v0.3.58 #73
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update Strelka Docker Images | |
| on: | |
| release: | |
| types: [published] | |
| jobs: | |
| push_to_registry: | |
| name: Build & Push to Registries | |
| strategy: | |
| matrix: | |
| # GitHub doesn't have ARM runners so we must use BuildJet. QEMU emulation is too slow and will fail on the base | |
| # build at least. We'll use BuildJet for AMD too because we can use a slightly faster runner for cheap, but | |
| # this could be switched to ubuntu-latest if needed. | |
| arch: [arm64, amd64] | |
| include: | |
| - arch: arm64 | |
| runner: buildjet-4vcpu-ubuntu-2204-arm | |
| - arch: amd64 | |
| runner: buildjet-4vcpu-ubuntu-2204 | |
| runs-on: ${{ matrix.runner }} | |
| environment: production | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v2 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/[email protected] | |
| id: login-aws | |
| continue-on-error: true | |
| with: | |
| output-credentials: true | |
| role-to-assume: ${{ secrets.ECR_REPO_ROLE }} | |
| role-duration-seconds: 7200 # 2 hours | |
| aws-region: us-east-1 | |
| - name: 2nd Attempt Configure AWS credentials | |
| uses: aws-actions/[email protected] | |
| if: ${{ steps.login-aws.outputs.aws-access-key-id == '' }} | |
| with: | |
| role-to-assume: ${{ secrets.ECR_REPO_ROLE }} | |
| role-duration-seconds: 7200 # 2 hours | |
| aws-region: us-east-1 | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| - name: Configure AWS credentials (Gov Cloud) | |
| uses: aws-actions/[email protected] | |
| continue-on-error: true | |
| id: login-aws-gov-cloud | |
| with: | |
| output-credentials: true | |
| unset-current-credentials: true | |
| role-to-assume: ${{ secrets.ECR_GOV_CLOUD_REPO_ROLE }} | |
| role-duration-seconds: 7200 # 2 hours | |
| aws-region: us-gov-east-1 | |
| - name: 2nd Attempt Configure AWS credentials (Gov Cloud) | |
| uses: aws-actions/[email protected] | |
| if: ${{ steps.login-aws-gov-cloud.outputs.aws-access-key-id == '' }} | |
| with: | |
| unset-current-credentials: true | |
| role-to-assume: ${{ secrets.ECR_GOV_CLOUD_REPO_ROLE }} | |
| role-duration-seconds: 7200 # 2 hours | |
| aws-region: us-gov-east-1 | |
| - name: Login to Amazon ECR (GovCloud) | |
| id: login-ecr-gov-cloud | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| - name: Validate ECR Repos | |
| run: | | |
| # If something is wrong with the GovCloud login the GovCloud ECR login will succeed using the standard creds | |
| # Make sure we have two different ECR repos to make this clear. | |
| if [[ ${{ steps.login-ecr.outputs.registry }} = ${{ steps.login-ecr-gov-cloud.outputs.registry }} ]]; then | |
| exit 1 | |
| fi | |
| - name: Determine the version from the tag | |
| id: get_ver | |
| run: | | |
| SEM_VER=$(echo "${{ github.ref }}" | grep -E -o "[0-9]+\.[0-9]+\.[0-9]*") | |
| test -n "$SEM_VER" | |
| echo "::set-output name=SEM_VER::$SEM_VER" | |
| - name: Login to DockerHub | |
| uses: docker/login-action@v1 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@v1 | |
| with: | |
| driver: docker | |
| - name: Build FrontEnd | |
| uses: docker/build-push-action@v2 | |
| with: | |
| file: build/go/frontend/Dockerfile | |
| context: . | |
| platforms: linux/${{ matrix.arch }} | |
| load: true | |
| tags: | | |
| sublimesec/strelka-frontend:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
| ${{ steps.login-ecr.outputs.registry }}/strelka-frontend:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
| ${{ steps.login-ecr-gov-cloud.outputs.registry }}/strelka-frontend:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
| - name: Build BackEnd | |
| uses: docker/build-push-action@v2 | |
| with: | |
| file: build/python/backend/Dockerfile | |
| context: . | |
| platforms: linux/${{ matrix.arch }} | |
| load: true | |
| tags: | | |
