mirror of
https://github.com/neondatabase/neon.git
synced 2025-12-26 23:59:58 +00:00
feat(ci): push container images to ghcr.io as well (#10945)
## Problem There's new rate-limits coming on docker hub. To reduce our reliance on docker hub and the problems the limits are going to cause for us, we want to prepare for this by also pushing our container images to ghcr.io ## Summary of changes Push our images to ghcr.io as well and not just docker hub.
This commit is contained in:
JC Grünhage
GitHub
@@ -11,8 +11,12 @@ on:
|
|||||||
description: AWS region to log in to. Required when pushing to ECR.
|
description: AWS region to log in to. Required when pushing to ECR.
|
||||||
required: false
|
required: false
|
||||||
type: string
|
type: string
|
||||||
aws-account-ids:
|
aws-account-id:
|
||||||
description: Comma separated AWS account IDs to log in to for pushing to ECR. Required when pushing to ECR.
|
description: AWS account ID to log in to for pushing to ECR. Required when pushing to ECR.
|
||||||
|
required: false
|
||||||
|
type: string
|
||||||
|
aws-role-to-assume:
|
||||||
|
description: AWS role to assume to for pushing to ECR. Required when pushing to ECR.
|
||||||
required: false
|
required: false
|
||||||
type: string
|
type: string
|
||||||
azure-client-id:
|
azure-client-id:
|
||||||
@@ -31,16 +35,6 @@ on:
|
|||||||
description: ACR registry name. Required when pushing to ACR.
|
description: ACR registry name. Required when pushing to ACR.
|
||||||
required: false
|
required: false
|
||||||
type: string
|
type: string
|
||||||
secrets:
|
|
||||||
docker-hub-username:
|
|
||||||
description: Docker Hub username. Required when pushing to Docker Hub.
|
|
||||||
required: false
|
|
||||||
docker-hub-password:
|
|
||||||
description: Docker Hub password. Required when pushing to Docker Hub.
|
|
||||||
required: false
|
|
||||||
aws-role-to-assume:
|
|
||||||
description: AWS role to assume. Required when pushing to ECR.
|
|
||||||
required: false
|
|
||||||
|
|
||||||
permissions: {}
|
permissions: {}
|
||||||
|
|
||||||
@@ -53,6 +47,7 @@ jobs:
|
|||||||
runs-on: ubuntu-22.04
|
runs-on: ubuntu-22.04
|
||||||
permissions:
|
permissions:
|
||||||
id-token: write # Required for aws/azure login
|
id-token: write # Required for aws/azure login
|
||||||
|
packages: write # required for pushing to GHCR
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
@@ -67,14 +62,14 @@ jobs:
|
|||||||
uses: aws-actions/configure-aws-credentials@v4
|
uses: aws-actions/configure-aws-credentials@v4
|
||||||
with:
|
with:
|
||||||
aws-region: "${{ inputs.aws-region }}"
|
aws-region: "${{ inputs.aws-region }}"
|
||||||
role-to-assume: "${{ secrets.aws-role-to-assume }}"
|
role-to-assume: "arn:aws:iam::${{ inputs.aws-account-id }}:role/${{ inputs.aws-role-to-assume }}"
|
||||||
role-duration-seconds: 3600
|
role-duration-seconds: 3600
|
||||||
|
|
||||||
- name: Login to ECR
|
- name: Login to ECR
|
||||||
if: contains(inputs.image-map, 'amazonaws.com/')
|
if: contains(inputs.image-map, 'amazonaws.com/')
|
||||||
uses: aws-actions/amazon-ecr-login@v2
|
uses: aws-actions/amazon-ecr-login@v2
|
||||||
with:
|
with:
|
||||||
registries: "${{ inputs.aws-account-ids }}"
|
registries: "${{ inputs.aws-account-id }}"
|
||||||
|
|
||||||
- name: Configure Azure credentials
|
- name: Configure Azure credentials
|
||||||
if: contains(inputs.image-map, 'azurecr.io/')
