-
Notifications
You must be signed in to change notification settings - Fork 2
feat: add push to Amazon ECR for container image #65
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 1 commit
74cc178
c190462
e1cef19
63cd3bd
a45fee5
b2be276
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| name: TEMPORARY AWS Push Test | ||
|
|
||
| on: | ||
| push: | ||
| branches: ["main"] | ||
| pull_request: | ||
| branches: ["main"] | ||
| paths: | ||
| - "user-management/**" | ||
| - ".github/**" | ||
| workflow_dispatch: | ||
|
|
||
| env: | ||
| REGISTRY: ghcr.io | ||
| IMAGE_NAME_USER_SERVICE: ${{ github.repository_owner }}/stickerlandia/user-management-service | ||
| REPOSITORY_URL: github.com/${{ github.repository }} | ||
| ECR_REPOSITORY_URL: 772954894450.dkr.ecr.eu-west-1.amazonaws.com/stickerlandia-user-management | ||
|
|
||
| jobs: | ||
| push-image: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| attestations: write | ||
| id-token: write | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| - name: Get Commit Info | ||
| id: get_sha | ||
| run: | | ||
| echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_ENV | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 | ||
|
|
||
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df | ||
| with: | ||
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | ||
| role-session-name: GitHub_to_AWS_via_FederatedOIDC | ||
| aws-region: "us-east-1" | ||
| - name: Login to Amazon ECR | ||
| id: login-ecr | ||
| uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 | ||
|
|
||
| - name: Extract metadata (tags, labels) for Docker | ||
| id: meta | ||
| uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 | ||
| with: | ||
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_USER_SERVICE }} | ||
| tags: | | ||
| latest | ||
| ${{ env.COMMIT_SHA }} | ||
|
|
||
| - name: Build and push Docker image to Amazon ECR | ||
| id: push-ecr | ||
| uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 | ||
| with: | ||
| context: ./user-management | ||
| file: ./user-management/src/Stickerlandia.UserManagement.Api/Dockerfile | ||
| platforms: linux/amd64,linux/arm64 | ||
| push: true | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| build-args: | | ||
| GIT_COMMIT_SHA=${{ env.COMMIT_SHA }} | ||
| GIT_REPOSITORY_URL=${{ env.ECR_REPOSITORY_URL }} | ||
| DD_GIT_REPOSITORY_URL=${{ env.ECR_REPOSITORY_URL }} | ||
| DD_GIT_COMMIT_SHA=${{ env.COMMIT_SHA }} | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -14,6 +14,7 @@ env: | |
| REGISTRY: ghcr.io | ||
| IMAGE_NAME_USER_SERVICE: ${{ github.repository_owner }}/stickerlandia/user-management-service | ||
| REPOSITORY_URL: github.com/${{ github.repository }} | ||
| ECR_REPOSITORY_URL: 772954894450.dkr.ecr.eu-west-1.amazonaws.com/stickerlandia-user-management | ||
|
|
||
| jobs: | ||
| unit-test: | ||
|
|
@@ -139,6 +140,15 @@ jobs: | |
| registry: ${{ env.REGISTRY }} | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df | ||
| with: | ||
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | ||
| role-session-name: GitHub_to_AWS_via_FederatedOIDC | ||
| aws-region: "us-east-1" | ||
| - name: Login to Amazon ECR | ||
| id: login-ecr | ||
| uses: aws-actions/amazon-ecr-login@v2 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔴 High: Code VulnerabilityWorkflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch ( - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
||
|
|
||
| - name: Extract metadata (tags, labels) for Docker | ||
| id: meta | ||
|
|
@@ -149,7 +159,7 @@ jobs: | |
| latest | ||
| ${{ env.COMMIT_SHA }} | ||
|
|
||
| - name: Build and push Docker image | ||
| - name: Build and push Docker image to Github Container Registry | ||
| id: push | ||
| uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 | ||
| with: | ||
|
|
@@ -164,3 +174,19 @@ jobs: | |
| GIT_REPOSITORY_URL=${{ env.REPOSITORY_URL }} | ||
| DD_GIT_REPOSITORY_URL=${{ env.REPOSITORY_URL }} | ||
| DD_GIT_COMMIT_SHA=${{ env.COMMIT_SHA }} | ||
|
|
||
| - name: Build and push Docker image to Amazon ECR | ||
| id: push-ecr | ||
| uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 | ||
| with: | ||
| context: ./user-management | ||
| file: ./user-management/src/Stickerlandia.UserManagement.Api/Dockerfile | ||
| platforms: linux/amd64,linux/arm64 | ||
| push: true | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| build-args: | | ||
| GIT_COMMIT_SHA=${{ env.COMMIT_SHA }} | ||
| GIT_REPOSITORY_URL=${{ env.ECR_REPOSITORY_URL }} | ||
| DD_GIT_REPOSITORY_URL=${{ env.ECR_REPOSITORY_URL }} | ||
| DD_GIT_COMMIT_SHA=${{ env.COMMIT_SHA }} | ||
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔴 High: Code Vulnerability
No explicit permissions set for at the workflow level (...read more)
Default permissions for the
GITHUB_TOKENare expected to be restricted (contents: readandpackages: read).Your repository may require a different setup, so consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromise.
You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. They can be defined at the job or the workflow level.