Merge tag 'v0.9.0' into amazonlinux

.codebuild/buildspec.yml

@@ -4,6 +4,7 @@ phases:
   install:
     commands:
       - chmod +x -R scripts
+      - ./scripts/container_init.sh
       - ./scripts/hack/codepipeline-git-commit.sh
       - ./scripts/hack/symlink-gopath-codebuild.sh
       - cd /go/src/github.com/awslabs/amazon-ecr-credential-helper

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: true

.github/ISSUE_TEMPLATE/third_party_license_usage_request.yml

@@ -0,0 +1,30 @@
+name: 3rd Party License Request
+description: File a request for usage of a 3rd party license in the Amazon ECR credential helpers project.
+title: "[3rd Party License Request]: "
+labels: "license-request"
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this request!
+
+  - type: textarea
+    id: license-request
+    attributes:
+      label: License request
+      value: |
+        License: <link to license>
+
+  - type: textarea
+    id: use-case
+    attributes:
+      label: Use case
+      description: |
+        Briefly describe the use case the dependency would resolve.
+    validations:
+      required: true
+
+  - type: textarea
+    id: other-solutions
+    attributes:
+      label: Other solutions considered

.github/dependabot.yml

@@ -1,6 +1,24 @@
 version: 2
 updates:
-  - package-ecosystem: gomod
-    directory: /ecr-login
+  # Dependencies listed in ecr-login/go.mod
+  - package-ecosystem: "gomod"
+    directory: "/ecr-login"
     schedule:
-      interval: daily
+      interval: "daily"
+    groups:
+      # Group updates from github.com/aws/aws-sdk-go-v2 dependencies
+      aws-sdk-go-v2:
+        patterns:
+          - "github.com/aws/aws-sdk-go-v2/*"
+
+  # Dependencies listed in .github/workflows/*.yml
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  # Base image in Dockerfile
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/dependency-review-config.yml

@@ -0,0 +1,8 @@
+# Fail third party dependency usage if not covered by the curated set of pre-approved licenses.
+#
+# List was generated from guidance set forth by Amazon open source usage policies.
+allow-licenses:
+  - 'Apache-2.0'
+  - 'BSD-3-Clause'
+  - 'ISC'
+  - 'MIT'

.github/new-pull-request-labels.yml

@@ -0,0 +1,23 @@
+aws_partition_change:
+  - changed-files:
+      - any-glob-to-any-file: ['ecr-login/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.*']
+
+dependencies:
+  - changed-files:
+      - any-glob-to-any-file: ['**/go.mod', '**/go.sum']
+
+documentation:
+  - changed-files:
+      - all-globs-to-all-files: ['**/*.md']
+
+github_actions:
+  - changed-files:
+      - any-glob-to-any-file: ['.github/**', 'scripts/**']
+
+go:
+  - changed-files:
+      - any-glob-to-any-file: ['**/*.go']
+
+testing:
+  - changed-files:
+      - any-glob-to-any-file: ['integration/**', '**/*_test.go']

.github/workflows/build.yaml

@@ -7,35 +7,49 @@ on:
     branches: [ main, amazonlinux ]
 
 jobs:
-  build:
+  git-secrets:
+    runs-on: 'ubuntu-22.04'
+    steps:
+      - name: Pull latest awslabs/git-secrets repo
+        uses: actions/checkout@v4
+        with:
+          repository: awslabs/git-secrets
+          ref: 1.3.0
+          fetch-tags: true
+          path: git-secrets
+      - name: Install git secrets from source
+        run: sudo make install
+        working-directory: git-secrets
+      - uses: actions/checkout@v4
+      - name: Scan repository for git secrets
+        run: |
+          git secrets --register-aws
+          git secrets --scan-history
+
+  cross-compile:
+    runs-on: 'ubuntu-22.04'
+    steps:
+      - uses: actions/checkout@v4
+      - name: Cross-compile all variants
+        run: make all-variants-in-docker
+
+  unit-test:
     strategy:
       matrix:
-        go: ['1.15', '1.16', '1.17', '1.18']
+        go: ['1.21', '1.22']
 
         # Intentionally use specific versions instead of "latest" to
         # make this build reproducible.
-        os: ['ubuntu-22.04', 'macos-12']
+        os: ['ubuntu-22.04', 'macos-12', 'windows-2022']
 
