Skip to content

chore(merge-back): 1.92.0 #7892

chore(merge-back): 1.92.0

chore(merge-back): 1.92.0 #7892

Workflow file for this run

# Workflows pertaining to the jsii/superchain Docker image
name: Docker Images
on:
merge_group: {}
pull_request:
branches: [main, release]
push:
branches: [main, release]
env:
DOCKER_BUILDKIT: 1
jobs:
superchain:
name: jsii/superchain
permissions:
contents: read
id-token: write # Necessary for OIDC federation
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
debian:
- 'buster' # 10
- 'bullseye' # 11
node: ['18', '20']
include:
- debian: 'bookworm' #12
node: '20'
env:
# Node version whose images will be aliased without the -nodeXX segment
DEFAULT_NODE_MAJOR_VERSION: 18
steps:
- name: Check out
uses: actions/checkout@v4
# Determine if we should run the validation or not
- name: Should this run?
id: should-run
run: |-
if [ "${{ github.event_name }}" = "push" ]; then
echo '⏯ Triggered by "push" event'
echo "result=true" >> $GITHUB_OUTPUT
elif [ "${{ github.base_ref }}" = "release" ]; then
echo '⏯ Triggered by "pull_request" event against "release"'
echo "result=true" >> $GITHUB_OUTPUT
else
# Fetch the base and head refs from origin so we can safely diff 'em
git fetch --depth=1 --quiet origin ${{ github.base_ref }}
# Otherwise, only run if the Dockerfile changed
changed=$(git diff --name-only origin/${{ github.base_ref }}..HEAD)
if grep Dockerfile <<< "${changed}" ; then
echo '⏯ Dockerfile changed'
echo "result=true" >> $GITHUB_OUTPUT
else
if grep '.github/workflows/docker-images.yml' <<< "${changed}" ; then
echo '⏯ docker-images workflow changed'
echo "result=true" >> $GITHUB_OUTPUT
else
echo '⏭ Dockerfile not changed'
echo "result=false" >> $GITHUB_OUTPUT
fi
fi
fi
# Check if federation into AWS is configured. This is necessary because
# GitHub does not interpret ${{ secret.FOO }} within `if:` conditions...
# See: https://github.com/actions/runner/issues/520
- name: Check AWS federation configuration
id: federate_to_aws
if: steps.should-run.outputs.result == 'true'
run: |-
if [[ "${{ secrets.AWS_ROLE_TO_ASSUME }}" != "" ]]; then
echo "🔑 Federation into AWS is possible (AWS_ROLE_TO_ASSUME is available)"
echo "enabled=true" >> $GITHUB_OUTPUT
else
echo "❌ Federation into AWS is disabled (no AWS_ROLE_TO_ASSUME secret found)"
echo "enabled=false" >> $GITHUB_OUTPUT
fi
# Federate into the PR Validation AWS Account
- name: Federate into AWS
if: steps.should-run.outputs.result == 'true' && steps.federate_to_aws.outputs.enabled == 'true'
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: GHA_aws-jsii_docker-images
# Login to ECR Public registry, so we don't get throttled at 1 TPS
- name: Login to ECR Public
if: steps.should-run.outputs.result == 'true' && steps.federate_to_aws.outputs.enabled == 'true'
run: |-
aws ecr-public get-login-password --region=us-east-1 \
| docker login --username AWS --password-stdin public.ecr.aws
# We only authenticate to Docker on the 'aws/jsii' repo, as forks will not have the secret
- name: Login to Docker Hub
if: steps.should-run.outputs.result == 'true' && github.repository == 'aws/jsii'
# The DOCKER_CREDENTIALS secret is expected to contain a username:token pair
run: |-
docker login \
--username=$(cut -d: -f1 <<< '${{ secrets.DOCKER_CREDENTIALS }}') \
--password=$(cut -d: -f2 <<< '${{ secrets.DOCKER_CREDENTIALS }}')
# Ensure we run with bash, because that's the syntax we're using here...
shell: bash
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: arm64
- name: Set up docker buildx
id: buildx
if: steps.should-run.outputs.result == 'true'
uses: docker/setup-buildx-action@v3
with:
# Disable parallelism because IO contention makes it too slow on GitHub
# workers...
config-inline: |-
[worker.oci]
max-parallelism = 1
# 1 pull per second from ECR Public
- name: Jitter the start time to avoid ECR Public throttling
id: sleep-start
if: steps.should-run.outputs.result == 'true' && steps.federate_to_aws.outputs.enabled != true
run: |-
sleep $((RANDOM % 60))
- name: Determine build time
id: build-time
if: steps.should-run.outputs.result == 'true'
run: |-
echo "value=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
- name: Build Image
if: steps.should-run.outputs.result == 'true'
run: |-
docker buildx build \
--builder ${{ steps.buildx.outputs.name }} \
--platform linux/amd64,linux/arm64 \
--target superchain \
--pull \
--build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \
--build-arg COMMIT_ID='${{ github.sha }}' \
--build-arg DEBIAN_VERSION=${{ matrix.debian }} \
--build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \
-f superchain/Dockerfile \
.
- name: Test Image
