reusable-action-workflows/.github/workflows/s3_image_upload.yaml at main · Nerdware-LLC/reusable-action-workflows · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
name: S3 ZIP Image Upload

# This Action builds a Docker image, saves it as a ZIP archive, and then uploads the ZIP to an S3 bucket.

on:
  workflow_call:
    inputs:
      image-name:
        description: |
          The name of the Docker image; this is also used as the ZIP file name.
        type: string
        required: true
      version-tag:
        description: |
          The version tag to use for the Docker image. If this input is not
          provided, the "version" specified in the package.json will be used.
        type: string
        required: false
    secrets:
      OIDC_GITHUB_ROLE_ARN:
        description: |
          The ARN of the AWS IAM Role for the GitHub OpenID Connect provider.
        required: true
      S3_BUCKET_DEST:
        description: |
          The S3 bucket destination for the image (e.g., 's3://foo-bucket/lambda-edge-images').
        required: true
      S3_BUCKET_REGION:
        description: "The AWS region in which the S3 bucket is located."
        required: true

defaults:
  run:
    shell: bash

jobs:
  upload_to_s3:
    name: Upload to S3
    runs-on: ubuntu-latest

    # permissions required to use aws-actions/configure-aws-credentials
    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.OIDC_GITHUB_ROLE_ARN }}
          aws-region: ${{ secrets.S3_BUCKET_REGION }}

      - name: Build and Upload zip'd Images to S3
        env:
          IMAGE_NAME: ${{ inputs.image-name }}
        run: |
          IMAGE_TAGS=('latest')

          REF="${GITHUB_REF#refs/*/}" && REF_TAG="${REF%/merge}"
          [ "$REF_TAG" == 'main' ] && REF_TAG='prod';
          [ "$REF_TAG" == 'next' ] && REF_TAG='staging';
          IMAGE_TAGS+=("$REF_TAG")

          if [ -n "${{ inputs.version-tag }}" ]; then
            VERSION_TAG="${{ inputs.version-tag }}"
          elif [ -f ./package.json ]; then
            VERSION_TAG="v$( jq '.version' < ./package.json | tr -d '"' )"
          fi

          [ -n "$VERSION_TAG" ] && IMAGE_TAGS+=("$VERSION_TAG")

          # shellcheck disable=SC2068 # <-- Word splitting intended.
          docker build ${IMAGE_TAGS[@]/#/-t $IMAGE_NAME:} .

          # Ensure 'zip' is installed
          apt install zip

          # Convert images to zip archives and upload to S3
          for image_tag in "${IMAGE_TAGS[@]}"; do
            zip_file_name="$IMAGE_NAME-${image_tag}.tar.zip"

            docker save "$IMAGE_NAME:$image_tag" | zip > "$zip_file_name"

            aws s3 cp \
              "$zip_file_name" \
              "${{ secrets.S3_BUCKET_DEST }}" \
              --acl bucket-owner-full-control \
              --sse AES256
          done