208 lines
8.2 KiB
YAML
208 lines
8.2 KiB
YAML
name: pulumi sdk containers build
|
|
on:
|
|
repository_dispatch:
|
|
types:
|
|
- docker-build
|
|
env:
|
|
VERSION: ${{ github.event.client_payload.ref }}
|
|
GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
|
|
|
|
jobs:
|
|
pulumi:
|
|
name: pulumi image build
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: false
|
|
steps:
|
|
- uses: actions/checkout@v2
|
|
- name: Build Pulumi Image
|
|
uses: pulumi/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
|
|
with:
|
|
repository: pulumi/pulumi
|
|
username: "pulumibot"
|
|
password: ${{ secrets.DOCKER_HUB_TOKEN }}
|
|
dockerfile: docker/pulumi/Dockerfile
|
|
additional-tags: v${{ env.VERSION }}
|
|
tag-latest: true
|
|
build-args: PULUMI_VERSION=v${{ env.VERSION }}
|
|
- name: Configure AWS Credentials
|
|
uses: aws-actions/configure-aws-credentials@v1
|
|
with:
|
|
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
aws-region: us-east-2
|
|
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
role-duration-seconds: 3600
|
|
role-external-id: upload-pulumi-release
|
|
role-session-name: pulumi@githubActions
|
|
role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
|
|
- name: Get Public ECR Authorization token
|
|
run: |
|
|
aws --region us-east-1 ecr-public get-authorization-token \
|
|
--query 'authorizationData.authorizationToken' | \
|
|
tr -d '"' | base64 --decode | cut -d: -f2 | \
|
|
docker login -u AWS --password-stdin https://public.ecr.aws
|
|
- name: Publish pulumi/pulumi image to AWS Public ECR
|
|
run: |
|
|
docker tag pulumi/pulumi:v${{ env.VERSION }} public.ecr.aws/pulumi/pulumi:v${{ env.VERSION }}
|
|
docker tag pulumi/pulumi:latest public.ecr.aws/pulumi/pulumi:latest
|
|
docker push public.ecr.aws/pulumi/pulumi:v${{ env.VERSION }}
|
|
docker push public.ecr.aws/pulumi/pulumi:latest
|
|
base:
|
|
name: base sdk image build
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: false
|
|
steps:
|
|
- uses: actions/checkout@master
|
|
- name: Build base image
|
|
uses: pulumi/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
|
|
with:
|
|
repository: pulumi/pulumi-base
|
|
buildkit: true
|
|
username: "pulumibot"
|
|
password: ${{ secrets.DOCKER_HUB_TOKEN }}
|
|
dockerfile: docker/base/Dockerfile
|
|
additional-tags: ${{ env.VERSION }}
|
|
tag-latest: true
|
|
build-args: PULUMI_VERSION=${{ env.VERSION }}
|
|
- uses: meeDamian/sync-readme@v1.0.6
|
|
name: Sync readme to Docker Hub
|
|
with:
|
|
user: "pulumibot"
|
|
pass: ${{ secrets.DOCKER_HUB_TOKEN }}
|
|
slug: pulumi/pulumi-base
|
|
readme: docker/README.md
|
|
description: Pulumi CLI container - bring your own SDK
|
|
base_os:
|
|
name: os base sdk image build
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: ["ubi", "debian"]
|
|
steps:
|
|
- uses: actions/checkout@master
|
|
- name: Build base image
|
|
uses: pulumi/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
|
|
with:
|
|
repository: pulumi/pulumi-base
|
|
buildkit: true
|
|
username: "pulumibot"
|
|
password: ${{ secrets.DOCKER_HUB_TOKEN }}
|
|
dockerfile: docker/base/Dockerfile.${{ matrix.os }}
|
|
additional-tags: ${{ env.VERSION }}-${{ matrix.os }}
|
|
tag-latest: false
|
|
build-args: PULUMI_VERSION=${{ env.VERSION }}
|
|
sdk:
|
|
name: language sdk image
|
|
runs-on: ubuntu-latest
|
|
needs: base
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
sdk: ["nodejs", "python", "dotnet", "go"]
|
|
steps:
|
|
- uses: actions/checkout@master
|
|
- name: Build image
|
|
uses: pulumi/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
|
|
with:
|
|
repository: pulumi/pulumi-${{matrix.sdk}}
|
|
buildkit: true
|
|
username: "pulumibot"
|
|
password: ${{ secrets.DOCKER_HUB_TOKEN }}
|
|
dockerfile: docker/${{ matrix.sdk }}/Dockerfile
|
|
additional-tags: ${{ env.VERSION }}
|
|
build-args: PULUMI_VERSION=${{ env.VERSION }}
|
|
tag-latest: true
