chore: npm-check-updates && yarn upgrade #8363
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Workflows pertaining to the jsii/superchain Docker image | |
| name: Docker Images | |
| on: | |
| merge_group: {} | |
| pull_request: | |
| branches: [main, release] | |
| push: | |
| branches: [main, release] | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| jobs: | |
| superchain: | |
| name: jsii/superchain | |
| permissions: | |
| contents: read | |
| id-token: write # Necessary for OIDC federation | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| debian: | |
| - 'bullseye' # 11 | |
| - 'bookworm' # 12 | |
| node: ['18', '20', '22'] # STOP! Before adding anything here, check our maintenance policy in the README | |
| exclude: | |
| # We publish bullseye only with Node >= 20 | |
| - debian: 'bullseye' | |
| node: '18' | |
| env: | |
| # Node version whose images will be aliased without the -nodeXX segment | |
| DEFAULT_NODE_MAJOR_VERSION: 18 | |
| steps: | |
| - name: Check out | |
| uses: actions/checkout@v4 | |
| # Determine if we should run the validation or not | |
| - name: Should this run? | |
| id: should-run | |
| run: |- | |
| if [ "${{ github.event_name }}" = "push" ]; then | |
| echo '⏯ Triggered by "push" event' | |
| echo "result=true" >> $GITHUB_OUTPUT | |
| elif [ "${{ github.base_ref }}" = "release" ]; then | |
| echo '⏯ Triggered by "pull_request" event against "release"' | |
| echo "result=true" >> $GITHUB_OUTPUT | |
| else | |
| # Fetch the base and head refs from origin so we can safely diff 'em | |
| git fetch --depth=1 --quiet origin ${{ github.base_ref }} | |
| # Otherwise, only run if the Dockerfile changed | |
| changed=$(git diff --name-only origin/${{ github.base_ref }}..HEAD) | |
| if grep Dockerfile <<< "${changed}" ; then | |
| echo '⏯ Dockerfile changed' | |
| echo "result=true" >> $GITHUB_OUTPUT | |
| else | |
| if grep '.github/workflows/docker-images.yml' <<< "${changed}" ; then | |
| echo '⏯ docker-images workflow changed' | |
| echo "result=true" >> $GITHUB_OUTPUT | |
| else | |
| echo '⏭ Dockerfile not changed' | |
| echo "result=false" >> $GITHUB_OUTPUT | |
| fi | |
| fi | |
| fi | |
| # Check if federation into AWS is configured. This is necessary because | |
| # GitHub does not interpret ${{ secret.FOO }} within `if:` conditions... | |
| # See: https://github.com/actions/runner/issues/520 | |
| - name: Check AWS federation configuration | |
| id: federate_to_aws | |
| if: steps.should-run.outputs.result == 'true' | |
| run: |- | |
| if [[ "${{ secrets.AWS_ROLE_TO_ASSUME }}" != "" ]]; then | |
| echo "🔑 Federation into AWS is possible (AWS_ROLE_TO_ASSUME is available)" | |
| echo "enabled=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "❌ Federation into AWS is disabled (no AWS_ROLE_TO_ASSUME secret found)" | |
| echo "enabled=false" >> $GITHUB_OUTPUT | |
| fi | |
| # Federate into the PR Validation AWS Account | |
| - name: Federate into AWS | |
| if: steps.should-run.outputs.result == 'true' && steps.federate_to_aws.outputs.enabled == 'true' | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: us-east-1 | |
| role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
| role-session-name: GHA_aws-jsii_docker-images | |
| # Login to ECR Public registry, so we don't get throttled at 1 TPS | |
| - name: Login to ECR Public | |
| if: steps.should-run.outputs.result == 'true' && steps.federate_to_aws.outputs.enabled == 'true' | |
| run: |- | |
| aws ecr-public get-login-password --region=us-east-1 \ | |
| | docker login --username AWS --password-stdin public.ecr.aws | |
| - name: Slice DockerHub credentials | |
| id: credentials | |
| run: |- | |
| echo "username=$(cut -d: -f1 <<< '${{ secrets.DOCKER_CREDENTIALS }}')" >> "$GITHUB_OUTPUT" | |
| echo "password=$(cut -d: -f2 <<< '${{ secrets.DOCKER_CREDENTIALS }}')" >> "$GITHUB_OUTPUT" | |
| echo "::add-mask::$(cut -d: -f2 <<< '${{ secrets.DOCKER_CREDENTIALS }}')" | |
