Fe 1441 advanced docker build push ecr

.github/workflows/_test-docker.yaml

@@ -6,6 +6,7 @@ on:
       - ".github/workflows/_test-docker.yaml"
       - ".github/workflows/docker-*.yaml"
       - "tests/docker/**"
+      - "docker/metadata-action/**"
 
 jobs:
   test_docker_build_push_ecr:
@@ -72,3 +73,41 @@ jobs:
       docker_context: tests/docker
       docker_push: false
       artifact_name: docker-artifacts
+
+  prep_test_docker_build_push_ecr_advanced:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Build meta and tags
+        id: docker_meta
+        uses: docker/metadata-action@v5
+        with:
+          images: 488017668515.dkr.ecr.eu-central-1.amazonaws.com/sam
+          tags: |
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,${{ steps.current-time.outputs.formattedTime }}.${{ github.run_number }}
+            type=raw,{{branch}}.${{ github.run_number }}
+          labels: |
+            org.opencontainers.image.title=Feed Sam Service
+            org.opencontainers.image.description=Feed image rendering service
+            org.opencontainers.image.vendor=tx.group
+            org.opencontainers.image.authors=Christian Jürges
+    outputs:
+      tags: ${{ steps.docker_meta.outputs.tags }}
+      labels: ${{ steps.docker_meta.outputs.labels }}
+      docker_build_args: |
+        GO_VERSION=${{ env.GO_VERSION }}
+        ALPINE_VERSION=${{ env.ALPINE_VERSION }}
+
+  test_docker_build_push_ecr_advanced:
+    needs: prep_test_docker_build_push_ecr_advanced
+    uses: ./.github/workflows/docker-build-push-ecr-advanced.yaml
+    with:
+      aws_account_id: ${{ vars.aws_account_id }}
+      aws_region: ${{ vars.aws_region }}
+      aws_role_name: ${{ vars.aws_role_name }}
+      dockerfile_path: tests/docker/alpine/build/Dockerfile
+      image_tags: ${{ toJSON(needs.prep_test_docker_build_push_ecr_advanced.outputs.tags) }}
+      image_labels: ${{ toJSON(needs.prep_test_docker_build_push_ecr_advanced.outputs.labels) }}
+      docker_build_args: ${{ needs.prep_test_docker_build_push_ecr_advanced.outputs.docker_build_args }}

