-
Notifications
You must be signed in to change notification settings - Fork 8
55 lines (48 loc) · 1.67 KB
/
ecr-login.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
name: ECR Login Token Refresh
on:
workflow_dispatch:
# Every 6 hours, the password validity is 12 hours
schedule:
- cron: '0 */6 * * *'
permissions:
id-token: write
contents: read
jobs:
login:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Configure AWS Credentials
id: acquire-credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-gov-west-1
role-to-assume: ${{ secrets.AWS_ROLE }}
output-credentials: true
- name: retrieve ecr password and store as secret
if: steps.acquire-credentials.outcome == 'success'
run: |
sudo apt install python3-venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r .github/workflows/requirements.txt
python .github/workflows/ecr_password_updater.py
env:
AWS_ACCESS_KEY_ID: ${{ steps.acquire-credentials.outputs.aws-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.acquire-credentials.outputs.aws-secret-access-key }}
AWS_DEFAULT_REGION: us-gov-west-1
GH_API_ACCESS_TOKEN: ${{ secrets.GH_API_ACCESS_TOKEN }}
# This 'test' job is useful for fast debugging
test:
needs: login
runs-on: ubuntu-latest
timeout-minutes: 1
container:
image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
credentials:
username: AWS
# Here is the password retrieved as a secret that is set by the `login` job
password: ${{ secrets.VAEC_ECR_PASSWORD }}
steps:
- run: echo "Inside a container pulled from ECR!!"