|
if: contains(inputs.image-map, 'azurecr.io/')
|
||||||
@@ -89,11 +84,19 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
az acr login --name=${{ inputs.acr-registry-name }}
|
az acr login --name=${{ inputs.acr-registry-name }}
|
||||||
|
|
||||||
|
- name: Login to GHCR
|
||||||
|
if: contains(inputs.image-map, 'ghcr.io/')
|
||||||
|
uses: docker/login-action@v3
|
||||||
|
with:
|
||||||
|
registry: ghcr.io
|
||||||
|
username: ${{ github.repository_owner }}
|
||||||
|
password: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
- name: Log in to Docker Hub
|
- name: Log in to Docker Hub
|
||||||
uses: docker/login-action@v3
|
uses: docker/login-action@v3
|
||||||
with:
|
with:
|
||||||
username: ${{ secrets.docker-hub-username }}
|
username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
|
||||||
password: ${{ secrets.docker-hub-password }}
|
password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
|
||||||
|
|
||||||
- name: Copy docker images to target registries
|
- name: Copy docker images to target registries
|
||||||
run: python scripts/push_with_image_map.py
|
run: python scripts/push_with_image_map.py
|
||||||
|
|||||||
48
.github/workflows/build_and_test.yml
vendored
48
.github/workflows/build_and_test.yml
vendored
@@ -866,68 +866,72 @@ jobs:
|
|||||||
push-neon-image-dev:
|
push-neon-image-dev:
|
||||||
needs: [ generate-image-maps, neon-image ]
|
needs: [ generate-image-maps, neon-image ]
|
||||||
uses: ./.github/workflows/_push-to-container-registry.yml
|
uses: ./.github/workflows/_push-to-container-registry.yml
|
||||||
|
permissions:
|
||||||
|
id-token: write # Required for aws/azure login
|
||||||
|
packages: write # required for pushing to GHCR
|
||||||
with:
|
with:
|
||||||
image-map: '${{ needs.generate-image-maps.outputs.neon-dev }}'
|
image-map: '${{ needs.generate-image-maps.outputs.neon-dev }}'
|
||||||
aws-region: ${{ vars.AWS_ECR_REGION }}
|
aws-region: ${{ vars.AWS_ECR_REGION }}
|
||||||
aws-account-ids: "${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}"
|
aws-account-id: "${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}"
|
||||||
|
aws-role-to-assume: "gha-oidc-neon-admin"
|
||||||
azure-client-id: ${{ vars.AZURE_DEV_CLIENT_ID }}
|
azure-client-id: ${{ vars.AZURE_DEV_CLIENT_ID }}
|
||||||
azure-subscription-id: ${{ vars.AZURE_DEV_SUBSCRIPTION_ID }}
|
azure-subscription-id: ${{ vars.AZURE_DEV_SUBSCRIPTION_ID }}
|
||||||
azure-tenant-id: ${{ vars.AZURE_TENANT_ID }}
|
azure-tenant-id: ${{ vars.AZURE_TENANT_ID }}
|
||||||
acr-registry-name: ${{ vars.AZURE_DEV_REGISTRY_NAME }}
|
acr-registry-name: ${{ vars.AZURE_DEV_REGISTRY_NAME }}
|
||||||
secrets:
|
secrets: inherit
|
||||||
aws-role-to-assume: "${{ vars.DEV_AWS_OIDC_ROLE_ARN }}"
|
|
||||||
docker-hub-username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
|
|
||||||
docker-hub-password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
|
|
||||||
|
|
||||||
push-compute-image-dev:
|
push-compute-image-dev:
|
||||||
needs: [ generate-image-maps, vm-compute-node-image ]
|
needs: [ generate-image-maps, vm-compute-node-image ]
|
||||||
uses: ./.github/workflows/_push-to-container-registry.yml
|
uses: ./.github/workflows/_push-to-container-registry.yml
|
||||||
|
permissions:
|
||||||
|
id-token: write # Required for aws/azure login
|
||||||
|
packages: write # required for pushing to GHCR
|
||||||
with:
|
with:
|