| sublimesec/strelka-backend:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
| ${{ steps.login-ecr.outputs.registry }}/strelka-backend:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
| ${{ steps.login-ecr-gov-cloud.outputs.registry }}/strelka-backend:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
| - name: Build Manager | |
| uses: docker/build-push-action@v2 | |
| with: | |
| file: build/go/manager/Dockerfile | |
| context: . | |
| platforms: linux/${{ matrix.arch }} | |
| load: true | |
| tags: | | |
| sublimesec/strelka-manager:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
| ${{ steps.login-ecr.outputs.registry }}/strelka-manager:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
| ${{ steps.login-ecr-gov-cloud.outputs.registry }}/strelka-manager:${{ matrix.arch }}-${{ steps.get_ver.outputs.SEM_VER }} | |
| - name: Push FrontEnd | |
| env: | |
| ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
| ECR_GC_REGISTRY: ${{ steps.login-ecr-gov-cloud.outputs.registry }} | |
| run: | | |
| docker push --all-tags $ECR_REGISTRY/strelka-frontend | |
| docker push --all-tags $ECR_GC_REGISTRY/strelka-backend | |
| docker push --all-tags sublimesec/strelka-frontend | |
| - name: Push BackEnd | |
| env: | |
| ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
| ECR_GC_REGISTRY: ${{ steps.login-ecr-gov-cloud.outputs.registry }} | |
| run: | | |
| docker push --all-tags $ECR_REGISTRY/strelka-backend | |
| docker push --all-tags $ECR_GC_REGISTRY/strelka-backend | |
| docker push --all-tags sublimesec/strelka-backend | |
| - name: Push Manager | |
| env: | |
| ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
| ECR_GC_REGISTRY: ${{ steps.login-ecr-gov-cloud.outputs.registry }} | |
| run: | | |
| docker push --all-tags $ECR_REGISTRY/strelka-manager | |
| docker push --all-tags $ECR_GC_REGISTRY/strelka-manager | |
| docker push --all-tags sublimesec/strelka-manager | |
| manifest_image: | |
| name: Build Manifest Image and Push | |
| needs: push_to_registry | |
| runs-on: ubuntu-20.04 | |
| environment: production | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Configure AWS credentials | |
| uses: aws-actions/[email protected] | |
| continue-on-error: true | |
| id: login-aws | |
| with: | |
| output-credentials: true | |
| role-to-assume: ${{ secrets.ECR_REPO_ROLE }} | |
| role-duration-seconds: 7200 # 2 hours | |
| aws-region: us-east-1 | |
| - name: 2nd Attempt Configure AWS credentials | |
| uses: aws-actions/[email protected] | |
| if: ${{ steps.login-aws.outputs.aws-access-key-id == '' }} | |
| with: | |
| role-to-assume: ${{ secrets.ECR_REPO_ROLE }} | |
| role-duration-seconds: 7200 # 2 hours | |
| aws-region: us-east-1 | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| - name: Configure AWS credentials (Gov Cloud) | |
| uses: aws-actions/[email protected] | |
| continue-on-error: true | |
| id: login-aws-gov-cloud | |
| with: | |
| output-credentials: true | |
| unset-current-credentials: true | |
| role-to-assume: ${{ secrets.ECR_GOV_CLOUD_REPO_ROLE }} | |
| role-duration-seconds: 7200 # 2 hours | |
| aws-region: us-gov-east-1 | |
| - name: 2nd Attempt Configure AWS credentials (Gov Cloud) | |
| uses: aws-actions/[email protected] | |
| if: ${{ steps.login-aws-gov-cloud.outputs.aws-access-key-id == '' }} | |
| with: | |
| unset-current-credentials: true | |
| role-to-assume: ${{ secrets.ECR_GOV_CLOUD_REPO_ROLE }} | |
| role-duration-seconds: 7200 # 2 hours | |
| aws-region: us-gov-east-1 | |
| - name: Login to Amazon ECR (GovCloud) | |
| id: login-ecr-gov-cloud | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| - name: Validate ECR Repos | |
| run: | | |
| # If something is wrong with the GovCloud login the GovCloud ECR login will succeed using the standard creds | |
| # Make sure we have two different ECR repos to make this clear. | |
