devplatform-upload-action-ecr/action.yaml at main · govuk-one-login/devplatform-upload-action-ecr · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
name: "Upload Containers to ECR, update references in CF templates"
description: "Packages and uploads, replaces reference in (eg) template.yaml"
inputs:
  role-to-assume-arn:
    description: "The secret with the ARN of the role to assume (required) eg secrets.GH_ACTIONS_ROLE_ARN"
    required: true
  container-sign-kms-key-arn:
    description: "The secret with the ARN of the key to sign container images e.g. secrets.CONTAINER_SIGN_KMS_KEY"
    required: false
    default: "none"
  build-and-push-image-only:
    description: "Only run docker build, push and signing steps. Skip packaging and artifact uploads"
    required: false
    default: "false"
  template-file:
    description: "The name of the CF template for the application. This defaults to template.yaml"
    required: false
    default: template.yaml
  working-directory:
    description: "The working directory containing the app"
    required: false
    default: .
  artifact-bucket-name:
    description: "The secret with the name of the artifact S3 bucket (required) eg secrets.ARTIFACT_SOURCE_BUCKET_NAME"
    required: true
  ecr-repo-name:
    description: "The secret with the name of the ECR Repo (required) eg secrets.ECR_REPOSITORY"
    required: true
  dockerfile:
    description: The Dockerfile to use for the build
    required: false
    default: Dockerfile
  docker-build-path:
    description: The Dockerfile path to use for the build
    required: false
  docker-platform:
    description: The target architecture for the image build
    required: false
    default: ""
  checkout-repo:
    description: Checks out the repo as the first step of the action. Default "true".
    required: false
    default: "true"
  private-docker-registry:
    description: Private Docker registry URL
    required: false
    default: ""
  private-docker-login-username:
    description: Login username to the private docker registry
    required: false
    default: ""
  private-docker-login-password:
    description: Login password to the private docker registry
    required: false
    default: ""
  push-latest-tag:
    description: Float 'latest' tag to the latest image version. This requires tag immutability disabled, a typical use case is test-image-repository containers
    required: false
    default: "false"
  version-number:
    description: The version number of the application being deployed. This defaults to ""'
    required: false
    default: ""

runs:
  using: "composite"

  steps:
    - name: Checkout repo
      if: ${{ inputs.checkout-repo == 'true' }}
      uses: actions/checkout@v4

    - name: Set up Python 3.8
      uses: actions/setup-python@v5
      with:
        python-version: "3.8"

    - name: Set up AWS creds
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: ${{ inputs.role-to-assume-arn }}
        aws-region: eu-west-2

    - name: Login to Amazon ECR
      id: login-ecr
      uses: aws-actions/amazon-ecr-login@v2
      with:
        mask-password: "true" # pragma: allowlist secret

    - name: Login to private Docker Registry
      if: ${{ inputs.private-docker-registry != '' }}
      uses: docker/login-action@v3
      with:
        registry: ${{ inputs.private-docker-registry }}
        username: ${{ inputs.private-docker-login-username }}
        password: ${{ inputs.private-docker-login-password }}

    - name: Install Cosign
      uses: sigstore/cosign-installer@main
      with:
        cosign-release: "v3.0.3"

    - name: Upload Fargates to S3
      env:
        ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
        CONTAINER_SIGN_KMS_KEY_ARN: ${{ inputs.container-sign-kms-key-arn }}
        GITHUB_SHA: ${{ github.sha }}
        PUSH_LATEST_TAG: ${{ inputs.push-latest-tag }}
        BUILD_AND_PUSH_IMAGE_ONLY: ${{ inputs.build-and-push-image-only }}
        WORKING_DIRECTORY: ${{ inputs.working-directory }}
        TEMPLATE_FILE: ${{ inputs.template-file }}
        ECR_REPO_NAME: ${{ inputs.ecr-repo-name }}
        ARTIFACT_BUCKET_NAME: ${{ inputs.artifact-bucket-name }}
        DOCKERFILE: ${{ inputs.dockerfile }}
        DOCKER_BUILD_PATH: ${{ inputs.docker-build-path }}
        DOCKER_PLATFORM: ${{ inputs.docker-platform }}
        COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
        COMMIT_MESSAGES: ${{ join(github.event.commits.*.message, ' | ') }}
        GITHUB_ACTOR: ${{ github.actor }}
        VERSION_NUMBER: ${{ inputs.version-number }}
      run: ${{ github.action_path }}/scripts/build-tag-push-ecr.sh
      shell: bash