docker/build-push-action
1
0
Fork 0
mirror of https://github.com/docker/build-push-action.git synced 2026-05-30 09:58:19 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
df9c7450bf8dd309a16d534672b97936bdc81874
build-push-action/.github/workflows/.e2e-run.yml
Michael Zampani df9c7450bf feat(e2e): replace AWS_ACCESS_KEY_ID secrets with OIDC role assumption 
Adds aws-role-to-assume input to .e2e-run.yml. Adds configure-aws-credentials
step (pinned SHA, with role-session-name) before the Login to Registry step,
conditioned on ECR registry detection. Updates e2e.yml to pass the OIDC role
ARN and remove AWS secrets from the matrix credential expressions.

Role: arn:aws:iam::175142243308:role/official_gha_cicd
Action: aws-actions/configure-aws-credentials@7474bc4690

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
2026-05-29 23:16:53 -07:00

162 lines
5.6 KiB
YAML
Raw Blame History

# reusable workflow
name: .e2e-run
permissions:
contents: read
on:
workflow_call:
inputs:
id:
required: false
type: string
type:
required: true
type: string
name:
required: true
type: string
registry:
required: false
type: string
slug:
required: false
type: string
aws-role-to-assume:
required: false
type: string
description: "IAM role ARN to assume via OIDC for ECR authentication. When set, configure-aws-credentials runs before registry login."
secrets:
registry_username:
required: false
registry_password:
required: false
env:
HARBOR_VERSION: v2.13.2
NEXUS_VERSION: 3.47.1
DISTRIBUTION_VERSION: 3.0.0
jobs:
run:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
strategy:
fail-fast: false
matrix:
include:
-
buildx_version: edge
buildkit_image: moby/buildkit:latest
-
buildx_version: latest
buildkit_image: moby/buildkit:buildx-stable-1
-
buildx_version: https://github.com/docker/buildx.git#master
buildkit_image: moby/buildkit:master
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
name: Set up env
if: inputs.type == 'local'
env:
ID: ${{ inputs.id }}
run: |
cat ./.github/e2e/${ID}/env >> $GITHUB_ENV
-
name: Set up BuildKit config
env:
TYPE: ${{ inputs.type }}
run: |
touch /tmp/buildkitd.toml
if [ "${TYPE}" = "local" ]; then
echo -e "[registry.\"${{ env.REGISTRY_FQDN }}\"]\nhttp = true\ninsecure = true" > /tmp/buildkitd.toml
fi
-
name: Set up Docker daemon
if: inputs.type == 'local'
run: |
if [ ! -e /etc/docker/daemon.json ]; then
echo '{}' | sudo tee /etc/docker/daemon.json >/dev/null
fi
DOCKERD_CONFIG=$(jq '.+{"insecure-registries":["http://${{ env.REGISTRY_FQDN }}"]}' /etc/docker/daemon.json)
sudo tee /etc/docker/daemon.json <<<"$DOCKERD_CONFIG" >/dev/null
cat /etc/docker/daemon.json
sudo service docker restart
-
name: Install ${{ inputs.name }}
if: inputs.type == 'local'
env:
ID: ${{ inputs.id }}
run: |
sudo -E bash ./.github/e2e/${ID}/install.sh
sudo chown $(id -u):$(id -g) -R ~/.docker
-
name: Docker meta
id: meta
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
with:
images: ${{ env.REGISTRY_SLUG || inputs.slug }}
tags: |
type=ref,event=branch,enable=${{ matrix.buildx_version == 'latest' && matrix.buildkit_image == 'moby/buildkit:buildx-stable-1' }}
type=ref,event=tag,enable=${{ matrix.buildx_version == 'latest' && matrix.buildkit_image == 'moby/buildkit:buildx-stable-1' }}
type=raw,gh-runid-${{ github.run_id }}
-
name: Set up QEMU
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
with:
version: ${{ matrix.buildx_version }}
buildkitd-config: /tmp/buildkitd.toml
buildkitd-flags: --debug --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host
driver-opts: |
image=${{ matrix.buildkit_image }}
network=host
-
name: Configure AWS credentials
if: inputs.aws-role-to-assume != '' && (contains(inputs.registry, '.ecr.') || inputs.registry == 'public.ecr.aws')
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
with:
role-to-assume: ${{ inputs.aws-role-to-assume }}
aws-region: us-east-1
role-session-name: gha-build-push-action-e2e-${{ github.run_id }}-${{ github.run_attempt }}
-
name: Login to Registry
if: github.event_name != 'pull_request' && (inputs.type == 'remote' || env.REGISTRY_USER != '')
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ${{ env.REGISTRY_FQDN || inputs.registry }}
username: ${{ env.REGISTRY_USER || secrets.registry_username }}
password: ${{ env.REGISTRY_PASSWORD || secrets.registry_password }}
-
name: Build and push
uses: ./
with:
context: ./test
file: ./test/multi.Dockerfile
platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=registry,ref=${{ env.REGISTRY_SLUG || inputs.slug }}:master
cache-to: type=inline
-
name: Inspect image
env:
SLUG: ${{ env.REGISTRY_SLUG || inputs.slug }}
run: |
docker pull ${SLUG}:${{ steps.meta.outputs.version }}
docker image inspect ${SLUG}:${{ steps.meta.outputs.version }}
-
name: Check manifest
env:
SLUG: ${{ env.REGISTRY_SLUG || inputs.slug }}
run: |
docker buildx imagetools inspect ${SLUG}:${{ steps.meta.outputs.version }} --format '{{json .}}'
Reference in New Issue View Git Blame Copy Permalink