-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathbuild-docker-image.yaml
More file actions
162 lines (142 loc) · 8.15 KB
/
build-docker-image.yaml
File metadata and controls
162 lines (142 loc) · 8.15 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
name: Build Docker Image
on:
workflow_call:
inputs:
repository:
description: 'Docker repository'
type: string
required: true
image_name:
description: 'Docker image name'
type: string
required: true
tag-for-production:
description: 'Whether or not to add a tag indicating this is being used in production'
type: boolean
required: false
default: false
context:
description: 'Build context path'
type: string
required: false
default: './'
push-role-name:
type: string
description: What's the IAM role name to use for Pushing to the ECR?
required: false
default: no-push
save-as-artifact:
type: boolean
description: 'Should the image be saved as an artifact?'
required: false
default: false
outputs:
artifact-name:
description: 'The name of the uploaded artifact of the image tarball'
value: ${{ jobs.build-image.outputs.artifact-name }}
permissions:
id-token: write
contents: write # needed for mutex
jobs:
build-image:
name: Build Docker Image
runs-on: ubuntu-24.04
outputs:
artifact-name: ${{ steps.calculate-build-context-hash.outputs.image_name_no_slashes }}
steps:
- name: Parse ECR URL
if: ${{ inputs.push-role-name != 'no-push' }}
id: parse_ecr_url
run: |
ECR_URL="${{ inputs.repository}}"
# Extract the AWS Account ID, which is the first field
AWS_ACCOUNT_ID=$(echo "$ECR_URL" | cut -d. -f1)
# Extract the AWS Region, which is the fourth field in the URL structure
AWS_REGION=$(echo "$ECR_URL" | cut -d. -f4)
# Set the outputs for use in later steps
echo "aws_account_id=${AWS_ACCOUNT_ID}" >> "$GITHUB_OUTPUT"
echo "aws_region=${AWS_REGION}" >> "$GITHUB_OUTPUT"
shell: bash
- name: Checkout code
uses: actions/checkout@v5.0.0
with:
persist-credentials: false
- name: OIDC Auth for ECR
if: ${{ inputs.push-role-name != 'no-push' }}
uses: aws-actions/configure-aws-credentials@v5.1.0
with:
role-to-assume: arn:aws:iam::${{ steps.parse_ecr_url.outputs.aws_account_id }}:role/${{ inputs.push-role-name }}
aws-region: ${{ steps.parse_ecr_url.outputs.aws_region }}
- name: Calculate hash of files in build context
id: calculate-build-context-hash
run: |
python3 --version
BUILD_HASH=$(python3 .github/workflows/hash_git_files.py ${{ inputs.context }})
echo "build_context_tag=context-${BUILD_HASH}" >> "$GITHUB_OUTPUT"
echo "Calculated build context tag as: ${BUILD_HASH}"
IMAGE_NAME_WITH_NAMESPACE="${{ inputs.image_name }}"
IMAGE_NAME_NO_SLASHES="${IMAGE_NAME_WITH_NAMESPACE//\//-}"
echo "image_name_no_slashes=${IMAGE_NAME_NO_SLASHES}" >> "$GITHUB_OUTPUT"
echo "Image name without slashes: ${IMAGE_NAME_NO_SLASHES}"
- name: Set up mutex # Github concurrency management is horrible, things get arbitrarily cancelled if queued up. So using mutex until github fixes itself. When multiple jobs are modifying cache at once, weird things can happen. possible issue is https://github.com/actions/toolkit/issues/658
if: ${{ inputs.push-role-name != 'no-push' }}
uses: ben-z/gh-action-mutex@1ebad517141198e08d47cf72f3c0975316620a65 # v1.0.0-alpha.10
with:
branch: mutex-${{ inputs.repository }}-${{ inputs.image_name }}
timeout-minutes: 30 # this is the amount of time this action will wait to attempt to acquire the mutex lock before failing, e.g. if other jobs are queued up in front of it
- name: Test if docker image exists
if: ${{ inputs.push-role-name != 'no-push' }}
id: check-if-exists
run: |
BUILD_HASH=${{ steps.calculate-build-context-hash.outputs.build_context_tag }}
echo Checking for : $BUILD_HASH
