s3 workflow with gcp

2025-11-27 15:57:13 +05:30 · 2025-11-27 15:57:13 +05:30 · 2aee68df73
commit 2aee68df73
parent 2490ff12db
2 changed files with 157 additions and 0 deletions
--- a/.github/workflows/base-build-image-gcp.yml
+++ b/.github/workflows/base-build-image-gcp.yml
@ -0,0 +1,71 @@
+name: Build base images (Generally from basin repo)
+
+on:
+  workflow_call:
+    inputs:
+      image_tag:
+        required: true
+        type: string
+      fail_on_scan:
+        default: true
+        type: boolean
+
+jobs:
+  docker-build-and-push:
+
+    runs-on: ubuntu-22.04 #ubuntu-latest
+
+    steps:
+    - id: get-id
+      name: Get a unique tag for this build
+      run: |
+        echo "DOCKER_IMAGE=${{ vars.GCP_DOCKER_REGISTRY }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT";
+
+    - name: Print image name
+      run: |
+        echo "${{ steps.get-id.outputs.DOCKER_IMAGE }}";
+
+    - uses: actions/checkout@v4
+
+    # ✅ 1) Auth to GCP (this is where your SA key is used)
+    - name: Auth to GCP
+      uses: google-github-actions/auth@v2
+      with:
+        # using your existing secret that contains the SA JSON
+        credentials_json: ${{ secrets.GCP_SA_KEY }}
+
+      # ✅ 2) Install gcloud (no creds here)
+    - name: Set up gcloud
+      uses: google-github-actions/setup-gcloud@v2
+      with:
+        project_id: ${{ vars.GCP_PROJECT_ID }}
+        export_default_credentials: true
+
+    - name: Configure Docker for GAR
+      run: |
+        gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev
+
+    - name: Build and push the Docker image
+      run: |
+        docker build \
+          --file context/Dockerfile \
+          --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \
+          ./context;
+
+    - name: Container details
+      run: |
+        IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`;
+        echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}";
+
+#    - name: Scan Docker Image for vulnerabilities with Grype
+#      uses: anchore/scan-action@v6
+#      with:
+#        image: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
+#        cache-db: true #Cache Grype DB in Github Actions
+#        output-format: table
+#        only-fixed: true
+#        severity-cutoff: critical
+#        fail-build: ${{ inputs.fail_on_scan }}
+
+    - name: Push the container image
+      run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }}
--- a/.github/workflows/push-s3-gcp.yml
+++ b/.github/workflows/push-s3-gcp.yml
@ -0,0 +1,86 @@
+name: Docker Image CI
+
+on:
+  workflow_call:
+
+# Org Secrets are available on push event. Not pull_request event.
+
+env:
+  REPO: ${{ github.repository }}
+  REPO_SHORT_NAME: ${{ github.event.repository.name }}
+
+jobs:
+
+  push-s3:
+    runs-on: ubuntu-22.04
+    steps:
+    - id: get-id
+      name: Get a unique tag for this build
+      run: |
+        SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }};
+        BUILD_ID=$BRANCH_NAME-${SHA:0:8};
+        DOCKER_IMAGE=${{ vars.GCP_DOCKER_REGISTRY }}/$REPO:$BUILD_ID;
+        echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT";
+        echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT";
+
+    - name: Print build id and image name
+      run: |
+        echo "BUILD_ID: ${{ steps.get-id.outputs.BUILD_ID }}"; 
+        echo "DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}";
+
+    - uses: actions/checkout@v4
+
+    # ✅ 1) Auth to GCP (this is where your SA key is used)
+    - name: Auth to GCP
+      uses: google-github-actions/auth@v2
+      with:
+        # using your existing secret that contains the SA JSON
+        credentials_json: ${{ secrets.GCP_SA_KEY }}
+
+      # ✅ 2) Install gcloud (no creds here)
+    - name: Set up gcloud
+      uses: google-github-actions/setup-gcloud@v2
+      with:
+        project_id: ${{ vars.GCP_PROJECT_ID }}
+        export_default_credentials: true
+
+    - name: Configure Docker for GAR
+      run: |
+        gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev
+
+
+    - name: Build the container image for bundle step
+      run: |
+        docker build \
+          --build-arg BUILD_STEP=bundle \
+          --build-arg PUBLIC_BUILD_VERSION=${{ steps.get-id.outputs.BUILD_ID }} \
+          --file fab/d/actions-build.Dockerfile \
+          --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \
+          .;
+    
+    - name: Extract cloud files
+      run: |
+        image=${{ steps.get-id.outputs.DOCKER_IMAGE }}
+        source_path=/cloud
+        destination_path=cloud
+
+        container_id=$(docker create "$image")
+        docker cp "$container_id:$source_path" "$destination_path"
+        docker rm "$container_id"
+
+        echo "Running: ls $destination_path"
+        ls $destination_path
+
+    - name: Upload cloud files
+      uses: https://git.gmetri.io/gmetribin/aws-cli-action@v1.0.0
+      env:
+        AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }}
+        AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }}
+        AWS_DEFAULT_REGION: ${{ vars.aws_default_region }}
+      with:
+        args: >
+          s3 cp \
+          --recursive \
+          --cache-control max-age=31536000\
+          --storage-class 'STANDARD_IA' \
+          cloud/ s3://${{ vars.aws_upload_bucket }}/${{ env.REPO_SHORT_NAME }}/${{ steps.get-id.outputs.BUILD_ID }}