feat: push-docker-artifact workflow

puehringer · puehringer · commit 13ae9b94d430 · 2025-02-18T12:09:16.000+01:00
diff --git a/.github/workflows/build-docker-artifacts-config.schema.json b/.github/workflows/build-docker-artifacts-config.schema.json
@@ -35,6 +35,7 @@
                 },
                 "skip_image_scan": {
                   "type": "boolean",
+                  "default": false,
                   "description": "Skip scanning the image for vulnerabilities"
                 }
               },
@@ -44,6 +45,52 @@
         },
         "required": ["directory", "components"]
       }
+    },
+    "customers": {
+      "type": "object",
+      "additionalProperties": true,
+      "properties": {
+        "patternProperties": {
+          "^[a-zA-Z0-9_-]+$": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+              "type": {
+                "type": "string",
+                "enum": ["aws"],
+                "description": "Type of customer configuration"
+              },
+              "secret_key": {
+                "type": "string",
+                "description": "Secret key for AWS secrets"
+              },
+              "registry": {
+                "type": "string",
+                "description": "Registry URL at customer"
+              },
+              "repositories": {
+                "type": "array",
+                "items": {
+                  "type": "object",
+                  "additionalProperties": false,
+                  "properties": {
+                    "source_repository": {
+                      "type": "string",
+                      "description": "Internal ECR repository name"
+                    },
+                    "target_repository": {
+                      "type": "string",
+                      "description": "Repository name at customer"
+                    }
+                  },
+                  "required": ["source_repository", "target_repository"]
+                }
+              }
+            },
+            "required": ["type", "secret_key", "registry", "repositories"]
+          }
+        }
+      }
     }
   },
   "required": ["flavors"]
diff --git a/.github/workflows/build-docker-artifacts-push-to-customer.yml b/.github/workflows/build-docker-artifacts-push-to-customer.yml
@@ -0,0 +1,103 @@
+name: Push docker artifacts to customer (must be infrastructure-k8s)
+run-name: Push ${{ inputs.repository }}:${{ inputs.image_tag }} docker artifacts to ${{ inputs.customer }}
+
+on:
+  workflow_call:
+    inputs:
+      repository:
+        type: string
+        required: true
+      customer:
+        type: string
+        required: true
+      customer_json:
+        type: string
+        required: true
+      image_tag:
+        type: string
+        required: true
+      runs_on:
+        type: string
+        required: false
+        default: "ubuntu-22.04"
+    secrets:
+      DATAVISYN_BOT_REPO_TOKEN:
+        required: false
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref || github.head_ref }}-${{ github.event.inputs.repository }}-${{ github.event.inputs.customer }}-${{ github.event.inputs.image_tag }}"
+  cancel-in-progress: true
+
+env:
+  WORKFLOW_BRANCH: "mp/push_docker"
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  post-build:
+    name: Push docker artifacts to ${{ inputs.customer }}
+    runs-on: ${{ inputs.runs_on || 'ubuntu-22.04' }}
+
+    steps:
+      - name: Checkout repository (must be infrastructure-k8s)
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.CHECKOUT_TOKEN || github.event.repository.private == true && secrets.DATAVISYN_BOT_REPO_TOKEN || github.token }}
+  
+      - name: Checkout github-workflows repository
+        uses: actions/checkout@v4
+        with:
+          repository: datavisyn/github-workflows
+          ref: ${{ env.WORKFLOW_BRANCH }}
+          path: ./tmp/github-workflows
+
+      - name: Extract customer from payload
+        uses: actions/github-script@v7
+        id: get-customer
+        with:
+          script: |
+            const customer = JSON.parse(process.env.CUSTOMER_JSON);
+
+            // Comma separated list of source images, incl. registry, repository and tag
+            const sourceImages = customer.repositories.map(repo => `${process.env.SOURCE_ECR_REGISTRY}/${repo.source_repository}:${repo.image_tag || process.env.IMAGE_TAG}`).join(',');
+            const destinationImages = customer.repositories.map(repo => `${customer.registry}/${repo.target_repository}:${repo.image_tag || process.env.IMAGE_TAG}`).join(',');
+
+            const result = {
+              customer,
+              source_images: sourceImages,
+              destination_images: destinationImages
+            };
+            console.log(result);
+            return result;
+        env:
+          SOURCE_ECR_REGISTRY: ${{ vars.DV_AWS_ECR_REGISTRY }}
+          CUSTOMER_JSON: ${{ inputs.customer_json }}
+          CUSTOMER: ${{ inputs.customer }}
+          IMAGE_TAG: ${{ inputs.image_tag }}
+
+      - name: Get dv image aws config
+        id: get-dv-aws-image-config
+        uses: ./.github/actions/get-aws-config
+        with:
+          aws_config: ${{ secrets.DV_AWS_ECR_SECRETS }}
+
+      - name: Get image aws config