| if [[ ${{ steps.login-ecr.outputs.registry }} = ${{ steps.login-ecr-gov-cloud.outputs.registry }} ]]; then | |
| exit 1 | |
| fi | |
| - name: Login to DockerHub | |
| uses: docker/login-action@v1 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Determine the version from the tag | |
| id: get_ver | |
| run: | | |
| SEM_VER=$(echo "${{ github.ref }}" | grep -E -o "[0-9]+\.[0-9]+\.[0-9]*") | |
| test -n "$SEM_VER" | |
| echo "::set-output name=SEM_VER::$SEM_VER" | |
| - name: Build and Push Final Manifests to ECR & DockerHub | |
| env: | |
| SEM_VER: ${{ steps.get_ver.outputs.SEM_VER }} | |
| MINOR_VERSION: ${{ steps.get_ver.outputs.MINOR_VERSION }} | |
| ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
| ECR_GC_REGISTRY: ${{ steps.login-ecr-gov-cloud.outputs.registry }} | |
| run: | | |
| amd_tag=amd64-$SEM_VER | |
| arm_tag=arm64-$SEM_VER | |
| # Backend | |
| docker_hub=sublimesec/strelka-backend | |
| ecr=$ECR_REGISTRY/strelka-backend | |
| ecr_gc=$ECR_GC_REGISTRY/strelka-backend | |
| docker manifest create $docker_hub:$SEM_VER \ | |
| $docker_hub:$amd_tag \ | |
| $docker_hub:$arm_tag | |
| docker manifest create $ecr:$SEM_VER \ | |
| $ecr:$amd_tag \ | |
| $ecr:$arm_tag | |
| docker manifest create $ecr_gc:$SEM_VER \ | |
| $ecr_gc:$amd_tag \ | |
| $ecr_gc:$arm_tag | |
| docker manifest push $docker_hub:$SEM_VER | |
| docker manifest push $ecr:$SEM_VER | |
| docker manifest push $ecr_gc:$SEM_VER | |
| # Frontend | |
| docker_hub=sublimesec/strelka-frontend | |
| ecr=$ECR_REGISTRY/strelka-frontend | |
| ecr_gc=$ECR_GC_REGISTRY/strelka-frontend | |
| docker manifest create $docker_hub:$SEM_VER \ | |
| $docker_hub:$amd_tag \ | |
| $docker_hub:$arm_tag | |
| docker manifest create $ecr:$SEM_VER \ | |
| $ecr:$amd_tag \ | |
| $ecr:$arm_tag | |
| docker manifest create $ecr_gc:$SEM_VER \ | |
| $ecr_gc:$amd_tag \ | |
| $ecr_gc:$arm_tag | |
| docker manifest push $docker_hub:$SEM_VER | |
| docker manifest push $ecr:$SEM_VER | |
| docker manifest push $ecr_gc:$SEM_VER | |
| # Manager | |
| docker_hub=sublimesec/strelka-manager | |
| ecr=$ECR_REGISTRY/strelka-manager | |
| ecr_gc=$ECR_GC_REGISTRY/strelka-manager | |
| docker manifest create $docker_hub:$SEM_VER \ | |
| $docker_hub:$amd_tag \ | |
| $docker_hub:$arm_tag | |
| docker manifest create $ecr:$SEM_VER \ | |
| $ecr:$amd_tag \ | |
| $ecr:$arm_tag | |
| docker manifest create $ecr_gc:$SEM_VER \ | |
| $ecr_gc:$amd_tag \ | |
| $ecr_gc:$arm_tag | |
| docker manifest push $docker_hub:$SEM_VER | |
| docker manifest push $ecr:$SEM_VER | |
| docker manifest push $ecr_gc:$SEM_VER | |
| validate_x_region_replication: | |
| name: Validate that ECR Images Have Propagated to All Regions | |
| runs-on: ubuntu-latest | |
| environment: production | |
| permissions: | |
| id-token: write | |
| contents: read | |
| needs: manifest_image | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v2 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/[email protected] | |
| continue-on-error: true | |
| id: login-aws | |
| with: | |
| output-credentials: true | |
| role-to-assume: ${{ secrets.ECR_REPO_ROLE }} | |
| role-duration-seconds: 7200 # 2 hours | |
| aws-region: us-east-1 | |
| - name: 2nd Attempt Configure AWS credentials | |
| uses: aws-actions/[email protected] | |
| if: ${{ steps.login-aws.outputs.aws-access-key-id == '' }} | |
| with: | |
| role-to-assume: ${{ secrets.ECR_REPO_ROLE }} | |
| role-duration-seconds: 7200 # 2 hours | |
| aws-region: us-east-1 | |
| - name: Validate All X-Region Replication | |
| run: | | |
| SEM_VER=$(echo "${{ github.ref }}" | grep -E -o "[0-9]+\.[0-9]+.[0-9]*") | |
| .github/workflows/check_images_x_region.sh $SEM_VER | |
| if [ $? != 0 ]; then | |
| exit 1 | |
| fi | |
| - name: Slack Notification | |
| uses: rtCamp/action-slack-notify@v2 | |
| env: | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_Z_LOG_DOCKER_BUILDS }} | |
| SLACK_TITLE: Strelka Images Updated |