Create new build-publish-develop workflow that pushes to develop imag…

…e ECR (#6696)

* Create new build-publish-develop workflow that pushes to develop image ECR

Update composite actions to allow AWS authentication via OIDC and rework inputs to support any registry path

* Remove unused image-name input for workflows and action, defaults are sufficient for both non-publish buids and release builds

* rename ecr-prefix input and secret to ecr-hostname, rename ecr-repo-path input to ecr-image-name with description, remove branching aws login logic as the underlying action handles it for us

.github/actions/build-sign-publish-chainlink/action.yml

@@ -1,6 +1,6 @@
 name: Build and Publish Chainlink
 
-description: A composite action that allows building and publishing signed chainlink images. Note that this action only supports public ECR repositories. The value of the registry to login to in the docker/login-action setup is hardcoded to 'public.ecr.aws'
+description: A composite action that allows building and publishing signed chainlink images.
 
 inputs:
   # Inputs for publishing
@@ -9,19 +9,21 @@ inputs:
     default: "false"
     required: false
 
-  image-name:
-    description: The name of the image, should match the repository name in ECR
-    required: true
-
-  ecr-registry:
-    description: The ECR registry to push to, used in docker/login-action and for tagging images
-    default: public.ecr.aws/chainlink
+  ecr-hostname:
+    description: The ECR registry scope
+    default: public.ecr.aws
+    required: false
+  ecr-image-name:
+    description: |
+      The image name with path, in the format of `[registry]/repository`. For private ECR repos the registry name is optional, where for public repos, it is required.
+      Eg. Public ECR repo `chainlink` and registry alias `chainlinklabs` should be `chainlinklabs/chainlink`. For a private ECR repo `chainlink` the image name should be `chainlink`
+    default: chainlink/chainlink
     required: false
   aws-access-key-id:
-    description: The IAM access key used to authenticate to ECR, used in configuring docker/login-action
+    description: The IAM access key used to authenticate to ECR, used in configuring docker/login-action. Omit this and aws-secret-access-key to attempt OIDC authentication
     required: false
   aws-secret-access-key:
-    description: The IAM access key secret used to authenticate to ECR, used in configuring docker/login-action
+    description: The IAM access key secret used to authenticate to ECR, used in configuring docker/login-action. Omit this and aws-secret-access-key to attempt OIDC authentication
     required: false
   aws-role-to-assume:
     description: The AWS role to assume as the CD user, if any. Used in configuring the docker/login-action
@@ -63,7 +65,7 @@ runs:
     shell: sh
     # See https://docs.github.com/en/actions/learn-github-actions/workflow-commands-for-github-actions#multiline-strings
     run: |
-      SHARED_IMAGES=${{ inputs.ecr-registry }}/${{ inputs.image-name }}
+      SHARED_IMAGES=${{ inputs.ecr-hostname }}/${{ inputs.ecr-image-name }}
 
       SHARED_TAG_LIST=$(cat << EOF
       type=ref,event=branch
@@ -90,6 +92,7 @@ runs:
       echo "EOF" >> $GITHUB_ENV
 
   - if: inputs.publish == 'true'
+    # Log in to AWS for publish to ECR, OIDC auth will be attempted instead if both access-key fields are empty
     name: Configure AWS Credentials
     uses: aws-actions/configure-aws-credentials@ea7b857d8a33dc2fb4ef5a724500044281b49a5e # v1.6.0
     with:
@@ -103,7 +106,7 @@ runs:
     name: Login to ECR
     uses: docker/login-action@42d299face0c5c43a0487c477f595ac9cf22f1a7 # v1.12.0
     with:
-      registry: public.ecr.aws
+      registry: ${{ inputs.ecr-hostname }}
 
   - name: Setup Docker Buildx
     uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
@@ -178,7 +181,7 @@ runs:
       echo "Fail build if non-root image runs as user: root"
       # if we're publishing the image, it doesn't get loaded into the local docker daemon
       # so we need to pull the image into our daemon
-      if [ $PUBLISH = "true" ]; then 
+      if [ $PUBLISH = "true" ]; then
        docker pull "${nonroot_image_name}"
       fi
       docker inspect "${nonroot_image_name}" | jq -r '.[].Config.User' | ( ! grep "root" )

.github/workflows/build-publish-develop.yml

@@ -0,0 +1,27 @@
+name: 'Push develop to private ECR'
+
+on:
+  push:
+    branches:
+      - develop
+
+jobs:
+  push-chainlink-develop:
+    runs-on: ubuntu-20.04
+    environment: build-develop
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+
+      - name: Build, sign and publish chainlink image
+        uses: ./.github/actions/build-sign-publish-chainlink
+        with:
+          publish: true
+          aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
+          aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          ecr-hostname: ${{ secrets.AWS_DEVELOP_ECR_HOSTNAME }}
+          ecr-image-name: chainlink

.github/workflows/build-publish.yml

@@ -20,7 +20,6 @@ jobs:
         uses: ./.github/actions/build-sign-publish-chainlink
         with:
           publish: true
-          image-name: chainlink
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}

.github/workflows/build.yml

@@ -18,5 +18,4 @@ jobs:
         uses: ./.github/actions/build-sign-publish-chainlink
         with:
           publish: false
-          image-name: test-chainlink
           sign-images: false