Skip to content

sync

sync #534

Workflow file for this run

# NOTE refs
# - https://github.blog/changelog/2020-04-15-github-actions-new-workflow-features/#new-fromjson-method-in-expressions
# - https://stackoverflow.com/questions/59977364/github-actions-how-use-strategy-matrix-with-script
name: sync
on:
pull_request: {}
push:
branches:
- main
schedule:
- cron: "0 8 * * *"
workflow_dispatch: {}
permissions:
contents: read
id-token: write
packages: write
security-events: write
concurrency:
group: ${{ github.run_id }}
cancel-in-progress: false
jobs:
sync:
env:
ECR: 862640294325.dkr.ecr.ap-southeast-2.amazonaws.com
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
- uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main
- uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v2.0.0
with:
aws-region: ap-southeast-2
role-to-assume: arn:aws:iam::862640294325:role/github-actions-geonet-ecr-push
role-duration-seconds: 3600
role-session-name: github-actions-GeoNet--base-images
if: github.ref_name == 'main'
- name: prepare auth podman
env:
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
DOCKER_USER: geonetci
RUN_ECR: ${{ github.ref_name == 'main' || 'FALSE' }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
auth_tmp=$(mktemp)
echo '{}' > $auth_tmp # JSON formating is required
podman login --authfile=$auth_tmp -u ${{ github.actor }} --password $GH_TOKEN ghcr.io
echo -n $DOCKER_TOKEN | podman login --authfile=$auth_tmp -u $DOCKER_USER --password-stdin docker.io
if [ "$RUN_ECR" != "FALSE" ]; then
aws ecr get-login-password --region ap-southeast-2 | podman login "$ECR" -u AWS --password-stdin
fi
podman secret create skopeo-auth $auth_tmp
rm $auth_tmp
- name: dry run copy to ghcr.io
run: |
podman run --secret=skopeo-auth -v "${PWD}:/src" -w /src ghcr.io/geonet/base-images/stable:v1.17 sync --retry-times 1 --authfile /run/secrets/skopeo-auth --dry-run --preserve-digests --src yaml --dest docker sync-ghcr.yml ghcr.io/geonet/base-images
- name: copy to ghcr.io
run: |
podman run --secret=skopeo-auth -v "${PWD}:/src" -w /src ghcr.io/geonet/base-images/stable:v1.17 sync --retry-times 1 --authfile /run/secrets/skopeo-auth --preserve-digests --keep-going --src yaml --dest docker sync-ghcr.yml ghcr.io/geonet/base-images
if: github.ref_name == 'main'
- name: copy to ecr
run: |
podman run --secret=skopeo-auth -v "${PWD}:/src" -w /src ghcr.io/geonet/base-images/stable:v1.17 sync --retry-times 1 --authfile /run/secrets/skopeo-auth --preserve-digests --src yaml --dest docker sync-ecr.yml 862640294325.dkr.ecr.ap-southeast-2.amazonaws.com
if: github.ref_name == 'main'