-
Notifications
You must be signed in to change notification settings - Fork 0
121 lines (104 loc) · 3.61 KB
/
docker-build.yml
File metadata and controls
121 lines (104 loc) · 3.61 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
name: Docker Build
on:
workflow_call:
inputs:
dockerfile:
description: "Path to Dockerfile"
type: string
default: "Dockerfile"
build_context:
description: "Docker build context"
type: string
default: "."
aws_account_id:
description: "AWS account ID"
type: string
default: "553637109631"
aws_region:
description: "AWS region"
type: string
default: "eu-central-1"
outputs:
image_uri:
description: "Full image URI with tag"
value: ${{ jobs.build.outputs.image_uri }}
image_tag:
description: "Primary image tag (sha-*)"
value: ${{ jobs.build.outputs.image_tag }}
permissions:
id-token: write
contents: read
jobs:
build:
name: Docker Build
runs-on: ubuntu-latest
outputs:
image_uri: ${{ steps.push.outputs.image_uri }}
image_tag: ${{ steps.tags.outputs.primary_tag }}
steps:
- name: Set session name
run: echo "SESSION_NAME=$(echo "${GITHUB_ACTOR}-${GITHUB_SHA:0:8}-${GITHUB_RUN_ID}" | head -c 64)" >> "$GITHUB_ENV"
- uses: actions/checkout@v6
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v2
with:
app-id: ${{ secrets.PLATFORM_APP_ID }}
private-key: ${{ secrets.PLATFORM_APP_PRIVATE_KEY }}
owner: javaBin
- name: Checkout platform scripts
uses: actions/checkout@v6
with:
repository: javaBin/platform
token: ${{ steps.app-token.outputs.token }}
path: .platform
sparse-checkout: scripts
- name: Assume broker role via OIDC
uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-app-broker
aws-region: ${{ inputs.aws_region }}
role-session-name: ${{ env.SESSION_NAME }}
- name: Get deploy credentials from broker
id: broker
env:
PROJECT: javabin
run: sh .platform/scripts/invoke-ci-broker.sh deploy
- name: Login to ECR
id: ecr
uses: aws-actions/amazon-ecr-login@v2
- name: Determine image tags
id: tags
env:
TEAM: ${{ steps.broker.outputs.team }}
REPO_NAME: ${{ github.event.repository.name }}
REF_NAME: ${{ github.ref_name }}
REF: ${{ github.ref }}
REGISTRY: ${{ steps.ecr.outputs.registry }}
run: |
REPO="${REGISTRY}/${TEAM}-${REPO_NAME}"
SHA_TAG="sha-${GITHUB_SHA::8}"
echo "primary_tag=${SHA_TAG}" >> "$GITHUB_OUTPUT"
echo "repo=${REPO}" >> "$GITHUB_OUTPUT"
TAGS="${REPO}:${SHA_TAG}"
if [ "${REF_NAME}" = "main" ] || [ "${REF_NAME}" = "master" ]; then
DATE_TAG="main-$(date -u +%Y%m%d-%H%M)"
TAGS="${TAGS},${REPO}:${DATE_TAG},${REPO}:latest"
fi
if echo "${REF}" | grep -q '^refs/tags/v'; then
TAGS="${TAGS},${REPO}:${REF_NAME}"
fi
echo "tags=${TAGS}" >> "$GITHUB_OUTPUT"
- uses: docker/setup-buildx-action@v4
- name: Build and push
uses: docker/build-push-action@v7
with:
context: ${{ inputs.build_context }}
file: ${{ inputs.dockerfile }}
push: true
tags: ${{ steps.tags.outputs.tags }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Set output
id: push
run: echo "image_uri=${{ steps.tags.outputs.repo }}:${{ steps.tags.outputs.primary_tag }}" >> "$GITHUB_OUTPUT"