if aws ecr describe-images --region ${{ steps.parse_ecr_url.outputs.aws_region }} --registry-id=${{ steps.parse_ecr_url.outputs.aws_account_id }} --repository-name=${{ inputs.image_name }} --image-ids=imageTag=$BUILD_HASH; then \
echo "Image was found in ECR"; \
echo "status=found" >> $GITHUB_OUTPUT
else \
echo "Image was not found in ECR"; \
echo "status=notfound" >> $GITHUB_OUTPUT
fi
- name: Login to Amazon ECR
if: ${{ inputs.push-role-name != 'no-push' && (steps.check-if-exists.outputs.status == 'notfound' || inputs.save-as-artifact ) }}
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2.0.1
- name: Pull existing image to package as artifact
if: ${{ inputs.save-as-artifact && steps.check-if-exists.outputs.status == 'found' }}
run: |
docker pull ${{ inputs.repository }}/${{ inputs.image_name }}:${{ steps.calculate-build-context-hash.outputs.build_context_tag }}
- name: Set up Docker Buildx
if: ${{ (inputs.save-as-artifact && inputs.push-role-name == 'no-push') || steps.check-if-exists.outputs.status == 'notfound' }}
uses: docker/setup-buildx-action@v3.11.1
with:
version: v0.27.0
- name: Build Docker Image
if: ${{ (inputs.save-as-artifact && inputs.push-role-name == 'no-push') || steps.check-if-exists.outputs.status == 'notfound' }}
uses: docker/build-push-action@v6.18.0
with:
context: ${{ inputs.context }}
push: ${{ inputs.push-role-name != 'no-push' && steps.check-if-exists.outputs.status == 'notfound' }}
load: ${{ inputs.save-as-artifact }} # make the image available later for the `docker save` step
tags: ${{ inputs.repository }}/${{ inputs.image_name }}:${{ steps.calculate-build-context-hash.outputs.build_context_tag }}
- name: Add git sha tag
if: ${{ inputs.push-role-name != 'no-push' }}
run: |
aws ecr batch-get-image --registry-id=${{ steps.parse_ecr_url.outputs.aws_account_id }} --repository-name=${{ inputs.image_name }} --image-ids imageTag=${{ steps.calculate-build-context-hash.outputs.build_context_tag }} --query 'images[].imageManifest' --output text > manifest.json
aws ecr put-image --registry-id=${{ steps.parse_ecr_url.outputs.aws_account_id }} --repository-name=${{ inputs.image_name }} --image-tag git-sha-${{ github.sha }} --image-manifest file://manifest.json
- name: Add tag for Production
if: ${{ inputs.push-role-name != 'no-push' && inputs.tag-for-production }}
run: |
aws ecr batch-get-image --registry-id=${{ steps.parse_ecr_url.outputs.aws_account_id }} --repository-name=${{ inputs.image_name }} --image-ids imageTag=${{ steps.calculate-build-context-hash.outputs.build_context_tag }} --query 'images[].imageManifest' --output text > manifest.json
# TODO: figure out some better conditional logic about adding a tag for the context in production, so we don't have to `|| true` at the end
aws ecr put-image --registry-id=${{ steps.parse_ecr_url.outputs.aws_account_id }} --repository-name=${{ inputs.image_name }} --image-tag production--${{ steps.calculate-build-context-hash.outputs.build_context_tag }} --image-manifest file://manifest.json || true
aws ecr put-image --registry-id=${{ steps.parse_ecr_url.outputs.aws_account_id }} --repository-name=${{ inputs.image_name }} --image-tag production--git-sha-${{ github.sha }} --image-manifest file://manifest.json
- name: Save Docker Image as tar
if: ${{ inputs.save-as-artifact }}
run: docker save -o ${{ steps.calculate-build-context-hash.outputs.image_name_no_slashes }}.tar ${{ inputs.repository }}/${{ inputs.image_name }}:${{ steps.calculate-build-context-hash.outputs.build_context_tag }}
- name: Upload Docker Image Artifact
if: ${{ inputs.save-as-artifact }}
uses: actions/upload-artifact@v5.0.0
with:
name: ${{ steps.calculate-build-context-hash.outputs.image_name_no_slashes }}
path: ${{ steps.calculate-build-context-hash.outputs.image_name_no_slashes }}.tar
if-no-files-found: error