## Problem There are new rate limits coming on Docker Hub. To reduce our reliance on Docker Hub and the problems the limits are going to cause for us, we want to prepare for this by also pushing our container images to ghcr.io ## Summary of changes Push our images to ghcr.io as well and not just Docker Hub.
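# Re-tags an existing `build-tools` image (identified by `from-tag`) as `pinned`
# on every registry we publish to (Docker Hub, GHCR, AWS ECR, Azure ACR) via the
# shared _push-to-container-registry workflow. The pin is skipped when the
# source and `pinned` manifests on Docker Hub are already identical, unless
# `force` is set.
name: 'Pin build-tools image'

on:
  workflow_dispatch:
    inputs:
      from-tag:
        description: 'Source tag'
        required: true
        type: string
      force:
        description: 'Force the image to be pinned'
        default: false
        type: boolean
  workflow_call:
    inputs:
      from-tag:
        description: 'Source tag'
        required: true
        type: string
      force:
        description: 'Force the image to be pinned'
        default: false
        type: boolean

defaults:
  run:
    # -e/-o pipefail: any failing command (including either `docker manifest
    # inspect` below) fails the step instead of being silently ignored.
    shell: bash -euo pipefail {0}

concurrency:
  # One pin run per source tag at a time; queued runs are not cancelled.
  group: pin-build-tools-image-${{ inputs.from-tag }}
  cancel-in-progress: false

# No permission for GITHUB_TOKEN by default; the **minimal required** set of permissions should be granted in each job.
permissions: {}

jobs:
  # Compares the Docker Hub manifests of `from-tag` and `pinned`; exposes
  # `skip=true` when they already match. Needs no token permissions:
  # manifest inspection of the public image is unauthenticated.
  check-manifests:
    runs-on: ubuntu-22.04
    outputs:
      skip: ${{ steps.check-manifests.outputs.skip }}

    steps:
      - name: Check if we really need to pin the image
        id: check-manifests
        # Inputs reach the script through env vars rather than `${{ }}`
        # interpolation, so the tag value is never spliced into shell syntax.
        env:
          FROM_TAG: ${{ inputs.from-tag }}
          TO_TAG: pinned
        run: |
          # NOTE: with `bash -e`, a missing `pinned` tag fails this job rather
          # than forcing a pin; `from-tag` is also used as a local file name.
          docker manifest inspect "docker.io/neondatabase/build-tools:${FROM_TAG}" > "${FROM_TAG}.json"
          docker manifest inspect "docker.io/neondatabase/build-tools:${TO_TAG}" > "${TO_TAG}.json"

          if diff "${FROM_TAG}.json" "${TO_TAG}.json"; then
            skip=true
          else
            skip=false
          fi

          # Quote GITHUB_OUTPUT so a path containing spaces is not word-split.
          echo "skip=${skip}" | tee -a "$GITHUB_OUTPUT"

  # Pushes the `from-tag` image under the `pinned` tags on all registries.
  tag-image:
    needs: check-manifests

    # use format(..) to catch both inputs.force = true AND inputs.force = 'true'
    if: needs.check-manifests.outputs.skip == 'false' || format('{0}', inputs.force) == 'true'

    permissions:
      id-token: write # Required for aws/azure login
      packages: write # required for pushing to GHCR

    uses: ./.github/workflows/_push-to-container-registry.yml
    with:
      # JSON map of source image -> list of destination tags. Debian codename
      # suffixes are kept; the bookworm build also gets the bare `pinned` tag.
      image-map: |
        {
          "docker.io/neondatabase/build-tools:${{ inputs.from-tag }}-bullseye": [
            "docker.io/neondatabase/build-tools:pinned-bullseye",
            "ghcr.io/neondatabase/build-tools:pinned-bullseye",
            "${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/build-tools:pinned-bullseye",
            "${{ vars.AZURE_DEV_REGISTRY_NAME }}.azurecr.io/neondatabase/build-tools:pinned-bullseye"
          ],
          "docker.io/neondatabase/build-tools:${{ inputs.from-tag }}-bookworm": [
            "docker.io/neondatabase/build-tools:pinned-bookworm",
            "docker.io/neondatabase/build-tools:pinned",
            "ghcr.io/neondatabase/build-tools:pinned-bookworm",
            "ghcr.io/neondatabase/build-tools:pinned",
            "${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/build-tools:pinned-bookworm",
            "${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/build-tools:pinned",
            "${{ vars.AZURE_DEV_REGISTRY_NAME }}.azurecr.io/neondatabase/build-tools:pinned-bookworm",
            "${{ vars.AZURE_DEV_REGISTRY_NAME }}.azurecr.io/neondatabase/build-tools:pinned"
          ]
        }
      aws-region: ${{ vars.AWS_ECR_REGION }}
      # Quoted: the account id is all digits and must stay a string.
      aws-account-id: "${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}"
      aws-role-to-assume: "gha-oidc-neon-admin"
      azure-client-id: ${{ vars.AZURE_DEV_CLIENT_ID }}
      azure-subscription-id: ${{ vars.AZURE_DEV_SUBSCRIPTION_ID }}
      azure-tenant-id: ${{ vars.AZURE_TENANT_ID }}
      acr-registry-name: ${{ vars.AZURE_DEV_REGISTRY_NAME }}
    # Forwards all repository secrets to the reusable workflow.
    secrets: inherit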