refactor: add ecr actions

metju-ac · metju-ac · commit a780baf4643e · 2025-10-16T11:26:49.000+02:00
Usually we use those from github-actions repository, but that is impossible here since this is a public repository.

JIRA: INFRA-3992
diff --git a/.github/actions/container-build-push/action.yaml b/.github/actions/container-build-push/action.yaml
@@ -0,0 +1,132 @@
+# yamllint disable rule:line-length
+---
+name: "ecr-container-build-push"
+description: "Build a container image and upload it to ECR"
+inputs:
+  aws-creds-vault-path:
+    default: secret/data/v2/data-special/infra1-user-ecr-rw
+    description: "Vault path to AWS credentials used for helm push"
+  aws-creds-vault-role:
+    default: ecr-push
+    description: "Vault auth role for reading AWS credentials"
+  aws-region:
+    default: "us-east-1"
+    description: "AWS region to use for ECR"
+  ecr-repos:
+    description: "Repository (as defined in gooddata/terraform-ecr/repositories)"
+    required: true
+  ecr-url:
+    description: "ECR registry default URL (without prefix/suffix)"
+    required: true
+  vault-url:
+    description: "Vault API URL (default okay in almost all cases)"
+    required: true
+  build-args:
+    description: "Arguments for container build file (ARG in Dockerfile)."
+    required: false
+    default: ""
+  build-context:
+    description: "Context (working directory) where the build should be executed"
+    default: "."
+  build-tags:
+    description: "Tags (newline delimited)"
+    required: true
+  container-file:
+    description: "File (with a path) to use for build"
+    default: "Dockerfile"
+  push-image:
+    description: "Whether to really push to registry"
+    default: "true"
+  debug:
+    description: "Turn on debug messages"
+    default: "false"
+  platforms:
+    description: "List of target platforms for build"
+    default: "linux/amd64"
+  labels:
+    description: "List of labels for image"
+    default: ""
+  secrets:
+    description: "List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)"
+    default: ""
+  secret-envs:
+    description: "List of secret env vars to expose to the build (e.g., key=envname, MY_SECRET=MY_ENV_VAR)"
+    default: ""
+  provenance:
+    description: "Generate provenance attestation for the build"
+    default: "true"
+outputs:
+  digest:
+    description: "Image digest"
+    value: ${{ steps.build_push.outputs.digest }}
+  imageid:
+    description: "Image ID"
+    value: ${{ steps.build_push.outputs.imageid }}
+  metadata:
+    description: "Image metadata"
+    value: ${{ steps.build_push.outputs.metadata }}
+runs:
+  using: "composite"
+  steps:
+    - name: Check container file
+      env:
+        CONTAINERFILE: ${{ inputs.container-file }}
+      shell: bash
+      run: |
+        test -f $CONTAINERFILE
+    - name: Get required Vault secrets
+      id: secrets
+      uses: hashicorp/vault-action@v3
+      with:
+        url: ${{ inputs.vault-url }}
+        method: jwt
+        path: jwt/github
+        role: ${{ inputs.aws-creds-vault-role }}
+        secrets: |
+          ${{ inputs.aws-creds-vault-path }} aws_ecr_access_key | AWS_ACCESS_KEY ;
+          ${{ inputs.aws-creds-vault-path }} aws_ecr_secret_key | AWS_SECRET_KEY ;
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-access-key-id: ${{ env.AWS_ACCESS_KEY }}
+        aws-secret-access-key: ${{ env.AWS_SECRET_KEY }}
+        aws-region: ${{ inputs.aws-region }}
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+      with:
+        platforms: ${{ inputs.platforms }}
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+    - name: Expand tags with ECR url and ECR repo
+      id: expand_tags
+      env:
+        ECR_URL: ${{ inputs.ecr-url }}
+        ECR_REPOS: ${{ inputs.ecr-repos }}
+        BUILD_TAGS: ${{ inputs.build-tags }}
+      shell: bash
+      run: |
+        eval REPO=$ECR_REPOS
+        {
+          echo "EXPANDED_TAGS<<EOF"
+          for BTAG in $BUILD_TAGS; do
+            echo $ECR_URL/$REPO:$BTAG
+          done
+          echo EOF
+        } >> "$GITHUB_ENV"
+        echo "REPO=$REPO" >> "$GITHUB_ENV"
+    - name: Build and push Docker images
+      uses: docker/build-push-action@v6
+      id: build_push
+      with:
+        file: ${{ inputs.container-file }}
+        context: ${{ inputs.build-context }}
+        push: ${{ inputs.push-image }}
+        tags: ${{ env.EXPANDED_TAGS }}
