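# Builds the Docker image for each lambda in the matrix on every push to
# main, pushes it to the staging and then the production ECR registry
# (tagged with the commit SHA and the mutable `latest` tag), and finally
# generates an SBOM for the image.
name: Docker image build and push

on:
  push:
    branches:
      - main

# Serialize runs per ref. Both push steps below re-point the mutable
# `latest` tag; without this, two overlapping runs for main could leave
# `latest` on the older commit if the earlier run happened to finish last.
# In-progress runs are deliberately not cancelled: a run killed between the
# staging and production pushes would leave the two registries out of step.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

permissions:
  # Needed by configure-aws-credentials to obtain an OIDC token for
  # `role-to-assume` (no long-lived AWS keys are stored in the repo).
  id-token: write
  # NOTE(review): `contents: write` is broader than checkout needs (read).
  # Presumably the generate-sbom step uses it via GITHUB_TOKEN — confirm,
  # and reduce to `contents: read` if it does not.
  contents: write

env:
  ECR_SUFFIX: ".dkr.ecr.ca-central-1.amazonaws.com"
  # Quoted so the all-digit account IDs stay strings.
  STAGING_ACCOUNT_ID: "239043911459"
  PRODUCTION_ACCOUNT_ID: "296255494825"

jobs:
  docker-build:
    runs-on: ubuntu-latest
    strategy:
      # Each lambda's build/push completes independently of the others.
      fail-fast: false
      matrix:
        include:
          - lambda: blazer
            image: database-tools/blazer
          - lambda: google-cidr
            image: lambda/google-cidr
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

      # Rebuild and push only when the lambda's directory or this workflow
      # file changed; every later step is gated on this output.
      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # tag=v2.11.1
        id: changes
        with:
          filters: |
            lambda:
              - '${{ matrix.lambda }}/**'
              - '.github/workflows/docker-build-and-push.yml'

      - name: Build Docker image
        if: steps.changes.outputs.lambda == 'true'
        working-directory: ${{ matrix.lambda }}
        run: make docker

      # Staging image push
      - name: Staging AWS credentials
        if: steps.changes.outputs.lambda == 'true'
        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0
        with:
          role-to-assume: arn:aws:iam::${{ env.STAGING_ACCOUNT_ID }}:role/notification-lambdas-apply
          role-session-name: ECRPush
          aws-region: ca-central-1

      - name: Staging ECR login
        if: steps.changes.outputs.lambda == 'true'
        id: staging-ecr
        uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1

      # `${{ matrix.image }}` is interpolated into the shell. That is safe
      # only because the matrix values are literals in this file; do not
      # source them from an event payload or other untrusted input.
      - name: Staging ECR push
        if: steps.changes.outputs.lambda == 'true'
        run: |
          STAGING_ECR="${{ env.STAGING_ACCOUNT_ID }}${{ env.ECR_SUFFIX }}"
          docker tag ${{ matrix.image }} $STAGING_ECR/${{ matrix.image }}:$GITHUB_SHA
          docker tag ${{ matrix.image }} $STAGING_ECR/${{ matrix.image }}:latest
          docker push $STAGING_ECR/${{ matrix.image }}:$GITHUB_SHA
          docker push $STAGING_ECR/${{ matrix.image }}:latest

      - name: Staging ECR logout
        if: steps.changes.outputs.lambda == 'true'
        run: docker logout ${{ steps.staging-ecr.outputs.registry }}

      # Production image push
      # NOTE(review): the same image goes to production on every main push
      # with no gate between the staging and production steps. If an
      # approval step is wanted, a job-level `environment:` with required
      # reviewers is the usual place to add it.
      - name: Production AWS credentials
        if: steps.changes.outputs.lambda == 'true'
        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0
        with:
          role-to-assume: arn:aws:iam::${{ env.PRODUCTION_ACCOUNT_ID }}:role/notification-lambdas-apply
          role-session-name: ECRPush
          aws-region: ca-central-1

      - name: Production ECR login
        if: steps.changes.outputs.lambda == 'true'
        id: production-ecr
        uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1

      - name: Production ECR push
        if: steps.changes.outputs.lambda == 'true'
        run: |
          PRODUCTION_ECR="${{ env.PRODUCTION_ACCOUNT_ID }}${{ env.ECR_SUFFIX }}"
          docker tag ${{ matrix.image }} $PRODUCTION_ECR/${{ matrix.image }}:$GITHUB_SHA
          docker tag ${{ matrix.image }} $PRODUCTION_ECR/${{ matrix.image }}:latest
          docker push $PRODUCTION_ECR/${{ matrix.image }}:$GITHUB_SHA
          docker push $PRODUCTION_ECR/${{ matrix.image }}:latest

      - name: Production ECR logout
        if: steps.changes.outputs.lambda == 'true'
        run: docker logout ${{ steps.production-ecr.outputs.registry }}

      # The SBOM is generated after both pushes, so it records what was
      # shipped rather than gating the push.
      - name: Generate docker SBOM
        if: steps.changes.outputs.lambda == 'true'
        uses: cds-snc/security-tools/.github/actions/generate-sbom@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4
        with:
          docker_image: "${{ matrix.image }}"
          dockerfile_path: "${{ matrix.lambda }}/Dockerfile"
          sbom_name: "${{ matrix.lambda }}"
          token: "${{ secrets.GITHUB_TOKEN }}"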