2323 PUBLIC_ECR_NAMESPACE : z5c7y9u9
2424 PUBLIC_ECR_REPOSITORY : mosaic
2525 PUBLIC_ECR_REGION : us-east-1
26- DOCKER_PLATFORM : linux/amd64
26+ DEFAULT_BUILD_REF : bae62a54
27+ DOCKER_PLATFORMS : linux/amd64,linux/arm64
2728
2829permissions :
2930 contents : read
3031
3132concurrency :
32- group : docker-publish-ecr-${{ inputs.ref || github.ref }}
33+ group : docker-publish-ecr-${{ inputs.ref || 'bae62a54' }}
3334 cancel-in-progress : false
3435
3536jobs :
7576 uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
7677 with :
7778 persist-credentials : false
78- ref : ${{ inputs.ref || github.ref }}
79+ ref : ${{ inputs.ref || env.DEFAULT_BUILD_REF }}
7980
8081 - name : Resolve build metadata
8182 env :
@@ -86,13 +87,17 @@ jobs:
8687
8788 resolved_sha="$(git rev-parse HEAD)"
8889 short_sha="$(git rev-parse --short=8 HEAD)"
89- checkout_ref="${INPUT_REF:-${GITHUB_REF }}"
90+ checkout_ref="${INPUT_REF:-${DEFAULT_BUILD_REF }}"
9091 image_tag="${INPUT_IMAGE_TAG:-${short_sha}}"
92+ image_ref="${ECR_REGISTRY}/${ECR_REPOSITORY}:${image_tag}"
93+ public_image_ref="${PUBLIC_ECR_REGISTRY}/${PUBLIC_ECR_NAMESPACE}/${PUBLIC_ECR_REPOSITORY}:${image_tag}"
9194
9295 {
9396 echo "CHECKOUT_REF=${checkout_ref}"
9497 echo "RESOLVED_SHA=${resolved_sha}"
9598 echo "IMAGE_TAG=${image_tag}"
99+ echo "IMAGE_REF=${image_ref}"
100+ echo "PUBLIC_IMAGE_REF=${public_image_ref}"
96101 } >> "${GITHUB_ENV}"
97102
98103 - name : Cleanup space
@@ -126,22 +131,54 @@ jobs:
126131 - name : Set up Docker Buildx
127132 uses : docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
128133
129- - name : Build Mosaic image
134+ - name : Configure public ECR credentials
135+ uses : aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
136+ with :
137+ role-to-assume : ${{ vars.PUBLIC_AWS_ROLE_TO_ASSUME }}
138+ aws-region : ${{ env.PUBLIC_ECR_REGION }}
139+
140+ - name : Login to public ECR
141+ run : |
142+ aws ecr-public get-login-password --region "${PUBLIC_ECR_REGION}" \
143+ | docker login --username AWS --password-stdin "${PUBLIC_ECR_REGISTRY}"
144+
145+ - name : Build and push Mosaic images
130146 run : |
131147 set -euo pipefail
132- local_image="mosaic-local:${IMAGE_TAG}"
133148 docker buildx build \
134- --platform "${DOCKER_PLATFORM }" \
149+ --platform "${DOCKER_PLATFORMS }" \
135150 --file docker/Dockerfile \
136- --tag "${local_image}" \
137- --load \
151+ --tag "${IMAGE_REF}" \
152+ --tag "${PUBLIC_IMAGE_REF}" \
153+ --push \
138154 .
139155
156+ - name : Reconfigure private AWS credentials
157+ uses : aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
158+ with :
159+ role-to-assume : ${{ vars.AWS_ROLE_TO_ASSUME }}
160+ aws-region : ${{ env.AWS_REGION }}
161+
162+ - name : Login to ECR for follow-up checks
163+ run : |
164+ aws ecr get-login-password --region "${AWS_REGION}" \
165+ | docker login --username AWS --password-stdin "${ECR_REGISTRY}"
166+
167+ - name : Resolve pushed image digest
168+ id : digest
169+ run : |
170+ set -euo pipefail
171+ digest="$(aws ecr describe-images \
172+ --repository-name "${ECR_REPOSITORY}" \
173+ --image-ids imageTag="${IMAGE_TAG}" \
174+ --query 'imageDetails[0].imageDigest' \
175+ --output text)"
176+ echo "digest=${digest}" >> "${GITHUB_OUTPUT}"
177+
140178 - name : Scan Mosaic image with Trivy
141179 run : |
142180 set -euo pipefail
143181 mkdir -p trivy-results
144- local_image="mosaic-local:${IMAGE_TAG}"
145182 docker run --rm \
146183 -v /var/run/docker.sock:/var/run/docker.sock \
147184 aquasec/trivy:0.65.0 \
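Review bot: The new "Build and push Mosaic images" step pushes both `${IMAGE_REF}` and `${PUBLIC_IMAGE_REF}` before the Trivy scan runs, so publication to the public registry can no longer be gated on scan results even if the existing `--exit-code 0` is later tightened; the previous flow scanned the `--load`ed local image before any push. Because a multi-platform build cannot be `--load`ed, one way to keep a gate is to push only `--tag "${IMAGE_REF}"` in this step, scan that reference, and then publish with `docker buildx imagetools create --tag "${PUBLIC_IMAGE_REF}" "${IMAGE_REF}"` (a manifest copy, no rebuild). Separately, the Trivy container is still given only the docker socket; with no local copy of the image after `--push`, it presumably has to pull `${IMAGE_REF}` from the private registry, and neither the host's `~/.docker/config.json` nor the AWS credentials are passed into the container, so that pull may fail — worth confirming on a real run. The digest-resolution and public-login steps are unchanged in content and only reordered.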
@@ -151,7 +188,7 @@ jobs:
151188 --ignore-unfixed \
152189 --exit-code 0 \
153190 --no-progress \
154- "${local_image }" > trivy-results/mosaic.txt
191+ "${IMAGE_REF }" > trivy-results/mosaic.txt
155192
156193 - name : Upload Trivy results artifact
157194 if : always()
@@ -161,59 +198,19 @@ jobs:
161198 path : trivy-results/mosaic.txt
162199 if-no-files-found : ignore
163200
164- - name : Tag and push Mosaic image
165- run : |
166- set -euo pipefail
167- local_image="mosaic-local:${IMAGE_TAG}"
168- image_ref="${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}"
169- docker tag "${local_image}" "${image_ref}"
170- docker push "${image_ref}"
171-
172- - name : Resolve pushed image digest
173- id : digest
174- run : |
175- set -euo pipefail
176- digest="$(aws ecr describe-images \
177- --repository-name "${ECR_REPOSITORY}" \
178- --image-ids imageTag="${IMAGE_TAG}" \
179- --query 'imageDetails[0].imageDigest' \
180- --output text)"
181- echo "digest=${digest}" >> "${GITHUB_OUTPUT}"
182-
183- - name : Configure public ECR credentials
184- uses : aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
185- with :
186- role-to-assume : ${{ vars.PUBLIC_AWS_ROLE_TO_ASSUME }}
187- aws-region : ${{ env.PUBLIC_ECR_REGION }}
188-
189- - name : Login to public ECR
190- run : |
191- aws ecr-public get-login-password --region "${PUBLIC_ECR_REGION}" \
192- | docker login --username AWS --password-stdin "${PUBLIC_ECR_REGISTRY}"
193-
194- - name : Tag and push public Mosaic image
195- run : |
196- set -euo pipefail
197- local_image="mosaic-local:${IMAGE_TAG}"
198- public_image_ref="${PUBLIC_ECR_REGISTRY}/${PUBLIC_ECR_NAMESPACE}/${PUBLIC_ECR_REPOSITORY}:${IMAGE_TAG}"
199- docker tag "${local_image}" "${public_image_ref}"
200- docker push "${public_image_ref}"
201-
202201 - name : Append publish summary
203202 if : always()
204203 env :
205204 IMAGE_DIGEST : ${{ steps.digest.outputs.digest }}
206205 run : |
207206 trivy_artifact="trivy-mosaic-${IMAGE_TAG}"
208- image_ref="${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}"
209- public_image_ref="${PUBLIC_ECR_REGISTRY}/${PUBLIC_ECR_NAMESPACE}/${PUBLIC_ECR_REPOSITORY}:${IMAGE_TAG}"
210207 {
211208 echo "## Mosaic image publish"
212209 echo
213210 echo "- Checkout ref: \`${CHECKOUT_REF}\`"
214211 echo "- Resolved SHA: \`${RESOLVED_SHA}\`"
215- echo "- Image: \`${image_ref }\`"
216- echo "- Public image: \`${public_image_ref }\`"
212+ echo "- Image: \`${IMAGE_REF }\`"
213+ echo "- Public image: \`${PUBLIC_IMAGE_REF }\`"
217214 echo "- Digest: \`${IMAGE_DIGEST}\`"
218215 echo "- Trivy artifact: \`${trivy_artifact}\`"
219216 echo