ci(workflows): push SDK image to Public ECR via OIDC (#11749)
@@ -138,6 +138,7 @@ jobs:
|
|||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
packages: write
|
packages: write
|
||||||
|
id-token: write
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Harden Runner
|
- name: Harden Runner
|
||||||
@@ -147,6 +148,8 @@ jobs:
|
|||||||
allowed-endpoints: >
|
allowed-endpoints: >
|
||||||
api.ecr-public.us-east-1.amazonaws.com:443
|
api.ecr-public.us-east-1.amazonaws.com:443
|
||||||
public.ecr.aws:443
|
public.ecr.aws:443
|
||||||
|
sts.amazonaws.com:443
|
||||||
|
sts.us-east-1.amazonaws.com:443
|
||||||
registry-1.docker.io:443
|
registry-1.docker.io:443
|
||||||
production.cloudflare.docker.com:443
|
production.cloudflare.docker.com:443
|
||||||
production.cloudfront.docker.com:443
|
production.cloudfront.docker.com:443
|
||||||
@@ -173,14 +176,16 @@ jobs:
|
|||||||
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
||||||
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
||||||
|
|
||||||
- name: Login to Public ECR
|
- name: Configure AWS credentials (OIDC)
|
||||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
|
||||||
with:
|
with:
|
||||||
registry: public.ecr.aws
|
aws-region: us-east-1
|
||||||
username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
|
role-to-assume: ${{ secrets.PUBLIC_ECR_IAM_ROLE_ARN }}
|
||||||
password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
|
|
||||||
env:
|
- name: Login to Public ECR
|
||||||
AWS_REGION: ${{ env.AWS_REGION }}
|
uses: aws-actions/amazon-ecr-login@d539f0932e70871a027e9d5a9d8fc38589180a64 # v2.1.6
|
||||||
|
with:
|
||||||
|
registry-type: public
|
||||||
|
|
||||||
- name: Set up Docker Buildx
|
- name: Set up Docker Buildx
|
||||||
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
|
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
|
||||||
@@ -206,6 +211,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
|
id-token: write
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Harden Runner
|
- name: Harden Runner
|
||||||
@@ -221,6 +227,8 @@ jobs:
|
|||||||
github.com:443
|
github.com:443
|
||||||
release-assets.githubusercontent.com:443
|
release-assets.githubusercontent.com:443
|
||||||
api.ecr-public.us-east-1.amazonaws.com:443
|
api.ecr-public.us-east-1.amazonaws.com:443
|
||||||
|
sts.amazonaws.com:443
|
||||||
|
sts.us-east-1.amazonaws.com:443
|
||||||
|
|
||||||
|
|
||||||
- name: Login to DockerHub
|
- name: Login to DockerHub
|
||||||
@@ -229,14 +237,16 @@ jobs:
|
|||||||
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
||||||
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
||||||
|
|
||||||
- name: Login to Public ECR
|
- name: Configure AWS credentials (OIDC)
|
||||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
|
||||||
with:
|
with:
|
||||||
registry: public.ecr.aws
|
aws-region: us-east-1
|
||||||
username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
|
role-to-assume: ${{ secrets.PUBLIC_ECR_IAM_ROLE_ARN }}
|
||||||
password: ${{ secrets.PUBLIC_ECR_AWS_SECRET_ACCESS_KEY }}
|
|
||||||
env:
|
- name: Login to Public ECR
|
||||||
AWS_REGION: ${{ env.AWS_REGION }}
|
uses: aws-actions/amazon-ecr-login@d539f0932e70871a027e9d5a9d8fc38589180a64 # v2.1.6
|
||||||
|
with:
|
||||||
|
registry-type: public
|
||||||
|
|
||||||
- name: Create and push manifests for push event
|
- name: Create and push manifests for push event
|
||||||
if: github.event_name == 'push'
|
if: github.event_name == 'push'
|
||||||
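Review bot: The new `Configure AWS credentials (OIDC)` step sets `role-to-assume` and `aws-region` but no `role-session-name`, so every assumed-role session from both jobs lands in CloudTrail under the action's default session name and cannot be tied back to a specific workflow run; adding `role-session-name: prowler-sdk-publish-${{ github.run_id }}` (a constructed example — pick the project's convention) and a short `role-duration-seconds` keeps the audit trail useful and the credential lifetime close to what the image push needs. The same step is added again in the earlier hunk (`@@ -173,14 +176,16 @@`), so both copies should carry it. `aws-region: us-east-1` is now hard-coded where the removed step read `${{ env.AWS_REGION }}`; if that `env` entry is still defined outside these hunks it is worth either reusing it here or removing it so the region is set in one place — the job's `env` block is not visible from here. The hardened-runner allowlist adds both `sts.amazonaws.com:443` and `sts.us-east-1.amazonaws.com:443`; the action is expected to call the regional endpoint for the configured region, so the global entry can presumably be dropped once a run confirms only the regional one is used.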