|
|
- uses: meeDamian/sync-readme@v1.0.6
|
|
name: Sync readme to Docker Hub
|
|
with:
|
|
user: "pulumibot"
|
|
pass: ${{ secrets.DOCKER_HUB_TOKEN }}
|
|
slug: pulumi/pulumi-${{matrix.sdk}}
|
|
readme: docker/README.md
|
|
description: Pulumi CLI container for ${{ matrix.sdk }}
|
|
- name: Configure AWS Credentials
|
|
uses: aws-actions/configure-aws-credentials@v1
|
|
with:
|
|
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
aws-region: us-east-2
|
|
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
role-duration-seconds: 3600
|
|
role-external-id: upload-pulumi-release
|
|
role-session-name: pulumi@githubActions
|
|
role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
|
|
- name: Get Public ECR Authorization token
|
|
run: |
|
|
aws --region us-east-1 ecr-public get-authorization-token \
|
|
--query 'authorizationData.authorizationToken' | \
|
|
tr -d '"' | base64 --decode | cut -d: -f2 | \
|
|
docker login -u AWS --password-stdin https://public.ecr.aws
|
|
- name: Publish pulumi/pulumi-${{matrix.sdk}} image to AWS Public ECR
|
|
run: |
|
|
docker tag pulumi/pulumi-${{matrix.sdk}}:latest public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:latest
|
|
docker push public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:latest
|
|
|
|
docker tag pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }} public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }}
|
|
docker push public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }}
|
|
os_sdk:
|
|
name: os language sdk image
|
|
runs-on: ubuntu-latest
|
|
needs: base_os
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
sdk: ["nodejs", "python", "dotnet", "go"]
|
|
os: ["ubi", "debian"]
|
|
steps:
|
|
- uses: actions/checkout@master
|
|
- name: Build image
|
|
uses: pulumi/action-docker-build@e98e474ca0312b1a0300cdbf9357dd2df3c62c22
|
|
with:
|
|
repository: pulumi/pulumi-${{matrix.sdk}}
|
|
buildkit: true
|
|
username: "pulumibot"
|
|
password: ${{ secrets.DOCKER_HUB_TOKEN }}
|
|
dockerfile: docker/${{ matrix.sdk }}/Dockerfile.${{ matrix.os }}
|
|
additional-tags: ${{ env.VERSION }}-${{ matrix.os }}
|
|
build-args: PULUMI_VERSION=${{ env.VERSION }}
|
|
tag-latest: false
|
|
- name: Configure AWS Credentials
|
|
uses: aws-actions/configure-aws-credentials@v1
|
|
with:
|
|
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
aws-region: us-east-2
|
|
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
role-duration-seconds: 3600
|
|
role-external-id: upload-pulumi-release
|
|
role-session-name: pulumi@githubActions
|
|
role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
|
|
- name: Get Public ECR Authorization token
|
|
run: |
|
|
aws --region us-east-1 ecr-public get-authorization-token \
|
|
--query 'authorizationData.authorizationToken' | \
|
|
tr -d '"' | base64 --decode | cut -d: -f2 | \
|
|
docker login -u AWS --password-stdin https://public.ecr.aws
|
|
- name: Publish pulumi/pulumi-${{matrix.sdk}} image to AWS Public ECR
|
|
run: |
|
|
docker tag pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }}-${{ matrix.os }} public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }}-${{ matrix.os }}
|
|
docker push public.ecr.aws/pulumi/pulumi-${{matrix.sdk}}:${{ env.VERSION }}-${{ matrix.os }}
|
|
image-scan:
|
|
name: scan container images
|
|
runs-on: ubuntu-latest
|
|
needs: os_sdk
|
|
continue-on-error: true
|
|
strategy:
|
|
matrix:
|
|
image: ["base", "nodejs", "python", "go"]
|
|
os: ["ubi"]
|
|
steps:
|
|
- uses: actions/checkout@master
|
|
- name: Run Snyk to check Docker images for vulnerabilities
|
|
uses: snyk/actions/docker@master
|
|
env:
|
|
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
|
with:
|
|
image: pulumi/pulumi-${{matrix.image}}:${{ env.VERSION }}-${{ matrix.os }}
|
|
args: --severity-threshold=high --file=docker/${{matrix.image}}/Dockerfile.${{ matrix.os }}
|