docker/build-push-action
1
0
Fork 0
mirror of https://github.com/docker/build-push-action.git synced 2026-05-31 01:34:27 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
df9c7450bf8dd309a16d534672b97936bdc81874
build-push-action/.github/workflows/e2e.yml
Michael Zampani df9c7450bf feat(e2e): replace AWS_ACCESS_KEY_ID secrets with OIDC role assumption 
Adds aws-role-to-assume input to .e2e-run.yml. Adds configure-aws-credentials
step (pinned SHA, with role-session-name) before the Login to Registry step,
conditioned on ECR registry detection. Updates e2e.yml to pass the OIDC role
ARN and remove AWS secrets from the matrix credential expressions.

Role: arn:aws:iam::175142243308:role/official_gha_cicd
Action: aws-actions/configure-aws-credentials@7474bc4690

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
2026-05-29 23:16:53 -07:00

129 lines
3.9 KiB
YAML
Raw Blame History

name: e2e
permissions:
contents: read
id-token: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
workflow_dispatch:
schedule:
- cron: '0 10 * * *'
push:
branches:
- 'master'
tags:
- 'v*'
jobs:
build:
uses: ./.github/workflows/.e2e-run.yml
strategy:
fail-fast: false
matrix:
include:
-
name: Distribution
id: distribution
auth: none
type: local
-
name: Docker Hub
registry: ''
slug: ghactionstest/ghactionstest
auth: dockerhub
type: remote
-
name: GitHub
registry: ghcr.io
slug: ghcr.io/docker-ghactiontest/test
auth: ghcr
type: remote
-
name: GitLab
registry: registry.gitlab.com
slug: registry.gitlab.com/test1716/test
auth: gitlab
type: remote
-
name: AWS ECR
registry: 175142243308.dkr.ecr.us-east-2.amazonaws.com
slug: 175142243308.dkr.ecr.us-east-2.amazonaws.com/sandbox/test-docker-action
auth: aws
type: remote
-
name: AWS ECR Public
registry: public.ecr.aws
slug: public.ecr.aws/q3b5f1u4/test-docker-action
auth: aws
type: remote
-
name: Google Artifact Registry
registry: us-east4-docker.pkg.dev
slug: us-east4-docker.pkg.dev/sandbox-298914/docker-official-github-actions/test-docker-action
auth: gar
type: remote
-
name: Azure Container Registry
registry: officialgithubactions.azurecr.io
slug: officialgithubactions.azurecr.io/test-docker-action
auth: acr
type: remote
-
name: Quay
registry: quay.io
slug: quay.io/docker_build_team/ghactiontest
auth: quay
type: remote
-
name: Artifactory
registry: infradock.jfrog.io
slug: infradock.jfrog.io/test-ghaction/build-push-action
auth: artifactory
type: remote
-
name: Harbor
id: harbor
auth: none
type: local
-
name: Nexus
id: nexus
auth: none
type: local
with:
id: ${{ matrix.id }}
type: ${{ matrix.type }}
name: ${{ matrix.name }}
registry: ${{ matrix.registry }}
slug: ${{ matrix.slug }}
aws-role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd
secrets:
# Pass only the two secrets needed by each matrix entry.
# AWS ECR entries use OIDC via aws-role-to-assume instead of static keys.
registry_username: >-
${{
matrix.auth == 'dockerhub' && secrets.DOCKERHUB_USERNAME ||
matrix.auth == 'ghcr' && secrets.GHCR_USERNAME ||
matrix.auth == 'gitlab' && secrets.GITLAB_USERNAME ||
matrix.auth == 'gar' && secrets.GAR_USERNAME ||
matrix.auth == 'acr' && secrets.AZURE_CLIENT_ID ||
matrix.auth == 'quay' && secrets.QUAY_USERNAME ||
matrix.auth == 'artifactory' && secrets.ARTIFACTORY_USERNAME ||
''
}}
registry_password: >-
${{
matrix.auth == 'dockerhub' && secrets.DOCKERHUB_TOKEN ||
matrix.auth == 'ghcr' && secrets.GHCR_PAT ||
matrix.auth == 'gitlab' && secrets.GITLAB_TOKEN ||
matrix.auth == 'gar' && secrets.GAR_JSON_KEY ||
matrix.auth == 'acr' && secrets.AZURE_CLIENT_SECRET ||
matrix.auth == 'quay' && secrets.QUAY_TOKEN ||
matrix.auth == 'artifactory' && secrets.ARTIFACTORY_TOKEN ||
''
}}
Reference in New Issue View Git Blame Copy Permalink