


chore: port wave CI to push to internal ECR SEC-1395 (#1039)
* chore: port wave CI to push to internal ECR SEC-1395 * chore: inline push action steps for public repo SEC-1395 * Update .github/workflows/build.yml Co-authored-by: Alberto Chiusole <[email protected]> * Update .github/workflows/build.yml Co-authored-by: Alberto Chiusole <[email protected]> * chore: align local image tags with internal/enterprise ECR push names SEC-1395 --------- Co-authored-by: Alberto Chiusole <[email protected]>
1 parent 58211ab commit 9df3340

2 files changed

Lines changed: 87 additions & 4 deletions


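--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -33,6 +33,7 @@ jobs:
         java_version: [21]
     permissions:
       contents: write
+      id-token: write
 
     steps:
       - name: Environment
@@ -80,11 +81,13 @@ jobs:
           sudo rm -rf /home/runner/work/wave/wave/build-workspace
 
       - name: Release
+        id: release
         if: "contains(github.event.head_commit.message, '[release]')"
         run: |
           bash publish.sh wave-api
           bash publish.sh wave-utils
           bash tag-and-push.sh
+          echo "version=v$(cat VERSION)" >> $GITHUB_OUTPUT
         env:
           GRADLE_OPTS: '-Dorg.gradle.daemon=false'
           AWS_ACCESS_KEY_ID: ${{secrets.TOWER_CI_AWS_ACCESS}}
@@ -97,6 +100,79 @@ jobs:
           QUAY_PAT: ${{ secrets.QUAY_PAT }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Login to legacy ECR
+        if: "contains(github.event.head_commit.message, '[release]')"
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # ratchet:docker/[email protected]
+        with:
+          registry: 195996028523.dkr.ecr.eu-west-1.amazonaws.com
+          username: ${{ secrets.TOWER_CI_AWS_ACCESS }}
+          password: ${{ secrets.TOWER_CI_AWS_SECRET }}
+        env:
+          AWS_REGION: eu-west-1
+
+      - name: Push images to legacy ECR
+        if: "contains(github.event.head_commit.message, '[release]')"
+        run: |
+          TAG="${{ steps.release.outputs.version }}"
+          docker push 195996028523.dkr.ecr.eu-west-1.amazonaws.com/wave/app:$TAG
+          docker push 195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/wave:$TAG
+
+      # Internal ECR push - inlined from seqeralabs/actions/push@a78e62713a7895bef99f404d736b72451dbdb917
+      # because seqeralabs/actions is private and Wave is a public repo. See SEC-1409.
+      - name: Configure AWS credentials for action role
+        if: "contains(github.event.head_commit.message, '[release]')"
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # ratchet:aws-actions/[email protected]
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::232933512461:role/gha-seqeralabs-action-role
+          role-session-name: GitHubActions-${{ github.run_id }}
+
+      - name: Configure AWS credentials for internal pusher
+        if: "contains(github.event.head_commit.message, '[release]')"
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # ratchet:aws-actions/[email protected]
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::232933512461:role/gha-generic-internal-pusher
+          role-session-name: ${{ github.event.repository.name }}
+          role-chaining: true
+
+      - name: Login to internal Amazon ECR
+        if: "contains(github.event.head_commit.message, '[release]')"
+        id: login-ecr-internal
+        uses: aws-actions/amazon-ecr-login@19d944daaa35f0fa1d3f7f8af1d3f2e5de25c5b7 # ratchet:aws-actions/[email protected]
+
+      - name: Push image to internal registry
+        if: "contains(github.event.head_commit.message, '[release]')"
+        shell: bash
+        run: |
+          LOCAL=server:${{ steps.release.outputs.version }}
+          REMOTE="${{ steps.login-ecr-internal.outputs.registry }}/internal/${{ github.repository }}/${LOCAL}"
+          docker tag "$LOCAL" "$REMOTE"
+          docker push "$REMOTE"
+
+      # Enterprise ECR push - inlined from seqeralabs/actions/push@a78e62713a7895bef99f404d736b72451dbdb917 with custom-role-arn
+      - name: Configure AWS credentials for platform pusher
+        if: "contains(github.event.head_commit.message, '[release]')"
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # ratchet:aws-actions/[email protected]
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::232933512461:role/platform-ecr-pusher
+          role-session-name: GitHubActions-${{ github.run_id }}
+
+      - name: Login to enterprise Amazon ECR
+        if: "contains(github.event.head_commit.message, '[release]')"
+        id: login-ecr-platform
+        uses: aws-actions/amazon-ecr-login@19d944daaa35f0fa1d3f7f8af1d3f2e5de25c5b7 # ratchet:aws-actions/[email protected]
+
+      - name: Push image to enterprise registry
+        if: "contains(github.event.head_commit.message, '[release]')"
+        shell: bash
+        run: |
+          LOCAL=wave/server:${{ steps.release.outputs.version }}
+          REMOTE="${{ steps.login-ecr-platform.outputs.registry }}/${LOCAL}"
+          docker tag "$LOCAL" "$REMOTE"
+          docker push "$REMOTE"
+
       - name: Publish tests report
         if: failure()
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2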
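Review bot: The three `role-to-assume` steps (`Configure AWS credentials for action role`, `… for internal pusher`, `… for platform pusher`) rely on the job-wide `id-token: write` added in the first hunk, so every step in this job that runs before them — the Gradle build and the third-party actions it pulls in — can also request an OIDC token and assume `gha-seqeralabs-action-role` or `platform-ecr-pusher`, unless the roles' trust policies pin a job or environment claim, which is not visible here; moving the login/push steps into their own job (or a reusable workflow) that alone holds `id-token: write` keeps the build out of those roles' blast radius. The push scripts also expand `${{ steps.release.outputs.version }}` straight into `run:` (`TAG="${{ … }}"` in `Push images to legacy ECR`, `LOCAL=server:${{ … }}` and `LOCAL=wave/server:${{ … }}` in the internal and enterprise pushes); the value is `v$(cat VERSION)`, i.e. repository content, so pass it via `env:` (`TAG: ${{ steps.release.outputs.version }}`) and reference `"$TAG"` in the script so the shell, not the expression expander, handles it. Long-lived `TOWER_CI_AWS_ACCESS`/`TOWER_CI_AWS_SECRET` keys remain for the legacy registry beside the new OIDC roles; if that account can trust the same OIDC provider, the `configure-aws-credentials` + `amazon-ecr-login` pattern used below would retire them. Finally, `tag-and-push.sh` (run by the `Release` step) pushes the git tag and publishes the release before any of these image pushes execute, so a failed ECR push leaves a tagged release with no image behind it; a comment on the `Release` step noting that ordering, or moving the tag/release after the pushes, would make the failure mode explicit.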

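--- a/tag-and-push.sh
+++ b/tag-and-push.sh
@@ -42,10 +42,17 @@ if [[ $RELEASE ]]; then
   # tag repo
   git tag $TAG $FORCE
   git push $REMOTE $TAG $FORCE
-  # build and push the container
-  ./gradlew jib
-  # build and push enterprise
-  ./gradlew -PjibRepo=195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/wave:$TAG jib
+
+  # Build images locally (jibDockerBuild loads to the local docker daemon).
+  # Push happens from the workflow so we can also push to the new internal/enterprise ECR repos.
+  echo "Building non-enterprise image $TAG"
+  ./gradlew jibDockerBuild
+  docker tag 195996028523.dkr.ecr.eu-west-1.amazonaws.com/wave/app:$TAG server:$TAG
+
+  echo "Building enterprise image $TAG"
+  ./gradlew -PjibRepo=195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/wave:$TAG jibDockerBuild
+  docker tag 195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/wave:$TAG wave/server:$TAG
+
   # check for "draft" release
   grep -Ei '.*-(A[0-9]+|B[0-9]+|RC[0-9]+)$' VERSION &>/dev/null && DRAFT='--draft' || DRAFT=''
   # publish release notes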
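Review bot: The new `docker tag 195996028523.dkr.ecr.eu-west-1.amazonaws.com/wave/app:$TAG server:$TAG` hard-codes the name that `./gradlew jibDockerBuild` is assumed to produce, but that name comes from the Gradle configuration, which this diff does not show; the enterprise build two lines below passes it explicitly with `-PjibRepo=…:$TAG`, so the non-enterprise build should do the same (`./gradlew -PjibRepo=195996028523.dkr.ecr.eu-west-1.amazonaws.com/wave/app:$TAG jibDockerBuild`), assuming `jibRepo` is what sets the Jib target image, so the built name and the retag cannot drift. Whether a failed `docker tag` aborts the script depends on a `set -e` at the top of the file, which is outside the hunk; without it the workflow would carry on to `docker push` an image that does not exist and fail one step later with a less obvious error. Quote `"$TAG"` in the new lines, as the workflow's push steps already do for `"$LOCAL"`/`"$REMOTE"`. Since the script now only builds and retags, the comment could say where the pushes went: `# NOTE: images are no longer pushed here; see the 'Push image*' steps in .github/workflows/build.yml.`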
