Migrating to ECR and docker distroless images

Author: gonzalomarcote

.github/workflows/build-and-deploy.yaml

@@ -1,54 +1,53 @@
 name: "Build and deploy"
 
 on:
-    push:
-        branches:
-            - main
+  push:
+    branches:
+    - main
 
 concurrency:
-    # Cancel old runs if there is a new commit in the same branch
-    group: ${{ github.workflow }}-${{ github.ref }}
-    cancel-in-progress: true
+  # Cancel old runs if there is a new commit in the same branch
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
-
-    build-base:
-        uses: ./.github/workflows/build-base.yaml
-        secrets: inherit
-        with:
-            push: true
-            tag: ${{ github.sha }}
-
-    build-relayer:
-        needs: [build-base]
-        uses: ./.github/workflows/build-relayer.yaml
-        secrets: inherit
-        with:
-          push: true
-          target: release
-          base_image: ${{ github.sha }}
-
-    build-attester:
-        needs: [build-base]
-        uses: ./.github/workflows/build-attester.yaml
-        secrets: inherit
-        with:
-          push: true
-          target: release
-          base_image: ${{ github.sha }}
-
-    build-custom-issuer:
-        needs: [build-base]
-        uses: ./.github/workflows/build-custom-issuer.yaml
-        secrets: inherit
-        with:
-          push: true
-          target: release
-          base_image: ${{ github.sha }}
-
-    deploy:
-        needs: [build-relayer, build-attester, build-custom-issuer]
-        uses: ./.github/workflows/deploy.yaml
-        secrets: inherit
-        with:
-          environment: 'staging'
+  build-base:
+    uses: ./.github/workflows/build-base.yaml
+    secrets: inherit
+    with:
+      push: true
+      tag: ${{ github.sha }}
+
+  build-relayer:
+    needs: [build-base]
+    uses: ./.github/workflows/build-relayer.yaml
+    secrets: inherit
+    with:
+      push: true
+      target: release
+      tag: ${{ github.sha }}
+
+  build-attester:
+    needs: [build-base]
+    uses: ./.github/workflows/build-attester.yaml
+    secrets: inherit
+    with:
+      push: true
+      target: release
+      tag: ${{ github.sha }}
+
+  build-custom-issuer:
+    needs: [build-base]
+    uses: ./.github/workflows/build-custom-issuer.yaml
+    secrets: inherit
+    with:
+      push: true
+      target: release
+      tag: ${{ github.sha }}
+
+  deploy:
+    needs: [build-relayer, build-attester, build-custom-issuer]
+    uses: ./.github/workflows/deploy.yaml
+    secrets: inherit
+    with:
+      environment: 'staging'

.github/workflows/build-attester.yaml

@@ -9,50 +9,81 @@ on:
       target:
         required: true
         type: string
-      base_image:
+      tag:
         required: true
         type: string
 
+permissions:
+    # Needed to configure aws credentials step
+    id-token: write
+    contents: read
+
 jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
     timeout-minutes: 30
+
     steps:
-      # Checkout repository under $GITHUB_WORKSPACE path
+      - name: Shorten SHA TAG
+      id: env-vars
+      shell: bash
+      env:
+        FULL_SHA: ${{ inputs.tag }}
+      run: echo "TAG=${FULL_SHA::16}" >> $GITHUB_OUTPUT
+
       - name: Repository checkout
         uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          fetch-depth: 0
+          role-to-assume: arn:aws:iam::291847425310:role/gitHubDeploymentsRoleFastAuth
+          role-session-name: deploymentsRoleFastAuth
+          role-duration-seconds: 900
+          aws-region: us-east-1
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+      - name: Login to ECR
+        uses: aws-actions/amazon-ecr-login@v2
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to DockerHub
-        uses: docker/login-action@v3
+      # Restore local cache
+      - name: Restore cache
+        uses: actions/cache@v3
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PUSH_TOKEN }}
-
-      # Configure tag name
-      - name: Sets env vars
-        run: |
-          echo "DOCKER_IMAGE_NAME=${{ secrets.DOCKER_USERNAME }}/${{ github.event.repository.name }}-attester:${GITHUB_SHA:0:8}" >> $GITHUB_ENV
+          path: /tmp/.buildx-cache
+          key: ${{ github.job }}-${{ runner.os }}-buildx-attester
+          restore-keys: |
+            ${{ github.job }}-${{ runner.os }}-buildx-attester
 
       # Build docker image
       - name: Build docker image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
+        env:
+          TAG: ${{ steps.env-vars.outputs.TAG }}
         with:
           context: .
           file: docker/attester.Dockerfile
+          provenance: false
           target: ${{ inputs.target }}
           push: ${{ inputs.push }}
-          tags: ${{ env.DOCKER_IMAGE_NAME }}
+          tags: |
+            291847425310.dkr.ecr.us-east-1.amazonaws.com/fast-auth/attester:${{ env.TAG }}
+            291847425310.dkr.ecr.us-east-1.amazonaws.com/fast-auth/attester:latest
+          outputs: type=image
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new
           build-args: |
-            BASE_IMAGE=ghcr.io/peersyst/${{ github.event.repository.name }}-base:${{ inputs.base_image }}
+            BASE_IMAGE=291847425310.dkr.ecr.us-east-1.amazonaws.com/fast-auth/base:${{ env.TAG }}
             TURBO_TEAM=peersyst
           secrets: |
             turbo_token=${{ secrets.TURBO_TOKEN }}
+
+      # Save latest cache
+      - name: Save cache
+        if: always()
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

