name: 'Update build tools image tag' # This workflow it used to update tag of build tools in ECR. # The most common use case is adding/moving `pinned` tag to `${GITHUB_RUN_IT}` image. on: workflow_dispatch: inputs: from-tag: description: 'Source tag' required: true type: string to-tag: description: 'Destination tag' required: true type: string default: 'pinned' defaults: run: shell: bash -euo pipefail {0} env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_DEV }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY_DEV }} permissions: {} jobs: tag-image: runs-on: [ self-hosted, gen3, small ] container: golang:1.19-bullseye env: IMAGE: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools FROM_TAG: ${{ inputs.from-tag }} TO_TAG: ${{ inputs.to-tag }} outputs: next-digest-buildtools: ${{ steps.next-digest.outputs.next-digest-buildtools }} prev-digest-buildtools: ${{ steps.prev-digest.outputs.prev-digest-buildtools }} steps: - name: Install Crane & ECR helper run: | go install github.com/google/go-containerregistry/cmd/crane@a54d64203cffcbf94146e04069aae4a97f228ee2 # v0.16.1 go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@adf1bafd791ae7d4ff098108b1e91f36a4da5404 # v0.7.1 - name: Configure ECR login run: | mkdir /github/home/.docker/ echo "{\"credsStore\":\"ecr-login\"}" > /github/home/.docker/config.json - name: Get source image digest id: next-digest run: | NEXT_DIGEST=$(crane digest ${IMAGE}:${FROM_TAG} || true) if [ -z "${NEXT_DIGEST}" ]; then echo >&2 "Image ${IMAGE}:${FROM_TAG} does not exist" exit 1 fi echo "Current ${IMAGE}@${FROM_TAG} image is ${IMAGE}@${NEXT_DIGEST}" echo "next-digest-buildtools=$NEXT_DIGEST" >> $GITHUB_OUTPUT - name: Get destination image digest (if already exists) id: prev-digest run: | PREV_DIGEST=$(crane digest ${IMAGE}:${TO_TAG} || true) if [ -z "${PREV_DIGEST}" ]; then echo >&2 "Image ${IMAGE}:${TO_TAG} does not exist (it's ok)" else echo >&2 "Current ${IMAGE}@${TO_TAG} image is ${IMAGE}@${PREV_DIGEST}" echo "prev-digest-buildtools=$PREV_DIGEST" >> $GITHUB_OUTPUT fi - name: Tag image run: | crane tag "${IMAGE}:${FROM_TAG}" "${TO_TAG}" rollback-tag-image: needs: tag-image if: ${{ !success() }} runs-on: [ self-hosted, gen3, small ] container: golang:1.19-bullseye env: IMAGE: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools FROM_TAG: ${{ inputs.from-tag }} TO_TAG: ${{ inputs.to-tag }} steps: - name: Install Crane & ECR helper run: | go install github.com/google/go-containerregistry/cmd/crane@a54d64203cffcbf94146e04069aae4a97f228ee2 # v0.16.1 go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@adf1bafd791ae7d4ff098108b1e91f36a4da5404 # v0.7.1 - name: Configure ECR login run: | mkdir /github/home/.docker/ echo "{\"credsStore\":\"ecr-login\"}" > /github/home/.docker/config.json - name: Restore previous tag if needed run: | NEXT_DIGEST="${{ needs.tag-image.outputs.next-digest-buildtools }}" PREV_DIGEST="${{ needs.tag-image.outputs.prev-digest-buildtools }}" if [ -z "${NEXT_DIGEST}" ]; then echo >&2 "Image ${IMAGE}:${FROM_TAG} does not exist, nothing to rollback" exit 0 fi if [ -z "${PREV_DIGEST}" ]; then # I guess we should delete the tag here/untag the image, but crane does not support it # - https://github.com/google/go-containerregistry/issues/999 echo >&2 "Image ${IMAGE}:${TO_TAG} did not exist, but it was created by the job, no need to rollback" exit 0 fi CURRENT_DIGEST=$(crane digest "${IMAGE}:${TO_TAG}") if [ "${CURRENT_DIGEST}" == "${NEXT_DIGEST}" ]; then crane tag "${IMAGE}@${PREV_DIGEST}" "${TO_TAG}" echo >&2 "Successfully restored ${TO_TAG} tag from ${IMAGE}@${CURRENT_DIGEST} to ${IMAGE}@${PREV_DIGEST}" else echo >&2 "Image ${IMAGE}:${TO_TAG}@${CURRENT_DIGEST} is not required to be restored" fi