From e9188cc5f8db61606a9a17a4182d4aa0879721c1 Mon Sep 17 00:00:00 2001 From: Andrei Vsiakikh Date: Mon, 22 Dec 2025 10:53:43 +1300 Subject: [PATCH 01/11] ecr oidc test --- .github/workflows/build.yml | 61 ++++++++++++++++++++++++++++--------- 1 file changed, 47 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 51651ed..5426d40 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -23,15 +23,20 @@ jobs: if: startsWith(github.ref, 'refs/heads/deploy/') outputs: skip_build: ${{ steps.retag.outputs.skip_build }} + permissions: + id-token: write + contents: read container: docker:stable-git runs-on: ubuntu-latest steps: + - name: Configure AWS credentials for ECR + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.ECR_IAM_ROLE }} + aws-region: ${{ env.AWS_REGION }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - name: Retag images with Skopeo id: retag run: | @@ -56,7 +61,6 @@ jobs: echo "skip_build=false" >> $GITHUB_OUTPUT fi - # This job heavily relies on Docker layer caching to make it as fast as possible # It builds the app-test stage first, and tests it, # and only after that builds the rest of the stuff and pushes it to ECR @@ -65,7 +69,10 @@ jobs: # builds the image if the previous job didn't fail and didn't indicate # that this one should be skipped if: ${{ !failure() && (needs.retag-images.outputs.skip_build!='true')}} - needs: [ retag-images ] + needs: [retag-images] + permissions: + id-token: write + contents: read container: docker:stable-git runs-on: ubuntu-latest steps: 
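Review bot: The new `permissions` block and `role-to-assume: ${{ secrets.ECR_IAM_ROLE }}` in the retag-images job move ECR auth to OIDC, but nothing in the patch constrains which workflows may assume that role — the trust policy does not appear in this series. Any step in a job holding `id-token: write` (here also build-and-test in the `@@ -65` hunk and deploy in this patch's last hunk) can request the token, so the role's condition on the `token.actions.githubusercontent.com:sub` claim should be limited to this repository and the `refs/heads/deploy/*` refs the job's `if:` already gates on; adding `role-session-name: retag-${{ github.run_id }}` would also make the assumed-role sessions attributable in CloudTrail. The third-party actions added here are pinned to floating major tags (`aws-actions/configure-aws-credentials@v4`, `aws-actions/amazon-ecr-login@v1`); for a workflow that now mints cloud credentials, pinning to a full commit SHA with the tag in a trailing comment is the usual hardening, and the same applies to the other `uses:` lines added across this series.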
@@ -76,6 +83,12 @@ jobs: with: version: v0.6.3 driver-opts: image=moby/buildkit:v0.11.5 + # Configure S3 cache role for Docker layer caching + - name: Configure AWS credentials for S3 cache + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.REGISTRY_IAM_ROLE }} + aws-region: ${{ env.AWS_REGION }} - name: Set dynamic env vars run: | docker version @@ -86,7 +99,7 @@ jobs: - name: Build test containers uses: docker/bake-action@v5.11.0 env: - CACHE: type=s3,region=${{ env.AWS_REGION }},bucket=${{ secrets.REGISTRY_BUCKET_NAME }},access_key_id=${{ secrets.REGISTRY_AWS_ACCESS_KEY_ID }},secret_access_key=${{ secrets.REGISTRY_AWS_SECRET_ACCESS_KEY }} + CACHE: type=s3,region=${{ env.AWS_REGION }},bucket=${{ secrets.REGISTRY_BUCKET_NAME }} with: files: docker-bake.hcl targets: app-test 
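Review bot: Dropping `access_key_id`/`secret_access_key` from the `CACHE` string in the `@@ -86` hunk leaves no visible path for the S3 credentials to reach the builder: the `Configure AWS credentials for S3 cache` step in the preceding hunk exports `AWS_*` into the runner's environment, but the context lines still pin buildx `v0.6.3` with a builder image selected via `driver-opts: image=`, which implies the `docker-container` driver, and that buildkitd does not share the step environment. Newer buildx releases load AWS credentials from the client's default chain and inject them into a `type=s3` cache spec themselves, which I believe is why later patches in this series bump `setup-buildx-action` and drop the explicit version pin; a comment above the credentials step, e.g. `# buildx reads the AWS_* env exported here and forwards them as type=s3 cache credentials`, would record that dependency so an old pin is not reintroduced. The enclosing `build-and-test` job starts in the previous hunk and continues past this one.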
@@ -124,18 +137,29 @@ jobs: ${{ env.PROJECT }}/app-test:${{ env.VERSION }} \ ./manage.py makemigrations --check --dry-run + # Configure ECR role and login (token stored in Docker config) + - name: Configure AWS credentials for ECR + if: startsWith(github.ref, 'refs/heads/deploy/') + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.ECR_IAM_ROLE }} + aws-region: ${{ env.AWS_REGION }} - name: Login to Amazon ECR if: startsWith(github.ref, 'refs/heads/deploy/') id: login-ecr uses: aws-actions/amazon-ecr-login@v1 - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + # Reconfigure S3 cache role for Docker build (ECR push uses token from login step) + - name: Configure AWS credentials for S3 cache + if: startsWith(github.ref, 'refs/heads/deploy/') + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.REGISTRY_IAM_ROLE }} + aws-region: ${{ env.AWS_REGION }} - name: Build all other app parts and push to ECR if: startsWith(github.ref, 'refs/heads/deploy/') env: REGISTRY: ${{ steps.login-ecr.outputs.registry }} - CACHE: type=s3,region=${{ env.AWS_REGION }},bucket=${{ secrets.REGISTRY_BUCKET_NAME }},access_key_id=${{ secrets.REGISTRY_AWS_ACCESS_KEY_ID }},secret_access_key=${{ secrets.REGISTRY_AWS_SECRET_ACCESS_KEY }} + CACHE: type=s3,region=${{ env.AWS_REGION }},bucket=${{ secrets.REGISTRY_BUCKET_NAME }} uses: docker/bake-action@v5.11.0 with: files: docker-bake.hcl 
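Review bot: This hunk calls `aws-actions/configure-aws-credentials@v4` twice in the same job, first for `ECR_IAM_ROLE` and then for `REGISTRY_IAM_ROLE`, and the second call runs with the first role's `AWS_ACCESS_KEY_ID`/`AWS_SESSION_TOKEN` already exported in the environment; I believe v4 ignores those and performs a fresh OIDC exchange unless `role-chaining: true` is set, but that is worth confirming, since if it chained instead the S3 role would have to trust the ECR role rather than the GitHub OIDC provider. Both steps omit `role-session-name`, so CloudTrail records for the two roles are indistinguishable across runs; `role-session-name: build-ecr-${{ github.run_id }}` and `role-session-name: build-s3-${{ github.run_id }}` would fix that. The comment `# Reconfigure S3 cache role for Docker build (ECR push uses token from login step)` is useful — it could also say that the registry token `amazon-ecr-login` writes to the Docker config is presumably what keeps the push working after the AWS environment is switched. The enclosing `build-and-test` job begins before this hunk.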
@@ -144,21 +168,30 @@ jobs: push: true deploy: - needs: [ build-and-test, retag-images ] + needs: [build-and-test, retag-images] if: startsWith(github.ref, 'refs/heads/deploy/') && !failure() + permissions: + id-token: write + contents: read container: docker:stable-git runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v3 + # TODO: Update deploy-user module to support OIDC role creation + # For now, using access keys (created by deploy-user module) + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ env.AWS_REGION }} - name: Download ecs-tool run: | - wget -O ecs-tool.tar.gz https://github.com/springload/ecs-tool/releases/download/v1.9.9-beta/ecs-tool_1.9.9-beta_linux_amd64.tar.gz && tar -C /usr/bin -xvf ecs-tool.tar.gz ecs-tool + wget -O ecs-tool.tar.gz https://github.com/springload/ecs-tool/releases/download/v1.9.9-beta/ecs-tool_1.9.9-beta_linux_amd64.tar.gz && tar -C /usr/bin -xvf ecs-tool.tar.gz ecs-tool - name: Deploy app env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} EJSON_PRIVATE: ${{ secrets.EJSON_PRIVATE }} run: |- set -eu From 98d2940a0e7887322af7e04947af2457041eb5d8 Mon Sep 17 00:00:00 2001 From: Andrei Vsiakikh Date: Mon, 22 Dec 2025 11:34:34 +1300 Subject: [PATCH 02/11] fix docker cahce --- .github/workflows/build.yml | 4 ++-- docker-bake.hcl | 22 ++++++++++++---------- 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5426d40..c4be9a8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
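Review bot: The deploy job gains `id-token: write` but, per the new TODO, still authenticates with the static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` passed to `configure-aws-credentials`; until a deploy role exists the permission buys nothing and lets any step in that job mint an OIDC token, so drop the two `permissions` lines here and add them together with the role. The `wget ... ecs-tool.tar.gz && tar -C /usr/bin -xvf ...` line that this hunk re-emits downloads a release tarball and installs it onto the PATH with no integrity check; verifying a pinned digest before extracting, e.g. `echo "<EXPECTED_SHA256>  ecs-tool.tar.gz" | sha256sum -c -` between the `wget` and the `tar`, closes that gap. Removing the raw `AWS_*` keys from the `Deploy app` step's `env:` in favour of the action's exported credentials is the right direction, leaving `EJSON_PRIVATE` as the only secret injected by hand. The job's `run: |-` script continues beyond the hunk.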
@@ -36,7 +36,7 @@ jobs: aws-region: ${{ env.AWS_REGION }} - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 + uses: aws-actions/amazon-ecr-login@v2 - name: Retag images with Skopeo id: retag run: | @@ -147,7 +147,7 @@ jobs: - name: Login to Amazon ECR if: startsWith(github.ref, 'refs/heads/deploy/') id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 + uses: aws-actions/amazon-ecr-login@v2 # Reconfigure S3 cache role for Docker build (ECR push uses token from login step) - name: Configure AWS credentials for S3 cache if: startsWith(github.ref, 'refs/heads/deploy/') diff --git a/docker-bake.hcl b/docker-bake.hcl index 7507717..038a135 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,7 @@ // this is registry used for caching purposes only variable "CACHE_REGISTRY" { default = "" } +// this is cache definition used for caching purposes only +variable "CACHE" { default = "" } // this is remote registry to push to variable "REGISTRY" { default = "" } variable "ENVIRONMENT" { default = "preview" } 
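Review bot: The new comment on `variable "CACHE"` repeats the wording of the `CACHE_REGISTRY` comment above it and does not say what the value is, which matters because in this series the string sometimes carries credentials; `// full BuildKit cache spec, e.g. "type=s3,region=...,bucket=..."; empty string disables cache-from/cache-to` would document the contract the targets below rely on. After the target changes in the following hunks no `cache-from`/`cache-to` line references `CACHE_REGISTRY` any more, so unless a target outside this diff still uses it, the variable and its comment should go.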
@@ -14,15 +16,15 @@ group "default" { target "base" { dockerfile = "docker/application/Dockerfile" target = "base" - cache-from = notequal("", CACHE_REGISTRY) ? ["type=registry,ref=${CACHE_REGISTRY}/base:${VERSION}", "type=registry,ref=${CACHE_REGISTRY}/base:cache"] : [] - cache-to = notequal("", CACHE_REGISTRY) ? ["type=registry,ref=${CACHE_REGISTRY}/base:cache,mode=max"] : [] + cache-from = notequal("", CACHE) ? ["${CACHE},name=base"] : [] + cache-to = notequal("", CACHE) ? ["${CACHE},mode=max,name=base"] : [] } target "app" { dockerfile = "docker/application/Dockerfile" target = "app" - cache-from = notequal("", CACHE_REGISTRY) ? ["type=registry,ref=${CACHE_REGISTRY}/app:${VERSION}", "type=registry,ref=${CACHE_REGISTRY}/app:cache"] : [] - cache-to = notequal("", CACHE_REGISTRY) ? ["type=registry,ref=${CACHE_REGISTRY}/app:cache,mode=max"] : [] + cache-from = notequal("", CACHE) ? ["${CACHE},name=app"] : [] + cache-to = notequal("", CACHE) ? ["${CACHE},mode=max,name=app"] : [] args = { VERSION : VERSION, @@ -38,8 +40,8 @@ target "app" { target "app-test" { dockerfile = "docker/application/Dockerfile" target = "app-test" - cache-from = notequal("", CACHE_REGISTRY) ? ["type=registry,ref=${CACHE_REGISTRY}/app-test:${VERSION}", "type=registry,ref=${CACHE_REGISTRY}/app-test:cache"] : [] - cache-to = notequal("", CACHE_REGISTRY) ? ["type=registry,ref=${CACHE_REGISTRY}/app-test:cache,mode=max"] : [] + cache-from = notequal("", CACHE) ? ["${CACHE},name=app-test", "${CACHE},name=base"] : [] + cache-to = notequal("", CACHE) ? ["${CACHE},mode=max,name=app-test"] : [] args = { VERSION : VERSION, 
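Review bot: The rewritten `cache-from`/`cache-to` lines key every S3 cache manifest only by `name=<target>` and drop the `${VERSION}` component the registry refs had, so every ref that runs build-and-test (its `if:` does not appear to restrict it to deploy branches) reads and writes the same cache entries that the deploy build later imports. Anyone who can push a branch to this repository can therefore seed layers that a deploy build will reuse; if that trust boundary is not intended, partition the cache by environment for non-deploy builds (`name=${ENVIRONMENT}-base` etc. — `ENVIRONMENT` is already a bake variable) or emit `mode=max` cache-to from deploy builds only. The `app-test` target's extra `"${CACHE},name=base"` import in the `@@ -38` hunk is a sensible addition given `FROM base AS app-test` in the Dockerfile; a one-line comment saying so would help. The `tasks` and `httpd` targets in the next hunks share the same cache behaviour.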
@@ -52,8 +54,8 @@ target "app-test" { target "tasks" { dockerfile = "docker/application/Dockerfile" target = "tasks" - cache-from = notequal("", CACHE_REGISTRY) ? ["type=registry,ref=${CACHE_REGISTRY}/tasks:${VERSION}", "type=registry,ref=${CACHE_REGISTRY}/tasks:cache"] : [] - cache-to = notequal("", CACHE_REGISTRY) ? ["type=registry,ref=${CACHE_REGISTRY}/tasks:cache,mode=max"] : [] + cache-from = notequal("", CACHE) ? ["${CACHE},name=tasks"] : [] + cache-to = notequal("", CACHE) ? ["${CACHE},mode=max,name=tasks"] : [] args = { VERSION : VERSION, @@ -69,8 +71,8 @@ target "tasks" { target "httpd" { context = "docker/httpd" - cache-from = notequal("", CACHE_REGISTRY) ? ["type=registry,ref=${CACHE_REGISTRY}/httpd:${ENVIRONMENT}-${VERSION}", "type=registry,ref=${CACHE_REGISTRY}/httpd:cache"] : [] - cache-to = notequal("", CACHE_REGISTRY) ? ["type=registry,ref=${CACHE_REGISTRY}/httpd:cache,mode=max"] : [] + cache-from = notequal("", CACHE) ? ["${CACHE},name=httpd"] : [] + cache-to = notequal("", CACHE) ? ["${CACHE},mode=max,name=httpd"] : [] args = { VERSION : VERSION, From 8dc884d558f473c85d602ee275dddb3fa29246c9 Mon Sep 17 00:00:00 2001 From: Andrei Vsiakikh Date: Mon, 22 Dec 2025 11:52:56 +1300 Subject: [PATCH 03/11] fix docker cahce --- .github/workflows/build.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c4be9a8..a1a7adc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -100,6 +100,10 @@ jobs: uses: docker/bake-action@v5.11.0 env: CACHE: type=s3,region=${{ env.AWS_REGION }},bucket=${{ secrets.REGISTRY_BUCKET_NAME }} + # Pass OIDC-provided temporary credentials to BuildKit + AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }} + AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }} with: files: docker-bake.hcl targets: app-test 
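Review bot: The three `AWS_*` entries added to the `Build test containers` step's `env:` are copies of variables `configure-aws-credentials` already exported to the job environment, so for the buildx client they change nothing, and with a `docker-container` builder the buildkitd process does not inherit the step environment either — which would explain why this commit is followed by further cache fixes. If the intent is to hand credentials to the builder, the supported routes are the `access_key_id`/`secret_access_key`/`session_token` attributes in the `type=s3` spec or a buildx version that injects them from the client credential chain; the identical block in the `@@ -160` hunk has the same issue.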
@@ -160,6 +164,10 @@ jobs: env: REGISTRY: ${{ steps.login-ecr.outputs.registry }} CACHE: type=s3,region=${{ env.AWS_REGION }},bucket=${{ secrets.REGISTRY_BUCKET_NAME }} + # Pass OIDC-provided temporary credentials to BuildKit + AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }} + AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }} uses: docker/bake-action@v5.11.0 with: files: docker-bake.hcl From cea42cd46234453393fd505852557201a3acad5e Mon Sep 17 00:00:00 2001 From: Andrei Vsiakikh Date: Mon, 22 Dec 2025 12:06:49 +1300 Subject: [PATCH 04/11] fix docker cahce --- .github/workflows/build.yml | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a1a7adc..75786c5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -83,12 +83,14 @@ jobs: with: version: v0.6.3 driver-opts: image=moby/buildkit:v0.11.5 - # Configure S3 cache role for Docker layer caching - - name: Configure AWS credentials for S3 cache + - name: configure AWS for s3 Docker cache + id: s3creds uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.REGISTRY_IAM_ROLE }} + role-session-name: s3 aws-region: ${{ env.AWS_REGION }} + output-credentials: true - name: Set dynamic env vars run: | docker version 
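Review bot: `role-session-name: s3` is a fixed literal, so every run, branch and job that assumes `REGISTRY_IAM_ROLE` shows up in CloudTrail under the same session name; `role-session-name: s3-cache-${{ github.run_id }}` keeps the per-run attribution the session name exists for, and the same literal is added to the deploy-path copy of this step in the next hunk. `output-credentials: true` exposes the temporary keys as step outputs, which is needed only because the following hunk templates them into a shell script — if the credentials are consumed from the exported `AWS_*` environment instead, as patch 05 in this series ends up doing, this input and the `id:` can be dropped. The `Set dynamic env vars` step that follows continues beyond this hunk.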
@@ -96,14 +98,11 @@ jobs: echo "VERSION=${SHORT_COMMIT}" >> $GITHUB_ENV echo "DATABASE_PASSWORD=$( head -c 24 /dev/urandom | xxd -p | tr -d '\n ')" >> $GITHUB_ENV echo "ENVIRONMENT=$(basename $GITHUB_REF)" >> $GITHUB_ENV + echo "CACHE=type=s3,region=${{ env.AWS_REGION }},bucket=${{ secrets.REGISTRY_BUCKET_NAME }},access_key_id=${{ steps.s3creds.outputs.aws-access-key-id }},secret_access_key=${{ steps.s3creds.outputs.aws-secret-access-key }},session_token=${{ steps.s3creds.outputs.aws-session-token }}" >> $GITHUB_ENV - name: Build test containers uses: docker/bake-action@v5.11.0 env: - CACHE: type=s3,region=${{ env.AWS_REGION }},bucket=${{ secrets.REGISTRY_BUCKET_NAME }} - # Pass OIDC-provided temporary credentials to BuildKit - AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }} + CACHE: ${{ env.CACHE }} with: files: docker-bake.hcl targets: app-test 
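Review bot: The new `echo "CACHE=...,secret_access_key=${{ steps.s3creds.outputs.aws-secret-access-key }},..." >> $GITHUB_ENV` line templates short-lived AWS credentials straight into a `run:` script and then persists them in `$GITHUB_ENV`, where every later step of the job — including the third-party `docker/bake-action` and `amazon-ecr-login` — can read them. The action masks the individual output values in logs, but the safer shape is to keep the `CACHE` spec credential-free and pass the keys through `env:` on the bake step (or let buildx pick them up from the exported `AWS_*` environment), which is what patch 05 in this series returns to; the `Update CACHE env var for deploy build` step in the next hunk has the same issue. `$GITHUB_ENV` is unquoted on the new line as on the surrounding ones; `"$GITHUB_ENV"` is the lint-clean form.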
@@ -153,21 +152,24 @@ jobs: id: login-ecr uses: aws-actions/amazon-ecr-login@v2 # Reconfigure S3 cache role for Docker build (ECR push uses token from login step) - - name: Configure AWS credentials for S3 cache + - name: configure AWS for s3 Docker cache if: startsWith(github.ref, 'refs/heads/deploy/') + id: s3creds-deploy uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.REGISTRY_IAM_ROLE }} + role-session-name: s3 aws-region: ${{ env.AWS_REGION }} + output-credentials: true + - name: Update CACHE env var for deploy build + if: startsWith(github.ref, 'refs/heads/deploy/') + run: | + echo "CACHE=type=s3,region=${{ env.AWS_REGION }},bucket=${{ secrets.REGISTRY_BUCKET_NAME }},access_key_id=${{ steps.s3creds-deploy.outputs.aws-access-key-id }},secret_access_key=${{ steps.s3creds-deploy.outputs.aws-secret-access-key }},session_token=${{ steps.s3creds-deploy.outputs.aws-session-token }}" >> $GITHUB_ENV - name: Build all other app parts and push to ECR if: startsWith(github.ref, 'refs/heads/deploy/') env: REGISTRY: ${{ steps.login-ecr.outputs.registry }} - CACHE: type=s3,region=${{ env.AWS_REGION }},bucket=${{ secrets.REGISTRY_BUCKET_NAME }} - # Pass OIDC-provided temporary credentials to BuildKit - AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }} - AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }} + CACHE: ${{ env.CACHE }} uses: docker/bake-action@v5.11.0 with: files: docker-bake.hcl From 1a6ec7d0d34a21390aeb32d58d297dee0894bb45 Mon Sep 17 00:00:00 2001 From: Andrei Vsiakikh Date: Mon, 22 Dec 2025 13:02:04 +1300 Subject: [PATCH 05/11] fix docker cahce --- .github/workflows/build.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 75786c5..e9394fd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -79,18 +79,15 @@ jobs: - name: Checkout uses: actions/checkout@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: - version: v0.6.3 driver-opts: image=moby/buildkit:v0.11.5 - name: configure AWS for s3 Docker cache - id: s3creds uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.REGISTRY_IAM_ROLE }} role-session-name: s3 aws-region: ${{ env.AWS_REGION }} - output-credentials: true - name: Set dynamic env vars run: | docker version @@ -98,7 +95,7 @@ jobs: echo "VERSION=${SHORT_COMMIT}" >> $GITHUB_ENV echo "DATABASE_PASSWORD=$( head -c 24 /dev/urandom | xxd -p | tr -d '\n ')" >> $GITHUB_ENV echo "ENVIRONMENT=$(basename $GITHUB_REF)" >> $GITHUB_ENV - echo "CACHE=type=s3,region=${{ env.AWS_REGION }},bucket=${{ secrets.REGISTRY_BUCKET_NAME }},access_key_id=${{ steps.s3creds.outputs.aws-access-key-id }},secret_access_key=${{ steps.s3creds.outputs.aws-secret-access-key }},session_token=${{ steps.s3creds.outputs.aws-session-token }}" >> $GITHUB_ENV + echo "CACHE=type=s3,region=${{ env.AWS_REGION }},bucket=${{ secrets.REGISTRY_BUCKET_NAME }}" >> $GITHUB_ENV - name: Build test containers uses: docker/bake-action@v5.11.0 env: 
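Review bot: Bumping to `docker/setup-buildx-action@v3` and deleting `version: v0.6.3` is, as far as I can tell, what makes the credential-free `CACHE` spec in the `@@ -98` hunk work — recent buildx loads AWS credentials from the client's default chain for `type=s3` caches — but the workflow now depends on whichever buildx the action ships, and that dependency is undocumented. A comment on the `configure AWS for s3 Docker cache` step, `# buildx forwards the AWS_* env exported here to the type=s3 cache backend; needs a buildx that auto-loads S3 credentials`, would keep the next maintainer from re-pinning an old buildx. `driver-opts: image=moby/buildkit:v0.11.5` selects the builder image by mutable tag; pinning the tag together with its `@sha256:<digest>` gives a reproducible builder, and the same applies where patches 06 and 07 move the tag to `v0.13.0` and `v0.26.3`.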
@@ -154,17 +151,15 @@ jobs: # Reconfigure S3 cache role for Docker build (ECR push uses token from login step) - name: configure AWS for s3 Docker cache if: startsWith(github.ref, 'refs/heads/deploy/') - id: s3creds-deploy uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.REGISTRY_IAM_ROLE }} role-session-name: s3 aws-region: ${{ env.AWS_REGION }} - output-credentials: true - name: Update CACHE env var for deploy build if: startsWith(github.ref, 'refs/heads/deploy/') run: | - echo "CACHE=type=s3,region=${{ env.AWS_REGION }},bucket=${{ secrets.REGISTRY_BUCKET_NAME }},access_key_id=${{ steps.s3creds-deploy.outputs.aws-access-key-id }},secret_access_key=${{ steps.s3creds-deploy.outputs.aws-secret-access-key }},session_token=${{ steps.s3creds-deploy.outputs.aws-session-token }}" >> $GITHUB_ENV + echo "CACHE=type=s3,region=${{ env.AWS_REGION }},bucket=${{ secrets.REGISTRY_BUCKET_NAME }}" >> $GITHUB_ENV - name: Build all other app parts and push to ECR if: startsWith(github.ref, 'refs/heads/deploy/') env: From 95842d242aac58b479f97d957ae18a67a51d2aff Mon Sep 17 00:00:00 2001 From: Andrei Vsiakikh Date: Mon, 22 Dec 2025 13:11:42 +1300 Subject: [PATCH 06/11] fix docker cahce --- .github/workflows/build.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e9394fd..a783f72 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -81,7 +81,7 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: - driver-opts: image=moby/buildkit:v0.11.5 + driver-opts: image=moby/buildkit:v0.13.0 - name: configure AWS for s3 Docker cache uses: aws-actions/configure-aws-credentials@v4 with: @@ -104,6 +104,7 @@ jobs: files: docker-bake.hcl targets: app-test load: true + provenance: false - name: Test app run: | # there's some limitation on the hostname length 
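Review bot: `provenance: false` on the `Build test containers` step, and on the push step in the `@@ -171` hunk, turns off the provenance attestation buildx attaches by default, so the images pushed to ECR from this workflow carry no build provenance; if that is a deliberate trade (presumably to keep a plain single-platform manifest that `load: true` and the S3 cache handle cleanly) it should be written down. A comment such as `# provenance: false — skip the attestation manifest so the result stays a plain image manifest for load/push` on both steps would do, and the deploy-path copy could keep provenance if downstream tooling consumes it. The step definition begins before this hunk.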
@@ -171,6 +172,7 @@ jobs: targets: default # makes it push to the registry push: true + provenance: false deploy: needs: [build-and-test, retag-images] From 9c46b2615e2cb1f51b1d250bf886f1ac919ce95d Mon Sep 17 00:00:00 2001 From: Andrei Vsiakikh Date: Mon, 22 Dec 2025 13:56:38 +1300 Subject: [PATCH 07/11] fix docker cahce --- .github/workflows/build.yml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a783f72..c1b2fa0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -27,7 +27,7 @@ jobs: id-token: write contents: read container: docker:stable-git - runs-on: ubuntu-latest + runs-on: self-hosted steps: - name: Configure AWS credentials for ECR uses: aws-actions/configure-aws-credentials@v4 @@ -74,14 +74,14 @@ jobs: id-token: write contents: read container: docker:stable-git - runs-on: ubuntu-latest + runs-on: self-hosted steps: - name: Checkout uses: actions/checkout@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: - driver-opts: image=moby/buildkit:v0.13.0 + driver-opts: image=moby/buildkit:v0.26.3 - name: configure AWS for s3 Docker cache uses: aws-actions/configure-aws-credentials@v4 with: @@ -97,10 +97,12 @@ jobs: echo "ENVIRONMENT=$(basename $GITHUB_REF)" >> $GITHUB_ENV echo "CACHE=type=s3,region=${{ env.AWS_REGION }},bucket=${{ secrets.REGISTRY_BUCKET_NAME }}" >> $GITHUB_ENV - name: Build test containers - uses: docker/bake-action@v5.11.0 + uses: docker/bake-action@v6 env: CACHE: ${{ env.CACHE }} + DOCKER_BUILD_RECORD_UPLOAD: "false" with: + source: . files: docker-bake.hcl targets: app-test load: true 
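Review bot: `source: .` is added alongside the bump to `docker/bake-action@v6` without a comment; as far as I know v6 defaults to the Git context when `source` is omitted, which would silently build the upstream ref instead of the checked-out tree, so `# bake-action v6 builds from the Git context unless source is set; use the checkout` above it documents why the line must stay. `DOCKER_BUILD_RECORD_UPLOAD: "false"` keeps the build record off the run artifacts, a sensible default for a job that handles registry tokens, and the quoted string form is correct for an `env:` value; a short comment naming that purpose would help, here and on the push step in the `@@ -166` hunk. The `runs-on: self-hosted` changes in the `@@ -27` and `@@ -74` hunks are reverted by patch 08, so I have not reviewed them.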
@@ -166,11 +168,12 @@ jobs: env: REGISTRY: ${{ steps.login-ecr.outputs.registry }} CACHE: ${{ env.CACHE }} - uses: docker/bake-action@v5.11.0 + DOCKER_BUILD_RECORD_UPLOAD: "false" + uses: docker/bake-action@v6 with: + source: . files: docker-bake.hcl targets: default - # makes it push to the registry push: true provenance: false @@ -181,7 +184,7 @@ jobs: id-token: write contents: read container: docker:stable-git - runs-on: ubuntu-latest + runs-on: self-hosted steps: - name: Checkout uses: actions/checkout@v3 From b671c31c066ed15368967248495f88dd2e2c74f3 Mon Sep 17 00:00:00 2001 From: Andrei Vsiakikh Date: Mon, 22 Dec 2025 14:26:44 +1300 Subject: [PATCH 08/11] fix docker cache --- .github/workflows/build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c1b2fa0..9329c26 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -27,7 +27,7 @@ jobs: id-token: write contents: read container: docker:stable-git - runs-on: self-hosted + runs-on: ubuntu-latest steps: - name: Configure AWS credentials for ECR uses: aws-actions/configure-aws-credentials@v4 @@ -74,7 +74,7 @@ jobs: id-token: write contents: read container: docker:stable-git - runs-on: self-hosted + runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v3 @@ -184,7 +184,7 @@ jobs: id-token: write contents: read container: docker:stable-git - runs-on: self-hosted + runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v3 From 33daf600608f0cb0f469630d7842d0361ea95078 Mon Sep 17 00:00:00 2001 From: Andrei Vsiakikh Date: Mon, 22 Dec 2025 15:43:08 +1300 Subject: [PATCH 09/11] fix docker cache --- docker/application/Dockerfile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docker/application/Dockerfile b/docker/application/Dockerfile index 237fac8..6900450 100644 --- a/docker/application/Dockerfile +++ b/docker/application/Dockerfile 
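Review bot: This hunk deletes the `# makes it push to the registry` comment above `push: true` while adding `DOCKER_BUILD_RECORD_UPLOAD: "false"` and `source: .` uncommented, so the step loses the one explanatory line it had; restore it, and add `# keep build records out of the run artifacts` above the env entry and `# build the checked-out tree, not the Git context (bake-action v6 default)` above `source: .`. The `runs-on` flips in the remaining hunks of patches 07 and 08 cancel each other out. The `Build all other app parts and push to ECR` step starts before this hunk.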
@@ -1,7 +1,7 @@ # Frontend assets FROM node:erbium-alpine AS frontend -ENV APPLICATION madewithwagtail +ENV APPLICATION=madewithwagtail COPY package.json yarn.lock /madewithwagtail/ @@ -24,7 +24,7 @@ CMD ["yarn", "start", "--prefix", "/madewithwagtail"] FROM python:3.10-alpine AS base ARG REQUIREMENTS=production.txt -ENV PYCURL_SSL_LIBRARY openssl +ENV PYCURL_SSL_LIBRARY=openssl RUN apk update && apk add postgresql-libs libevent libjpeg openjpeg tiff zlib freetype tk libcurl su-exec git @@ -60,10 +60,10 @@ RUN adduser -S www -u 1000 && chown -R www /madewithwagtail ARG VERSION=dev ENV APPLICATION_VERSION=${VERSION} -ENV DJANGO_SETTINGS_MODULE madewithwagtail.settings.hosting +ENV DJANGO_SETTINGS_MODULE=madewithwagtail.settings.hosting ENV VERSION=${VERSION} -ENV ENVIRONMENT unknown -ENV PROJECT madewithwagtail +ENV ENVIRONMENT=unknown +ENV PROJECT=madewithwagtail # production stage FROM base AS app @@ -92,7 +92,7 @@ CMD ["/usr/local/bin/gunicorn", "--config", "/madewithwagtail/docker/gunicorn.py FROM base AS app-test ARG REQUIREMENTS=test.txt -ENV DJANGO_SETTINGS_MODULE madewithwagtail.settings.test +ENV DJANGO_SETTINGS_MODULE=madewithwagtail.settings.test RUN cd /madewithwagtail &&\ pip install -r requirements/${REQUIREMENTS} CMD ["/bin/sh", "/madewithwagtail/test.sh"] From f9c0d5741f9959a3a6ccfb2a5d44b8816e23bc79 Mon Sep 17 00:00:00 2001 From: Andrei Vsiakikh Date: Mon, 22 Dec 2025 16:03:02 +1300 Subject: [PATCH 10/11] linting --- docker/httpd/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/httpd/Dockerfile b/docker/httpd/Dockerfile index d6903f4..c833f45 100644 --- a/docker/httpd/Dockerfile +++ b/docker/httpd/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:stable-alpine as base +FROM nginx:stable-alpine AS base RUN apk update && apk add --no-cache ca-certificates From d28d8099de686013847cda4ab4666166cceef599 Mon Sep 17 00:00:00 2001 
From: Andrei Vsiakikh Date: Mon, 22 Dec 2025 16:16:09 +1300 Subject: [PATCH 11/11] linting --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9329c26..0d52bbf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -77,7 +77,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: @@ -187,7 +187,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # TODO: Update deploy-user module to support OIDC role creation # For now, using access keys (created by deploy-user module) - name: Configure AWS credentials