Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions .github/workflows/.test-bake.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,12 +16,14 @@ on:
paths:
- '.github/workflows/.test-bake.yml'
- '.github/workflows/bake.yml'
- '.github/workflows/setup-registry-identities.yml'
- '.github/workflows/verify.yml'
- 'test/**'
pull_request:
paths:
- '.github/workflows/.test-bake.yml'
- '.github/workflows/bake.yml'
- '.github/workflows/setup-registry-identities.yml'
- '.github/workflows/verify.yml'
- 'test/**'

Expand Down Expand Up @@ -79,6 +81,54 @@ jobs:
const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
core.info(JSON.stringify(builderOutputs, null, 2));

bake-ecr-public:
uses: ./.github/workflows/bake.yml
if: ${{ github.event_name != 'pull_request' }}
permissions:
contents: read
id-token: write
with:
context: test
output: image
push: true
sbom: true
set: |
*.args.VERSION={{meta.version}}
target: hello
registry-identities: |
- type: aws-ecr
aws-region: us-east-1
role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd
registry: public.ecr.aws
meta-images: |
public.ecr.aws/q3b5f1u4/test-docker-action
meta-tags: |
type=raw,value=bake-ecr-public-${{ github.run_id }}

bake-ecr-private:
uses: ./.github/workflows/bake.yml
if: ${{ github.event_name != 'pull_request' }}
permissions:
contents: read
id-token: write
with:
context: test
output: image
push: true
sbom: true
set: |
*.args.VERSION={{meta.version}}
target: hello
registry-identities: |
- type: aws-ecr
aws-region: us-east-1
role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd
registry: 175142243308.dkr.ecr.us-east-2.amazonaws.com
meta-images: |
175142243308.dkr.ecr.us-east-2.amazonaws.com/sandbox/test-docker-action
meta-tags: |
type=raw,value=bake-ecr-private-${{ github.run_id }}

bake-dockerhub:
uses: ./.github/workflows/bake.yml
permissions:
Expand Down
48 changes: 48 additions & 0 deletions .github/workflows/.test-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,12 +16,14 @@ on:
paths:
- '.github/workflows/.test-build.yml'
- '.github/workflows/build.yml'
- '.github/workflows/setup-registry-identities.yml'
- '.github/workflows/verify.yml'
- 'test/**'
pull_request:
paths:
- '.github/workflows/.test-build.yml'
- '.github/workflows/build.yml'
- '.github/workflows/setup-registry-identities.yml'
- '.github/workflows/verify.yml'
- 'test/**'

Expand Down Expand Up @@ -78,6 +80,52 @@ jobs:
const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
core.info(JSON.stringify(builderOutputs, null, 2));

build-ecr-public:
uses: ./.github/workflows/build.yml
if: ${{ github.event_name != 'pull_request' }}
permissions:
contents: read
id-token: write
with:
build-args: |
VERSION={{meta.version}}
file: test/hello.Dockerfile
output: image
push: true
sbom: true
registry-identities: |
- type: aws-ecr
aws-region: us-east-1
role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd
registry: public.ecr.aws
meta-images: |
public.ecr.aws/q3b5f1u4/test-docker-action
meta-tags: |
type=raw,value=build-ecr-public-${{ github.run_id }}

build-ecr-private:
uses: ./.github/workflows/build.yml
if: ${{ github.event_name != 'pull_request' }}
permissions:
contents: read
id-token: write
with:
build-args: |
VERSION={{meta.version}}
file: test/hello.Dockerfile
output: image
push: true
sbom: true
registry-identities: |
- type: aws-ecr
aws-region: us-east-1
role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd
registry: 175142243308.dkr.ecr.us-east-2.amazonaws.com
meta-images: |
175142243308.dkr.ecr.us-east-2.amazonaws.com/sandbox/test-docker-action
meta-tags: |
type=raw,value=build-ecr-private-${{ github.run_id }}

