name: pulumi sdk containers build on: repository_dispatch: types: - docker-build env: VERSION: ${{ github.event.client_payload.ref }} GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} jobs: pulumi: name: pulumi image build runs-on: ubuntu-latest strategy: fail-fast: false steps: - uses: actions/checkout@v2 - name: Build Pulumi Image uses: pulumi/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22 with: repository: pulumi/pulumi username: "pulumibot" password: ${{ secrets.DOCKER_HUB_TOKEN }} dockerfile: docker/pulumi/Dockerfile additional-tags: v${{ env.VERSION }} tag-latest: true build-args: PULUMI_VERSION=v${{ env.VERSION }} - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-region: us-east-2 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} role-duration-seconds: 3600 role-external-id: upload-pulumi-release role-session-name: pulumi@githubActions role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} - name: Get Public ECR Authorization token run: | aws --region us-east-1 ecr-public get-authorization-token \ --query 'authorizationData.authorizationToken' | \ tr -d '"' | base64 --decode | cut -d: -f2 | \ docker login -u AWS --password-stdin https://public.ecr.aws - name: Publish pulumi/pulumi image to AWS Public ECR run: | docker tag pulumi/pulumi:v${{ env.VERSION }} public.ecr.aws/pulumi/pulumi:v${{ env.VERSION }} docker tag pulumi/pulumi:latest public.ecr.aws/pulumi/pulumi:latest docker push public.ecr.aws/pulumi/pulumi:v${{ env.VERSION }} docker push public.ecr.aws/pulumi/pulumi:latest base: name: base sdk image build runs-on: ubuntu-latest strategy: fail-fast: false steps: - uses: actions/checkout@master - name: Build base image uses: pulumi/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22 with: repository: pulumi/pulumi-base buildkit: true username: "pulumibot" password: ${{ secrets.DOCKER_HUB_TOKEN }} dockerfile: docker/base/Dockerfile additional-tags: ${{ env.VERSION }} tag-latest: true build-args: PULUMI_VERSION=${{ env.VERSION }} - uses: meeDamian/sync-readme@v1.0.6 name: Sync readme to Docker Hub with: user: "pulumibot" pass: ${{ secrets.DOCKER_HUB_TOKEN }} slug: pulumi/pulumi-base readme: docker/README.md description: Pulumi CLI container - bring your own SDK base_os: name: os base sdk image build runs-on: ubuntu-latest strategy: fail-fast: false matrix: os: ["ubi", "debian"] steps: - uses: actions/checkout@master - name: Build base image uses: pulumi/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22 with: repository: pulumi/pulumi-base buildkit: true username: "pulumibot" password: ${{ secrets.DOCKER_HUB_TOKEN }} dockerfile: docker/base/Dockerfile.${{ matrix.os }} additional-tags: ${{ env.VERSION }}-${{ matrix.os }} tag-latest: false build-args: PULUMI_VERSION=${{ env.VERSION }} sdk: name: language sdk image runs-on: ubuntu-latest needs: base strategy: fail-fast: false matrix: sdk: ["nodejs", "python", "dotnet", "go"] steps: - uses: actions/checkout@master - name: Build image uses: pulumi/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22 with: repository: pulumi/pulumi-${{matrix.sdk}} buildkit: true username: "pulumibot" password: ${{ secrets.DOCKER_HUB_TOKEN }} dockerfile: docker/${{ matrix.sdk }}/Dockerfile additional-tags: ${{ env.VERSION }} build-args: PULUMI_VERSION=${{ env.VERSION }} tag-latest: true - uses: meeDamian/sync-readme@v1.0.6 name: Sync readme to Docker Hub with: user: "pulumibot" pass: ${{ secrets.DOCKER_HUB_TOKEN }} slug: pulumi/pulumi-${{matrix.sdk}} readme: docker/README.md description: Pulumi CLI container for ${{ matrix.sdk }} - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-region: us-east-2 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} role-duration-seconds: 3600 role-external-id: upload-pulumi-release role-session-name: pulumi@githubActions role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} - name: Get Public ECR Authorization token run: | aws --region us-east-1 ecr-public get-authorization-token \ --query 'authorizationData.authorizationToken' | \ tr -d '"' | base64 --decode | cut -d: -f2 | \ docker login -u AWS --password-stdin https://public.ecr.aws - name: Publish pulumi/pulumi-${{matrix.sdk}} image to AWS Public ECR run: | docker tag pulumi/pulumi-${{matrix.sdk}}:latest public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:latest docker push public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:latest docker tag pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }} public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }} docker push public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }} os_sdk: name: os language sdk image runs-on: ubuntu-latest needs: base_os strategy: fail-fast: false matrix: sdk: ["nodejs", "python", "dotnet", "go"] os: ["ubi", "debian"] steps: - uses: actions/checkout@master - name: Build image uses: pulumi/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22 with: repository: pulumi/pulumi-${{matrix.sdk}} buildkit: true username: "pulumibot" password: ${{ secrets.DOCKER_HUB_TOKEN }} dockerfile: docker/${{ matrix.sdk }}/Dockerfile.${{ matrix.os }} additional-tags: ${{ env.VERSION }}-${{ matrix.os }} build-args: PULUMI_VERSION=${{ env.VERSION }} tag-latest: false - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-region: us-east-2 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} role-duration-seconds: 3600 role-external-id: upload-pulumi-release role-session-name: pulumi@githubActions role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} - name: Get Public ECR Authorization token run: | aws --region us-east-1 ecr-public get-authorization-token \ --query 'authorizationData.authorizationToken' | \ tr -d '"' | base64 --decode | cut -d: -f2 | \ docker login -u AWS --password-stdin https://public.ecr.aws - name: Publish pulumi/pulumi-${{matrix.sdk}} image to AWS Public ECR run: | docker tag pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }}-${{ matrix.os }} public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }}-${{ matrix.os }} docker push public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }}-${{ matrix.os }} image-scan: name: scan container images runs-on: ubuntu-latest needs: os_sdk continue-on-error: true strategy: matrix: image: ["base", "nodejs", "python", "go"] os: ["ubi"] steps: - uses: actions/checkout@master - name: Run Snyk to check Docker images for vulnerabilities uses: snyk/actions/docker@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: image: pulumi/pulumi-${{matrix.image}}:${{ env.VERSION }}-${{ matrix.os }} args: --severity-threshold=high --file=docker/${{matrix.image}}/Dockerfile.${{ matrix.os }}