.github/workflows/docker-build-push-ecr-advanced.yaml

@@ -0,0 +1,134 @@
+name: Docker Build and Push to ECR
+run-name: Docker Build and Push to ECR run by ${{ github.actor }}
+
+on:
+  workflow_call:
+    secrets:
+      docker_secrets:
+        description: "Comma-delimited list of Github secrets to pass to docker build workflow"
+        required: false
+    inputs:
+      environment:
+        description: "Environment to run the build in"
+        type: string
+      aws_account_id:
+        description: "AWS Account ID"
+        type: string
+      aws_region:
+        description: "AWS Region"
+        type: string
+      aws_role_name:
+        description: "AWS Role Name"
+        type: string
+      aws_oidc_role_arn:
+        description: "AWS OIDC IAM role to assume"
+        type: string
+      image_tags:
+        description: "toJSON() string with full repo/image:tag list"
+        type: string
+        required: true
+      image_labels:
+        description: "toJSON() JSON string with image labels"
+        type: string
+        default: "{}"
+      docker_build_args:
+        description: "array string with build args"
+        type: string
+        default: "[]"
+      docker_context:
+        description: "Path to the build context"
+        type: string
+      dockerfile_path:
+        description: "Path to the Dockerfile. If not defined, will default to {docker_context}/Dockerfile"
+        type: string
+      docker_push:
+        description: "Push Image to ECR"
+        type: boolean
+        default: true
+      docker_target:
+        description: "Build target"
+        type: string
+      artifact_name:
+        description: "Artifact name to be downloaded before building"
+        type: string
+      artifact_path:
+        description: "Artifact target path"
+        type: string
+      runner_labels:
+        description: "Runner that the main job should run on as JSON encoded list."
+        type: string
+        default: " ['ubuntu-latest'] "
+
+
+jobs:
+  prereq: # this job is required to pass the runner_labels to the build job!
+    runs-on: ubuntu-latest
+    steps:
+      - id: prereq
+        name: Provision step # at least one step is required in a job
+        run: |
+          echo "image tags: ${{ inputs.image_tags }}"
+          echo "image labels: ${{ inputs.image_labels }}"
+          echo "build args: ${{ inputs.docker_build_args }}"
+    outputs:
+      runner_labels: ${{ inputs.runner_labels }}
+      image_tags: ${{ inputs.image_tags }}
+      image_labels: ${{ inputs.image_labels }}
+      build_args: ${{ inputs.docker_build_args }}
+
+  build:
+    needs: prereq
+    runs-on: ${{ fromJSON(needs.prereq.outputs.runner_labels) }}
+    environment: ${{ inputs.environment }}
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Check out code
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+
+      - name: Download artifacts to pass to docker build
+        if: ${{ inputs.artifact_name || inputs.artifact_path }} # avoid downloading artifacts if not needed
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
+        env:
+          ARTIFACT_NAME: ${{ inputs.artifact_name || vars.artifact_name }}
+          ARTIFACT_PATH: ${{ inputs.artifact_path || vars.artifact_path }}
+        with:
+          name: ${{ env.ARTIFACT_NAME }}
+          path: ${{ env.ARTIFACT_PATH }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
+        env:
+          ROLE_TO_ASSUME: ${{ inputs.aws_oidc_role_arn || vars.aws_oidc_role_arn || format('arn:aws:iam::{0}:role/{1}', inputs.aws_account_id, inputs.aws_role_name) }}
+          AWS_REGION: ${{ inputs.aws_region || vars.aws_region || 'eu-central-1' }}
+        with:
+          role-to-assume: ${{ env.ROLE_TO_ASSUME }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2
+
+      - name: Build and export
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6
+        env:
+          DOCKER_CTX: ${{ inputs.docker_context || vars.docker_context || '.' }}
+          DOCKERFILE_PATH: ${{ inputs.dockerfile_path || vars.dockerfile_path }} # upstream defaults to {DOCKER_CTX}/Dockerfile
+          DOCKER_TARGET: ${{ inputs.docker_target || vars.docker_target }}
+        with:
+          context: ${{ env.DOCKER_CTX }}
+          file: ${{ env.DOCKERFILE_PATH }}
+          secrets: ${{ secrets.docker_secrets }}
+          # platforms: linux/amd64,linux/arm64 # TODO add support for multi-arch builds
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          push: ${{ inputs.docker_push }}
+          target: ${{ env.DOCKER_TARGET }}
+          tags: ${{ fromJSON(needs.prereq.outputs.image_tags) }}
+          labels: ${{ fromJSON(needs.prereq.outputs.image_labels) }}
+          build-args: ${{ needs.prereq.outputs.build_args }}

.github/workflows/docker-build-push-ecr.yaml

@@ -60,6 +60,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
+      pull-requests: write
     steps:
       - name: Check out code
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

.github/workflows/docker-build.yaml

@@ -26,6 +26,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
+      pull-requests: write
     steps:
       - name: Check out code
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

.github/workflows/docker-push-ecr.yaml

@@ -33,6 +33,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
+      pull-requests: write
     steps:
       - name: Download artifact
         env:

