Skip to content

Commit 2c58334

Browse files
authored
Merge pull request #447 from OperationCode/irving/push-docker
push docker images via CI, just like back-end
2 parents 1e3b86e + 26ada94 commit 2c58334

1 file changed

Lines changed: 83 additions & 0 deletions

File tree

.github/workflows/ci.yml

Lines changed: 83 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -164,19 +164,102 @@ jobs:
164164
- name: Display Bandit results
165165
run: poetry run bandit -r pybot -x pybot/_vendor --skip B101 -f txt || true
166166

167+
docker-build-push:
168+
name: Build and Push Docker Image
169+
runs-on: ubuntu-24.04-arm
170+
# Run on push to master (build+push) and on PRs (build only)
171+
if: github.event_name == 'push' || github.event_name == 'pull_request'
172+
# Wait for CI checks to pass
173+
needs: [ci-success]
174+
permissions:
175+
id-token: write # Required for OIDC authentication
176+
contents: read # Required to checkout code
177+
steps:
178+
- name: Checkout code
179+
uses: actions/checkout@v4
180+
181+
- name: Determine push eligibility
182+
id: can-push
183+
run: |
184+
if [ "${{ github.event_name }}" == "push" ]; then
185+
echo "push=true" >> "$GITHUB_OUTPUT"
186+
elif [ "${{ github.event.pull_request.head.repo.full_name }}" == "${{ github.repository }}" ]; then
187+
echo "push=true" >> "$GITHUB_OUTPUT"
188+
else
189+
echo "push=false" >> "$GITHUB_OUTPUT"
190+
fi
191+
192+
- name: Determine Docker tags
193+
id: docker-tag
194+
run: |
195+
ECR=633607774026.dkr.ecr.us-east-2.amazonaws.com/pybot
196+
if [ "${{ github.ref }}" == "refs/heads/master" ]; then
197+
echo "images=${ECR}:prod,${ECR}:latest" >> "$GITHUB_OUTPUT"
198+
echo "environment=Production" >> "$GITHUB_OUTPUT"
199+
else
200+
echo "images=${ECR}:staging" >> "$GITHUB_OUTPUT"
201+
echo "environment=Staging" >> "$GITHUB_OUTPUT"
202+
fi
203+
204+
- name: Set up Docker Buildx
205+
uses: docker/setup-buildx-action@v3
206+
with:
207+
platforms: linux/arm64
208+
209+
- name: Configure AWS credentials
210+
if: steps.can-push.outputs.push == 'true'
211+
uses: aws-actions/configure-aws-credentials@v4
212+
with:
213+
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
214+
role-session-name: GitHubActions-DockerBuild-${{ steps.docker-tag.outputs.environment }}
215+
aws-region: us-east-2
216+
217+
- name: Login to Amazon ECR
218+
id: login-ecr
219+
if: steps.can-push.outputs.push == 'true'
220+
uses: aws-actions/amazon-ecr-login@v2
221+
222+
- name: Build and push Docker image
223+
uses: docker/build-push-action@v6
224+
with:
225+
context: .
226+
file: docker/Dockerfile
227+
target: prod
228+
platforms: linux/arm64
229+
push: ${{ steps.can-push.outputs.push == 'true' }}
230+
tags: ${{ steps.docker-tag.outputs.images }}
231+
provenance: false
232+
cache-from: type=gha,scope=arm64
233+
cache-to: type=gha,mode=max,scope=arm64
234+
235+
- name: Output image URI
236+
if: steps.can-push.outputs.push == 'true'
237+
run: |
238+
echo "Successfully pushed ${{ steps.docker-tag.outputs.environment }} images:"
239+
echo "${{ steps.docker-tag.outputs.images }}"
240+
167241
# Final status check for branch protection
168242
ci-success:
169243
name: CI Success
170244
needs: [lint, test, security]
171245
runs-on: ubuntu-latest
246+
# Always run to satisfy docker-build-push dependency
172247
if: always()
173248
steps:
174249
- name: Check all jobs passed
175250
run: |
251+
if [[ "${{ needs.lint.result }}" == "skipped" ]]; then
252+
echo "Lint job was skipped"
253+
exit 1
254+
fi
176255
if [[ "${{ needs.lint.result }}" != "success" ]]; then
177256
echo "Lint job failed"
178257
exit 1
179258
fi
259+
if [[ "${{ needs.test.result }}" == "skipped" ]]; then
260+
echo "Test job was skipped"
261+
exit 1
262+
fi
180263
if [[ "${{ needs.test.result }}" != "success" ]]; then
181264
echo "Test job failed"
182265
exit 1

0 commit comments

Comments
 (0)