+        build-args: ${{ inputs.build-args }}
+        platforms: ${{ inputs.platforms }}
+        cache-from: type=registry,ref=${{ inputs.ecr-url }}/${{ env.REPO }}:buildcache
+        cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ inputs.ecr-url }}/${{ env.REPO }}:buildcache
+        labels: ${{ inputs.labels }}
+        secrets: ${{ inputs.secrets }}
+        secret-envs: ${{ inputs.secret-envs }}
+        provenance: ${{ inputs.provenance }}
diff --git a/.github/actions/helm-push/action.yaml b/.github/actions/helm-push/action.yaml
@@ -0,0 +1,106 @@
+---
+# yamllint disable rule:line-length
+name: "ecr-helm-push"
+description: "Package a Helm chart and upload to ECR"
+inputs:
+  aws-creds-vault-path:
+    default: secret/data/v2/data-special/infra1-user-ecr-rw
+    description: "Vault path to AWS credentials used for helm push"
+    type: string
+  aws-creds-vault-role:
+    description: "Vault auth role for reading AWS credentials"
+    type: string
+    required: true
+  aws-region:
+    default: "us-east-1"
+    description: "AWS region to use for ECR"
+    type: string
+  ecr-repo-prefix:
+    description: "Repository prefix (without Chart name)"
+    type: string
+    required: true
+  ecr-url:
+    description: "ECR registry default URL (without prefix/suffix)"
+    type: string
+    required: true
+  path:
+    description: "Path to directory containing Chart.yaml"
+    required: true
+    type: string
+  package-destination:
+    default: "."
+    description: "Where to put helm-built package"
+    type: string
+  package-app-version:
+    default: ""
+    description: "Application version"
+    type: string
+  package-version:
+    default: ""
+    description: "Helm chart version - used by `helm package`"
+    type: string
+  vault-url:
+    description: "Vault API URL (default okay in almost all cases)"
+    required: true
+  checkout-code:
+    default: "true"
+    description: "Checkout fresh code from repository"
+    type: string
+  dependency-update:
+    default: "true"
+    description: "Run helm dependency update before packaging"
+    type: string
+  dry-run:
+    default: "false"
+    type: string
+    description: "Dry-run (do not upload to ECR)"
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout code
+      if: ${{ inputs.checkout-code == 'true' }}
+      uses: actions/checkout@v5
+    - name: Install helm binary
+      uses: azure/setup-helm@v4
+      with:
+        version: 'v3.12.1'
+    - name: Get required Vault secrets
+      if: ${{ inputs.dry-run == 'false' }}
+      id: secrets
+      uses: hashicorp/vault-action@v3
+      with:
+        url: ${{ inputs.vault-url }}
+        method: jwt
+        path: jwt/github
+        role: ${{ inputs.aws-creds-vault-role }}
+        secrets: |
+          ${{ inputs.aws-creds-vault-path }} aws_ecr_access_key | AWS_ACCESS_KEY ;
+          ${{ inputs.aws-creds-vault-path }} aws_ecr_secret_key | AWS_SECRET_KEY ;
+    - name: Configure AWS credentials
+      if: ${{ inputs.dry-run == 'false' }}
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-access-key-id: ${{ env.AWS_ACCESS_KEY }}
+        aws-secret-access-key: ${{ env.AWS_SECRET_KEY }}
+        aws-region: ${{ inputs.aws-region }}
+    - name: Login to Amazon ECR
+      if: ${{ inputs.dry-run == 'false' }}
+      id: login-ecr
+      uses: aws-actions/amazon-ecr-login@v2
+    - name: Package chart
+      id: package-chart
+      env:
+        DESTINATION: ${{ inputs.package-destination }}
+        APP_VERSION: ${{ inputs.package-app-version }}
+        VERSION: ${{ inputs.package-version }}
+      run: |
+        # helm package doesn't allow custom target name, so we have to parse it this way
+        pkgfile=$(helm package ${DESTINATION:+--destination $DESTINATION} ${APP_VERSION:+--app-version $APP_VERSION} ${VERSION:+--version $VERSION} ${{ inputs.dependency-update == 'true' && '--dependency-update' || '' }} ${{ inputs.path }} | tee | awk '{print $NF}')
+        echo "pkgfile=$pkgfile" >> $GITHUB_OUTPUT
+      shell: bash
+    - name: Push chart to ECR
+      if: ${{ inputs.dry-run == 'false' }}
+      run: |
+        helm push ${{ steps.package-chart.outputs.pkgfile }} oci://${{ inputs.ecr-url }}/${{ inputs.ecr-repo-prefix }}
+        echo "Pushed ${{ steps.package-chart.outputs.pkgfile }} to oci://${{ inputs.ecr-url }}/${{ inputs.ecr-repo-prefix }}" >> $GITHUB_STEP_SUMMARY
+      shell: bash
