sync-ecr #216
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copies all Pulumi Docker images for the supplied version from Docker Hub to | |
# AWS ECR Public Gallery. | |
name: Sync to ECR | |
on: | |
workflow_dispatch: | |
inputs: | |
pulumi_version: | |
description: The image tag to copy, fully specified, e.g. "3.18.1" | |
type: string | |
required: true | |
tag_latest: | |
description: Whether to also tag this version as "latest". | |
type: boolean | |
required: true | |
default: true | |
repository_dispatch: | |
types: | |
- sync-ecr | |
env: | |
DOCKER_USERNAME: pulumi | |
PULUMI_VERSION: ${{ github.event.inputs.pulumi_version || github.event.client_payload.ref }} | |
jobs: | |
sync-to-ecr: | |
name: Kitchen Sink images | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
image: ["pulumi", "pulumi-provider-build-environment"] | |
include: | |
# For the pulumi image add a the nonroot variant | |
- suffix: -nonroot | |
image: pulumi | |
steps: | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-region: us-east-2 | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
role-duration-seconds: 3600 | |
role-external-id: upload-pulumi-release | |
role-session-name: pulumi@githubActions | |
role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} | |
- name: Get Public ECR Authorization token | |
run: | | |
aws --region us-east-1 ecr-public get-authorization-token \ | |
--query 'authorizationData.authorizationToken' | \ | |
tr -d '"' | base64 --decode | cut -d: -f2 | \ | |
docker login -u AWS --password-stdin https://public.ecr.aws | |
# TODO: https://github.com/pulumi/pulumi-docker-containers/issues/297 | |
# - name: Tag ${{ env.PULUMI_VERSION }}-arm64 and push to AWS Public ECR | |
# run: | | |
# docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64 | |
# docker tag docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64 public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64 | |
# docker push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64 | |
- name: Tag ${{ env.PULUMI_VERSION }}-amd64 and push to AWS Public ECR | |
run: | | |
docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64 | |
docker tag docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64 public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64 | |
docker push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64 | |
- name: Push latest manifest | |
if: ${{ github.event.inputs.tag_latest || github.event_name == 'repository_dispatch' }} | |
run: | | |
# TODO: https://github.com/pulumi/pulumi-docker-containers/issues/297 | |
docker manifest create \ | |
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:latest${{ matrix.suffix }} \ | |
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64 | |
docker manifest push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:latest${{ matrix.suffix }} | |
define-debian-matrix: | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.define-debian-matrix.outputs.matrix }} | |
steps: | |
- uses: actions/checkout@master | |
- name: Define Matrix | |
id: define-debian-matrix | |
run: | | |
echo matrix=$(python ./.github/scripts/matrix/gen-sync-matrix.py) >> "$GITHUB_OUTPUT" | |
debian-images: | |
name: Debian SDK and base images | |
runs-on: ubuntu-latest | |
needs: define-debian-matrix | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJSON(needs.define-debian-matrix.outputs.matrix) }} | |
steps: | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-region: us-east-2 | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
role-duration-seconds: 3600 | |
role-external-id: upload-pulumi-release | |
role-session-name: pulumi@githubActions | |
role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} | |
- name: Get Public ECR Authorization token | |
run: | | |
aws --region us-east-1 ecr-public get-authorization-token \ | |
--query 'authorizationData.authorizationToken' | \ | |
tr -d '"' | base64 --decode | cut -d: -f2 | \ | |
docker login -u AWS --password-stdin https://public.ecr.aws | |
# NOTE: The process we use for the Kichen Sink image, which is | |
# single-platform, will not work here. Pulling a multi-arch manifest from | |
# Docker Hub, tagging, then pushing will only result in the image of the | |
# host's architecture (e.g. linux/amd64) getting pushed to the desintation repo. | |
# For more information, see: https://docs.docker.com/registry/spec/manifest-v2-2/ | |
# | |
# Prior to re-creating the manifests, we must pull, tag, and push the | |
# consituent images in the manifests because manifests cannot use source | |
# images from a different registry. | |
- name: Tag ${{ env.PULUMI_VERSION }}-debian-amd64 image and push to AWS Public ECR | |
run: | | |
docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-amd64 | |
docker tag docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-amd64 public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-amd64 | |
docker push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-amd64 | |
- name: Tag ${{ env.PULUMI_VERSION }}-debian-arm64 and push to AWS Public ECR | |
run: | | |
docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-arm64 | |
docker tag docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-arm64 public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-arm64 | |
docker push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-arm64 | |
- name: Push ${{ env.PULUMI_VERSION }}-debian manifest | |
run: | | |
docker manifest create \ | |
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian \ | |
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-amd64 \ | |
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-arm64 | |
docker manifest push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian | |
- name: Push ${{ env.PULUMI_VERSION }} manifest | |
run: | | |
docker manifest create \ | |
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }} \ | |
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-amd64 \ | |
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-arm64 | |
docker manifest push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }} | |
- name: Push latest manifest | |
if: ${{ github.event.inputs.tag_latest || github.event_name == 'repository_dispatch' }} | |
run: | | |
docker manifest create \ | |
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:latest \ | |
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-amd64 \ | |
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-arm64 | |
docker manifest push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:latest | |
define-ubi-matrix: | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.define-matrix.outputs.matrix }} | |
steps: | |
- uses: actions/checkout@master | |
- name: Define Matrix | |
id: define-matrix | |
run: | | |
echo matrix=$(python ./.github/scripts/matrix/gen-sync-matrix.py) >> "$GITHUB_OUTPUT" | |
# NOTE: If UBI images become multi platform, this job can be replaced by adding a similar step to "-debian" for "-ubi" the previous job. | |
ubi-images: | |
name: UBI SDK and base images | |
runs-on: ubuntu-latest | |
needs: define-ubi-matrix | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJSON(needs.define-ubi-matrix.outputs.matrix) }} | |
steps: | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-region: us-east-2 | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
role-duration-seconds: 3600 | |
role-external-id: upload-pulumi-release | |
role-session-name: pulumi@githubActions | |
role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} | |
- name: Get Public ECR Authorization token | |
run: | | |
aws --region us-east-1 ecr-public get-authorization-token \ | |
--query 'authorizationData.authorizationToken' | \ | |
tr -d '"' | base64 --decode | cut -d: -f2 | \ | |
docker login -u AWS --password-stdin https://public.ecr.aws | |
- name: Tag ${{ env.PULUMI_VERSION }}-ubi image and push to AWS Public ECR | |
run: | | |
docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-ubi | |
docker tag docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-ubi public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-ubi | |
docker push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-ubi |