+        id: get-aws-image-config
+        uses: ./.github/actions/get-aws-config
+        with:
+          aws_config: ${{ secrets[fromJson(steps.get-customer.outputs.result).customer.secret_key] }}
+
+      - name: Push images
+        id: pull-push-image
+        uses: ./.github/actions/pull-push-image
+        with:
+          source_aws_role: ${{ steps.get-dv-aws-image-config.outputs.aws_role }}
+          source_aws_region: ${{ steps.get-dv-aws-image-config.outputs.aws_region }}
+          source_images: ${{ fromJson(steps.get-customer.outputs.result).source_images }}
+          destination_aws_role: ${{ steps.get-aws-image-config.outputs.aws_role }}
+          destination_aws_region: ${{ steps.get-aws-image-config.outputs.aws_region }}
+          destination_aws_access_key_id: ${{ steps.get-aws-image-config.outputs.aws_access_key_id }}
+          destination_aws_secret_access_key: ${{ steps.get-aws-image-config.outputs.aws_secret_access_key }}
+          destination_images: ${{ fromJson(steps.get-customer.outputs.result).destination_images }}
diff --git a/.github/workflows/build-docker-artifacts-trigger-push-to-customer.yml b/.github/workflows/build-docker-artifacts-trigger-push-to-customer.yml
@@ -0,0 +1,104 @@
+name: Trigger push docker artifacts to customer
+
+on:
+  workflow_call:
+    inputs:
+      customers:
+        type: string
+        required: true
+        description: Comma separated list of customers
+      branch:
+        type: string
+        required: false
+        # When using github.ref || github.head_ref, it would contain the full path, including /, which breaks the postgres hostname
+        default: ${{ github.sha }}
+      runs_on:
+        type: string
+        required: false
+        default: "ubuntu-22.04"
+    secrets:
+      DATAVISYN_BOT_REPO_TOKEN:
+        required: false
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref || github.head_ref }}-${{ github.event.inputs.app }}-${{ github.event.inputs.customer }}-${{ github.event.inputs.image_tag }}"
+  cancel-in-progress: true
+
+env:
+  WORKFLOW_BRANCH: "mp/push_docker"
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  get-customers:
+    name: Trigger push docker artifacts to ${{ inputs.customers }}
+    runs-on: ${{ inputs.runs_on || 'ubuntu-22.04' }}
+    outputs:
+      result: ${{ steps.get-customers.outputs.result }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.branch }}
+          token: ${{ secrets.CHECKOUT_TOKEN || github.event.repository.private == true && secrets.DATAVISYN_BOT_REPO_TOKEN || github.token }}
+  
+      - name: Checkout github-workflows repository
+        uses: actions/checkout@v4
+        with:
+          repository: datavisyn/github-workflows
+          ref: ${{ env.WORKFLOW_BRANCH }}
+          path: ./tmp/github-workflows
+  
+      - name: Validate ./deploy/build/config.json
+        shell: bash
+        run: |
+          # Validate the config with the schema
+          python -m venv .venv
+          source .venv/bin/activate
+          pip install jsonschema
+          jsonschema -i ./deploy/build/config.json ./tmp/github-workflows/.github/workflows/build-docker-artifacts-config.schema.json
+          deactivate
+          rm -rf .venv
+
+      - name: Get customers from ./deploy/build/config.json
+        uses: actions/github-script@v7
+        id: get-customers
+        with:
+          script: |
+            const config = require('./deploy/build/config.json');
+            const customers = process.env.CUSTOMERS.split(',');
+            const imageTagBranchName = "${{ github.ref }}".replace('refs/heads/', '').replace('refs/tags/', '').replace(/[^a-zA-Z0-9._-]/g, '-');
+
+            const result = customers.map((c) => ({
+              repository: process.env.REPOSITORY,
+              customer: c,
+              customer_json: JSON.stringify(config.customers[c]),
+              image_tag: imageTagBranchName,
+            }));
+            console.log(result);
+            return result;
+        env:
+          CUSTOMERS: ${{ inputs.customers }}
+          REPOSITORY: ${{ github.repository }}
+
+  trigger-push:
+    needs: get-customers
+    strategy:
+      fail-fast: true
+      matrix:
+        customer: ${{ fromJson(needs.get-customers.outputs.result) }}
+    runs-on: ${{ inputs.runs_on }}
+    steps:
+      - name: Trigger push docker artifacts to ${{ matrix.customer.customer }}
+        uses: datavisyn/github-action-trigger-workflow@v1
+        with:
+          owner: "datavisyn"
+          repo:  "infrastructure-k8s"
+          github_token: ${{ secrets.DATAVISYN_BOT_REPO_TOKEN }}
+          workflow_file_name: "push-docker-artifact-to-customer.yml"
+          ref: "main"
+          github_user: ${{ secrets.DV_BOT_USER }}
+          client_payload: ${{ toJson(matrix.customer) }}
diff --git a/.github/workflows/build-docker-artifacts.yml b/.github/workflows/build-docker-artifacts.yml
@@ -24,7 +24,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  WORKFLOW_BRANCH: "main"
+  WORKFLOW_BRANCH: "mp/push_docker"
   PYTHON_BASE_IMAGE: "python:3.10.8-slim-bullseye"
   DATAVISYN_PYTHON_BASE_IMAGE: "188237246440.dkr.ecr.eu-central-1.amazonaws.com/datavisyn/base/python:main"
   NODE_BASE_IMAGE: "node:20.9-bullseye"