||||||
image-map: '${{ needs.generate-image-maps.outputs.compute-dev }}'
|
image-map: '${{ needs.generate-image-maps.outputs.compute-dev }}'
|
||||||
aws-region: ${{ vars.AWS_ECR_REGION }}
|
aws-region: ${{ vars.AWS_ECR_REGION }}
|
||||||
aws-account-ids: "${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}"
|
aws-account-id: "${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}"
|
||||||
|
aws-role-to-assume: "gha-oidc-neon-admin"
|
||||||
azure-client-id: ${{ vars.AZURE_DEV_CLIENT_ID }}
|
azure-client-id: ${{ vars.AZURE_DEV_CLIENT_ID }}
|
||||||
azure-subscription-id: ${{ vars.AZURE_DEV_SUBSCRIPTION_ID }}
|
azure-subscription-id: ${{ vars.AZURE_DEV_SUBSCRIPTION_ID }}
|
||||||
azure-tenant-id: ${{ vars.AZURE_TENANT_ID }}
|
azure-tenant-id: ${{ vars.AZURE_TENANT_ID }}
|
||||||
acr-registry-name: ${{ vars.AZURE_DEV_REGISTRY_NAME }}
|
acr-registry-name: ${{ vars.AZURE_DEV_REGISTRY_NAME }}
|
||||||
secrets:
|
secrets: inherit
|
||||||
aws-role-to-assume: "${{ vars.DEV_AWS_OIDC_ROLE_ARN }}"
|
|
||||||
docker-hub-username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
|
|
||||||
docker-hub-password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
|
|
||||||
|
|
||||||
push-neon-image-prod:
|
push-neon-image-prod:
|
||||||
if: github.ref_name == 'release' || github.ref_name == 'release-proxy' || github.ref_name == 'release-compute'
|
if: github.ref_name == 'release' || github.ref_name == 'release-proxy' || github.ref_name == 'release-compute'
|
||||||
needs: [ generate-image-maps, neon-image, test-images ]
|
needs: [ generate-image-maps, neon-image, test-images ]
|
||||||
uses: ./.github/workflows/_push-to-container-registry.yml
|
uses: ./.github/workflows/_push-to-container-registry.yml
|
||||||
|
permissions:
|
||||||
|
id-token: write # Required for aws/azure login
|
||||||
|
packages: write # required for pushing to GHCR
|
||||||
with:
|
with:
|
||||||
image-map: '${{ needs.generate-image-maps.outputs.neon-prod }}'
|
image-map: '${{ needs.generate-image-maps.outputs.neon-prod }}'
|
||||||
aws-region: ${{ vars.AWS_ECR_REGION }}
|
aws-region: ${{ vars.AWS_ECR_REGION }}
|
||||||
aws-account-ids: "${{ vars.NEON_PROD_AWS_ACCOUNT_ID }}"
|
aws-account-id: "${{ vars.NEON_PROD_AWS_ACCOUNT_ID }}"
|
||||||
|
aws-role-to-assume: "gha-oidc-neon-admin"
|
||||||
azure-client-id: ${{ vars.AZURE_PROD_CLIENT_ID }}
|
azure-client-id: ${{ vars.AZURE_PROD_CLIENT_ID }}
|
||||||
azure-subscription-id: ${{ vars.AZURE_PROD_SUBSCRIPTION_ID }}
|
azure-subscription-id: ${{ vars.AZURE_PROD_SUBSCRIPTION_ID }}
|
||||||
azure-tenant-id: ${{ vars.AZURE_TENANT_ID }}
|
azure-tenant-id: ${{ vars.AZURE_TENANT_ID }}
|
||||||
acr-registry-name: ${{ vars.AZURE_PROD_REGISTRY_NAME }}
|
acr-registry-name: ${{ vars.AZURE_PROD_REGISTRY_NAME }}
|
||||||
secrets:
|
secrets: inherit
|
||||||
aws-role-to-assume: "${{ secrets.PROD_GHA_OIDC_ROLE }}"
|
|
||||||
docker-hub-username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
|
|
||||||
docker-hub-password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
|
|
||||||
|
|
||||||
push-compute-image-prod:
|
push-compute-image-prod:
|
||||||
if: github.ref_name == 'release' || github.ref_name == 'release-proxy' || github.ref_name == 'release-compute'
|
if: github.ref_name == 'release' || github.ref_name == 'release-proxy' || github.ref_name == 'release-compute'
|
||||||
needs: [ generate-image-maps, vm-compute-node-image, test-images ]
