Report AWS operations with service identity #1257
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build | |
concurrency: | |
group: "${{ github.repository }}${{ github.ref }}" | |
cancel-in-progress: true | |
on: | |
pull_request: | |
types: | |
- opened | |
- synchronize | |
push: | |
branches: | |
- main | |
- develop | |
env: | |
REGISTRY: us-central1-docker.pkg.dev/main-383408/otterize | |
jobs: | |
build: | |
if: (github.event_name == 'push' && github.repository == 'otterize/network-mapper') || github.event.pull_request.head.repo.full_name == 'otterize/network-mapper' | |
name: Build | |
runs-on: ubuntu-latest | |
outputs: | |
registry: ${{ steps.registry.outputs.registry }} # workaround since env is not available outside of steps, i.e. in calling external workflows like we later do in e2e-test | |
strategy: | |
matrix: | |
service: | |
- mapper | |
- sniffer | |
- kafka-watcher | |
steps: | |
- id: registry | |
run: echo "registry=${{ env.REGISTRY }}" >> "$GITHUB_OUTPUT" | |
- name: Checkout | |
uses: actions/checkout@v2 | |
with: | |
submodules: recursive | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@master | |
with: | |
driver-opts: network=host | |
- name: Login to GCR | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: _json_key_base64 | |
password: ${{ secrets.B64_GCLOUD_SERVICE_ACCOUNT_JSON }} | |
- name: Login to DockerHub | |
uses: docker/login-action@v1 | |
with: | |
username: otterize | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Test & Build production image | |
uses: docker/build-push-action@v2 | |
with: | |
context: src/ | |
file: build/${{ matrix.service }}.Dockerfile | |
tags: ${{ env.REGISTRY }}/${{ matrix.service }}:${{ github.sha }} | |
push: true | |
network: host | |
platforms: linux/amd64,linux/arm64 | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
build-args: | | |
"VERSION=0.0.${{ github.run_id }}" | |
build-iamlive: | |
name: Build (IAMLive) | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout IAMLive fork | |
uses: actions/checkout@v2 | |
with: | |
repository: otterize/iamlive | |
path: iamlive | |
ref: main | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@master | |
with: | |
driver-opts: network=host | |
- name: Login to GCR | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: _json_key_base64 | |
password: ${{ secrets.B64_GCLOUD_SERVICE_ACCOUNT_JSON }} | |
- name: Test & Build production image | |
uses: docker/build-push-action@v2 | |
with: | |
context: iamlive/ | |
file: iamlive/Dockerfile | |
tags: ${{ env.REGISTRY }}/iamlive:${{ github.sha }} | |
push: true | |
network: host | |
platforms: linux/amd64,linux/arm64 | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
build-args: | | |
"VERSION=0.0.${{ github.run_id }}" | |
e2e-test: | |
uses: ./.github/workflows/e2e-test.yaml | |
name: Trigger e2e tests | |
# Must pass the secrets as the called workflow does not have access to the same context | |
secrets: | |
B64_GCLOUD_SERVICE_ACCOUNT_JSON: ${{ secrets.B64_GCLOUD_SERVICE_ACCOUNT_JSON }} | |
with: | |
registry: ${{ needs.build.outputs.registry }} | |
mapper-tag: ${{ github.sha }} | |
sniffer-tag: ${{ github.sha }} | |
mapper-image: mapper | |
sniffer-image: sniffer | |
needs: | |
- build | |
tag-latest: | |
name: Tag latest | |
if: github.ref == 'refs/heads/main' | |
needs: e2e-test | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
- name: GCP auth | |
uses: 'google-github-actions/auth@v1' | |
with: | |
credentials_json: ${{ secrets.B64_GCLOUD_SERVICE_ACCOUNT_JSON }} | |
- name: Set up Cloud SDK | |
uses: 'google-github-actions/setup-gcloud@v1' | |
# Push the Docker image to AWS ECR | |
- name: Tag Images as latest | |
run: |- | |
retag_image_as_latest() { if [[ $(gcloud container images add-tag "${{ env.REGISTRY }}/$1:${{ github.sha }}" "${{ env.REGISTRY }}/$1:latest" --quiet) ]]; then echo "Failed tagging $1 as latest"; exit 1; fi } # using --quiet to avoid prompt | |
retag_image_as_latest mapper | |
retag_image_as_latest sniffer | |
retag_image_as_latest kafka-watcher |