build-dockerhub:
uses: ./.github/workflows/build.yml
permissions:
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/.update-deps.yml
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,7 @@ jobs:
files: [
'.github/workflows/build.yml',
'.github/workflows/bake.yml',
'.github/workflows/setup-registry-identities.yml',
'.github/workflows/verify.yml'
],
sourceUrl: 'https://www.npmjs.com/package/@docker/github-builder-runtime',
Expand Down
47 changes: 44 additions & 3 deletions .github/workflows/bake.yml
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,10 @@ on:
type: string
description: "Variables to set in the Bake definition as list of key-value pair"
required: false
registry-identities:
type: string
description: "Keyless registry identity configuration as YAML objects"
required: false
# docker/metadata-action
set-meta-annotations:
type: boolean
Expand Down Expand Up @@ -179,6 +183,11 @@ env:
NPM_CONFIG_FETCH_RETRIES: "5"

jobs:
registry-identities:
uses: ./.github/workflows/setup-registry-identities.yml
with:
registry-identities: ${{ inputs.registry-identities }}

prepare:
runs-on: ubuntu-24.04
outputs:
Expand Down Expand Up @@ -571,7 +580,10 @@ jobs:
build:
runs-on: ${{ matrix.runner }}
needs:
- registry-identities
- prepare
env:
REGISTRY_AUTHS_PRESENT: ${{ secrets.registry-auths != '' }}
strategy:
fail-fast: ${{ inputs.fail-fast }}
matrix:
Expand Down Expand Up @@ -953,9 +965,22 @@ jobs:
core.info(JSON.stringify(bakeOverrides, null, 2));
core.setOutput('overrides', bakeOverrides.join(os.EOL));
});
-
name: Configure AWS credentials
if: ${{ needs.registry-identities.outputs.aws-ecr-enabled == 'true' }}
uses: aws-actions/configure-aws-credentials@99214aa6889fcddfa57764031d71add364327e59 # v6.1.3
with:
role-to-assume: ${{ needs.registry-identities.outputs.aws-ecr-role-to-assume }}
aws-region: ${{ needs.registry-identities.outputs.aws-ecr-region }}
-
name: Login to Amazon ECR
if: ${{ needs.registry-identities.outputs.aws-ecr-enabled == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: ${{ needs.registry-identities.outputs.aws-ecr-registry-auth }}
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
if: ${{ inputs.push && inputs.output == 'image' && env.REGISTRY_AUTHS_PRESENT == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: ${{ secrets.registry-auths }}
Expand Down Expand Up @@ -987,7 +1012,7 @@ jobs:
core.setOutput('digest', imageDigest);
-
name: Login to registry for signing
if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' && env.REGISTRY_AUTHS_PRESENT == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: ${{ secrets.registry-auths }}
Expand Down Expand Up @@ -1114,8 +1139,11 @@ jobs:
output-type: ${{ inputs.output }}
signed: ${{ needs.prepare.outputs.sign }}
needs:
- registry-identities
- prepare
- build
env:
REGISTRY_AUTHS_PRESENT: ${{ secrets.registry-auths != '' }}
steps:
-
name: Install dependencies
Expand Down Expand Up @@ -1152,9 +1180,22 @@ jobs:
labels: ${{ inputs.meta-labels }}
annotations: ${{ inputs.meta-annotations }}
bake-target: ${{ inputs.meta-bake-target }}
-
name: Configure AWS credentials
if: ${{ inputs.push && inputs.output == 'image' && needs.registry-identities.outputs.aws-ecr-enabled == 'true' }}
uses: aws-actions/configure-aws-credentials@99214aa6889fcddfa57764031d71add364327e59 # v6.1.3
with:
role-to-assume: ${{ needs.registry-identities.outputs.aws-ecr-role-to-assume }}
aws-region: ${{ needs.registry-identities.outputs.aws-ecr-region }}
-
name: Login to Amazon ECR
if: ${{ inputs.push && inputs.output == 'image' && needs.registry-identities.outputs.aws-ecr-enabled == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: ${{ needs.registry-identities.outputs.aws-ecr-registry-auth }}
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
if: ${{ inputs.push && inputs.output == 'image' && env.REGISTRY_AUTHS_PRESENT == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: ${{ secrets.registry-auths }}
Expand Down
47 changes: 44 additions & 3 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,10 @@ on:
type: string
description: "Ulimit options (e.g., nofile=1024:1024)"
required: false
registry-identities:
type: string
description: "Keyless registry identity configuration as YAML objects"
required: false
# docker/metadata-action
set-meta-annotations:
type: boolean
Expand Down Expand Up @@ -182,6 +186,11 @@ env:
NPM_CONFIG_FETCH_RETRIES: "5"

