From 9a9cbc997be36cecb7d03978ef134b6be020b6a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9sar=20Arroba?= <19954079+cesararroba@users.noreply.github.com>
Date: Tue, 30 Jun 2026 21:17:57 +0200
Subject: [PATCH] ci(workflows): push SDK image to Public ECR via OIDC (#11749)
---
 .../workflows/sdk-container-build-push.yml | 38 ++++++++++++-------
 1 file changed, 24 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/sdk-container-build-push.yml b/.github/workflows/sdk-container-build-push.yml
index 2dbaeec4a5..ab2e5045af 100644
--- a/.github/workflows/sdk-container-build-push.yml
+++ b/.github/workflows/sdk-container-build-push.yml
@@ -138,6 +138,7 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write
 steps:
 - name: Harden Runner
@@ -147,6 +148,8 @@ jobs:
 allowed-endpoints: >
 api.ecr-public.us-east-1.amazonaws.com:443
 public.ecr.aws:443
+ sts.amazonaws.com:443
+ sts.us-east-1.amazonaws.com:443
 registry-1.docker.io:443
 production.cloudflare.docker.com:443
 production.cloudfront.docker.com:443
@@ -173,14 +176,16 @@ jobs:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Login to Public ECR
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ - name: Configure AWS credentials (OIDC)
+ uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
 with:
- registry: public.ecr.aws
- username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
- password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
- env:
- AWS_REGION: ${{ env.AWS_REGION }}
+ aws-region: us-east-1
+ role-to-assume: ${{ secrets.PUBLIC_ECR_IAM_ROLE_ARN }}
+
+ - name: Login to Public ECR
+ uses: aws-actions/amazon-ecr-login@d539f0932e70871a027e9d5a9d8fc38589180a64 # v2.1.6
+ with:
+ registry-type: public
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
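Review bot: The allow list in `@@ -147,6 +148,8 @@` admits both the global `sts.amazonaws.com:443` and the regional `sts.us-east-1.amazonaws.com:443`, but with `aws-region` set the credentials action's SDK should resolve STS to the regional endpoint only, so the global entry most likely widens the egress allow list without being used. Run the job once under `egress-policy: block` (the policy line is outside the hunk, so I am assuming it is `block`) and keep only the endpoint the run actually contacts. The same pair is added to the second job at `@@ -221,6 +227,8 @@`; whichever entry is dropped here should be dropped there too.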
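Review bot: In `@@ -173,14 +176,16 @@` the new `aws-region: us-east-1` hard-codes what the removed `AWS_REGION: ${{ env.AWS_REGION }}` line read from a workflow-level variable, so if that `env.AWS_REGION` still exists (it is outside the hunk) there are now two sources of truth; `aws-region: ${{ env.AWS_REGION }}` keeps them aligned, or the workflow-level value should go if nothing else reads it. The assume-role step would also benefit from `role-session-name: sdk-container-build-${{ github.run_id }}` so CloudTrail records can be traced to the run, and from `role-duration-seconds: 900` since the credentials are only consumed by the ECR login that follows. Because the role ARN lives in a secret, a two-line comment above the step stating the trust-policy constraint the role is expected to carry (the GitHub OIDC provider with a `sub` condition scoped to this repository and the branches that push) would make that assumption reviewable from the workflow itself. The identical hunk at `@@ -229,14 +237,16 @@` needs the same changes.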
@@ -206,6 +211,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: read
+ id-token: write
 steps:
 - name: Harden Runner
@@ -221,6 +227,8 @@ jobs:
 github.com:443
 release-assets.githubusercontent.com:443
 api.ecr-public.us-east-1.amazonaws.com:443
+ sts.amazonaws.com:443
+ sts.us-east-1.amazonaws.com:443
 - name: Login to DockerHub
@@ -229,14 +237,16 @@ jobs:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Login to Public ECR
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ - name: Configure AWS credentials (OIDC)
+ uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
 with:
- registry: public.ecr.aws
- username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
- password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
- env:
- AWS_REGION: ${{ env.AWS_REGION }}
+ aws-region: us-east-1
+ role-to-assume: ${{ secrets.PUBLIC_ECR_IAM_ROLE_ARN }}
+
+ - name: Login to Public ECR
+ uses: aws-actions/amazon-ecr-login@d539f0932e70871a027e9d5a9d8fc38589180a64 # v2.1.6
+ with:
+ registry-type: public
 - name: Create and push manifests for push event
 if: github.event_name == 'push'