-enabled == 'true' }}
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
workload_identity_provider: ${{ needs.registry-identities.outputs.gcp-wif-workload-identity-provider }}
service_account: ${{ needs.registry-identities.outputs.gcp-wif-service-account }}
project_id: ${{ needs.registry-identities.outputs.gcp-wif-project-id }}
create_credentials_file: false
export_environment_variables: false
-
name: Login to Google Artifact Registry
if: ${{ needs.registry-identities.outputs.gcp-wif-enabled == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: |
- registry: ${{ needs.registry-identities.outputs.gcp-wif-registry }}
username: oauth2accesstoken
password: ${{ steps.gcp-wif-auth.outputs.access_token }}
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
if: ${{ inputs.push && inputs.output == 'image' && env.REGISTRY_AUTHS_PRESENT == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: ${{ secrets.registry-auths }}
Expand Down Expand Up @@ -987,7 +1033,7 @@ jobs:
core.setOutput('digest', imageDigest);
-
name: Login to registry for signing
if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' && env.REGISTRY_AUTHS_PRESENT == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: ${{ secrets.registry-auths }}
Expand Down Expand Up @@ -1114,8 +1160,11 @@ jobs:
output-type: ${{ inputs.output }}
signed: ${{ needs.prepare.outputs.sign }}
needs:
- registry-identities
- prepare
- build
env:
REGISTRY_AUTHS_PRESENT: ${{ secrets.registry-auths != '' }}
steps:
-
name: Install dependencies
Expand Down Expand Up @@ -1152,9 +1201,43 @@ jobs:
labels: ${{ inputs.meta-labels }}
annotations: ${{ inputs.meta-annotations }}
bake-target: ${{ inputs.meta-bake-target }}
-
name: Configure AWS credentials
if: ${{ inputs.push && inputs.output == 'image' && needs.registry-identities.outputs.aws-ecr-enabled == 'true' }}
uses: aws-actions/configure-aws-credentials@99214aa6889fcddfa57764031d71add364327e59 # v6.1.3
with:
role-to-assume: ${{ needs.registry-identities.outputs.aws-ecr-role-to-assume }}
aws-region: ${{ needs.registry-identities.outputs.aws-ecr-region }}
-
name: Login to Amazon ECR
if: ${{ inputs.push && inputs.output == 'image' && needs.registry-identities.outputs.aws-ecr-enabled == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: ${{ needs.registry-identities.outputs.aws-ecr-registry-auth }}
-
name: Authenticate to Google Cloud
id: gcp-wif-auth
if: ${{ inputs.push && inputs.output == 'image' && needs.registry-identities.outputs.gcp-wif-enabled == 'true' }}
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
token_format: access_token
workload_identity_provider: ${{ needs.registry-identities.outputs.gcp-wif-workload-identity-provider }}
service_account: ${{ needs.registry-identities.outputs.gcp-wif-service-account }}
project_id: ${{ needs.registry-identities.outputs.gcp-wif-project-id }}
create_credentials_file: false
export_environment_variables: false
-
name: Login to Google Artifact Registry
if: ${{ inputs.push && inputs.output == 'image' && needs.registry-identities.outputs.gcp-wif-enabled == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: |
- registry: ${{ needs.registry-identities.outputs.gcp-wif-registry }}
username: oauth2accesstoken
password: ${{ steps.gcp-wif-auth.outputs.access_token }}
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
if: ${{ inputs.push && inputs.output == 'image' && env.REGISTRY_AUTHS_PRESENT == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: ${{ secrets.registry-auths }}
Expand Down
Loading
Loading