From ac0d2a44d40d5835c0c6bbbfca1704201dc4e530 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Tue, 9 Sep 2025 09:54:09 +0200 Subject: [PATCH 1/8] chore: update container.yaml, cleanup --- .github/workflows/build-image.yaml | 19 -------- .github/workflows/container.yaml | 75 +++++++++++++++++------------- .github/workflows/kubernetes.yaml | 12 ----- 3 files changed, 43 insertions(+), 63 deletions(-) diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index 7384bce..49335bb 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -22,25 +22,6 @@ on: description: If provided, runs a script after repo checkout and before the docker image is built. Useful in case that you need to build a package outside of the docker image (and load the artifacts via copy). default: "" type: string - registryHostname: - required: false - description: The hostname for the container registry - default: ghcr.io - type: string - registryOrg: - required: false - description: The registry organization - default: parcellab - type: string - registryUsername: - required: false - description: The username for the container registry - default: parcellab-dev-bot - type: string - repository_kind: - required: false - description: Using as a dummy, to be removed in the future versions - type: string enableContainerScan: required: false description: Apply the container scan diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index 5494aaf..d830d8f 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml @@ -2,6 +2,10 @@ name: Reusable Container on: workflow_call: inputs: + appName: + required: true + description: The container image name + type: string contextPath: required: false description: The container context to build the image 
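Review bot: The new `appName` input replaces the `name` input that the next hunk of this file removes, so every caller of container.yaml that still passes `name:` will fail with an undefined-input error, since `workflow_call` rejects inputs the referenced workflow does not declare. The same commit drops `registryUsername` from build-image.yaml while the second kubernetes.yaml hunk keeps forwarding `registryUsername: ${{ inputs.registryUsername }}`; if that `with:` block targets build-image.yaml (the surrounding `artifactPath`, `imageTargets` and `preScript` keys suggest it does), those runs will fail the same way. Either keep `registryUsername` declared in build-image.yaml for now or remove the forwarded line in kubernetes.yaml, and document the `name` → `appName` rename so callers can be updated in the same change.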
@@ -17,25 +21,11 @@ on: description: The file path for the Container image default: Containerfile type: string - name: - required: true - description: The container image name - type: string - registryHostname: - required: false - description: The hostname for the container registry - default: ghcr.io - type: string registryOrg: required: false description: The registry organization default: parcellab type: string - registryUsername: - required: false - description: The username for the container registry - default: parcellab-dev-bot - type: string runner: required: false description: Runner type 
@@ -53,34 +43,55 @@ on: required: true description: The password for the container registry jobs: - container: + build-ecr-single: + permissions: + id-token: write + contents: read runs-on: ${{ inputs.runner }} steps: - name: Checkout current git repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - name: Login to Container Registry - uses: docker/login-action@v1 + uses: docker/setup-buildx-action@v2 + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v2 with: - registry: ${{ inputs.registryHostname }} - username: ${{ inputs.registryUsername }} - password: ${{ secrets.registryPassword }} - - name: Build and push latest version - uses: docker/build-push-action@v4 + aws-region: eu-central-1 + role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} + - name: Create ECR repository if it doesn't exist + run: | + aws ecr describe-repositories --repository-names ${{ inputs.registryOrg }}/${{ inputs.appName }} || \ + aws ecr create-repository --repository-name ${{ inputs.registryOrg }}/${{ inputs.appName }} + LIFECYCLE_POLICY='{"rules":[{"rulePriority":1,"description":"Keep last 500 images","selection":{"tagStatus":"any","countType":"imageCountMoreThan","countNumber":500},"action":{"type":"expire"}}]}' + aws ecr put-lifecycle-policy --repository-name ${{ inputs.registryOrg }}/${{ inputs.appName }} --lifecycle-policy-text "$LIFECYCLE_POLICY" + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + - name: Build image + uses: docker/build-push-action@v6 with: build-args: | GITHUB_SHA=${{ github.sha }} - NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} VERSION=${{ inputs.version }} + NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} ${{ inputs.extraBuildArgs }} - cache-from: type=registry,ref=${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ inputs.name }} - cache-to: type=inline + cache-from: type=registry,ref=${{ 
steps.login-ecr.outputs.registry }}/${{ inputs.registryOrg }}/${{ inputs.appName }}:cache + cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}//${{ inputs.registryOrg }}/${{ inputs.appName }}:cache context: ${{ inputs.contextPath }} + load: true file: ${{ inputs.filePath }} platforms: linux/amd64 - push: true - tags: | - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ inputs.name }}:latest - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ inputs.name }}:${{ inputs.version }} - ${{ inputs.registryHostname }}/${{ inputs.registryOrg }}/${{ inputs.name }}:${{ github.sha }} + - name: Scan for vulnerabilities + if: inputs.enableContainerScan + uses: crazy-max/ghaction-container-scan@v3 + with: + image: ${{ steps.login-ecr.outputs.registry }}/${{ inputs.registryOrg }}/${{ inputs.appName }}:latest + dockerfile: Containerfile + severity: ${{ env.IMAGE_SCAN_SEVERITY }} + severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} + annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} + env: + TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }} + - name: Push image to ECR + run: | + docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ inputs.registryOrg }}/${{ inputs.appName }} diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index ece1856..761c0e4 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml 
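Review bot: The scan step hard-codes `dockerfile: Containerfile` while the build step uses `file: ${{ inputs.filePath }}`, so a caller that overrides `filePath` gets the image built from one file and scanned against another; `dockerfile: ${{ inputs.filePath }}` keeps them in sync. In the "Create ECR repository if it doesn't exist" step, `${{ inputs.appName }}` is expanded into the shell script before it runs; the value comes from the calling workflow rather than from event data, so exposure is limited, but passing it through `env:` (`APP_NAME: ${{ inputs.appName }}` and `"$APP_NAME"` in the script) avoids the expression-in-`run:` pattern altogether. The third-party actions `aws-actions/configure-aws-credentials@v2`, `aws-actions/amazon-ecr-login@v2` and `crazy-max/ghaction-container-scan@v3` are pinned to mutable major tags; pinning each to a full commit SHA gives the job a fixed supply-chain reference. The `permissions` block (`id-token: write`, `contents: read`) is appropriately minimal for the OIDC exchange.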
@@ -42,16 +42,6 @@ on: description: If provided, runs a script after repo checkout and before the docker image is built. Useful in case that you need to build a package outside of the docker image (and load the artifacts via copy). default: "" type: string - registryHostname: - required: false - description: The hostname for the container registry - default: ghcr.io - type: string - registryOrg: - required: false - description: The registry organization - default: parcellab - type: string registryUsername: required: false description: The username for the container registry @@ -178,8 +168,6 @@ jobs: artifactPath: ${{ inputs.artifactPath }} imageTargets: ${{ inputs.imageTargets }} preScript: ${{ inputs.preScript }} - registryHostname: ${{ inputs.registryHostname }} - registryOrg: ${{ inputs.registryOrg }} registryUsername: ${{ inputs.registryUsername }} enableContainerScan: ${{ inputs.enableContainerScan }} runner: ${{ inputs.runner }} From aac5452e52e9507fe232519e12a79acc82d2eaab Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Tue, 9 Sep 2025 09:58:29 +0200 Subject: [PATCH 2/8] add assume role --- .github/workflows/container.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index d830d8f..11d4e98 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml @@ -39,9 +39,10 @@ on: npmGithubReadToken: required: false description: The Github token with permissions to read NPM private packages - registryPassword: + AWS_ROLE_TO_ASSUME: required: true - description: The password for the container registry + description: AWS OIDC role for GitHub to assume + jobs: build-ecr-single: permissions: From b890b07545d52ef70c16e7534594a0a51294776a Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Tue, 9 Sep 2025 10:33:12 +0200 Subject: [PATCH 3/8] fix cache path --- .github/workflows/container.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
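Review bot: The new secret `AWS_ROLE_TO_ASSUME` breaks the camelCase naming used by the neighbouring `npmGithubReadToken` secret, and replacing `registryPassword` is a breaking change for callers that still pass the old secret name. If the convention is camelCase, `awsRoleToAssume:` reads consistently; either way the description could say what the value is, e.g. `description: ARN of the AWS IAM role the workflow assumes via GitHub OIDC`. A role ARN is not itself a credential — the role's trust policy is what limits which repositories and refs may assume it — so that policy, not this secret, is where the access boundary lives.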
diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index 11d4e98..e0146dd 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml @@ -77,7 +77,7 @@ jobs: NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} ${{ inputs.extraBuildArgs }} cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ inputs.registryOrg }}/${{ inputs.appName }}:cache - cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}//${{ inputs.registryOrg }}/${{ inputs.appName }}:cache + cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ inputs.registryOrg }}/${{ inputs.appName }}:cache context: ${{ inputs.contextPath }} load: true file: ${{ inputs.filePath }} From 11afb75a4a199200873247ce81b457413259a763 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Tue, 9 Sep 2025 10:58:42 +0200 Subject: [PATCH 4/8] add tags --- .github/workflows/container.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index e0146dd..e384415 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml @@ -82,6 +82,10 @@ jobs: load: true file: ${{ inputs.filePath }} platforms: linux/amd64 + tags: | + ${{ steps.login-ecr.outputs.registry }}/${{ inputs.registryOrg }}/${{ inputs.appName }}:latest + ${{ steps.login-ecr.outputs.registry }}/${{ inputs.registryOrg }}/${{ inputs.appName }}:${{ inputs.version }} + ${{ steps.login-ecr.outputs.registry }}/${{ inputs.registryOrg }}/${{ inputs.appName }}:${{ github.sha }} - name: Scan for vulnerabilities if: inputs.enableContainerScan uses: crazy-max/ghaction-container-scan@v3 From e87cf61fe7452ddaa07d8c8475d4d8144380e5c8 Mon Sep 17 00:00:00 2001 
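Review bot: With these three tags now applied by the build step, the later `docker push -a` step (outside this hunk) pushes every local tag of the repository name, not only these three; on a persistent or self-hosted runner selected through `inputs.runner`, that can include stale tags left by earlier runs. Listing the three refs explicitly in the push step keeps what lands in ECR equal to what the scan step inspected. The `${{ inputs.version }}` tag also degrades to the invalid ref `…/appName:` if `version` is empty; the input's declaration is outside this hunk, so it is worth confirming it is `required: true` or carries a default.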
From: Kirill Plis Date: Tue, 9 Sep 2025 11:03:07 +0200 Subject: [PATCH 5/8] fix registry name --- .github/workflows/container.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index e384415..2473c16 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml @@ -61,10 +61,10 @@ jobs: role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} - name: Create ECR repository if it doesn't exist run: | - aws ecr describe-repositories --repository-names ${{ inputs.registryOrg }}/${{ inputs.appName }} || \ - aws ecr create-repository --repository-name ${{ inputs.registryOrg }}/${{ inputs.appName }} + aws ecr describe-repositories --repository-names ${{ inputs.appName }} || \ + aws ecr create-repository --repository-name ${{ inputs.appName }} LIFECYCLE_POLICY='{"rules":[{"rulePriority":1,"description":"Keep last 500 images","selection":{"tagStatus":"any","countType":"imageCountMoreThan","countNumber":500},"action":{"type":"expire"}}]}' - aws ecr put-lifecycle-policy --repository-name ${{ inputs.registryOrg }}/${{ inputs.appName }} --lifecycle-policy-text "$LIFECYCLE_POLICY" + aws ecr put-lifecycle-policy --repository-name ${{ inputs.appName }} --lifecycle-policy-text "$LIFECYCLE_POLICY" - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v2 From 6c50b01e177f4fe5b7279157dd002033da1db3ea Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Tue, 9 Sep 2025 11:13:36 +0200 Subject: [PATCH 6/8] fix repo names everywhere --- .github/workflows/container.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index 2473c16..4b59eb1 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml 
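Review bot: The `describe-repositories … || create-repository` chain in the "Create ECR repository if it doesn't exist" step treats every describe failure as "not found", so an AccessDenied or throttling error also falls through to a create attempt, and a repository created here receives ECR's defaults — no scan-on-push and mutable tags. Since the Trivy step only runs when `enableContainerScan` is set, consider `aws ecr create-repository --repository-name ${{ inputs.appName }} --image-scanning-configuration scanOnPush=true` so images pushed with the scan disabled are still scanned registry-side. The lifecycle policy is re-applied on every run, which is idempotent, but with `tagStatus: any` it appears to count the `:cache` tag written by `cache-to` among the 500 retained images.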
@@ -76,21 +76,21 @@ jobs: VERSION=${{ inputs.version }} NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} ${{ inputs.extraBuildArgs }} - cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ inputs.registryOrg }}/${{ inputs.appName }}:cache - cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ inputs.registryOrg }}/${{ inputs.appName }}:cache + cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }}:cache + cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }}:cache context: ${{ inputs.contextPath }} load: true file: ${{ inputs.filePath }} platforms: linux/amd64 tags: | - ${{ steps.login-ecr.outputs.registry }}/${{ inputs.registryOrg }}/${{ inputs.appName }}:latest - ${{ steps.login-ecr.outputs.registry }}/${{ inputs.registryOrg }}/${{ inputs.appName }}:${{ inputs.version }} - ${{ steps.login-ecr.outputs.registry }}/${{ inputs.registryOrg }}/${{ inputs.appName }}:${{ github.sha }} + ${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }}:latest + ${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }}:${{ inputs.version }} + ${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }}:${{ github.sha }} - name: Scan for vulnerabilities if: inputs.enableContainerScan uses: crazy-max/ghaction-container-scan@v3 with: - image: ${{ steps.login-ecr.outputs.registry }}/${{ inputs.registryOrg }}/${{ inputs.appName }}:latest + image: ${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }}:latest dockerfile: Containerfile severity: ${{ env.IMAGE_SCAN_SEVERITY }} severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} 
@@ -99,4 +99,4 @@ jobs: TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }} - name: Push image to ECR run: | - docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ inputs.registryOrg }}/${{ inputs.appName }} + docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ inputs.appName }} From 495f62ac47ae2214ef07d038fdbeb3a26d20446f Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Tue, 9 Sep 2025 11:33:47 +0200 Subject: [PATCH 7/8] removing inputs --- .github/workflows/container.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index 4b59eb1..6b4daea 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml @@ -21,11 +21,6 @@ on: description: The file path for the Container image default: Containerfile type: string - registryOrg: - required: false - description: The registry organization - default: parcellab - type: string runner: required: false description: Runner type From a958d93b7520f3cf0ebe6168239a9455140711e9 Mon Sep 17 00:00:00 2001 From: Kirill Plis Date: Tue, 9 Sep 2025 11:41:04 +0200 Subject: [PATCH 8/8] add enableContainerScan input --- .github/workflows/container.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index 6b4daea..dde7d48 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml @@ -11,6 +11,11 @@ on: description: The container context to build the image default: . type: string + enableContainerScan: + required: false + description: Apply the container scan + default: true + type: boolean extraBuildArgs: required: false description: Extra build arguments for building the docker image (KEY=VALUE separated by new lines)
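Review bot: Enabling the scan by default is only as strong as the thresholds the scan step reads — it uses `env.IMAGE_SCAN_SEVERITY`, `env.IMAGE_SCAN_SEVERITY_THRESHOLD`, `env.IMAGE_SCAN_ANNOTATIONS` and `env.IMAGE_SCAN_TRIVY_TIMEOUT`, and no `env:` block defining them is visible in any container.yaml hunk of this series. If they are not set at workflow level outside the shown hunks, they expand to empty strings and `severity_threshold` will not fail the job on findings, so the `default: true` here yields a scan that reports but never gates the push. Declaring them as inputs with defaults next to `enableContainerScan`, or in a workflow-level `env:` block, would make the gating explicit and reviewable.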