|
needs: [ generate-image-maps, vm-compute-node-image, test-images ]
|
||||||
uses: ./.github/workflows/_push-to-container-registry.yml
|
uses: ./.github/workflows/_push-to-container-registry.yml
|
||||||
|
permissions:
|
||||||
|
id-token: write # Required for aws/azure login
|
||||||
|
packages: write # required for pushing to GHCR
|
||||||
with:
|
with:
|
||||||
image-map: '${{ needs.generate-image-maps.outputs.compute-prod }}'
|
image-map: '${{ needs.generate-image-maps.outputs.compute-prod }}'
|
||||||
aws-region: ${{ vars.AWS_ECR_REGION }}
|
aws-region: ${{ vars.AWS_ECR_REGION }}
|
||||||
aws-account-ids: "${{ vars.NEON_PROD_AWS_ACCOUNT_ID }}"
|
aws-account-id: "${{ vars.NEON_PROD_AWS_ACCOUNT_ID }}"
|
||||||
|
aws-role-to-assume: "gha-oidc-neon-admin"
|
||||||
azure-client-id: ${{ vars.AZURE_PROD_CLIENT_ID }}
|
azure-client-id: ${{ vars.AZURE_PROD_CLIENT_ID }}
|
||||||
azure-subscription-id: ${{ vars.AZURE_PROD_SUBSCRIPTION_ID }}
|
azure-subscription-id: ${{ vars.AZURE_PROD_SUBSCRIPTION_ID }}
|
||||||
azure-tenant-id: ${{ vars.AZURE_TENANT_ID }}
|
azure-tenant-id: ${{ vars.AZURE_TENANT_ID }}
|
||||||
acr-registry-name: ${{ vars.AZURE_PROD_REGISTRY_NAME }}
|
acr-registry-name: ${{ vars.AZURE_PROD_REGISTRY_NAME }}
|
||||||
secrets:
|
secrets: inherit
|
||||||
aws-role-to-assume: "${{ secrets.PROD_GHA_OIDC_ROLE }}"
|
|
||||||
docker-hub-username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
|
|
||||||
docker-hub-password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
|
|
||||||
|
|
||||||
# This is a bit of a special case so we're not using a generated image map.
|
# This is a bit of a special case so we're not using a generated image map.
|
||||||
add-latest-tag-to-neon-extensions-test-image:
|
add-latest-tag-to-neon-extensions-test-image:
|
||||||
@@ -940,9 +944,7 @@ jobs:
|
|||||||
"docker.io/neondatabase/neon-test-extensions-v16:${{ needs.tag.outputs.build-tag }}": ["docker.io/neondatabase/neon-test-extensions-v16:latest"],
|
"docker.io/neondatabase/neon-test-extensions-v16:${{ needs.tag.outputs.build-tag }}": ["docker.io/neondatabase/neon-test-extensions-v16:latest"],
|
||||||
"docker.io/neondatabase/neon-test-extensions-v17:${{ needs.tag.outputs.build-tag }}": ["docker.io/neondatabase/neon-test-extensions-v17:latest"]
|
"docker.io/neondatabase/neon-test-extensions-v17:${{ needs.tag.outputs.build-tag }}": ["docker.io/neondatabase/neon-test-extensions-v17:latest"]
|
||||||
}
|
}
|
||||||
secrets:
|
secrets: inherit
|
||||||
docker-hub-username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
|
|
||||||
docker-hub-password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
|
|
||||||
|
|
||||||
trigger-custom-extensions-build-and-wait:
|
trigger-custom-extensions-build-and-wait:
|
||||||
needs: [ check-permissions, tag ]
|
needs: [ check-permissions, tag ]
|
||||||
|
|||||||
12
.github/workflows/pin-build-tools-image.yml
vendored
12
.github/workflows/pin-build-tools-image.yml
vendored
@@ -65,6 +65,7 @@ jobs:
|
|||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
id-token: write # Required for aws/azure login
|
id-token: write # Required for aws/azure login
|
||||||
|
packages: write # required for pushing to GHCR
|
||||||
|
|
||||||
uses: ./.github/workflows/_push-to-container-registry.yml
|
uses: ./.github/workflows/_push-to-container-registry.yml
|
||||||
with:
|
with:
|
||||||