| # We only authenticate to Docker on the 'aws/jsii' repo, as forks will not have the secret | |
| - name: Login to Docker Hub | |
| if: steps.should-run.outputs.result == 'true' && github.repository == 'aws/jsii' | |
| # The DOCKER_CREDENTIALS secret is expected to contain a username:token pair | |
| run: |- | |
| docker login \ | |
| --username=${{ steps.credentials.outputs.username }} \ | |
| --password=${{ steps.credentials.outputs.password }} | |
| # Ensure we run with bash, because that's the syntax we're using here... | |
| shell: bash | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| with: | |
| platforms: arm64 | |
| - name: Set up docker buildx | |
| id: buildx | |
| if: steps.should-run.outputs.result == 'true' | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| # Disable parallelism because IO contention makes it too slow on GitHub | |
| # workers... | |
| config-inline: |- | |
| [worker.oci] | |
| max-parallelism = 1 | |
| # 1 pull per second from ECR Public | |
| - name: Jitter the start time to avoid ECR Public throttling | |
| id: sleep-start | |
| if: steps.should-run.outputs.result == 'true' && steps.federate_to_aws.outputs.enabled != true | |
| run: |- | |
| sleep $((RANDOM % 60)) | |
| - name: Determine build time | |
| id: build-time | |
| if: steps.should-run.outputs.result == 'true' | |
| run: |- | |
| echo "value=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT | |
| - name: Show Available Disk Space | |
| run: df -h && du -h | |
| - name: Free Disk Space | |
| uses: jlumbroso/free-disk-space@v1.3.1 | |
| - name: Build Image | |
| if: steps.should-run.outputs.result == 'true' | |
| run: |- | |
| docker buildx build \ | |
| --quiet \ | |
| --builder ${{ steps.buildx.outputs.name }} \ | |
| --platform linux/amd64,linux/arm64 \ | |
| --target superchain \ | |
| --pull \ | |
| --build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \ | |
| --build-arg COMMIT_ID='${{ github.sha }}' \ | |
| --build-arg DEBIAN_VERSION=${{ matrix.debian }} \ | |
| --build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \ | |
| -f superchain/Dockerfile \ | |
| . | |
| - name: Test Image | |
| if: steps.should-run.outputs.result == 'true' | |
| run: |- | |
| docker buildx build \ | |
| --builder ${{ steps.buildx.outputs.name }} \ | |
| --platform linux/amd64,linux/arm64 \ | |
| --target superchain \ | |
| --build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \ | |
| --build-arg COMMIT_ID='${{ github.sha }}' \ | |
| --build-arg DEBIAN_VERSION=${{ matrix.debian }} \ | |
| --build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \ | |
| -f superchain/Dockerfile \ | |
| . | |
| # Re-authenticate to ECR Public, this time with image-push permissions | |
| - name: Federate with AWS role for ECR Public push | |
| if: steps.should-run.outputs.result == 'true' && github.event_name == 'push' && (github.ref == 'refs/heads/release' || github.ref == 'refs/heads/main') | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: us-east-1 | |
| role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME_FOR_ECR_PUBLIC_PUSH }} | |
| role-session-name: GHA_aws-jsii_docker-images-PUSH | |
| - name: Authenticate with ECR Public for Push | |
| if: steps.should-run.outputs.result == 'true' && github.event_name == 'push' && (github.ref == 'refs/heads/release' || github.ref == 'refs/heads/main') | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| with: | |
| registry-type: public | |
| # Only when puhsing to main/release from now on | |
| - name: Publish (nightly) | |
| if: steps.should-run.outputs.result == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| # NOTE BELOW: The `--tag` flags can be provided multiple times... we use that capability... | |
| run: |- | |
| # If the current version is the default version, also tag this with the unqualified ':nightly' label | |
| if [[ "${{ matrix.node }}" == "$DEFAULT_NODE_MAJOR_VERSION" ]]; then | |
