-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathbuild_and_push_docker_image.yml
More file actions
137 lines (123 loc) · 6.24 KB
/
build_and_push_docker_image.yml
File metadata and controls
137 lines (123 loc) · 6.24 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
name: Build and push docker image
on:
workflow_call:
secrets:
PUSH_IMAGE_ROLE:
required: true
inputs:
container_ecr:
type: string
description: "The name of the ECR repository to push the container image to."
required: true
container_image_tag:
type: string
description: "The tag to use for the container image."
required: true
docker_file:
type: string
description: "The Dockerfile to use for building the container image."
required: true
check_ecr_image_scan_results_script_tag:
type: string
description: "The tag to download check_ecr_image_scan_results.sh script."
required: false
default: "dev_container_build"
jobs:
build_image:
permissions:
id-token: write
runs-on: ${{ matrix.runner }}
strategy:
matrix:
include:
- arch: amd64
runner: ubuntu-22.04
- arch: arm64
runner: ubuntu-22.04-arm
steps:
- name: Checkout code
uses: actions/checkout@v5
with:
fetch-depth: 0
- name: Build container
run: |
docker build -f "${DOCKER_FILE}" -t ${{ matrix.arch }}-image .
env:
DOCKER_FILE: ${{ inputs.docker_file }}
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
id: connect-aws-deploy
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.PUSH_IMAGE_ROLE }}
role-session-name: dev-container-build-${{ matrix.arch }}
output-credentials: true
- name: Retrieve AWS Account ID
id: retrieve-deploy-account-id
run: |
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
- name: Login to Amazon ECR
run: |
aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
- name: Push ${{ matrix.arch }} image to Amazon ECR
env:
ECR_REPOSITORY: ${{ inputs.container_ecr }}
IMAGE_TAG: ${{ inputs.container_image_tag }}
ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
ARCH: ${{ matrix.arch }}
run: |
docker tag "${ARCH}-image" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-${ARCH}"
docker push "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-${ARCH}"
- name: Check dev container scan results
env:
REPOSITORY_NAME: ${{ inputs.container_ecr }}
IMAGE_TAG: ${{ inputs.container_image_tag }}-${{ matrix.arch }}
ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
SCRIPT_TAG: ${{ inputs.check_ecr_image_scan_results_script_tag }}
run: |
curl -L "https://raw.githubusercontent.com/NHSDigital/eps-common-workflows/refs/heads/${SCRIPT_TAG}/.github/scripts/check_ecr_image_scan_results.sh" -o /tmp/check_ecr_image_scan_results.sh
chmod +x /tmp/check_ecr_image_scan_results.sh
sleep 30
/tmp/check_ecr_image_scan_results.sh
create_multi_arch_manifest:
permissions:
id-token: write
runs-on: ubuntu-22.04
needs: [build_image]
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.PUSH_IMAGE_ROLE }}
role-session-name: multi-arch-manifest
output-credentials: true
- name: Retrieve AWS Account ID
id: retrieve-deploy-account-id
run: |
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
- name: Login to Amazon ECR
run: |
aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
- name: Create and push multi-architecture manifest for tag
env:
ECR_REPOSITORY: ${{ inputs.container_ecr }}
IMAGE_TAG: ${{ inputs.container_image_tag }}
ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
run: |
# Create manifest list combining both architectures
docker buildx imagetools create -t "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}" \
"${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64" \
"${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
- name: Verify multi-architecture manifest
env:
ECR_REPOSITORY: ${{ inputs.container_ecr }}
IMAGE_TAG: ${{ inputs.container_image_tag }}
ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
run: |
echo "=== Verifying multi-architecture manifest ==="
docker buildx imagetools inspect "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}"