3333 java_version : [21]
3434 permissions :
3535 contents : write
36+ id-token : write
3637
3738 steps :
3839 - name : Environment
@@ -80,11 +81,13 @@ jobs:
8081 sudo rm -rf /home/runner/work/wave/wave/build-workspace
8182
8283 - name : Release
84+ id : release
8385 if : " contains(github.event.head_commit.message, '[release]')"
8486 run : |
8587 bash publish.sh wave-api
8688 bash publish.sh wave-utils
8789 bash tag-and-push.sh
90+ echo "version=v$(cat VERSION)" >> $GITHUB_OUTPUT
8891 env :
8992 GRADLE_OPTS : ' -Dorg.gradle.daemon=false'
9093 AWS_ACCESS_KEY_ID : ${{secrets.TOWER_CI_AWS_ACCESS}}
@@ -97,6 +100,79 @@ jobs:
97100 QUAY_PAT : ${{ secrets.QUAY_PAT }}
98101 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
99102
103+ - name : Login to legacy ECR
104+ if : " contains(github.event.head_commit.message, '[release]')"
105+ uses :
docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # ratchet:docker/[email protected] 106+ with :
107+ registry : 195996028523.dkr.ecr.eu-west-1.amazonaws.com
108+ username : ${{ secrets.TOWER_CI_AWS_ACCESS }}
109+ password : ${{ secrets.TOWER_CI_AWS_SECRET }}
110+ env :
111+ AWS_REGION : eu-west-1
112+
113+ - name : Push images to legacy ECR
114+ if : " contains(github.event.head_commit.message, '[release]')"
115+ run : |
116+ TAG="${{ steps.release.outputs.version }}"
117+ docker push 195996028523.dkr.ecr.eu-west-1.amazonaws.com/wave/app:$TAG
118+ docker push 195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/wave:$TAG
119+
120+ # Internal ECR push - inlined from seqeralabs/actions/push@a78e62713a7895bef99f404d736b72451dbdb917
121+ # because seqeralabs/actions is private and Wave is a public repo. See SEC-1409.
122+ - name : Configure AWS credentials for action role
123+ if : " contains(github.event.head_commit.message, '[release]')"
124+ uses :
aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # ratchet:aws-actions/[email protected] 125+ with :
126+ aws-region : eu-west-2
127+ role-to-assume : arn:aws:iam::232933512461:role/gha-seqeralabs-action-role
128+ role-session-name : GitHubActions-${{ github.run_id }}
129+
130+ - name : Configure AWS credentials for internal pusher
131+ if : " contains(github.event.head_commit.message, '[release]')"
132+ uses :
aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # ratchet:aws-actions/[email protected] 133+ with :
134+ aws-region : eu-west-2
135+ role-to-assume : arn:aws:iam::232933512461:role/gha-generic-internal-pusher
136+ role-session-name : ${{ github.event.repository.name }}
137+ role-chaining : true
138+
139+ - name : Login to internal Amazon ECR
140+ if : " contains(github.event.head_commit.message, '[release]')"
141+ id : login-ecr-internal
142+ uses :
aws-actions/amazon-ecr-login@19d944daaa35f0fa1d3f7f8af1d3f2e5de25c5b7 # ratchet:aws-actions/[email protected] 143+
144+ - name : Push image to internal registry
145+ if : " contains(github.event.head_commit.message, '[release]')"
146+ shell : bash
147+ run : |
148+ LOCAL=server:${{ steps.release.outputs.version }}
149+ REMOTE="${{ steps.login-ecr-internal.outputs.registry }}/internal/${{ github.repository }}/${LOCAL}"
150+ docker tag "$LOCAL" "$REMOTE"
151+ docker push "$REMOTE"
152+
153+ # Enterprise ECR push - inlined from seqeralabs/actions/push@a78e62713a7895bef99f404d736b72451dbdb917 with custom-role-arn
154+ - name : Configure AWS credentials for platform pusher
155+ if : " contains(github.event.head_commit.message, '[release]')"
156+ uses :
aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # ratchet:aws-actions/[email protected] 157+ with :
158+ aws-region : eu-west-2
159+ role-to-assume : arn:aws:iam::232933512461:role/platform-ecr-pusher
160+ role-session-name : GitHubActions-${{ github.run_id }}
161+
162+ - name : Login to enterprise Amazon ECR
163+ if : " contains(github.event.head_commit.message, '[release]')"
164+ id : login-ecr-platform
165+ uses :
aws-actions/amazon-ecr-login@19d944daaa35f0fa1d3f7f8af1d3f2e5de25c5b7 # ratchet:aws-actions/[email protected] 166+
167+ - name : Push image to enterprise registry
168+ if : " contains(github.event.head_commit.message, '[release]')"
169+ shell : bash
170+ run : |
171+ LOCAL=wave/server:${{ steps.release.outputs.version }}
172+ REMOTE="${{ steps.login-ecr-platform.outputs.registry }}/${LOCAL}"
173+ docker tag "$LOCAL" "$REMOTE"
174+ docker push "$REMOTE"
175+
100176 - name : Publish tests report
101177 if : failure()
102178 uses : actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
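Review bot: The new role-assumption and ECR push steps (legacy, internal and enterprise) are gated only by `contains(github.event.head_commit.message, '[release]')`, while `id-token: write` appears to be granted at job level, so any run of this job whose head commit carries that marker can request an OIDC token and assume `gha-seqeralabs-action-role`, `gha-generic-internal-pusher` and `platform-ecr-pusher`. The workflow triggers are outside this view, so whether non-release branches can reach these steps cannot be confirmed here; adding a ref condition such as `if: github.ref == 'refs/heads/<release-branch>' && contains(github.event.head_commit.message, '[release]')` (branch name is a placeholder) and checking that each role's trust policy pins the `sub` claim to that ref would close the gap. The three push scripts also expand `${{ steps.release.outputs.version }}` directly into the shell text; passing it through `env:` (`VERSION: ${{ steps.release.outputs.version }}`) and using `"$VERSION"` keeps the content of the VERSION file from being parsed as shell. The legacy ECR login still relies on the long-lived `TOWER_CI_AWS_ACCESS`/`TOWER_CI_AWS_SECRET` keys, so a comment stating when that path is to be retired in favour of the OIDC roles would help the next reviewer.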