| docker buildx build \ | |
| --builder ${{ steps.buildx.outputs.name }} \ | |
| --platform linux/amd64,linux/arm64 \ | |
| --target superchain \ | |
| --push \ | |
| --build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \ | |
| --build-arg COMMIT_ID='${{ github.sha }}' \ | |
| --build-arg DEBIAN_VERSION=${{ matrix.debian }} \ | |
| --build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \ | |
| --tag "${{ secrets.ECR_PUBLIC_REGISTRY }}:1-${{ matrix.debian }}-slim-nightly" \ | |
| --tag "${{ secrets.ECR_PUBLIC_REGISTRY }}:1-${{ matrix.debian }}-slim-node${{ matrix.node }}-nightly" \ | |
| --tag "jsii/superchain:1-${{ matrix.debian }}-slim-nightly" \ | |
| --tag "jsii/superchain:1-${{ matrix.debian }}-slim-node${{ matrix.node }}-nightly" \ | |
| -f superchain/Dockerfile \ | |
| . | |
| else | |
| docker buildx build \ | |
| --builder ${{ steps.buildx.outputs.name }} \ | |
| --platform linux/amd64,linux/arm64 \ | |
| --target superchain \ | |
| --push \ | |
| --build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \ | |
| --build-arg COMMIT_ID='${{ github.sha }}' \ | |
| --build-arg DEBIAN_VERSION=${{ matrix.debian }} \ | |
| --build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \ | |
| --tag "${{ secrets.ECR_PUBLIC_REGISTRY }}:1-${{ matrix.debian }}-slim-node${{ matrix.node }}-nightly" \ | |
| --tag "jsii/superchain:1-${{ matrix.debian }}-slim-node${{ matrix.node }}-nightly" \ | |
| -f superchain/Dockerfile \ | |
| . | |
| fi | |
| - name: Update README (nightly) | |
| if: steps.should-run.outputs.result == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| uses: peter-evans/dockerhub-description@v4 | |
| with: | |
| username: ${{ steps.credentials.outputs.username }} | |
| password: ${{ steps.credentials.outputs.password }} | |
| repository: jsii/superchain | |
| readme-filepath: ./superchain/README.md | |
| - name: Publish (latest) | |
| if: steps.should-run.outputs.result == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/release' | |
| # NOTE BELOW: The `--tag` flags can be provided multiple times... we use that capability... | |
| run: |- | |
| # If the current version is the default version, also tag this with the unqualified ':1-*' label | |
| if [[ "${{ matrix.node }}" == "$DEFAULT_NODE_MAJOR_VERSION" ]]; then | |
| docker buildx build \ | |
| --builder ${{ steps.buildx.outputs.name }} \ | |
| --platform linux/amd64,linux/arm64 \ | |
| --target superchain \ | |
| --push \ | |
| --build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \ | |
| --build-arg COMMIT_ID='${{ github.sha }}' \ | |
| --build-arg DEBIAN_VERSION=${{ matrix.debian }} \ | |
| --build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \ | |
| --tag "${{ secrets.ECR_PUBLIC_REGISTRY }}:1-${{ matrix.debian }}-slim" \ | |
| --tag "${{ secrets.ECR_PUBLIC_REGISTRY }}:1-${{ matrix.debian }}-slim-node${{ matrix.node }}" \ | |
| --tag "jsii/superchain:1-${{ matrix.debian }}-slim" \ | |
| --tag "jsii/superchain:1-${{ matrix.debian }}-slim-node${{ matrix.node }}" \ | |
| -f superchain/Dockerfile \ | |
| . | |
| else | |
| docker buildx build \ | |
| --builder ${{ steps.buildx.outputs.name }} \ | |
| --platform linux/amd64,linux/arm64 \ | |
| --target superchain \ | |
| --push \ | |
| --build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \ | |
| --build-arg COMMIT_ID='${{ github.sha }}' \ | |
| --build-arg DEBIAN_VERSION=${{ matrix.debian }} \ | |
| --build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \ | |
| --tag "${{ secrets.ECR_PUBLIC_REGISTRY }}:1-${{ matrix.debian }}-slim-node${{ matrix.node }}" \ | |
| --tag "jsii/superchain:1-${{ matrix.debian }}-slim-node${{ matrix.node }}" \ | |
| -f superchain/Dockerfile \ | |
| . | |
| fi | |
| done: | |
| name: 'Done' | |
| runs-on: ['ubuntu-latest'] | |
| needs: ['superchain'] | |
| steps: | |
| # This is just a join target to simplify branch protection settings... | |
| - name: 'All done' | |
| run: |- | |
| echo "All done!" |