@@ -72,12 +73,15 @@ jobs:
|
|||||||
{
|
{
|
||||||
"docker.io/neondatabase/build-tools:${{ inputs.from-tag }}-bullseye": [
|
"docker.io/neondatabase/build-tools:${{ inputs.from-tag }}-bullseye": [
|
||||||
"docker.io/neondatabase/build-tools:pinned-bullseye",
|
"docker.io/neondatabase/build-tools:pinned-bullseye",
|
||||||
|
"ghcr.io/neondatabase/build-tools:pinned-bullseye",
|
||||||
"${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/build-tools:pinned-bullseye",
|
"${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/build-tools:pinned-bullseye",
|
||||||
"${{ vars.AZURE_DEV_REGISTRY_NAME }}.azurecr.io/neondatabase/build-tools:pinned-bullseye"
|
"${{ vars.AZURE_DEV_REGISTRY_NAME }}.azurecr.io/neondatabase/build-tools:pinned-bullseye"
|
||||||
],
|
],
|
||||||
"docker.io/neondatabase/build-tools:${{ inputs.from-tag }}-bookworm": [
|
"docker.io/neondatabase/build-tools:${{ inputs.from-tag }}-bookworm": [
|
||||||
"docker.io/neondatabase/build-tools:pinned-bookworm",
|
"docker.io/neondatabase/build-tools:pinned-bookworm",
|
||||||
"docker.io/neondatabase/build-tools:pinned",
|
"docker.io/neondatabase/build-tools:pinned",
|
||||||
|
"ghcr.io/neondatabase/build-tools:pinned-bookworm",
|
||||||
|
"ghcr.io/neondatabase/build-tools:pinned",
|
||||||
"${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/build-tools:pinned-bookworm",
|
"${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/build-tools:pinned-bookworm",
|
||||||
"${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/build-tools:pinned",
|
"${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/build-tools:pinned",
|
||||||
"${{ vars.AZURE_DEV_REGISTRY_NAME }}.azurecr.io/neondatabase/build-tools:pinned-bookworm",
|
"${{ vars.AZURE_DEV_REGISTRY_NAME }}.azurecr.io/neondatabase/build-tools:pinned-bookworm",
|
||||||
@@ -85,12 +89,10 @@ jobs:
|
|||||||
]
|
]
|
||||||
}
|
}
|
||||||
aws-region: ${{ vars.AWS_ECR_REGION }}
|
aws-region: ${{ vars.AWS_ECR_REGION }}
|
||||||
aws-account-ids: "${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}"
|
aws-account-id: "${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}"
|
||||||
|
aws-role-to-assume: "gha-oidc-neon-admin"
|
||||||
azure-client-id: ${{ vars.AZURE_DEV_CLIENT_ID }}
|
azure-client-id: ${{ vars.AZURE_DEV_CLIENT_ID }}
|
||||||
azure-subscription-id: ${{ vars.AZURE_DEV_SUBSCRIPTION_ID }}
|
azure-subscription-id: ${{ vars.AZURE_DEV_SUBSCRIPTION_ID }}
|
||||||
azure-tenant-id: ${{ vars.AZURE_TENANT_ID }}
|
azure-tenant-id: ${{ vars.AZURE_TENANT_ID }}
|
||||||
acr-registry-name: ${{ vars.AZURE_DEV_REGISTRY_NAME }}
|
acr-registry-name: ${{ vars.AZURE_DEV_REGISTRY_NAME }}
|
||||||
secrets:
|
secrets: inherit
|
||||||
aws-role-to-assume: "${{ vars.DEV_AWS_OIDC_ROLE_ARN }}"
|
|
||||||
docker-hub-username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
|
|
||||||
docker-hub-password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
|
|
||||||
|
|||||||
@@ -27,6 +27,7 @@ components = {
|
|||||||
registries = {
|
registries = {
|
||||||
"dev": [
|
"dev": [
|
||||||
"docker.io/neondatabase",
|
"docker.io/neondatabase",
|
||||||
|
"ghcr.io/neondatabase",
|
||||||
f"{dev_aws}.dkr.ecr.{aws_region}.amazonaws.com",
|
f"{dev_aws}.dkr.ecr.{aws_region}.amazonaws.com",
|
||||||
f"{dev_acr}.azurecr.io/neondatabase",
|
f"{dev_acr}.azurecr.io/neondatabase",
|
||||||
],
|
],
|
||||||
|
|||||||
Reference in New Issue
Block a user