docs/workflows/docker-build-push-ecr-advanced.md

@@ -0,0 +1,154 @@
+---
+title: Docker Build and Push to ECR
+---
+
+<!-- action-docs-header source=".github/workflows/docker-build-push-ecr-advanced.yaml" -->
+# Docker Build and Push to ECR
+<!-- action-docs-header source=".github/workflows/docker-build-push-ecr-advanced.yaml" -->
+
+## Description
+
+<!-- action-docs-inputs source=".github/workflows/docker-build-push-ecr-advanced.yaml" -->
+## Inputs
+
+| name | description | type | required | default |
+| --- | --- | --- | --- | --- |
+| `environment` | <p>Environment to run the build in</p> | `string` | `false` | `""` |
+| `aws_account_id` | <p>AWS Account ID</p> | `string` | `false` | `""` |
+| `aws_region` | <p>AWS Region</p> | `string` | `false` | `""` |
+| `aws_role_name` | <p>AWS Role Name</p> | `string` | `false` | `""` |
+| `aws_oidc_role_arn` | <p>AWS OIDC IAM role to assume</p> | `string` | `false` | `""` |
+| `image_tags` | <p>toJSON() string with full repo/image:tag list</p> | `string` | `true` | `""` |
+| `image_labels` | <p>toJSON() JSON string with image labels</p> | `string` | `false` | `{}` |
+| `docker_build_args` | <p>array string with build args</p> | `string` | `false` | `[]` |
+| `docker_context` | <p>Path to the build context</p> | `string` | `false` | `""` |
+| `dockerfile_path` | <p>Path to the Dockerfile. If not defined, will default to {docker_context}/Dockerfile</p> | `string` | `false` | `""` |
+| `docker_push` | <p>Push Image to ECR</p> | `boolean` | `false` | `true` |
+| `docker_target` | <p>Build target</p> | `string` | `false` | `""` |
+| `artifact_name` | <p>Artifact name to be downloaded before building</p> | `string` | `false` | `""` |
+| `artifact_path` | <p>Artifact target path</p> | `string` | `false` | `""` |
+| `runner_labels` | <p>Runner that the main job should run on as JSON encoded list.</p> | `string` | `false` | ` ['ubuntu-latest'] ` |
+<!-- action-docs-inputs source=".github/workflows/docker-build-push-ecr-advanced.yaml" -->
+
+<!-- action-docs-outputs source=".github/workflows/docker-build-push-ecr-advanced.yaml" -->
+
+<!-- action-docs-outputs source=".github/workflows/docker-build-push-ecr-advanced.yaml" -->
+
+<!-- action-docs-usage source=".github/workflows/docker-build-push-ecr-advanced.yaml" project="tx-pts-dai/github-workflows/.github/workflows/docker-build-push-ecr-advanced.yaml" version="v1" -->
+## Usage
+
+```yaml
+jobs:
+  job1:
+    uses: tx-pts-dai/github-workflows/.github/workflows/docker-build-push-ecr-advanced.yaml@v1
+    with:
+      environment:
+      # Environment to run the build in
+      #
+      # Type: string
+      # Required: false
+      # Default: ""
+
+      aws_account_id:
+      # AWS Account ID
+      #
+      # Type: string
+      # Required: false
+      # Default: ""
+
+      aws_region:
+      # AWS Region
+      #
+      # Type: string
+      # Required: false
+      # Default: ""
+
+      aws_role_name:
+      # AWS Role Name
+      #
+      # Type: string
+      # Required: false
+      # Default: ""
+
+      aws_oidc_role_arn:
+      # AWS OIDC IAM role to assume
+      #
+      # Type: string
+      # Required: false
+      # Default: ""
+
+      image_tags:
+      # toJSON() string with full repo/image:tag list
+      #
+      # Type: string
+      # Required: true
+      # Default: ""
+
+      image_labels:
+      # toJSON() JSON string with image labels
+      #
+      # Type: string
+      # Required: false
+      # Default: {}
+
+      docker_build_args:
+      # array string with build args
+      #
+      # Type: string
+      # Required: false
+      # Default: []
+
+      docker_context:
+      # Path to the build context
+      #
+      # Type: string
+      # Required: false
+      # Default: ""
+
+      dockerfile_path:
+      # Path to the Dockerfile. If not defined, will default to {docker_context}/Dockerfile
+      #
+      # Type: string
+      # Required: false
+      # Default: ""
+
+      docker_push:
+      # Push Image to ECR
+      #
+      # Type: boolean
+      # Required: false
+      # Default: true
+
+      docker_target:
+      # Build target
+      #
+      # Type: string
+      # Required: false
+      # Default: ""
+
+      artifact_name:
+      # Artifact name to be downloaded before building
+      #
+      # Type: string
+      # Required: false
+      # Default: ""
+
+      artifact_path:
+      # Artifact target path
+      #
+      # Type: string
+      # Required: false
+      # Default: ""
+
+      runner_labels:
+      # Runner that the main job should run on as JSON encoded list.
+      #
+      # Type: string
+      # Required: false
+      # Default:  ['ubuntu-latest'] 
+```
+<!-- action-docs-usage source=".github/workflows/docker-build-push-ecr-advanced.yaml" project="tx-pts-dai/github-workflows/.github/workflows/docker-build-push-ecr-advanced.yaml" version="v1" -->
+
+# Example
+
+# FAQ

tests/docker/alpine/Dockerfile

@@ -0,0 +1,8 @@
+ARG GO_VERSION
+ARG ALPINE_VERSION
+# compile sam
+FROM public.ecr.aws/docker/library/golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS builder
+
+WORKDIR /app
+RUN echo "Hello, world!"
+RUN echo "Using go version ${GO_VERSION} and alpine version ${ALPINE_VERSION}"