if: steps.should-run.outputs.result == 'true'
run: |-
docker buildx build \
--builder ${{ steps.buildx.outputs.name }} \
--platform linux/amd64,linux/arm64 \
--target superchain \
--build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \
--build-arg COMMIT_ID='${{ github.sha }}' \
--build-arg DEBIAN_VERSION=${{ matrix.debian }} \
--build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \
-f superchain/Dockerfile \
.
# Re-authenticate to ECR Public, this time with image-push permissions
- name: Federate with AWS role for ECR Public push
if: steps.should-run.outputs.result == 'true' && github.event_name == 'push' && (github.ref == 'refs/heads/release' || github.ref == 'refs/heads/main')
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME_FOR_ECR_PUBLIC_PUSH }}
role-session-name: GHA_aws-jsii_docker-images-PUSH
- name: Authenticate with ECR Public for Push
if: steps.should-run.outputs.result == 'true' && github.event_name == 'push' && (github.ref == 'refs/heads/release' || github.ref == 'refs/heads/main')
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public
# Only when puhsing to main/release from now on
- name: Publish (nightly)
if: steps.should-run.outputs.result == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/main'
# NOTE BELOW: The `--tag` flags can be provided multiple times... we use that capability...
run: |-
# If the current version is the default version, also tag this with the unqualified ':nightly' label
if [[ "${{ matrix.node }}" == "$DEFAULT_NODE_MAJOR_VERSION" ]]; then
docker buildx build \
--builder ${{ steps.buildx.outputs.name }} \
--platform linux/amd64,linux/arm64 \
--target superchain \
--push \
--build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \
--build-arg COMMIT_ID='${{ github.sha }}' \
--build-arg DEBIAN_VERSION=${{ matrix.debian }} \
--build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \
--tag "${{ secrets.ECR_PUBLIC_REGISTRY }}:1-${{ matrix.debian }}-slim-nightly" \
--tag "${{ secrets.ECR_PUBLIC_REGISTRY }}:1-${{ matrix.debian }}-slim-node${{ matrix.node }}-nightly" \
--tag "jsii/superchain:1-${{ matrix.debian }}-slim-nightly" \
--tag "jsii/superchain:1-${{ matrix.debian }}-slim-node${{ matrix.node }}-nightly" \
-f superchain/Dockerfile \
.
else
docker buildx build \
--builder ${{ steps.buildx.outputs.name }} \
--platform linux/amd64,linux/arm64 \
--target superchain \
--push \
--build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \
--build-arg COMMIT_ID='${{ github.sha }}' \
--build-arg DEBIAN_VERSION=${{ matrix.debian }} \
--build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \
--tag "${{ secrets.ECR_PUBLIC_REGISTRY }}:1-${{ matrix.debian }}-slim-node${{ matrix.node }}-nightly" \
--tag "jsii/superchain:1-${{ matrix.debian }}-slim-node${{ matrix.node }}-nightly" \
-f superchain/Dockerfile \
.
fi
- name: Publish (latest)
if: steps.should-run.outputs.result == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/release'
# NOTE BELOW: The `--tag` flags can be provided multiple times... we use that capability...
run: |-
# If the current version is the default version, also tag this with the unqualified ':1-*' label
if [[ "${{ matrix.node }}" == "$DEFAULT_NODE_MAJOR_VERSION" ]]; then
docker buildx build \
--builder ${{ steps.buildx.outputs.name }} \
--platform linux/amd64,linux/arm64 \
--target superchain \
--push \
--build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \
--build-arg COMMIT_ID='${{ github.sha }}' \
--build-arg DEBIAN_VERSION=${{ matrix.debian }} \
--build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \
--tag "${{ secrets.ECR_PUBLIC_REGISTRY }}:1-${{ matrix.debian }}-slim" \
--tag "${{ secrets.ECR_PUBLIC_REGISTRY }}:1-${{ matrix.debian }}-slim-node${{ matrix.node }}" \
--tag "jsii/superchain:1-${{ matrix.debian }}-slim" \
--tag "jsii/superchain:1-${{ matrix.debian }}-slim-node${{ matrix.node }}" \
-f superchain/Dockerfile \
.
else
docker buildx build \
--builder ${{ steps.buildx.outputs.name }} \
--platform linux/amd64,linux/arm64 \
--target superchain \
--push \
--build-arg BUILD_TIMESTAMP="${{ steps.build-time.outputs.value }}" \
--build-arg COMMIT_ID='${{ github.sha }}' \
--build-arg DEBIAN_VERSION=${{ matrix.debian }} \
--build-arg NODE_MAJOR_VERSION=${{ matrix.node }} \
--tag "${{ secrets.ECR_PUBLIC_REGISTRY }}:1-${{ matrix.debian }}-slim-node${{ matrix.node }}" \
--tag "jsii/superchain:1-${{ matrix.debian }}-slim-node${{ matrix.node }}" \
-f superchain/Dockerfile \
.
fi
done:
name: 'Done'
runs-on: ['ubuntu-latest']
needs: ['superchain']
steps:
# This is just a join target to simplify branch protection settings...
- name: 'All done'
run: |-
echo "All done!"