diff --git a/.github/actions/push_on_ecr/action.yml b/.github/actions/push_on_ecr/action.yml
new file mode 100644
index 0000000..907caa4
--- /dev/null
+++ b/.github/actions/push_on_ecr/action.yml
@@ -0,0 +1,51 @@
+name: Composite action push on ecr
+description: Composite action push on ecr
+inputs:
+ repository:
+ description: Repository name
+ required: true
+ aws_account_id:
+ description: Aws User code
+ required: true
+ aws_access_key:
+ description: Aws access key
+ required: true
+ aws_secret_access_key:
+ description: Aws secret access key
+ required: true
+ dockerfile:
+ description: Path for dockerfile
+ required: true
+ image_tag:
+ description: Directory that must be run against the linters
+ required: true
+
+ aws_region:
+ description: Aws region
+ required: true
+
+runs:
+ using: "composite"
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: ${{ inputs.aws_region}}
+ aws-access-key-id: ${{ inputs.aws_access_key }}
+ aws-secret-access-key: ${{ inputs.secrets_aws_access_key }}
+ role-to-assume: arn:aws:iam::${{inputs.aws_account_id}}:role/${{inputs.aws_role_to_assume}}
+
+ - name: Login to Amazon ECR Private
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+
+
+ - name: Build, tag, and push docker image to Amazon ECR
+ env:
+ REGISTRY: ${{inputs.aws_account_id}}.dkr.ecr.${{inputs.aws_region}}.amazonaws.com
+ REPOSITORY: ${{ inputs.repository }}
+ IMAGE_TAG: ${{ inputs.image_tag }}
+ run: |
+ docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG ${{inputs.dockerfile}}
+ docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
+ shell: bash
\ No newline at end of file
diff --git a/.github/workflows/_python.yml b/.github/workflows/_python.yml
index 57b4c58..ca57c3a 100644
--- a/.github/workflows/_python.yml
+++ b/.github/workflows/_python.yml
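Review bot: The Configure AWS Credentials step reads two inputs this action never declares — `aws-secret-access-key: ${{ inputs.secrets_aws_access_key }}` should reference the declared `inputs.aws_secret_access_key`, and `role-to-assume` interpolates an undeclared `inputs.aws_role_to_assume`, so the ARN ends in `:role/` with an empty role name; undeclared composite inputs expand to empty strings, so the step runs with no secret key and a malformed role ARN. The build step also passes the Dockerfile path as the build context (`docker build -t … ${{inputs.dockerfile}}`), which fails for the callers in this diff that pass `dockerfile: Dockerfile`; use `-f` with `.` as the context, and route the path through `env:` like the other values instead of splicing an input into the shell line. Since the callers feed this action long-lived `AWS_ACCESS_KEY`/`AWS_SECRET_ACCESS_KEY` secrets, consider an OIDC `role-to-assume` (with `id-token: write` on the job) rather than static keys, and fix the copy-pasted `image_tag` description (`Directory that must be run against the linters`) to `Tag applied to the pushed image`.
```yaml
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ inputs.aws_region }}
          aws-access-key-id: ${{ inputs.aws_access_key }}
          aws-secret-access-key: ${{ inputs.aws_secret_access_key }}
          # role-to-assume dropped: aws_role_to_assume is not a declared input;
          # declare it (or switch to OIDC) before re-adding a role ARN here

      # … unchanged: Login to Amazon ECR Private …

      - name: Build, tag, and push docker image to Amazon ECR
        env:
          REGISTRY: ${{ inputs.aws_account_id }}.dkr.ecr.${{ inputs.aws_region }}.amazonaws.com
          REPOSITORY: ${{ inputs.repository }}
          IMAGE_TAG: ${{ inputs.image_tag }}
          DOCKERFILE: ${{ inputs.dockerfile }}
        run: |
          docker build -f "$DOCKERFILE" -t "$REGISTRY/$REPOSITORY:$IMAGE_TAG" .
          docker push "$REGISTRY/$REPOSITORY:$IMAGE_TAG"
        shell: bash
```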
@@ -95,11 +95,7 @@ on: type: string required: false default: '' - check_dockerfile: - description: Check dockerfile build. WARNING action total time may increase significantly - type: string - required: false - default: '' + use_postgres: description: Use postgres service @@ -419,12 +415,6 @@ jobs: shell: bash working-directory: ${{ inputs.check_docs_directory }} - - name: Build DockerFile - if: inputs.check_dockerfile - run: | - docker build -f ${{ inputs.check_dockerfile }} . - working-directory: ${{ inputs.working_directory }} - - name: Start services uses: ./.github/actions/services if: inputs.use_postgres || inputs.use_elastic_search || inputs.use_memcached || inputs.use_redis || inputs.use_rabbitmq || inputs.use_mongo diff --git a/.github/workflows/_release_and_tag.yml b/.github/workflows/_release_and_tag.yml index 901d207..0c36225 100644 --- a/.github/workflows/_release_and_tag.yml +++ b/.github/workflows/_release_and_tag.yml 
@@ -31,18 +31,53 @@ on: required: false default: #CyberSecurity + publish_on_ecr: + description: Publish on ecr + type: boolean + required: false + default: false + repository: + description: todo + type: string + required: false + dockerfile: + description: todo + type: string + required: false + aws_region: + description: todo + type: string + required: false + default: eu-central-1 + + jobs: release_and_tag: name: Create release and tag runs-on: ubuntu-latest - if: github.event.pull_request.merged == true && ( github.base_ref == 'master' || github.base_ref == 'main' ) + if: github.event.pull_request.merged == true steps: - uses: actions/checkout@v4 with: fetch-depth: 0 # otherwise, you do not retrieve the tags + - name: Push on ecr branch + uses: ./.github/actions/push_on_ecr + if: github.base_ref == 'master' || github.base_ref == 'main' || github.base_ref == 'develop2' || github.base_ref == 'dev' + env: + TAG=${{ ( github.base_ref == 'main' || github.base_ref == 'master' ) && 'prod' || 'prod' }} + with: + repository: ${{ inputs.repository }} + aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} + aws_access_key: ${{ secrets.AWS_ACCESS_KEY}} + aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + dockerfile: ${{ inputs.dockerfile }} + image_tag: $TAG + aws_region: ${{ inputs.aws_region }} + - name: Check Tag id: check-tag + if: github.base_ref == 'master' || github.base_ref == 'main' run: | if [[ "${{ github.event.pull_request.title }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo "match=true" >> $GITHUB_OUTPUT 
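Review bot: The `publish_on_ecr` input declared at the top of this hunk is never consulted: the `Push on ecr branch` step is gated only on `github.base_ref`, so every merged PR to master/main/develop2/dev builds and pushes even when the caller sets `publish_on_ecr: false`, and because `repository` and `dockerfile` are `required: false` the step fails on empty values rather than being skipped; gate it with `if: inputs.publish_on_ecr && (github.base_ref == 'master' || github.base_ref == 'main' || github.base_ref == 'develop2' || github.base_ref == 'dev')`. The `env:` block is also broken — `TAG=${{ … }}` is a mapping key with a null value, not an environment variable, `with:` values are not shell-expanded so the action receives the literal string `$TAG` as the tag, and both arms of the conditional yield `'prod'`, so dev merges would be tagged prod. Delete the `env:` block and pass the expression directly, `image_tag: ${{ (github.base_ref == 'main' || github.base_ref == 'master') && 'prod' || 'stag' }}` (the `workflows/` copy of this file uses `'stag'`, which looks like the intended value). Relaxing the job-level `if` to `merged == true` lets the job run for any base branch; the steps between this hunk and the next are outside the view, so confirm each is guarded by `check-tag`, which is now skipped on other branches and leaves `match` empty.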
@@ -115,4 +150,16 @@ jobs: api_key: ${{ secrets.TWITTER_API_KEY }} api_key_secret: ${{ secrets.TWITTER_API_KEY_SECRET }} access_token: ${{ secrets.TWITTER_ACCESS_TOKEN }} - access_token_secret: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }} \ No newline at end of file + access_token_secret: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }} + + - name: Push on ecr tag + if: steps.check-tag.outputs.match == 'true' + uses: ./.github/actions/push_on_ecr + with: + repository: ${{ inputs.repository }} + aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} + aws_access_key: ${{ secrets.AWS_ACCESS_KEY}} + aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + dockerfile: ${{ inputs.dockerfile }} + image_tag: ${{ github.event.pull_request.title }} + aws_region: ${{ inputs.aws_region }} \ No newline at end of file diff --git a/.github/workflows/pull_request_automation.yml b/.github/workflows/pull_request_automation.yml index 80f23fe..c039368 100644 --- a/.github/workflows/pull_request_automation.yml +++ b/.github/workflows/pull_request_automation.yml @@ -73,7 +73,6 @@ jobs: check_migrations: true check_requirements_licenses: true check_docs_directory: - check_dockerfile: Dockerfile use_postgres: false use_memcached: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4987b88..02270d6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,3 +20,7 @@ jobs: publish_on_test_pypi: false publish_on_npm: false publish_on_twitter: false + publish_on_ecr: false + repository: certego-test + dockerfile: Dockerfile + aws_region: eu-central-1 \ No newline at end of file diff --git a/actions/push_on_ecr/action.yml b/actions/push_on_ecr/action.yml new file mode 100644 index 0000000..907caa4 --- /dev/null +++ b/actions/push_on_ecr/action.yml 
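Review bot: `Push on ecr tag` is gated only on `steps.check-tag.outputs.match == 'true'`, so the `release.yml` caller in this same change, which sets `publish_on_ecr: false`, still gets a build and push on every release merge; change the guard to `if: steps.check-tag.outputs.match == 'true' && inputs.publish_on_ecr`. The step is also the last in the job, after the Twitter announcement visible at the top of the hunk, so a failed push leaves a release announced with no image — consider running it ahead of the publish steps or as its own job. The `release.yml` hunk passes inputs but no `secrets:` entry; unless the caller's `secrets:` mapping sits above the hunk (not visible here), `AWS_ACCOUNT_ID`, `AWS_ACCESS_KEY` and `AWS_SECRET_ACCESS_KEY` will be empty inside the reusable workflow.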
@@ -0,0 +1,51 @@
+name: Composite action push on ecr
+description: Composite action push on ecr
+inputs:
+ repository:
+ description: Repository name
+ required: true
+ aws_account_id:
+ description: Aws User code
+ required: true
+ aws_access_key:
+ description: Aws access key
+ required: true
+ aws_secret_access_key:
+ description: Aws secret access key
+ required: true
+ dockerfile:
+ description: Path for dockerfile
+ required: true
+ image_tag:
+ description: Directory that must be run against the linters
+ required: true
+
+ aws_region:
+ description: Aws region
+ required: true
+
+runs:
+ using: "composite"
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: ${{ inputs.aws_region}}
+ aws-access-key-id: ${{ inputs.aws_access_key }}
+ aws-secret-access-key: ${{ inputs.secrets_aws_access_key }}
+ role-to-assume: arn:aws:iam::${{inputs.aws_account_id}}:role/${{inputs.aws_role_to_assume}}
+
+ - name: Login to Amazon ECR Private
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+
+
+ - name: Build, tag, and push docker image to Amazon ECR
+ env:
+ REGISTRY: ${{inputs.aws_account_id}}.dkr.ecr.${{inputs.aws_region}}.amazonaws.com
+ REPOSITORY: ${{ inputs.repository }}
+ IMAGE_TAG: ${{ inputs.image_tag }}
+ run: |
+ docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG ${{inputs.dockerfile}}
+ docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
+ shell: bash
\ No newline at end of file
diff --git a/workflows/_python.yml b/workflows/_python.yml
index 57b4c58..ca57c3a 100644
--- a/workflows/_python.yml
+++ b/workflows/_python.yml
@@ -95,11 +95,7 @@ on:
 type: string
 required: false
 default: ''
- check_dockerfile:
- description: Check dockerfile build. WARNING action total time may increase significantly
- type: string
- required: false
- default: ''
+ use_postgres: description: Use postgres service
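Review bot: This file is a byte-for-byte copy (same blob `907caa4`) of `.github/actions/push_on_ecr/action.yml` added earlier in the diff, placed under a top-level `actions/` directory that no workflow in the diff references — both `_release_and_tag.yml` copies use `./.github/actions/push_on_ecr` — so this copy is dead unless some process not shown here syncs the `workflows/`/`actions/` trees into `.github/`. Keeping two copies means every fix (the undeclared `inputs.secrets_aws_access_key` and `inputs.aws_role_to_assume` references in the credentials step, and the Dockerfile path used as the build context in `docker build -t … ${{inputs.dockerfile}}`) has to be made twice; drop this copy or generate it from the other. If the duplication is deliberate, add a header comment to both files, `# Mirror of .github/actions/push_on_ecr/action.yml — keep in sync`, so the next edit does not land in only one of them.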
@@ -419,12 +415,6 @@ jobs: shell: bash working-directory: ${{ inputs.check_docs_directory }} - - name: Build DockerFile - if: inputs.check_dockerfile - run: | - docker build -f ${{ inputs.check_dockerfile }} . - working-directory: ${{ inputs.working_directory }} - - name: Start services uses: ./.github/actions/services if: inputs.use_postgres || inputs.use_elastic_search || inputs.use_memcached || inputs.use_redis || inputs.use_rabbitmq || inputs.use_mongo diff --git a/workflows/_release_and_tag.yml b/workflows/_release_and_tag.yml index 901d207..502098e 100644 --- a/workflows/_release_and_tag.yml +++ b/workflows/_release_and_tag.yml 
@@ -31,18 +31,52 @@ on: required: false default: #CyberSecurity + publish_on_ecr: + description: Publish on ecr + type: boolean + required: false + default: false + repository: + description: todo + type: string + required: false + dockerfile: + description: todo + type: string + required: false + aws_region: + description: todo + type: string + required: false + default: eu-central-1 + + jobs: release_and_tag: name: Create release and tag runs-on: ubuntu-latest - if: github.event.pull_request.merged == true && ( github.base_ref == 'master' || github.base_ref == 'main' ) + if: github.event.pull_request.merged == true steps: - uses: actions/checkout@v4 with: fetch-depth: 0 # otherwise, you do not retrieve the tags + - name: Push on ecr branch + uses: ./.github/actions/push_on_ecr + env: + TAG=${{ ( github.base_ref == 'main' || github.base_ref == 'master' ) && 'prod' || 'stag' }} + with: + repository: ${{ inputs.repository }} + aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} + aws_access_key: ${{ secrets.AWS_ACCESS_KEY}} + aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + dockerfile: ${{ inputs.dockerfile }} + image_tag: $TAG + aws_region: ${{ inputs.aws_region }} + - name: Check Tag id: check-tag + if: github.base_ref == 'master' || github.base_ref == 'main' run: | if [[ "${{ github.event.pull_request.title }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo "match=true" >> $GITHUB_OUTPUT 
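Review bot: In this copy the `Push on ecr branch` step has no `if` at all, so it runs for every merged PR regardless of base branch or of the `publish_on_ecr` input declared at the top of the hunk, and it already diverges from `.github/workflows/_release_and_tag.yml` (different blob, base_ref gate and `'prod'` on both arms of the conditional there) — the two files should not be maintained by hand in parallel. Gate the step with `if: inputs.publish_on_ecr && (github.base_ref == 'master' || github.base_ref == 'main' || github.base_ref == 'develop2' || github.base_ref == 'dev')`. The `env:` entry `TAG=${{ … }}` is a YAML key with a null value, not an environment variable (GitHub's workflow validator will most likely reject it), and `with:` values are not shell-expanded, so the action would receive the literal string `$TAG` as the image tag; delete the `env:` block and pass the expression directly, `image_tag: ${{ (github.base_ref == 'main' || github.base_ref == 'master') && 'prod' || 'stag' }}`.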
@@ -115,4 +149,16 @@ jobs: api_key: ${{ secrets.TWITTER_API_KEY }} api_key_secret: ${{ secrets.TWITTER_API_KEY_SECRET }} access_token: ${{ secrets.TWITTER_ACCESS_TOKEN }} - access_token_secret: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }} \ No newline at end of file + access_token_secret: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }} + + - name: Push on ecr tag + if: steps.check-tag.outputs.match == 'true' + uses: ./.github/actions/push_on_ecr + with: + repository: ${{ inputs.repository }} + aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} + aws_access_key: ${{ secrets.AWS_ACCESS_KEY}} + aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + dockerfile: ${{ inputs.dockerfile }} + image_tag: ${{ github.event.pull_request.title }} + aws_region: ${{ inputs.aws_region }} \ No newline at end of file diff --git a/workflows/pull_request_automation.yml b/workflows/pull_request_automation.yml index 80f23fe..c039368 100644 --- a/workflows/pull_request_automation.yml +++ b/workflows/pull_request_automation.yml @@ -73,7 +73,6 @@ jobs: check_migrations: true check_requirements_licenses: true check_docs_directory: - check_dockerfile: Dockerfile use_postgres: false use_memcached: false diff --git a/workflows/release.yml b/workflows/release.yml index 4987b88..02270d6 100644 --- a/workflows/release.yml +++ b/workflows/release.yml @@ -20,3 +20,7 @@ jobs: publish_on_test_pypi: false publish_on_npm: false publish_on_twitter: false + publish_on_ecr: false + repository: certego-test + dockerfile: Dockerfile + aws_region: eu-central-1 \ No newline at end of file
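Review bot: `image_tag: ${{ github.event.pull_request.title }}` feeds a user-controlled string into the image tag; it is safe here only because `check-tag` accepts nothing but `^[0-9]+\.[0-9]+\.[0-9]+$` and the action passes the value through `env:` rather than into the shell line, and that dependency deserves a comment next to the input, `# PR title already validated as X.Y.Z by check-tag; do not loosen that regex without revisiting this`. The step also ignores `inputs.publish_on_ecr`, so the `workflows/release.yml` hunk below that sets `publish_on_ecr: false` has no effect; use `if: steps.check-tag.outputs.match == 'true' && inputs.publish_on_ecr`.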