neon/.github/workflows/_push-to-container-registry.yml

name: Push images to Container Registry
on:
  workflow_call:
    inputs:
      # Example: {"docker.io/neondatabase/neon:13196061314":["369495373322.dkr.ecr.eu-central-1.amazonaws.com/neon:13196061314","neoneastus2.azurecr.io/neondatabase/neon:13196061314"]}
      image-map:
        description: JSON map of images, mapping from a source image to an array of target images that should be pushed.
        required: true
        type: string
      aws-region:
        description: AWS region to log in to. Required when pushing to ECR.
        required: false
        type: string
      aws-account-ids:
        description: Comma separated AWS account IDs to log in to for pushing to ECR. Required when pushing to ECR.
        required: false
        type: string
      azure-client-id:
        description: Client ID of Azure managed identity or Entra app. Required when pushing to ACR.
        required: false
        type: string
      azure-subscription-id:
        description: Azure subscription ID. Required when pushing to ACR.
        required: false
        type: string
      azure-tenant-id:
        description: Azure tenant ID. Required when pushing to ACR.
        required: false
        type: string
      acr-registry-name:
        description: ACR registry name. Required when pushing to ACR.
        required: false
        type: string
    secrets:
      docker-hub-username:
        description: Docker Hub username. Required when pushing to Docker Hub.
        required: false
      docker-hub-password:
        description: Docker Hub password. Required when pushing to Docker Hub.
        required: false
      aws-role-to-assume:
        description: AWS role to assume. Required when pushing to ECR.
        required: false

permissions: {}

defaults:
  run:
    shell: bash -euo pipefail {0}

jobs:
  push-to-container-registry:
    runs-on: ubuntu-22.04
    permissions:
      id-token: write  # Required for aws/azure login
    steps:
      - uses: actions/checkout@v4
        with:
          sparse-checkout: scripts/push_with_image_map.py
          sparse-checkout-cone-mode: false

      - name: Print image-map
        run: echo '${{ inputs.image-map }}' | jq

      - name: Configure AWS credentials
        if: contains(inputs.image-map, 'amazonaws.com/')
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: "${{ inputs.aws-region }}"
          role-to-assume: "${{ secrets.aws-role-to-assume }}"
          role-duration-seconds: 3600

      - name: Login to ECR
        if: contains(inputs.image-map, 'amazonaws.com/')
        uses: aws-actions/amazon-ecr-login@v2
        with:
          registries: "${{ inputs.aws-account-ids }}"

      - name: Configure Azure credentials
        if: contains(inputs.image-map, 'azurecr.io/')
        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a  # @v2.1.1
        with:
          client-id: ${{ inputs.azure-client-id }}
          subscription-id: ${{ inputs.azure-subscription-id }}
          tenant-id: ${{ inputs.azure-tenant-id }}

      - name: Login to ACR
        if: contains(inputs.image-map, 'azurecr.io/')
        run: |
          az acr login --name=${{ inputs.acr-registry-name }}

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.docker-hub-username }}
          password: ${{ secrets.docker-hub-password }}

      - name: Copy docker images to target registries
        run: python scripts/push_with_image_map.py
        env:
          IMAGE_MAP: ${{ inputs.image-map }}