-
Notifications
You must be signed in to change notification settings - Fork 2
130 lines (115 loc) · 4.09 KB
/
push-image.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
name: Docker CI
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
push:
paths:
- "app/**"
- "public/**"
- "bun.lockb"
- "package.json"
- "yarn.lock"
- "*config.*"
pull_request_target:
paths:
- "app/**"
- "public/**"
- "bun.lockb"
- "package.json"
- "yarn.lock"
- "*config.*"
workflow_dispatch:
inputs:
push:
description: 'whether to push image'
required: true
default: false
type: boolean
env:
REPOSITORY_OWNER: openup-labtakizawa
REPOSITORY: marukome0743/homepage
GHCR_REGISTRY: ghcr.io
GHCR_REPOSITORY: openup-labtakizawa/homepage
AWS_REGION: ap-northeast-1
ECR_REPOSITORY: homepage
LAMBDA_FUNCTION_NAME: homepage
IS_PUSH: ${{ inputs.push || github.event_name == 'push' && github.repository_owner == 'openup-labtakizawa' && github.ref_name == 'main' }}
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Docker Hub
if: github.repository_owner == env.REPOSITORY_OWNER
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_PAT }}
- name: Login to GitHub Container Registry
if: fromJSON(env.IS_PUSH)
uses: docker/login-action@v3
with:
registry: ${{ env.GHCR_REGISTRY }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Configure AWS credentials
if: fromJSON(env.IS_PUSH)
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: Login to Amazon ECR
if: fromJSON(env.IS_PUSH)
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
- name: Docker Meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.REPOSITORY }}
${{ env.GHCR_REGISTRY }}/${{ env.GHCR_REPOSITORY }}
tags: |
type=ref,event=tag
type=ref,event=pr,prefix=pr-
type=raw,value=canary,enable=${{ github.event_name != 'pull_request_target' }}
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: ${{ fromJSON(env.IS_PUSH) && 'manifest,index' || 'manifest' }}
- name: Build and Push
uses: docker/build-push-action@v5
with:
context: .
platforms: ${{ fromJSON(env.IS_PUSH) && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
push: ${{ fromJSON(env.IS_PUSH) }}
load: ${{ !fromJSON(env.IS_PUSH) }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: false
- name: Build and Push Image to Amazon ECR
if: fromJSON(env.IS_PUSH)
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
IMAGE_TAG: ${{ github.sha }}
run: |
docker build --platform linux/arm64 -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
aws lambda update-function-code --function-name $LAMBDA_FUNCTION_NAME \
--architectures arm64 --image-uri $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
- name: Docker Scout
if: github.repository_owner == env.REPOSITORY_OWNER && github.event_name == 'pull_request_target'
uses: docker/scout-action@v1
with:
command: compare
image: ${{ env.REPOSITORY }}:${{ steps.meta.outputs.version }}
to: ${{ env.GHCR_REGISTRY }}/${{ env.GHCR_REPOSITORY }}:canary
only-severities: critical,high