Fix credential refresh race during worker activation (#567) #282

Workflow file for this run

.github/workflows/container-image-cd.yml at 31c36e9

	name: Container Image CD

	on:
	push:
	branches:
	- main
	workflow_dispatch:

	env:
	ECR_REGISTRY: 795637471508.dkr.ecr.us-east-1.amazonaws.com
	GHCR_REGISTRY: ghcr.io
	IMAGE_NAME: duckgres

	jobs:
	build:
	name: Build ${{ matrix.platform }}
	if: github.repository == 'PostHog/duckgres'
	strategy:
	fail-fast: false
	matrix:
	include:
	- platform: linux/arm64
	runner: ubuntu-24.04-arm
	- platform: linux/amd64
	runner: ubuntu-24.04
	runs-on: ${{ matrix.runner }}
	permissions:
	id-token: write
	contents: read
	packages: write

	steps:
	- name: Check out
	uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
	with:
	role-to-assume: ${{ secrets.AWS_ECR_PUBLISH_IAM_ROLE }}
	aws-region: us-east-1

	- name: Login to Amazon ECR
	id: aws-ecr
	uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1

	- name: Login to GHCR
	uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
	with:
	registry: ${{ env.GHCR_REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Prepare platform slug
	id: slug
	run: echo "arch=${PLATFORM#linux/}" >> "$GITHUB_OUTPUT"
	env:
	PLATFORM: ${{ matrix.platform }}

	- name: Build and push by digest
	id: build
	uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
	with:
	context: .
	push: true
	platforms: ${{ matrix.platform }}
	tags: \|
	${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ steps.slug.outputs.arch }}
	${{ env.GHCR_REGISTRY }}/posthog/${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ steps.slug.outputs.arch }}
	build-args: \|
	VERSION=build-${{ github.sha }}
	COMMIT=${{ github.sha }}
	BUILD_TAGS=kubernetes
	cache-from: type=gha,scope=${{ steps.slug.outputs.arch }}
	cache-to: type=gha,mode=max,scope=${{ steps.slug.outputs.arch }}

	manifest:
	name: Create multi-arch manifest
	needs: build
	if: github.repository == 'PostHog/duckgres'
	runs-on: ubuntu-24.04
	permissions:
	id-token: write
	contents: read
	packages: write

	steps:
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
	with:
	role-to-assume: ${{ secrets.AWS_ECR_PUBLISH_IAM_ROLE }}
	aws-region: us-east-1

	- name: Login to Amazon ECR
	uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1

	- name: Login to GHCR
	uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
	with:
	registry: ${{ env.GHCR_REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Create and push ECR manifest
	id: ecr-manifest
	run: \|
	docker buildx imagetools create --tag ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} \
	${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64 \
	${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64
	digest=$(docker buildx imagetools inspect --raw ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} \| sha256sum \| awk '{print "sha256:"$1}')
	echo "digest=${digest}" >> "$GITHUB_OUTPUT"

	- name: Create and push GHCR manifests
	run: \|
	for tag in "${{ github.sha }}" "latest"; do
	docker buildx imagetools create --tag ${{ env.GHCR_REGISTRY }}/posthog/${{ env.IMAGE_NAME }}:${tag} \
	${{ env.GHCR_REGISTRY }}/posthog/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64 \
	${{ env.GHCR_REGISTRY }}/posthog/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64
	done

	- name: Get deployer token
	id: deployer
	uses: getsentry/action-github-app-token@d4b5da6c5e37703f8c3b3e43abb5705b46e159cc # v3.0.0
	with:
	app_id: ${{ secrets.GH_APP_CHARTS_DEPLOYER_APP_ID }}
	private_key: ${{ secrets.GH_APP_CHARTS_DEPLOYER_PRIVATE_KEY }}

	- name: Trigger deployment via Charts repo
	uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
	with:
	token: ${{ steps.deployer.outputs.token }}
	repository: PostHog/charts
	event-type: commit_state_update
	client-payload: \|
	{
	"values": {
	"image": {
	"sha": "${{ github.sha }}@${{ steps.ecr-manifest.outputs.digest }}"
	}
	},
	"release": "duckgres",
	"commit": ${{ toJson(github.event.head_commit) }},
	"repository": ${{ toJson(github.repository) }},
	"labels": [],
	"timestamp": "${{ github.event.head_commit.timestamp }}"
	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix credential refresh race during worker activation (#567) #282

Workflow file

Fix credential refresh race during worker activation (#567) #282

Uh oh!

Workflow file for this run