sync #521
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# NOTE refs | |
# - https://github.blog/changelog/2020-04-15-github-actions-new-workflow-features/#new-fromjson-method-in-expressions | |
# - https://stackoverflow.com/questions/59977364/github-actions-how-use-strategy-matrix-with-script | |
name: sync | |
on: | |
pull_request: {} | |
push: | |
branches: | |
- main | |
schedule: | |
- cron: "0 8 * * *" | |
workflow_dispatch: {} | |
permissions: | |
contents: read | |
id-token: write | |
packages: write | |
security-events: write | |
concurrency: | |
group: ${{ github.run_id }} | |
cancel-in-progress: false | |
jobs: | |
sync: | |
env: | |
ECR: 862640294325.dkr.ecr.ap-southeast-2.amazonaws.com | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 | |
- uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main | |
- uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v2.0.0 | |
with: | |
aws-region: ap-southeast-2 | |
role-to-assume: arn:aws:iam::862640294325:role/github-actions-geonet-ecr-push | |
role-duration-seconds: 3600 | |
role-session-name: github-actions-GeoNet--base-images | |
if: github.ref_name == 'main' | |
- name: prepare auth podman | |
env: | |
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }} | |
DOCKER_USER: geonetci | |
RUN_ECR: ${{ github.ref_name == 'main' || 'FALSE' }} | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
auth_tmp=$(mktemp) | |
echo '{}' > $auth_tmp # JSON formating is required | |
podman login --authfile=$auth_tmp -u ${{ github.actor }} --password $GH_TOKEN ghcr.io | |
echo -n $DOCKER_TOKEN | podman login --authfile=$auth_tmp -u $DOCKER_USER --password-stdin docker.io | |
if [ "$RUN_ECR" != "FALSE" ]; then | |
aws ecr get-login-password --region ap-southeast-2 | podman login "$ECR" -u AWS --password-stdin | |
fi | |
podman secret create skopeo-auth $auth_tmp | |
rm $auth_tmp | |
- name: dry run copy to ghcr.io | |
run: | | |
podman run --secret=skopeo-auth -v "${PWD}:/src" -w /src ghcr.io/geonet/base-images/stable:v1.17 sync --retry-times 1 --authfile /run/secrets/skopeo-auth --dry-run --preserve-digests --src yaml --dest docker sync-ghcr.yml ghcr.io/geonet/base-images | |
- name: copy to ghcr.io | |
run: | | |
podman run --secret=skopeo-auth -v "${PWD}:/src" -w /src ghcr.io/geonet/base-images/stable:v1.17 sync --retry-times 1 --authfile /run/secrets/skopeo-auth --preserve-digests --keep-going --src yaml --dest docker sync-ghcr.yml ghcr.io/geonet/base-images | |
if: github.ref_name == 'main' | |
- name: copy to ecr | |
run: | | |
podman run --secret=skopeo-auth -v "${PWD}:/src" -w /src ghcr.io/geonet/base-images/stable:v1.17 sync --retry-times 1 --authfile /run/secrets/skopeo-auth --preserve-digests --src yaml --dest docker sync-ecr.yml 862640294325.dkr.ecr.ap-southeast-2.amazonaws.com | |
if: github.ref_name == 'main' |