harden valid group info check #476
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: 'Build Stream Metadata Docker Image' | |
on: | |
push: | |
branches: | |
- main | |
paths: | |
- 'packages/stream-metadata/**' | |
- 'packages/**' | |
workflow_dispatch: | |
inputs: | |
is_latest: # This is a boolean input | |
description: 'Add docker:latest tag' | |
required: true | |
default: false | |
type: boolean | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CD_WORKFLOW_WEBHOOK_URL }} | |
jobs: | |
build: | |
name: Build docker image | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
packages: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: us-east-1 | |
- name: Login to Amazon ECR | |
id: login-aws-ecr | |
uses: aws-actions/amazon-ecr-login@v2 | |
with: | |
registry-type: 'public' | |
- name: Build and push docker image to Amazon ECR | |
env: | |
ECR_REGISTRY: ${{ steps.login-aws-ecr.outputs.registry }} | |
#This can be custom alias once requested to aws and approved for public repo | |
REGISTRY_ALIAS: h5v6m2x1 | |
ECR_REPOSITORY: river-stream-metadata | |
IS_LATEST_OR_PUSH: ${{ github.event_name == 'push' || github.event.inputs.is_latest }} | |
run: | | |
docker build \ | |
--build-arg GIT_SHA=${{ github.sha }} \ | |
-f ./packages/stream-metadata/Dockerfile \ | |
-t $ECR_REGISTRY/$REGISTRY_ALIAS/$ECR_REPOSITORY:latest \ | |
-t $ECR_REGISTRY/$REGISTRY_ALIAS/$ECR_REPOSITORY:${{ github.sha }} \ | |
. | |
if [ $IS_LATEST_OR_PUSH == true ]; then | |
echo "Pushing docker image with latest tag" | |
docker push $ECR_REGISTRY/$REGISTRY_ALIAS/$ECR_REPOSITORY:latest | |
else | |
echo "Not pushing docker image with latest tag" | |
fi | |
docker push $ECR_REGISTRY/$REGISTRY_ALIAS/$ECR_REPOSITORY:${{ github.sha }} | |
# If action failed, we send a slack notification | |
- name: Slack notification | |
if: failure() | |
uses: slackapi/[email protected] | |
with: | |
payload: | | |
{ | |
"step": "Build Stream Metadata Docker Image", | |
"environment": "N/", | |
"branch": "${{ github.ref }}", | |
"url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}", | |
"commit": "${{ github.sha }}", | |
"actor": "${{ github.actor }}" | |
} |