jobs:
registry-identities:
uses: ./.github/workflows/setup-registry-identities.yml
with:
registry-identities: ${{ inputs.registry-identities }}

prepare:
runs-on: ubuntu-24.04
outputs:
Expand Down Expand Up @@ -463,7 +472,10 @@ jobs:
build:
runs-on: ${{ matrix.runner }}
needs:
- registry-identities
- prepare
env:
REGISTRY_AUTHS_PRESENT: ${{ secrets.registry-auths != '' }}
strategy:
fail-fast: ${{ inputs.fail-fast }}
matrix:
Expand Down Expand Up @@ -811,9 +823,22 @@ jobs:
// for a public repository, we set max provenance mode
core.setOutput('provenance', Build.resolveProvenanceAttrs(`mode=max,version=v1`));
}
-
name: Configure AWS credentials
if: ${{ needs.registry-identities.outputs.aws-ecr-enabled == 'true' }}
uses: aws-actions/configure-aws-credentials@99214aa6889fcddfa57764031d71add364327e59 # v6.1.3
with:
role-to-assume: ${{ needs.registry-identities.outputs.aws-ecr-role-to-assume }}
aws-region: ${{ needs.registry-identities.outputs.aws-ecr-region }}
-
name: Login to Amazon ECR
if: ${{ needs.registry-identities.outputs.aws-ecr-enabled == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: ${{ needs.registry-identities.outputs.aws-ecr-registry-auth }}
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
if: ${{ inputs.push && inputs.output == 'image' && env.REGISTRY_AUTHS_PRESENT == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: ${{ secrets.registry-auths }}
Expand Down Expand Up @@ -842,7 +867,7 @@ jobs:
GIT_AUTH_TOKEN: ${{ secrets.github-token || github.token }}
-
name: Login to registry for signing
if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' && env.REGISTRY_AUTHS_PRESENT == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: ${{ secrets.registry-auths }}
Expand Down Expand Up @@ -969,8 +994,11 @@ jobs:
output-type: ${{ inputs.output }}
signed: ${{ needs.prepare.outputs.sign }}
needs:
- registry-identities
- prepare
- build
env:
REGISTRY_AUTHS_PRESENT: ${{ secrets.registry-auths != '' }}
steps:
-
name: Install dependencies
Expand Down Expand Up @@ -1006,9 +1034,22 @@ jobs:
flavor: ${{ inputs.meta-flavor }}
labels: ${{ inputs.meta-labels }}
annotations: ${{ inputs.meta-annotations }}
-
name: Configure AWS credentials
if: ${{ inputs.push && inputs.output == 'image' && needs.registry-identities.outputs.aws-ecr-enabled == 'true' }}
uses: aws-actions/configure-aws-credentials@99214aa6889fcddfa57764031d71add364327e59 # v6.1.3
with:
role-to-assume: ${{ needs.registry-identities.outputs.aws-ecr-role-to-assume }}
aws-region: ${{ needs.registry-identities.outputs.aws-ecr-region }}
-
name: Login to Amazon ECR
if: ${{ inputs.push && inputs.output == 'image' && needs.registry-identities.outputs.aws-ecr-enabled == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: ${{ needs.registry-identities.outputs.aws-ecr-registry-auth }}
-
name: Login to registry
if: ${{ inputs.push && inputs.output == 'image' }}
if: ${{ inputs.push && inputs.output == 'image' && env.REGISTRY_AUTHS_PRESENT == 'true' }}
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry-auth: ${{ secrets.registry-auths }}
Expand Down
Loading
Loading