Skip to content

Docker image build and publish for AGENT #2

Docker image build and publish for AGENT

Docker image build and publish for AGENT #2

Workflow file for this run

name: Docker image build and publish for AGENT
on:
workflow_dispatch:
inputs:
path_to_dockerfile:
description: Path to the dockerfile (default = 'Dockerfile')
default: "infra/docker/Dockerfile.agent"
type: string
docker_build_dir:
description: Docker build directory (default = '.')
default: "."
type: string
image_tag:
description: Tag to apply to images.
type: string
default: sahil-agent
lifecycle_policy_file:
description: Path to the lifecycle policy JSON file (default = 'policy.json')
default: "policy.json"
type: string
backend_s3_bucket:
description: Name of the S3bucket for Terraform backend
default: "sahil-terraform-state-bucket"
type: string
backend_iam_role:
description: Name of the Terraform backend assumable IAM Role
default: "workload-assumable-role"
type: string
github_iam_role:
description: Name of the IAM Role for adding access to ECR repo
default: "github-actions-role"
type: string
aws_account_id:
description: AWS Account ID
default: "060795911441"
type: string
aws_region:
description: Target AWS Region
default: "eu-west-1"
type: string
backend_dynamodb_table:
description: DynamoDB table for State lock
default: "sahil-terraform-table-locks"
type: string
# concurrency required to avoid terraform lock contention during ECR provisioning
concurrency: ci-${{ github.repository }}-agent-docker-pipeline
jobs:
docker:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
outputs:
image_tag: ${{ steps.build-publish.outputs.image_tag }}
version_tag: ${{ steps.build-publish.outputs.version_tag }}
full_image: ${{ steps.build-publish.outputs.full_image }}
steps:
- uses: actions/checkout@v3
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/sahil-deployment-role
aws-region: ${{ inputs.aws_region }}
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_wrapper: false
- name: prepare ECR repo name based on the Github repository
shell: bash
run: |
set -eux
# lowercase the name
repo="${GITHUB_REPOSITORY,,}"
# replace / with _
echo "ECR_REPO_NAME=${repo//\//_}" >> $GITHUB_ENV
- name: TF init
shell: bash
run: |
set -eux
terraform init -upgrade -reconfigure \
-backend-config='skip_metadata_api_check=true' \
-backend-config='skip_region_validation=true' \
-backend-config='skip_credentials_validation=true' \
-backend-config='region=${{ inputs.aws_region }}' \
-backend-config='bucket=${{ inputs.backend_s3_bucket }}' \
-backend-config='key=docker-ecr/terraform-${{ env.ECR_REPO_NAME }}.tfstate' \
-backend-config='dynamodb_table=${{ inputs.backend_dynamodb_table }}' \
-backend-config='assume_role={ role_arn = "arn:aws:iam::${{ inputs.aws_account_id }}:role/${{ inputs.backend_iam_role }}" }'
working-directory: infra/terraform
- name: Create ECR repo [TF apply]
shell: bash
run: |
set -eux
terraform apply \
-var 'repository_name=${{ env.ECR_REPO_NAME }}' \
-var 'lifecycle_policy=${{ inputs.lifecycle_policy_file }}' \
-var 'iam_role=arn:aws:iam::${{ inputs.aws_account_id }}:role/${{ inputs.github_iam_role }}' \
-var 'aws_account_id=${{ inputs.aws_account_id }}' \
-auto-approve
working-directory: infra/terraform
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
with:
registries: ${{ inputs.aws_account_id }}
- name: Build, tag, and push image to Amazon ECR
id: build-publish
shell: bash
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: ${{ env.ECR_REPO_NAME }}
IMAGE_TAG: ${{ inputs.image_tag }}
run: |
# Get the current latest image digest (if it exists)
PREVIOUS_IMAGE_MANIFEST=$(aws ecr batch-get-image \
--repository-name $ECR_REPOSITORY \
--image-ids imageTag=$IMAGE_TAG \
--output text \
--query 'images[].imageManifest' || echo "")
# Build the new image
docker build "${{ inputs.docker_build_dir }}" -f "${{ inputs.path_to_dockerfile }}" -t "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
# Push the new image as latest
docker push "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
# If there was a previous image, tag it as v1, v2, etc.
if [ ! -z "$PREVIOUS_IMAGE_MANIFEST" ]; then
# Get the current highest version number
CURRENT_VERSION=$(aws ecr describe-images \
--repository-name $ECR_REPOSITORY \
--query 'imageDetails[].imageTags[?starts_with(@, `v`)]' \
--output text | grep -o 'v[0-9]*' | sed 's/v//' | sort -n | tail -1)
# Calculate next version number
if [ -z "$CURRENT_VERSION" ]; then
NEW_VERSION="v1"
else
NEW_VERSION="v$((CURRENT_VERSION + 1))"
fi
# Tag the previous image with the new version
aws ecr put-image \
--repository-name $ECR_REPOSITORY \
--image-tag $NEW_VERSION \
--image-manifest "$PREVIOUS_IMAGE_MANIFEST"
echo "Previous image tagged as $NEW_VERSION"
echo "version_tag=$NEW_VERSION" >> $GITHUB_OUTPUT
fi
echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
echo "full_image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT