diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index 2edb895..59184ab 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -32,9 +32,26 @@ on: description: Runner type default: ubuntu-latest type: string + baseImageRegistry: + required: false + description: The registry to pull base images from + type: string version: required: true type: string + secrets: + npmGithubReadToken: + required: true + description: The Github token with permissions to read NPM private packages + AWS_ROLE_TO_ASSUME: + required: true + description: AWS OIDC role for GitHub to assume + baseImageRegistryUsername: + required: false + description: The username for the base image registry + baseImageRegistryPassword: + required: false + description: The password for the base image registry env: IMAGE_SCAN_SEVERITY: LOW @@ -66,6 +83,20 @@ jobs: with: name: ${{ inputs.artifactName }} path: ${{ inputs.artifactPath }} + - name: Validate base image registry secrets + if: ${{ inputs.baseImageRegistry }} + run: | + if [ -z "${{ secrets.baseImageRegistryUsername }}" ] || [ -z "${{ secrets.baseImageRegistryPassword }}" ]; then + echo "baseImageRegistry is set but baseImageRegistryUsername or baseImageRegistryPassword secrets are missing." + exit 1 + fi + - name: Login to base image registry + if: ${{ inputs.baseImageRegistry }} + uses: docker/login-action@v3 + with: + registry: ${{ inputs.baseImageRegistry }} + username: ${{ secrets.baseImageRegistryUsername }} + password: ${{ secrets.baseImageRegistryPassword }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 - name: Configure AWS credentials 
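Review bot: The new `baseImageRegistry` input's description does not say that setting it makes the `baseImageRegistryUsername` and `baseImageRegistryPassword` secrets mandatory, which is exactly what the validation step added later in this file enforces; a caller reading only the `workflow_call` interface sees two optional secrets and will hit a run-time failure instead. Suggest `description: The registry to pull base images from; when set, the baseImageRegistryUsername and baseImageRegistryPassword secrets must also be provided`. The same input in kubernetes.yaml (hunk @@ -97) is described differently ("Additional registry to log into for pulling base images"); aligning the two descriptions would make the pass-through easier to follow.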
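Review bot: The "Validate base image registry secrets" step interpolates `${{ secrets.baseImageRegistryUsername }}` and `${{ secrets.baseImageRegistryPassword }}` directly into the `run:` script, so the secret values are spliced into the shell text before it executes; a value containing a double quote, `$` or a backtick breaks or alters the script rather than being tested as data. The identical step in the second job (hunk @@ -153 of this file) has the same problem. Passing the secrets through `env:` and testing the variables inside the shell keeps the script text fixed; the login step that follows needs no change. The `docker/login-action@v3` tag follows the file's existing major-tag convention, though a commit-SHA pin would be the stronger supply-chain posture for all the `uses:` lines here.
```yaml
      - name: Validate base image registry secrets
        if: ${{ inputs.baseImageRegistry }}
        env:
          BASE_IMAGE_REGISTRY_USERNAME: ${{ secrets.baseImageRegistryUsername }}
          BASE_IMAGE_REGISTRY_PASSWORD: ${{ secrets.baseImageRegistryPassword }}
        run: |
          if [ -z "$BASE_IMAGE_REGISTRY_USERNAME" ] || [ -z "$BASE_IMAGE_REGISTRY_PASSWORD" ]; then
          # … unchanged: echo message, exit 1, fi …
      # … unchanged: Login to base image registry step …
```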
@@ -153,6 +184,20 @@ jobs: with: name: ${{ inputs.artifactName }} path: ${{ inputs.artifactPath }} + - name: Validate base image registry secrets + if: ${{ inputs.baseImageRegistry }} + run: | + if [ -z "${{ secrets.baseImageRegistryUsername }}" ] || [ -z "${{ secrets.baseImageRegistryPassword }}" ]; then + echo "baseImageRegistry is set but baseImageRegistryUsername or baseImageRegistryPassword secrets are missing." + exit 1 + fi + - name: Login to base image registry + if: ${{ inputs.baseImageRegistry }} + uses: docker/login-action@v3 + with: + registry: ${{ inputs.baseImageRegistry }} + username: ${{ secrets.baseImageRegistryUsername }} + password: ${{ secrets.baseImageRegistryPassword }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 - name: Configure AWS credentials diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 6aa6cae..82b4cff 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -97,6 +97,10 @@ on: description: The relative file path to the folder that holds the application Kubernetes values default: values.yaml type: string + baseImageRegistry: + required: false + description: Additional registry to log into for pulling base images + type: string secrets: npmGithubReadToken: required: true @@ -110,8 +114,14 @@ on: sentryAuthToken: required: false description: Authentication token for Sentry + baseImageRegistryUsername: + required: false + description: The username for the base image registry + baseImageRegistryPassword: + required: false + description: The password for the base image registry AWS_ROLE_TO_ASSUME: - required: true + required: false description: AWS OIDC role for GitHub to assume jobs: 
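Review bot: In the kubernetes.yaml hunk @@ -110, `AWS_ROLE_TO_ASSUME` is relaxed to `required: false`, but the build-image.yaml workflow this file calls (hunk @@ -32 of that file) still declares the same secret as `required: true`, and the call site in hunk @@ -162 passes `secrets: inherit`. A caller that now omits the secret will presumably no longer be rejected at validation time and will instead fail inside the nested workflow when the "Configure AWS credentials" step runs, assuming that step still consumes it (it lies outside these hunks). Either keep `required: true` here, or relax it in build-image.yaml as well and guard the AWS step with an `if:` on the secret. The hunk gives no reason for the relaxation; a one-line comment above the key stating which callers may legitimately omit it would help the next reader.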
@@ -162,15 +172,15 @@ jobs: build: needs: [initialize] - uses: parcelLab/ci/.github/workflows/build-image.yaml@v8.2.5 + uses: parcelLab/ci/.github/workflows/build-image.yaml@chore--allow-additional-base-image-registry-for-dh.io with: artifactName: ${{ inputs.artifactName }} artifactPath: ${{ inputs.artifactPath }} imageTargets: ${{ inputs.imageTargets }} preScript: ${{ inputs.preScript }} - registryUsername: ${{ inputs.registryUsername }} enableContainerScan: ${{ inputs.enableContainerScan }} runner: ${{ inputs.runner }} + baseImageRegistry: ${{ inputs.baseImageRegistry }} version: ${{ needs.initialize.outputs.version }} secrets: inherit
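Review bot: The `uses:` line replaces the pinned release `@v8.2.5` with the mutable branch ref `@chore--allow-additional-base-image-registry-for-dh.io`, so every run of this workflow executes whatever that branch contains at the time, and the reference dangles once the branch is deleted. This reads as a development-time pin that should be restored to an immutable tag or commit SHA before merge: `uses: parcelLab/ci/.github/workflows/build-image.yaml@<release-tag>`. Separately, `registryUsername` is dropped from the call; if kubernetes.yaml still declares it as an input outside this hunk, callers that set it will now have it silently ignored, which is worth stating in that input's description or removing the input alongside.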