.github/workflows/build-base.yaml

@@ -10,40 +10,75 @@ on:
         required: true
         type: string
 
+permissions:
+    # Needed to configure aws credentials step
+    id-token: write
+    contents: read
+
 jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
     timeout-minutes: 30
+
     steps:
-      # Checkout repository under $GITHUB_WORKSPACE path
+      - name: Shorten SHA TAG
+        id: env-vars
+        shell: bash
+        env:
+          FULL_SHA: ${{ inputs.tag }}
+        run: echo "TAG=${FULL_SHA::16}" >> $GITHUB_OUTPUT
+
       - name: Repository checkout
         uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-            fetch-depth: 0
+          role-to-assume: arn:aws:iam::291847425310:role/gitHubDeploymentsRoleFastAuth
+          role-session-name: deploymentsRoleFastAuth
+          role-duration-seconds: 900
+          aws-region: us-east-1
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+      - name: Login to ECR
+        uses: aws-actions/amazon-ecr-login@v2
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to DockerHub
-        uses: docker/login-action@v3
+      # Restore local cache
+      - name: Restore cache
+        uses: actions/cache@v3
         with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          path: /tmp/.buildx-cache
+          key: ${{ github.job }}-${{ runner.os }}-buildx-base
+          restore-keys: |
+            ${{ github.job }}-${{ runner.os }}-buildx-base
 
       # Build docker image
       - name: Build docker image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
+        env:
+          TAG: ${{ steps.env-vars.outputs.TAG }}
         with:
-            context: .
-            file: docker/base.Dockerfile
-            push: ${{ inputs.push }}
-            tags: ghcr.io/peersyst/${{ github.event.repository.name }}-base:${{ inputs.tag }}
-            build-args: |
-                TURBO_TEAM=peersyst
-            secrets: |
-                turbo_token=${{ secrets.TURBO_TOKEN }}
+          context: .
+          file: docker/base.Dockerfile
+          provenance: false
+          push: ${{ inputs.push }}
+          tags: |
+            291847425310.dkr.ecr.us-east-1.amazonaws.com/fast-auth/base:${{ env.TAG }}
+            291847425310.dkr.ecr.us-east-1.amazonaws.com/fast-auth/base:latest
+          outputs: type=image
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new
+          build-args: |
+            TURBO_TEAM=peersyst
+          secrets: |
+            turbo_token=${{ secrets.TURBO_TOKEN }}
+
+      # Save latest cache
+      - name: Save cache
+        if: always()
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

.github/workflows/build-custom-issuer.yaml

@@ -9,51 +9,80 @@ on:
       target:
         required: true
         type: string
-      base_image:
+      tag:
         required: true
         type: string
+permissions:
+    # Needed to configure aws credentials step
+    id-token: write 
+    contents: read
 
 jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
     timeout-minutes: 30
+
     steps:
-      # Checkout repository under $GITHUB_WORKSPACE path
+      - name: Shorten SHA TAG
+        id: env-vars
+        shell: bash
+        env:
+          FULL_SHA: ${{ inputs.tag }}
+        run: echo "TAG=${FULL_SHA::16}" >> $GITHUB_OUTPUT
+
       - name: Repository checkout
         uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          fetch-depth: 0
+          role-to-assume: arn:aws:iam::291847425310:role/gitHubDeploymentsRoleFastAuth
+          role-session-name: deploymentsRoleFastAuth
+          role-duration-seconds: 900
+          aws-region: us-east-1
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+      - name: Login to ECR
+        uses: aws-actions/amazon-ecr-login@v2
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to DockerHub
-        uses: docker/login-action@v3
+      # Restore local cache
+      - name: Restore cache
+        uses: actions/cache@v3
         with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      # Configure tag name
-      - name: Sets env vars
-        run: |
-          echo "DOCKER_IMAGE_NAME=ghcr.io/peersyst/${{ github.event.repository.name }}-custom-issuer:${GITHUB_SHA:0:8}" >> $GITHUB_ENV
+          path: /tmp/.buildx-cache
+          key: ${{ github.job }}-${{ runner.os }}-buildx-custom-issuer
+          restore-keys: |
+            ${{ github.job }}-${{ runner.os }}-buildx-custom-issuer
 
       # Build docker image
       - name: Build docker image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
+        env:
+          TAG: ${{ steps.env-vars.outputs.TAG }}
         with:
           context: .
           file: docker/custom-issuer.Dockerfile
+          provenance: false
           target: ${{ inputs.target }}
           push: ${{ inputs.push }}
-          tags: ${{ env.DOCKER_IMAGE_NAME }}
+          tags: |
+            291847425310.dkr.ecr.us-east-1.amazonaws.com/fast-auth/custom-issuer:${{ env.TAG }}
+            291847425310.dkr.ecr.us-east-1.amazonaws.com/fast-auth/custom-issuer:latest
+          outputs: type=image
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new
           build-args: |
-            BASE_IMAGE=ghcr.io/peersyst/${{ github.event.repository.name }}-base:${{ inputs.base_image }}
+            BASE_IMAGE=291847425310.dkr.ecr.us-east-1.amazonaws.com/fast-auth/base:${{ env.TAG }}
             TURBO_TEAM=peersyst
           secrets: |
             turbo_token=${{ secrets.TURBO_TOKEN }}
+
+      # Save latest cache
+      - name: Save cache
+        if: always()
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache