Merge pull request #173 from cipherstash/build/release-aws-marketplace

tobyhede · web-flow · commit 1e93febe4bff · 2025-03-18T19:25:27.000+10:00
build: aws marketplace release
diff --git a/.github/workflows/release-aws-marketplace.yml b/.github/workflows/release-aws-marketplace.yml
@@ -0,0 +1,102 @@
+# Builds and pushes the proxy docker image to the AWS Marketplace ECR
+#
+# here: https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
+#
+#
+# ECR is a private registry that is not controlled by us
+# Most of the existing Docker actions are not compatible with ECR, so some of this is quite manual
+#
+# Builds for different images are handled using tags, because I could not get other things workings.
+#
+# The tag formats are:
+#   - proxy-{os}-{arch}-{release-tag}
+#   - proxy-{os}-{arch}-build-{timestamp}
+#
+# ECR is immutable - so test builds need a timestamp or they fail with a conflicts
+
+name: "Proxy — Build & Push Proxy Docker Image for AWS Marketplace"
+
+on:
+  release:
+    types:
+      - published
+  pull_request:
+    branches:
+      - main
+    paths:
+      - .github/workflows/release-aws-marketplace.yml
+
+  workflow_dispatch:
+
+
+env:
+  REGISTRY_IMAGE: cipherstash/cipherstash
+  AWS_REGION: us-east-1
+
+jobs:
+  build:
+    name: 🏗️ Build binaries + Docker images
+    permissions:
+        contents: read
+        packages: write
+        id-token: write # This is required for requesting the JWT
+    strategy:
+      fail-fast: false
+      matrix:
+        build:
+          - { os: linux-arm64-public, arch: linux/arm64, tag: linux-arm64, cache-provider: github }
+    runs-on: ${{matrix.build.os}}
+    steps:
+
+      - name: install-aws-cli
+        uses: unfor19/install-aws-cli-action@v1
+        if: ${{ matrix.build.arch == 'linux/arm64' }}
+        with:
+            version: 2                         # default
+            verbose: false                     # default
+            arch: arm64                        # allowed values: amd64, arm64
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ vars.AWS_MARKETPLACE_IAM_ROLE }}
+          aws-region: us-east-1
+
+      - name: Log in to AWS Marketplace ECR
+        id: ecr-login
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          registries: ${{ vars.AWS_MARKETPLACE_ECR_ID }}
+
+      - uses: actions/checkout@v4
+
+      - name: Setup Rust cache
+        uses: Swatinem/rust-cache@v2
+        with:
+          cache-provider: ${{matrix.build.cache-provider}}
+          cache-all-crates: true
+
+      - uses: jdx/mise-action@v2
+        with:
+          version: 2025.1.6 # [default: latest] mise version to install
+          install: true # [default: true] run `mise install`
+          cache: true # [default: true] cache mise using GitHub's cache
+
+      - run: |
+          mise run build --platform ${{matrix.build.arch}}
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: cipherstash-proxy-${{matrix.build.tag}}
+          path: cipherstash-proxy
+
+      - if: github.event_name != 'pull_request'
+        name: Release to AWS
+        env:
+          AWS_MARKETPLACE_ECR_REPOSITORY: ${{ vars.AWS_MARKETPLACE_ECR_REPOSITORY }}
+          BUILD_TAG: ${{ matrix.build.tag }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        run: |
+          mise run release:aws-marketplace
+
+
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -29,7 +29,7 @@ jobs:
           cache-all-crates: true
       - uses: jdx/mise-action@v2
         with:
-          version: 2024.12.0 # [default: latest] mise version to install
+          version: 2025.1.6 # [default: latest] mise version to install
           install: true # [default: true] run `mise install`
           cache: true # [default: true] cache mise using GitHub's cache
       - run: |
diff --git a/mise.toml b/mise.toml
@@ -561,6 +561,27 @@ docker tag cipherstash/proxy:latest cipherstash/proxy:latest
 docker push cipherstash/proxy:latest
 """
 
+[tasks."release:aws-marketplace"]
+description = "Release a Docker image to AWS Marketplace for cipherstash-proxy"
+run = """
+if [ -z "$AWS_MARKETPLACE_ECR_REPOSITORY" ]; then
+  echo "error: no AWS ECR repository provided"
+  echo "error: please set AWS_MARKETPLACE_ECR_REPOSITORY"
+  exit 2
+fi
+
+# If release tag is empty, generate a build timestamp
+# Release tag is set when tagging as an actual version github release.
+if [ -z "$RELEASE_TAG" ]; then
+  RELEASE_TAG=build-$(date +%s)
+fi
+
+echo $AWS_MARKETPLACE_ECR_REPOSITORY:proxy-$BUILD_TAG-$RELEASE_TAG
+
+docker tag cipherstash/proxy:latest $AWS_MARKETPLACE_ECR_REPOSITORY:proxy-$BUILD_TAG-$RELEASE_TAG
+
+docker push $AWS_MARKETPLACE_ECR_REPOSITORY:proxy-$BUILD_TAG-$RELEASE_TAG
+"""
 
 # ====================================================================================================
 
@@ -572,10 +593,3 @@ run = """
   openssl req -new -x509 -days 365 -nodes -out server.cert -keyout server.key -subj "/CN=localhost"
   chmod 600 server.cert server.key
 """
-
-# openssl req -x509 -in server.req -text -key server.key -out server.crt                                                                                                                                                                                                                                                      │
-#  openssl rsa -in privkey.pem -out server.key                                                                                                                                                                                                                                                            │
-#  openssl req -x509 -in server.req -text -key server.key -out server.crt
-# openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
-#   -nodes -keyout example.com.key -out example.com.crt -subj "/CN=example.com" \
-#   -addext "subjectAltName=DNS:example.com,DNS:*.example.com,IP:10.0.0.1"
