Skip to content

Merge pull request #82 from VertaAI/ln/verta/CVE-2023-2253 #60

Merge pull request #82 from VertaAI/ln/verta/CVE-2023-2253

Merge pull request #82 from VertaAI/ln/verta/CVE-2023-2253 #60

Workflow file for this run

name: Build and Push
on:
pull_request:
types: [opened, reopened, synchronize]
push:
branches:
- verta/main
- 'release/*'
permissions:
id-token: write # This is required for requesting the JWT
contents: write # Read is required for actions/checkout, write is required to comment on commits
statuses: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
VERTA_ECR_REGISTRY: "493416687123.dkr.ecr.us-east-1.amazonaws.com"
jobs:
kaniko:
runs-on: ubuntu-latest
env:
ECR_REPOSITORY: "493416687123.dkr.ecr.us-east-1.amazonaws.com/external/kaniko-project/executor"
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
# need previous commit to find PR head commit info
fetch-depth: 2
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::493416687123:role/github-actions
aws-region: us-east-1
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Get branch names
id: branch_names
uses: tj-actions/branch-names@v7
- name: Get docker image tag
id: image_info
run: |
branch=$(echo ${{ steps.branch_names.outputs.current_branch }} | sed 's,/,_,g')
# PRs checkout a merge of PR head with target. Branches checkout current head of branch.
# When in a PR, use the PR head commit sha instead of the checkout commit sha.
pr_sha="${{ github.event.pull_request.head.sha }}"
sha=${pr_sha:-$GITHUB_SHA}
sha_details=$(TZ=UTC git show -s --format=%cd--%h --date='format-local:%Y-%m-%dT%H-%M-%S' --abbrev=7 $sha)
echo "sha=${sha}" >> $GITHUB_OUTPUT
echo "tag=${branch}-${sha_details}" >> $GITHUB_OUTPUT
- name: Update commit status with Docker image status
uses: ouzi-dev/commit-status-updater@v2
with:
name: "Tag: ${{ steps.image_info.outputs.tag }}"
description: "Publishing..."
- name: Inspect image to see if it already exists
id: should_publish
run: |
TARGETS=""
docker manifest inspect $ECR_REPOSITORY:${{ steps.image_info.outputs.tag }} || TARGETS="kaniko"
echo "targets=${TARGETS}" >> $GITHUB_OUTPUT
- name: Build and push Docker image to ECR
uses: docker/build-push-action@v4
if: "!(steps.should_publish.outputs.targets == '')"
env:
DOCKER_BUILDKIT: "1"
with:
# context: .
file: deploy/Dockerfile
push: true
# build-args: |
# VERSION=${{ steps.image_info.outputs.tag }}
tags: |
${{ env.ECR_REPOSITORY }}:${{ steps.image_info.outputs.tag }}
- name: Configure AWS credentials for us-west-2
# external components should mirror every merge to verta/main
if: startsWith( github.ref, 'refs/heads/release/' ) || ( github.ref == 'refs/heads/verta/main' )
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::493416687123:role/github-actions
aws-region: us-west-2
- name: Login to Amazon ECR for us-west-2
id: login-ecr-release
if: startsWith( github.ref, 'refs/heads/release/' ) || ( github.ref == 'refs/heads/verta/main' )
uses: aws-actions/amazon-ecr-login@v1
- name: Mirror Docker image to us-west-2
id: mirror-release
if: startsWith( github.ref, 'refs/heads/release/' ) || ( github.ref == 'refs/heads/verta/main' )
shell: bash
run: |
export TARGET_REPOSITORY=${ECR_REPOSITORY/us-east-1/us-west-2}
docker manifest inspect ${TARGET_REPOSITORY}:${{ steps.image_info.outputs.tag }} || \
docker tag ${ECR_REPOSITORY}:${{ steps.image_info.outputs.tag }} ${TARGET_REPOSITORY}:${{ steps.image_info.outputs.tag }} && \
docker push ${TARGET_REPOSITORY}:${{ steps.image_info.outputs.tag }}
- name: Create commit comment
uses: peter-evans/commit-comment@v2
if: "!(steps.should_publish.outputs.targets == '')"
with:
body: "Docker Tag: ${{ steps.image_info.outputs.tag }}"
- name: Update commit status with Docker image status
uses: ouzi-dev/commit-status-updater@v2
with:
name: "Tag: ${{ steps.image_info.outputs.tag }}"
url: "${{ github.server_url }}/${{ github.repository }}/commit/${{ steps.image_info.outputs.sha }}#comments"
status: success