       # Build all variants regardless of failures
       fail-fast: false
-    name: ${{ matrix.os }} / Go ${{ matrix.go }}
+    name: unit-test (${{ matrix.os }} / Go ${{ matrix.go }})
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go }}
-      - run: make get-deps
-        if: ${{ matrix.go >= '1.17' }}
-
-      # Apple Silicon is not supported by Go < 1.16.
-      # https://go.dev/blog/go1.16
-      - name: Cross-compile all variants
-        run: make all-variants
-        if: ${{ matrix.go >= '1.16' }}
-      - name: Cross-compile all variants except for Apple Silicon
-        run: make linux-amd64 linux-arm64 darwin-amd64 windows-amd64
-        if: ${{ matrix.go < '1.16' }}
-
       - run: make test

.github/workflows/check-links.yml

@@ -0,0 +1,24 @@
+name: Check Links
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * 3" # Every Wednesday at 00:00 UTC
+  pull_request:
+    paths:
+      - ".github/workflows/check-links.yml"
+
+jobs:
+  check:
+    runs-on: ubuntu-22.04
+    if: github.repository == 'awslabs/amazon-ecr-credential-helper'
+    name: lychee
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+      - uses: lycheeverse/[email protected]
+        with:
+          fail: true
+          args: --exclude-path ecr-login/vendor --timeout 30 --no-progress './**/*.md'
+          format: markdown
+          jobSummary: true

.github/workflows/codeql.yml

@@ -24,19 +24,19 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
 
     - name: Build
       run: make build
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"
 

.github/workflows/new-pull-requests.yml

@@ -0,0 +1,27 @@
+name: "New Pull Requests"
+
+on:
+  # It is safe to use pull_request_target here because we are not checking out
+  # code from the pull request branch.
+  #
+  # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+  pull_request_target:
+
+permissions:
+  contents: read
+
+jobs:
+  label:
+    if: github.event.pull_request.draft == false
+    runs-on: ubuntu-22.04
+
+    permissions:
+      pull-requests: write
+
+    steps:
+      # Use label configuration from main instead of from the pull request branch
+      # to mitigate running untrusted workflows with write permissions.
+      - uses: actions/labeler@v5
+        with:
+          configuration-path: '.github/new-pull-request-labels.yml'
+          sync-labels: true

.github/workflows/review-dependencies.yml

@@ -0,0 +1,24 @@
+name: Review dependencies
+
+on:
+  pull_request:
+    branches: ['main', 'release/**']
+    paths:
+      - 'ecr-login/go.*'
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+
+    permissions:
+      # Write permissions needed to comment review results on PR.
+      # Pwn request risk mitigated by using pull_request workflow trigger
+      # and external contributor workflow runs require maintainer approval.
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/dependency-review-action@v4
+        with:
+          config-file: './.github/dependency-review-config.yml'
+          comment-summary-in-pr: always

CHANGELOG.md

@@ -1,3 +1,12 @@
+# 0.9.0
+* Enhancement - Added support for environment variable `AWS_ECR_IGNORE_CREDS_STORAGE=true` to ignore ADD and DELETE requests. This makes tools that try to `docker login` work with registries managed the amazon-ecr-credential-helper. ([#102](https://github.com/awslabs/amazon-ecr-credential-helper/issues/102) and [#847](https://github.com/awslabs/amazon-ecr-credential-helper/pull/847))
+* Enhancement - Updated ECR pattern for new isolated regions. ([#850](https://github.com/awslabs/amazon-ecr-credential-helper/pull/850))
+* Upgraded dependencies.
+
+# 0.8.0
+* Enhancement - Updated ECR pattern to match C2S environments. ([#433](https://github.com/awslabs/amazon-ecr-credential-helper/issues/433))
+* Feature (Experimental) - Added support for building Windows ARM credential helper binaries. ([#795](https://github.com/awslabs/amazon-ecr-credential-helper/issues/795))
+
 # 0.7.1
 
 **Note: v0.7.1 is functionally equivalent to v0.7.0. We have decided to create a duplicate release to reflect a more accurate changelog, since our v0.7.0 release did not contain

Dockerfile

@@ -1,20 +1,21 @@
-# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"). You
 # may not use this file except in compliance with the License. A copy of
 # the License is located at
 #
-#       http://aws.amazon.com/apache2.0/
+# 	http://aws.amazon.com/apache2.0/
 #
 # or in the "license" file accompanying this file. This file is
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
 # ANY KIND, either express or implied. See the License for the specific
 # language governing permissions and limitations under the License.
 
-FROM golang:1.15
+FROM public.ecr.aws/docker/library/golang:1.23-alpine
 
 WORKDIR /go/src/github.com/awslabs/amazon-ecr-credential-helper
 
-COPY . .
+COPY ./scripts/container_init.sh /setup/container_init.sh
+
+RUN /setup/container_init.sh
 
-CMD make