Merge pull request #82 from VertaAI/ln/verta/CVE-2023-2253 #60
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and Push | |
on: | |
pull_request: | |
types: [opened, reopened, synchronize] | |
push: | |
branches: | |
- verta/main | |
- 'release/*' | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: write # Read is required for actions/checkout, write is required to comment on commits | |
statuses: write | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
env: | |
VERTA_ECR_REGISTRY: "493416687123.dkr.ecr.us-east-1.amazonaws.com" | |
jobs: | |
kaniko: | |
runs-on: ubuntu-latest | |
env: | |
ECR_REPOSITORY: "493416687123.dkr.ecr.us-east-1.amazonaws.com/external/kaniko-project/executor" | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
with: | |
# need previous commit to find PR head commit info | |
fetch-depth: 2 | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v2 | |
with: | |
role-to-assume: arn:aws:iam::493416687123:role/github-actions | |
aws-region: us-east-1 | |
- name: Login to Amazon ECR | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@v1 | |
- name: Get branch names | |
id: branch_names | |
uses: tj-actions/branch-names@v7 | |
- name: Get docker image tag | |
id: image_info | |
run: | | |
branch=$(echo ${{ steps.branch_names.outputs.current_branch }} | sed 's,/,_,g') | |
# PRs checkout a merge of PR head with target. Branches checkout current head of branch. | |
# When in a PR, use the PR head commit sha instead of the checkout commit sha. | |
pr_sha="${{ github.event.pull_request.head.sha }}" | |
sha=${pr_sha:-$GITHUB_SHA} | |
sha_details=$(TZ=UTC git show -s --format=%cd--%h --date='format-local:%Y-%m-%dT%H-%M-%S' --abbrev=7 $sha) | |
echo "sha=${sha}" >> $GITHUB_OUTPUT | |
echo "tag=${branch}-${sha_details}" >> $GITHUB_OUTPUT | |
- name: Update commit status with Docker image status | |
uses: ouzi-dev/commit-status-updater@v2 | |
with: | |
name: "Tag: ${{ steps.image_info.outputs.tag }}" | |
description: "Publishing..." | |
- name: Inspect image to see if it already exists | |
id: should_publish | |
run: | | |
TARGETS="" | |
docker manifest inspect $ECR_REPOSITORY:${{ steps.image_info.outputs.tag }} || TARGETS="kaniko" | |
echo "targets=${TARGETS}" >> $GITHUB_OUTPUT | |
- name: Build and push Docker image to ECR | |
uses: docker/build-push-action@v4 | |
if: "!(steps.should_publish.outputs.targets == '')" | |
env: | |
DOCKER_BUILDKIT: "1" | |
with: | |
# context: . | |
file: deploy/Dockerfile | |
push: true | |
# build-args: | | |
# VERSION=${{ steps.image_info.outputs.tag }} | |
tags: | | |
${{ env.ECR_REPOSITORY }}:${{ steps.image_info.outputs.tag }} | |
- name: Configure AWS credentials for us-west-2 | |
# external components should mirror every merge to verta/main | |
if: startsWith( github.ref, 'refs/heads/release/' ) || ( github.ref == 'refs/heads/verta/main' ) | |
uses: aws-actions/configure-aws-credentials@v2 | |
with: | |
role-to-assume: arn:aws:iam::493416687123:role/github-actions | |
aws-region: us-west-2 | |
- name: Login to Amazon ECR for us-west-2 | |
id: login-ecr-release | |
if: startsWith( github.ref, 'refs/heads/release/' ) || ( github.ref == 'refs/heads/verta/main' ) | |
uses: aws-actions/amazon-ecr-login@v1 | |
- name: Mirror Docker image to us-west-2 | |
id: mirror-release | |
if: startsWith( github.ref, 'refs/heads/release/' ) || ( github.ref == 'refs/heads/verta/main' ) | |
shell: bash | |
run: | | |
export TARGET_REPOSITORY=${ECR_REPOSITORY/us-east-1/us-west-2} | |
docker manifest inspect ${TARGET_REPOSITORY}:${{ steps.image_info.outputs.tag }} || \ | |
docker tag ${ECR_REPOSITORY}:${{ steps.image_info.outputs.tag }} ${TARGET_REPOSITORY}:${{ steps.image_info.outputs.tag }} && \ | |
docker push ${TARGET_REPOSITORY}:${{ steps.image_info.outputs.tag }} | |
- name: Create commit comment | |
uses: peter-evans/commit-comment@v2 | |
if: "!(steps.should_publish.outputs.targets == '')" | |
with: | |
body: "Docker Tag: ${{ steps.image_info.outputs.tag }}" | |
- name: Update commit status with Docker image status | |
uses: ouzi-dev/commit-status-updater@v2 | |
with: | |
name: "Tag: ${{ steps.image_info.outputs.tag }}" | |
url: "${{ github.server_url }}/${{ github.repository }}/commit/${{ steps.image_info.outputs.sha }}#comments" | |
status: success |