## Problem Azure login fails in the `pin-build-tools-image` workflow because the job does not have the required permissions. ``` Error: Please make sure to give write permissions to id-token in the workflow. Error: Login failed with Error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable. Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information. ``` ## Summary of changes - Add the `id-token: write` permission to the `pin-build-tools-image` job (required for the OIDC token that `azure/login` exchanges for Azure credentials) - Add an input to force image tagging - Unify pushing to Docker Hub with the other registries - Split the job into two so that fewer `if` conditions are needed
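# Re-tags an existing `neondatabase/build-tools:<from-tag>` image as `pinned`
# in Docker Hub, ECR and ACR. The job that holds registry credentials only
# runs when the `pinned` manifest differs from the source manifest (or when
# `force` is set).
name: 'Pin build-tools image'

on:
  workflow_dispatch:
    inputs:
      from-tag:
        description: 'Source tag'
        required: true
        type: string
      force:
        description: 'Force the image to be pinned'
        default: false
        type: boolean
  # When called from another workflow the secrets used below are not
  # available automatically; the caller has to pass them (e.g. `secrets: inherit`).
  workflow_call:
    inputs:
      from-tag:
        description: 'Source tag'
        required: true
        type: string
      force:
        description: 'Force the image to be pinned'
        default: false
        type: boolean

defaults:
  run:
    # -e: any failing command fails the step; -u: unset variables are errors;
    # pipefail: a failure anywhere in a pipeline fails the pipeline.
    shell: bash -euo pipefail {0}

concurrency:
  # Serialise runs per source tag; a running pin is never cancelled half-way.
  group: pin-build-tools-image-${{ inputs.from-tag }}
  cancel-in-progress: false

# No permission for GITHUB_TOKEN by default; the **minimal required** set of permissions should be granted in each job.
permissions: {}

env:
  # The tag is user-supplied (workflow_dispatch / workflow_call). It is only ever
  # consumed through this environment variable inside `run:` scripts, never
  # interpolated with `${{ }}` into a script, so it cannot inject shell code.
  FROM_TAG: ${{ inputs.from-tag }}
  TO_TAG: pinned

jobs:
  # Decide whether `pinned` already points at the same manifest as the source
  # tag. Runs with no credentials and no token permissions: both manifests are
  # inspected anonymously from Docker Hub.
  check-manifests:
    runs-on: ubuntu-22.04
    outputs:
      skip: ${{ steps.check-manifests.outputs.skip }}

    steps:
      - name: Check if we really need to pin the image
        id: check-manifests
        # Both `docker manifest inspect` calls must succeed (bash -e). If the
        # `pinned` tag does not exist yet, this job fails and `tag-image` is
        # skipped (its `needs` dependency failed), even when `force` is set.
        run: |
          docker manifest inspect "neondatabase/build-tools:${FROM_TAG}" > "${FROM_TAG}.json"
          docker manifest inspect "neondatabase/build-tools:${TO_TAG}" > "${TO_TAG}.json"

          # `diff` exits 0 only when the two manifests are byte-identical,
          # i.e. `pinned` already references exactly the source image.
          if diff "${FROM_TAG}.json" "${TO_TAG}.json"; then
            skip=true
          else
            skip=false
          fi

          echo "skip=${skip}" | tee -a "$GITHUB_OUTPUT"

  # Re-tag the source image in all three registries. This is the only job that
  # logs in anywhere, so keep its permissions and steps minimal.
  tag-image:
    needs: check-manifests

    # use format(..) to catch both inputs.force = true AND inputs.force = 'true'
    if: needs.check-manifests.outputs.skip == 'false' || format('{0}', inputs.force) == 'true'

    runs-on: ubuntu-22.04

    # Listing `permissions` at job level sets every unlisted scope to `none`;
    # only the OIDC token is needed (the job never checks out the repository).
    permissions:
      id-token: write # for `azure/login`

    steps:
      # NOTE(review): `docker/login-action@v3` is a floating major tag while
      # `azure/login` below is pinned to a commit SHA. A job that holds
      # credentials for three registries should pin every action to a SHA.
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

      # NOTE(review): ECR is authenticated with a long-lived access key pair
      # stored in secrets. Since `id-token: write` is already granted, the same
      # OIDC mechanism used for Azure could replace these with a short-lived
      # role assumption (aws-actions/configure-aws-credentials + role-to-assume).
      - uses: docker/login-action@v3
        with:
          registry: 369495373322.dkr.ecr.eu-central-1.amazonaws.com
          username: ${{ secrets.AWS_ACCESS_KEY_DEV }}
          password: ${{ secrets.AWS_SECRET_KEY_DEV }}

      # Federated (OIDC) login: no client secret, the workflow's id-token is
      # exchanged for an Azure credential. Requires `id-token: write` above.
      - name: Azure login
        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # @v2.1.1
        with:
          client-id: ${{ secrets.AZURE_DEV_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_DEV_SUBSCRIPTION_ID }}

      - name: Login to ACR
        run: |
          az acr login --name=neoneastus2

      # The source is re-resolved by tag here, not by the digest inspected in
      # `check-manifests`; if the tag were moved in between, the image pinned
      # would not be the one that was compared. Pinning by `@sha256:` digest
      # (passed as a job output) would close that window.
      - name: Tag build-tools with `${{ env.TO_TAG }}` in Docker Hub, ECR, and ACR
        run: |
          docker buildx imagetools create -t "369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:${TO_TAG}" \
                                          -t "neoneastus2.azurecr.io/neondatabase/build-tools:${TO_TAG}" \
                                          -t "neondatabase/build-tools:${TO_TAG}" \
                                             "neondatabase/build-tools:${FROM_TAG}"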