Upload Docker images to AWS ECR Nonprod Repositories (#1713)

2024-11-21 12:05:42 +01:00 · 2021-11-15 13:23:51 -05:00 · 2021-11-15 13:23:51 -05:00 · 27351762de
commit 27351762de
parent e3143271d7
2 changed files with 58 additions and 31 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -248,7 +248,9 @@ jobs:
        uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
        with:
          keyvault: "bitwarden-prod-kv"
-          secrets: "docker-password,
+          secrets: "aws-ecr-access-key-id,
+                    aws-ecr-secret-access-key,
+                    docker-password,
                    docker-username,
                    dct-delegate-2-repo-passphrase,
                    dct-delegate-2-key"
@ -278,7 +280,6 @@ jobs:
          DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }}
        run: |
          mkdir -p ~/.docker/trust/private
-
          echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key

      - name: Setup service name
@ -306,34 +307,12 @@ jobs:
        run: |
          if [ "${{ matrix.service_name }}" = "K8S-Proxy" ]; then
            docker build -f ${{ matrix.base_path }}/Nginx/Dockerfile-k8s \
-              -t ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} ${{ matrix.base_path }}/Nginx
+              -t ${{ steps.setup.outputs.service_name }} ${{ matrix.base_path }}/Nginx
          else
-            docker build -t ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} \
+            docker build -t ${{ steps.setup.outputs.service_name }} \
              ${{ matrix.base_path }}/${{ matrix.service_name }}
          fi

-      - name: Tag rc
-        if: github.ref == 'refs/heads/rc'
-        run: |
-          docker tag ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} \
-            ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:rc
-
-      - name: Tag hotfix
-        if: github.ref == 'refs/heads/hotfix'
-        run: |
-          docker tag ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} \
-            ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:hotfix
-
-      - name: Tag dev
-        if: github.ref == 'refs/heads/master'
-        run: |
-          docker tag ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} \
-            ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev
-
-      - name: List Docker images
-        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix'
-        run: docker images
-
      - name: Docker Trust setup
        if: |
          matrix.docker_repo == 'bitwarden'
@ -342,27 +321,74 @@ jobs:
          DCT_REPO_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }}
        run: |
          echo "DOCKER_CONTENT_TRUST=1" >> $GITHUB_ENV
-          echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$DCT_REPO_PASSPHRASE" >> $GITHUB_ENV
+          echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$DCT_REPO_PASSPHRASE" >> $GITHUB_ENV  

-      - name: Push rc images
+      - name: Tag and Push RC to Docker Hub
        if: github.ref == 'refs/heads/rc'
        run: |
+          docker tag ${{ steps.setup.outputs.service_name }} \
+            ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:rc
          docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:rc

-      - name: Push hotfix images
+      - name: Tag and Push Hotfix to Docker Hub
        if: github.ref == 'refs/heads/hotfix'
        run: |
+          docker tag ${{ steps.setup.outputs.service_name }} \
+            ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:hotfix
          docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:hotfix

-      - name: Push dev images
+      - name: Tag and Push Dev to Docker Hub
        if: github.ref == 'refs/heads/master'
        run: |
+          docker tag ${{ steps.setup.outputs.service_name }} \
+            ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev
          docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev

      - name: Log out of Docker
        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix'
        run: docker logout

+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@0d9a5be0dceea74e09396820e1e522ba4a110d2f  # v1
+        with:
+          aws-access-key-id: ${{ steps.retrieve-secrets.outputs.aws-ecr-access-key-id }}
+          aws-secret-access-key: ${{ steps.retrieve-secrets.outputs.aws-ecr-secret-access-key }}
+          aws-region: us-east-1
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@aaf69d68aa3fb14c1d5a6be9ac61fe15b48453a2  # v1
+
+      - name: Tag and Push RC to AWS ECR nonprod registry
+        if: github.ref == 'refs/heads/rc'
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          docker tag ${{ steps.setup.outputs.service_name }} \
+            $ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:rc-${IMAGE_TAG:(-8)}
+          docker push $ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:rc-${IMAGE_TAG:(-8)}
+
+      - name: Tag and Push Hotfix to AWS ECR nonprod registry
+        if: github.ref == 'refs/heads/hotfix'
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          docker tag ${{ steps.setup.outputs.service_name }} \
+            $ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:hotfix-${IMAGE_TAG:(-8)}
+          docker push $ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:hotfix-${IMAGE_TAG:(-8)}
+
+      - name: Tag and Push Dev to AWS ECR nonprod registry
+        if: github.ref == 'refs/heads/master'
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          docker tag ${{ steps.setup.outputs.service_name }} \
+            $ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:dev-${IMAGE_TAG:(-8)}
+          docker push $ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:dev-${IMAGE_TAG:(-8)}
+

  upload:
    name: Upload
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -117,7 +117,8 @@ jobs:
  release-docker:
    name: Build Docker images
    runs-on: ubuntu-20.04
-    needs: setup
+    needs:
+      - setup
    env:
      _RELEASE_VERSION: ${{ needs.setup.outputs.release_version }}
      _BRANCH_NAME: ${{ needs.setup.outputs.branch-name }}