Skip to content

sync-ecr

sync-ecr #219

Workflow file for this run

# Copies all Pulumi Docker images for the supplied version from Docker Hub to
# AWS ECR Public Gallery.
name: Sync to ECR
on:
workflow_dispatch:
inputs:
pulumi_version:
description: The image tag to copy, fully specified, e.g. "3.18.1"
type: string
required: true
tag_latest:
description: Whether to also tag this version as "latest".
type: boolean
required: true
default: true
repository_dispatch:
types:
- sync-ecr
env:
DOCKER_USERNAME: pulumi
PULUMI_VERSION: ${{ github.event.inputs.pulumi_version || github.event.client_payload.ref }}
jobs:
sync-to-ecr:
name: Kitchen Sink images
runs-on: ubuntu-latest
strategy:
matrix:
image: ["pulumi", "pulumi-provider-build-environment"]
include:
# For the pulumi image add a the nonroot variant
- suffix: -nonroot
image: pulumi
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-region: us-east-2
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-duration-seconds: 3600
role-external-id: upload-pulumi-release
role-session-name: pulumi@githubActions
role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
- name: Get Public ECR Authorization token
run: |
aws --region us-east-1 ecr-public get-authorization-token \
--query 'authorizationData.authorizationToken' | \
tr -d '"' | base64 --decode | cut -d: -f2 | \
docker login -u AWS --password-stdin https://public.ecr.aws
# TODO: https://github.com/pulumi/pulumi-docker-containers/issues/297
# - name: Tag ${{ env.PULUMI_VERSION }}-arm64 and push to AWS Public ECR
# run: |
# docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
# docker tag docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64 public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
# docker push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
- name: Tag ${{ env.PULUMI_VERSION }}-amd64 and push to AWS Public ECR
run: |
docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64
docker tag docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64 public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64
docker push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64
- name: Push latest manifest
if: ${{ github.event.inputs.tag_latest || github.event_name == 'repository_dispatch' }}
run: |
# TODO: https://github.com/pulumi/pulumi-docker-containers/issues/297
docker manifest create \
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:latest${{ matrix.suffix }} \
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64
docker manifest push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:latest${{ matrix.suffix }}
define-debian-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.define-debian-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@master
- name: Define Matrix
id: define-debian-matrix
run: |
echo matrix=$(python ./.github/scripts/matrix/gen-sync-matrix.py) >> "$GITHUB_OUTPUT"
debian-images:
name: Debian SDK and base images
runs-on: ubuntu-latest
needs: define-debian-matrix
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.define-debian-matrix.outputs.matrix) }}
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-region: us-east-2
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-duration-seconds: 3600
role-external-id: upload-pulumi-release
role-session-name: pulumi@githubActions
role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
- name: Get Public ECR Authorization token
run: |
aws --region us-east-1 ecr-public get-authorization-token \
--query 'authorizationData.authorizationToken' | \
tr -d '"' | base64 --decode | cut -d: -f2 | \
docker login -u AWS --password-stdin https://public.ecr.aws
# NOTE: The process we use for the Kichen Sink image, which is
# single-platform, will not work here. Pulling a multi-arch manifest from
# Docker Hub, tagging, then pushing will only result in the image of the
# host's architecture (e.g. linux/amd64) getting pushed to the desintation repo.
# For more information, see: https://docs.docker.com/registry/spec/manifest-v2-2/
#
# Prior to re-creating the manifests, we must pull, tag, and push the
# consituent images in the manifests because manifests cannot use source
# images from a different registry.
- name: Tag ${{ env.PULUMI_VERSION }}-debian-amd64 image and push to AWS Public ECR
run: |
docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-amd64
docker tag docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-amd64 public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-amd64
docker push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-amd64
- name: Tag ${{ env.PULUMI_VERSION }}-debian-arm64 and push to AWS Public ECR
run: |
docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-arm64
docker tag docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-arm64 public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-arm64
docker push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-arm64
- name: Push ${{ env.PULUMI_VERSION }}-debian manifest
run: |
docker manifest create \
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian \
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-amd64 \
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-arm64
docker manifest push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian
- name: Push ${{ env.PULUMI_VERSION }} manifest
run: |
docker manifest create \
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }} \
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-amd64 \
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-arm64
docker manifest push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}
- name: Push latest manifest
if: ${{ github.event.inputs.tag_latest || github.event_name == 'repository_dispatch' }}
run: |
docker manifest create \
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:latest \
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-amd64 \
public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-debian-arm64
docker manifest push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:latest
define-ubi-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.define-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@master
- name: Define Matrix
id: define-matrix
run: |
echo matrix=$(python ./.github/scripts/matrix/gen-sync-matrix.py) >> "$GITHUB_OUTPUT"
# NOTE: If UBI images become multi platform, this job can be replaced by adding a similar step to "-debian" for "-ubi" the previous job.
ubi-images:
name: UBI SDK and base images
runs-on: ubuntu-latest
needs: define-ubi-matrix
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.define-ubi-matrix.outputs.matrix) }}
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-region: us-east-2
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-duration-seconds: 3600
role-external-id: upload-pulumi-release
role-session-name: pulumi@githubActions
role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
- name: Get Public ECR Authorization token
run: |
aws --region us-east-1 ecr-public get-authorization-token \
--query 'authorizationData.authorizationToken' | \
tr -d '"' | base64 --decode | cut -d: -f2 | \
docker login -u AWS --password-stdin https://public.ecr.aws
- name: Tag ${{ env.PULUMI_VERSION }}-ubi image and push to AWS Public ECR
run: |
docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-ubi
docker tag docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-ubi public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-ubi
docker push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}-ubi