From c6e89445e269d82296340cca55635fd01c3971eb Mon Sep 17 00:00:00 2001
From: Alexander Bayandin
Date: Wed, 25 Sep 2024 18:22:39 +0100
Subject: [PATCH] CI(promote-images): fix prod ECR auth (#9146) A cherry-pick from the previous release (#9131) ## Problem Login to prod ECR doesn't work anymore: ``` Retrieving registries data through *** SDK... *** ECR detected with eu-central-1 region Error: The security token included in the request is invalid. ``` ## Summary of changes - Fix login to prod ECR by using `aws-actions/configure-aws-credentials`
---
.github/workflows/build_and_test.yml | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
index 9dcc9709eb..81a9fd99ae 100644
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -862,6 +862,9 @@ jobs: needs: [ check-permissions, tag, test-images, vm-compute-node-image ] runs-on: ubuntu-22.04 + permissions: + id-token: write # for `aws-actions/configure-aws-credentials` + env: VERSIONS: v14 v15 v16 v17
@@ -906,13 +909,19 @@ jobs: docker buildx imagetools create -t neondatabase/neon-test-extensions-v16:latest \ neondatabase/neon-test-extensions-v16:${{ needs.tag.outputs.build-tag }} + - name: Configure AWS-prod credentials + if: github.ref_name == 'release'|| github.ref_name == 'release-proxy' + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: eu-central-1 + mask-aws-account-id: true + role-to-assume: ${{ secrets.PROD_GHA_OIDC_ROLE }} + - name: Login to prod ECR uses: docker/login-action@v3 if: github.ref_name == 'release'|| github.ref_name == 'release-proxy' with: registry: 093970136003.dkr.ecr.eu-central-1.amazonaws.com - username: ${{ secrets.PROD_GHA_RUNNER_LIMITED_AWS_ACCESS_KEY_ID }} - password: ${{ secrets.PROD_GHA_RUNNER_LIMITED_AWS_SECRET_ACCESS_KEY }} - name: Copy all images to prod ECR if: github.ref_name == 'release'|| github.ref_name == 'release-proxy'
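Review bot: The job-level `permissions:` block in the first hunk grants `id-token: write` on every ref this job runs for, while the only steps that use the token are gated on `release`/`release-proxy` in the second hunk. The workflow therefore does not restrict who can request a token; the restriction has to come from the IAM role's trust policy, which is not visible here. I would say so in the comment, e.g. `id-token: write # OIDC for aws-actions/configure-aws-credentials; role trust policy must pin sub to the release branches`. A job-level block also sets every unlisted scope to `none`, so confirm that no step outside this hunk needs `contents: read`. The job body starts and ends outside the hunk.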
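Review bot: In the second hunk, `aws-actions/configure-aws-credentials@v4` is referenced by a mutable tag in the step that exchanges the OIDC token for the prod role, so whatever that tag points to at run time executes with the role. Pin it to a full commit SHA, `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4`, and treat `docker/login-action@v3` in the following step the same way. `mask-aws-account-id: true` buys little here because the account id is spelled out in the `registry:` value of the login step. The assumed-role credentials are exported to every later step in the job, so setting `role-duration-seconds` to roughly the time the copy step needs would narrow that window. The step list continues outside the hunk.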