From e6f34291e47da2545efc013b817b9f7cbefd9b61 Mon Sep 17 00:00:00 2001 From: Douglas Odida Date: Fri, 29 Aug 2025 11:09:00 +0300 Subject: [PATCH 1/6] INF-496 Update the runner configuration --- .github/workflows/01-build-then-test.yml | 102 +++++++++++------------ .github/workflows/02-deploy-env.yml | 4 +- 2 files changed, 53 insertions(+), 53 deletions(-) diff --git a/.github/workflows/01-build-then-test.yml b/.github/workflows/01-build-then-test.yml index e2b578fa..c9a18b1d 100644 --- a/.github/workflows/01-build-then-test.yml +++ b/.github/workflows/01-build-then-test.yml @@ -29,11 +29,11 @@ env: jobs: lint: - runs-on: [self-hosted, ec2-runner] + runs-on: [ data ] container: "python:3.11" steps: - - uses: "actions/checkout@v3" + - uses: "actions/checkout@v4" with: ssh-key: ${{ secrets.GIT_SSH_PRIVATE_KEY }} # use ssh-key for updating submodules, will be removed in post-job 
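Review bot: `actions/checkout@v4` in the `lint` job is referenced by a movable tag while the step passes `secrets.GIT_SSH_PRIVATE_KEY` to it; the FEWS-NET runner action changed elsewhere in this patch is pinned to a full commit SHA, and the same treatment fits here. Pin it as `- uses: "actions/checkout@<full-commit-sha>"  # v4` (placeholder; take the SHA from the release you reviewed). The same applies to `aws-actions/configure-aws-credentials@v4` in the start-runner and stop-runner hunks, and to `aws-actions/amazon-ecr-login@v2` and `docker/login-action@v3` added in PATCH 3/6, the latter of which receives the Docker Hub password. The `lint` job body continues outside the hunk.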
@@ -51,26 +51,26 @@ jobs: start-runner-test_branch: if: ${{ !(startsWith(github.ref, 'refs/tags/')) && !(github.ref == 'refs/heads/main') }} needs: lint - runs-on: [self-hosted, ec2-runner] + runs-on: [ data ] outputs: label: ${{ steps.start-ec2-runner.outputs.label }} ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }} steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ env.AWS_REGION }} - name: Start EC2 runner test_branch id: start-ec2-runner - uses: FEWS-NET/ec2-github-runner@076da0ed4e015d7c5bc6c8e1ad0ccef7106cb433 + uses: FEWS-NET/ec2-github-runner@1f687d4b786b21bed4ad6f420daddc7665bff857 with: mode: start github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} - ec2-image-id: ami-0da7ed013d60d14dc - ec2-instance-type: m5.xlarge - subnet-id: subnet-02bc23bcdd0792516 - security-group-id: sg-0e11a9c9e18cfb74b - iam-role-name: github_runner_role # optional, requires additional permissions + ec2-image-id: ami-092d88ab9dba1ddc0 + ec2-instance-type: m5.large + subnet-id: subnet-0f50e5fa11397a87b + security-group-id: sg-0c844cef0ffc13cde + iam-role-name: data-prod-github-runner-role # optional, requires additional permissions aws-resource-tags: > # optional, requires additional permissions [ {"Key": "Name", "Value": "ec2-github-autoscale-runner"}, 
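Review bot: `iam-role-name: data-prod-github-runner-role` attaches a role whose name suggests production scope to the instance started by `start-runner-test_branch`, a job whose `if:` selects every ref that is neither a tag nor `main`. Branch code then runs on an instance holding that role, and PATCH 3/6 appears to make the test jobs rely on ambient credentials for the ECR login, so the role's policy becomes the effective permission set of branch test code. The policy is not visible here; if it grants more than pulling the CI images, use a dedicated role for test runners, e.g. `iam-role-name: <ci-test-runner-role>` (placeholder), or at least state the intended scope in the trailing comment. The same line appears in the `start-runner-test_keepdb`, `start-runner-test_main` and `start-runner-test_tag` hunks.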
@@ -105,29 +105,29 @@ jobs: start-runner-test_keepdb: needs: lint - runs-on: [self-hosted, ec2-runner] + runs-on: [ data ] outputs: label: ${{ steps.start-ec2-runner.outputs.label }} ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }} steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ env.AWS_REGION }} - name: Start EC2 runner test_keepdb id: start-ec2-runner - uses: FEWS-NET/ec2-github-runner@076da0ed4e015d7c5bc6c8e1ad0ccef7106cb433 + uses: FEWS-NET/ec2-github-runner@1f687d4b786b21bed4ad6f420daddc7665bff857 with: mode: start github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} - ec2-image-id: ami-0da7ed013d60d14dc - ec2-instance-type: m5.xlarge - subnet-id: subnet-02bc23bcdd0792516 - security-group-id: sg-0e11a9c9e18cfb74b - iam-role-name: github_runner_role # optional, requires additional permissions + ec2-image-id: ami-092d88ab9dba1ddc0 + ec2-instance-type: m5.large + subnet-id: subnet-0f50e5fa11397a87b + security-group-id: sg-0c844cef0ffc13cde + iam-role-name: data-prod-github-runner-role # optional, requires additional permissions aws-resource-tags: > # optional, requires additional permissions [ - {"Key": "Name", "Value": "ec2-github-autoscale-runner"}, + {"Key": "Name", "Value": "HEA-github-autoscale-runner"}, {"Key": "GitHubRepository", "Value": "${{ github.repository }}"} ] ecr_login-test_keepdb: 
@@ -160,26 +160,26 @@ jobs: start-runner-test_main: if: github.ref == 'refs/heads/main' needs: lint - runs-on: [self-hosted, ec2-runner] + runs-on: [ data ] outputs: label: ${{ steps.start-ec2-runner.outputs.label }} ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }} steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ env.AWS_REGION }} - name: Start EC2 runner test_main id: start-ec2-runner - uses: FEWS-NET/ec2-github-runner@076da0ed4e015d7c5bc6c8e1ad0ccef7106cb433 + uses: FEWS-NET/ec2-github-runner@1f687d4b786b21bed4ad6f420daddc7665bff857 with: mode: start github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} - ec2-image-id: ami-0da7ed013d60d14dc - ec2-instance-type: m5.xlarge - subnet-id: subnet-02bc23bcdd0792516 - security-group-id: sg-0e11a9c9e18cfb74b - iam-role-name: github_runner_role # optional, requires additional permissions + ec2-image-id: ami-092d88ab9dba1ddc0 + ec2-instance-type: m5.large + subnet-id: subnet-0f50e5fa11397a87b + security-group-id: sg-0c844cef0ffc13cde + iam-role-name: data-prod-github-runner-role # optional, requires additional permissions aws-resource-tags: > # optional, requires additional permissions [ {"Key": "Name", "Value": "ec2-github-autoscale-runner"}, 
@@ -215,26 +215,26 @@ jobs: start-runner-test_tag: if: startsWith(github.ref, 'refs/tags/') needs: lint - runs-on: [self-hosted, ec2-runner] + runs-on: [ data ] outputs: label: ${{ steps.start-ec2-runner.outputs.label }} ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }} steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ env.AWS_REGION }} - name: Start EC2 runner test_tag id: start-ec2-runner - uses: FEWS-NET/ec2-github-runner@076da0ed4e015d7c5bc6c8e1ad0ccef7106cb433 + uses: FEWS-NET/ec2-github-runner@1f687d4b786b21bed4ad6f420daddc7665bff857 with: mode: start github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} - ec2-image-id: ami-0da7ed013d60d14dc - ec2-instance-type: m5.xlarge - subnet-id: subnet-02bc23bcdd0792516 - security-group-id: sg-0e11a9c9e18cfb74b - iam-role-name: github_runner_role # optional, requires additional permissions + ec2-image-id: ami-092d88ab9dba1ddc0 + ec2-instance-type: m5.large + subnet-id: subnet-0f50e5fa11397a87b + security-group-id: sg-0c844cef0ffc13cde + iam-role-name: data-prod-github-runner-role # optional, requires additional permissions aws-resource-tags: > # optional, requires additional permissions [ {"Key": "Name", "Value": "ec2-github-autoscale-runner"}, @@ -320,7 +320,7 @@ jobs: run: | for SERVICE in ${BUILD_IMAGES}; do (docker pull ${CI_REGISTRY_IMAGE}/${SERVICE}:edge | grep -i -e 'Pulling from' -e Digest -e Status -e Error) || true; done for SERVICE in ${BUILD_IMAGES}; do (docker pull ${CI_REGISTRY_IMAGE}/${SERVICE}:latest | grep -i -e 'Pulling from' -e Digest -e Status -e Error) || true; done - - uses: "actions/checkout@v3" + - uses: "actions/checkout@v4" with: ssh-key: ${{ secrets.GIT_SSH_PRIVATE_KEY }} # use ssh-key for updating submodules, will be removed in post-job 
@@ -470,7 +470,7 @@ jobs: run: | for SERVICE in ${BUILD_IMAGES}; do (docker pull ${CI_REGISTRY_IMAGE}/${SERVICE}:edge | grep -i -e 'Pulling from' -e Digest -e Status -e Error) || true; done for SERVICE in ${BUILD_IMAGES}; do (docker pull ${CI_REGISTRY_IMAGE}/${SERVICE}:latest | grep -i -e 'Pulling from' -e Digest -e Status -e Error) || true; done - - uses: "actions/checkout@v3" + - uses: "actions/checkout@v4" with: ssh-key: ${{ secrets.GIT_SSH_PRIVATE_KEY }} # use ssh-key for updating submodules, will be removed in post-job @@ -603,7 +603,7 @@ jobs: echo Using registry image ${CI_REGISTRY_IMAGE} for SERVICE in ${BUILD_IMAGES}; do (docker pull ${CI_REGISTRY_IMAGE}/${SERVICE}:edge | grep -i -e 'Pulling from' -e Digest -e Status -e Error) || true; done for SERVICE in ${BUILD_IMAGES}; do (docker pull ${CI_REGISTRY_IMAGE}/${SERVICE}:latest | grep -i -e 'Pulling from' -e Digest -e Status -e Error) || true; done - - uses: "actions/checkout@v3" + - uses: "actions/checkout@v4" with: ssh-key: ${{ secrets.GIT_SSH_PRIVATE_KEY }} # use ssh-key for updating submodules, will be removed in post-job @@ -729,7 +729,7 @@ jobs: run: | # log in to Docker hub echo ${{ secrets.DOCKER_HUB_PASSWORD }} | docker login --username=${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin - - uses: "actions/checkout@v3" + - uses: "actions/checkout@v4" with: ssh-key: ${{ secrets.GIT_SSH_PRIVATE_KEY }} # use ssh-key for updating submodules, will be removed in post-job 
@@ -824,15 +824,15 @@ jobs: needs: - start-runner-test_branch # required to get output from the start-runner-test_branch job - test_branch # required to wait until the main jobs are done - runs-on: [self-hosted, ec2-runner] + runs-on: [ data ] steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ env.AWS_REGION }} - name: Stop EC2 runner - uses: FEWS-NET/ec2-github-runner@076da0ed4e015d7c5bc6c8e1ad0ccef7106cb433 + uses: FEWS-NET/ec2-github-runner@1f687d4b786b21bed4ad6f420daddc7665bff857 with: mode: stop github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} @@ -844,15 +844,15 @@ jobs: needs: - start-runner-test_keepdb # required to get output from the start-runner-test_keepdb job - test_keepdb - runs-on: [self-hosted, ec2-runner] + runs-on: [ data ] steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ env.AWS_REGION }} - name: Stop EC2 runner - uses: FEWS-NET/ec2-github-runner@076da0ed4e015d7c5bc6c8e1ad0ccef7106cb433 + uses: FEWS-NET/ec2-github-runner@1f687d4b786b21bed4ad6f420daddc7665bff857 with: mode: stop github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} @@ -864,15 +864,15 @@ jobs: needs: - start-runner-test_main # required to get output from the start-runner-test_main job - test_main - runs-on: [self-hosted, ec2-runner] + runs-on: [ data ] steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ env.AWS_REGION }} - name: Stop EC2 runner - uses: FEWS-NET/ec2-github-runner@076da0ed4e015d7c5bc6c8e1ad0ccef7106cb433 + uses: FEWS-NET/ec2-github-runner@1f687d4b786b21bed4ad6f420daddc7665bff857 with: mode: stop github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} 
@@ -884,15 +884,15 @@ jobs: needs: - start-runner-test_tag # required to get output from the start-runner-test_tag job - test_tag - runs-on: [self-hosted, ec2-runner] + runs-on: [ data ] steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ env.AWS_REGION }} - name: Stop EC2 runner - uses: FEWS-NET/ec2-github-runner@076da0ed4e015d7c5bc6c8e1ad0ccef7106cb433 + uses: FEWS-NET/ec2-github-runner@1f687d4b786b21bed4ad6f420daddc7665bff857 with: mode: stop github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} diff --git a/.github/workflows/02-deploy-env.yml b/.github/workflows/02-deploy-env.yml index cd98d297..53c464ac 100644 --- a/.github/workflows/02-deploy-env.yml +++ b/.github/workflows/02-deploy-env.yml @@ -17,14 +17,14 @@ env: ENV: ${{ inputs.environment }} # AWS Variables - ECS_CLUSTER: "fnt_ecs" + ECS_CLUSTER: "data-prod-ecs-cluster" AWS_REGION: "us-east-1" jobs: deploy_env: # this will allow us to access secrets defined for this environment environment: ${{ inputs.environment }} - runs-on: [self-hosted, ec2-runner] + runs-on: [ data ] container: image: alpine:3.17 defaults: From a0c84eb194b81962ea5d1dfd37e5f24513a21786 Mon Sep 17 00:00:00 2001 From: Douglas Odida Date: Fri, 29 Aug 2025 11:19:07 +0300 Subject: [PATCH 2/6] INF-496 Update the runner name --- .github/workflows/01-build-then-test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/01-build-then-test.yml b/.github/workflows/01-build-then-test.yml index c9a18b1d..58fc5b87 100644 --- a/.github/workflows/01-build-then-test.yml +++ b/.github/workflows/01-build-then-test.yml 
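Review bot: In the `02-deploy-env.yml` hunk, `deploy_env` now uses `runs-on: [ data ]`, the same label this patch gives to `lint` and the start/stop-runner jobs in `01-build-then-test.yml`, so a job that receives `environment: ${{ inputs.environment }}` secrets shares a runner pool with jobs that check out branch code. If `data` is a long-lived self-hosted runner (not visible here), workspace files, Docker state or processes left by an earlier job can influence a later deployment. A separate label for deployments would keep the two apart, e.g. `runs-on: [ self-hosted, <deploy-runner-label> ]` (placeholder); keeping `self-hosted` in the list also makes it explicit that the job is not meant for a hosted runner. The `deploy_env` job continues outside the hunk.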
@@ -73,7 +73,7 @@ jobs: iam-role-name: data-prod-github-runner-role # optional, requires additional permissions aws-resource-tags: > # optional, requires additional permissions [ - {"Key": "Name", "Value": "ec2-github-autoscale-runner"}, + {"Key": "Name", "Value": "HEA-github-autoscale-runner"}, {"Key": "GitHubRepository", "Value": "${{ github.repository }}"} ] ecr_login-test_branch: @@ -182,7 +182,7 @@ jobs: iam-role-name: data-prod-github-runner-role # optional, requires additional permissions aws-resource-tags: > # optional, requires additional permissions [ - {"Key": "Name", "Value": "ec2-github-autoscale-runner"}, + {"Key": "Name", "Value": "HEA-github-autoscale-runner"}, {"Key": "GitHubRepository", "Value": "${{ github.repository }}"} ] ecr_login-test_main: @@ -237,7 +237,7 @@ jobs: iam-role-name: data-prod-github-runner-role # optional, requires additional permissions aws-resource-tags: > # optional, requires additional permissions [ - {"Key": "Name", "Value": "ec2-github-autoscale-runner"}, + {"Key": "Name", "Value": "HEA-github-autoscale-runner"}, {"Key": "GitHubRepository", "Value": "${{ github.repository }}"} ] ecr_login-test_tag: From 73098dc332654ae2a8a00a2ffb2496524014dd3e Mon Sep 17 00:00:00 2001 From: Douglas Odida Date: Fri, 29 Aug 2025 11:28:56 +0300 Subject: [PATCH 3/6] INF-496 Remove the erroring docker login steps --- .github/workflows/01-build-then-test.yml | 208 +++++------------------ 1 file changed, 40 insertions(+), 168 deletions(-) diff --git a/.github/workflows/01-build-then-test.yml b/.github/workflows/01-build-then-test.yml index 58fc5b87..ecd5ef5b 100644 --- a/.github/workflows/01-build-then-test.yml +++ b/.github/workflows/01-build-then-test.yml 
@@ -76,32 +76,6 @@ jobs: {"Key": "Name", "Value": "HEA-github-autoscale-runner"}, {"Key": "GitHubRepository", "Value": "${{ github.repository }}"} ] - ecr_login-test_branch: - outputs: - aws_access_key_id: ${{ steps.docker_login.outputs.aws_access_key_id }} - aws_secret_access_key: ${{ steps.docker_login.outputs.aws_secret_access_key }} - aws_session_token: ${{ steps.docker_login.outputs.aws_session_token }} - aws_credential_expiration: ${{ steps.docker_login.outputs.aws_credential_expiration }} - needs: - - start-runner-test_branch # required to start the main job when the runner is ready - runs-on: ${{ needs.start-runner-test_branch.outputs.label }} # run the job on the newly created runner - steps: - - name: Generate the ECR credentials - id: docker_login - run: | - # authenticate to pull image that runs test jobs - aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY - - # @TODO: "aws configure get" didn't work, replace package with awscli v2 - # and use "aws configure export-credentials" - python3 -m pip install --user aws-export-credentials==0.18.0 - # set AWS vars to local environment - eval $(~/.local/bin/aws-export-credentials --env-export) - - echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" >> $GITHUB_OUTPUT - echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" >> $GITHUB_OUTPUT - echo "aws_session_token=$AWS_SESSION_TOKEN" >> $GITHUB_OUTPUT - echo "aws_credential_expiration=$AWS_CREDENTIAL_EXPIRATION" >> $GITHUB_OUTPUT start-runner-test_keepdb: needs: lint 
@@ -130,32 +104,6 @@ jobs: {"Key": "Name", "Value": "HEA-github-autoscale-runner"}, {"Key": "GitHubRepository", "Value": "${{ github.repository }}"} ] - ecr_login-test_keepdb: - outputs: - aws_access_key_id: ${{ steps.docker_login.outputs.aws_access_key_id }} - aws_secret_access_key: ${{ steps.docker_login.outputs.aws_secret_access_key }} - aws_session_token: ${{ steps.docker_login.outputs.aws_session_token }} - aws_credential_expiration: ${{ steps.docker_login.outputs.aws_credential_expiration }} - needs: - - start-runner-test_keepdb # required to start the main job when the runner is ready - runs-on: ${{ needs.start-runner-test_keepdb.outputs.label }} # run the job on the newly created runner - steps: - - name: Generate the ECR credentials - id: docker_login - run: | - # authenticate to pull image that runs test jobs - aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY - - # @TODO: "aws configure get" didn't work, replace package with awscli v2 - # and use "aws configure export-credentials" - python3 -m pip install --user aws-export-credentials==0.18.0 - # set AWS vars to local environment - eval $(~/.local/bin/aws-export-credentials --env-export) - - echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" >> $GITHUB_OUTPUT - echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" >> $GITHUB_OUTPUT - echo "aws_session_token=$AWS_SESSION_TOKEN" >> $GITHUB_OUTPUT - echo "aws_credential_expiration=$AWS_CREDENTIAL_EXPIRATION" >> $GITHUB_OUTPUT start-runner-test_main: if: github.ref == 'refs/heads/main' 
@@ -185,32 +133,6 @@ jobs: {"Key": "Name", "Value": "HEA-github-autoscale-runner"}, {"Key": "GitHubRepository", "Value": "${{ github.repository }}"} ] - ecr_login-test_main: - outputs: - aws_access_key_id: ${{ steps.docker_login.outputs.aws_access_key_id }} - aws_secret_access_key: ${{ steps.docker_login.outputs.aws_secret_access_key }} - aws_session_token: ${{ steps.docker_login.outputs.aws_session_token }} - aws_credential_expiration: ${{ steps.docker_login.outputs.aws_credential_expiration }} - needs: - - start-runner-test_main # required to start the main job when the runner is ready - runs-on: ${{ needs.start-runner-test_main.outputs.label }} # run the job on the newly created runner - steps: - - name: Generate the ECR credentials - id: docker_login - run: | - # authenticate to pull image that runs test jobs - aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY - - # @TODO: "aws configure get" didn't work, replace package with awscli v2 - # and use "aws configure export-credentials" - python3 -m pip install --user aws-export-credentials==0.18.0 - # set AWS vars to local environment - eval $(~/.local/bin/aws-export-credentials --env-export) - - echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" >> $GITHUB_OUTPUT - echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" >> $GITHUB_OUTPUT - echo "aws_session_token=$AWS_SESSION_TOKEN" >> $GITHUB_OUTPUT - echo "aws_credential_expiration=$AWS_CREDENTIAL_EXPIRATION" >> $GITHUB_OUTPUT start-runner-test_tag: if: startsWith(github.ref, 'refs/tags/') 
@@ -240,32 +162,6 @@ jobs: {"Key": "Name", "Value": "HEA-github-autoscale-runner"}, {"Key": "GitHubRepository", "Value": "${{ github.repository }}"} ] - ecr_login-test_tag: - outputs: - aws_access_key_id: ${{ steps.docker_login.outputs.aws_access_key_id }} - aws_secret_access_key: ${{ steps.docker_login.outputs.aws_secret_access_key }} - aws_session_token: ${{ steps.docker_login.outputs.aws_session_token }} - aws_credential_expiration: ${{ steps.docker_login.outputs.aws_credential_expiration }} - needs: - - start-runner-test_tag # required to start the main job when the runner is ready - runs-on: ${{ needs.start-runner-test_tag.outputs.label }} # run the job on the newly created runner - steps: - - name: Generate the ECR credentials - id: docker_login - run: | - # authenticate to pull image that runs test jobs - aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY - - # @TODO: "aws configure get" didn't work, replace package with awscli v2 - # and use "aws configure export-credentials" - python3 -m pip install --user aws-export-credentials==0.18.0 - # set AWS vars to local environment - eval $(~/.local/bin/aws-export-credentials --env-export) - - echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" >> $GITHUB_OUTPUT - echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" >> $GITHUB_OUTPUT - echo "aws_session_token=$AWS_SESSION_TOKEN" >> $GITHUB_OUTPUT - echo "aws_credential_expiration=$AWS_CREDENTIAL_EXPIRATION" >> $GITHUB_OUTPUT test_branch: if: ${{ !(startsWith(github.ref, 'refs/tags/')) && !(github.ref == 'refs/heads/main') }} @@ -276,7 +172,6 @@ jobs: runs-on: ${{ needs.start-runner-test_branch.outputs.label }} # run the job on the newly created runner needs: - start-runner-test_branch - - ecr_login-test_branch container: image: 888016039450.dkr.ecr.us-east-1.amazonaws.com/inf/docker:latest defaults: 
@@ -296,26 +191,20 @@ jobs: COMPOSE_FILE: docker-compose.yml:docker-compose.ci.yml:docker-compose.utils.yml CI_REGISTRY_IMAGE: "888016039450.dkr.ecr.us-east-1.amazonaws.com/hea" BUILD_IMAGES: "app db" - AWS_ACCESS_KEY_ID: ${{ needs.ecr_login-test_branch.outputs.aws_access_key_id }} - AWS_SECRET_ACCESS_KEY: ${{ needs.ecr_login-test_branch.outputs.aws_secret_access_key }} - AWS_SESSION_TOKEN: ${{ needs.ecr_login-test_branch.outputs.aws_session_token }} - AWS_CREDENTIAL_EXPIRATION: ${{ needs.ecr_login-test_branch.outputs.aws_credential_expiration }} steps: - - name: "Authenticate with ECR" - run: | - aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY - + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + with: + mask-password: 'true' # Docker hub is rate-limiting unauthenticated users, so we have to # authenticate: https://www.docker.com/increase-rate-limits - - name: "Log in to Docker hub" - run: | - echo Using registry image ${CI_REGISTRY_IMAGE} - # log in to ECR - aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY - - # log in to Docker hub - echo ${{ secrets.DOCKER_HUB_PASSWORD }} | docker login --username=${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin + - name: Login to the DockerHub Container Registry + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} - name: "Pull previous images to speed up builds" run: | for SERVICE in ${BUILD_IMAGES}; do (docker pull ${CI_REGISTRY_IMAGE}/${SERVICE}:edge | grep -i -e 'Pulling from' -e Digest -e Status -e Error) || true; done 
@@ -426,7 +315,6 @@ jobs: runs-on: ${{ needs.start-runner-test_keepdb.outputs.label }} # run the job on the newly created runner needs: - start-runner-test_keepdb - - ecr_login-test_keepdb container: image: 888016039450.dkr.ecr.us-east-1.amazonaws.com/inf/docker:latest defaults: 
@@ -446,26 +334,20 @@ jobs: COMPOSE_FILE: docker-compose.yml:docker-compose.ci.yml:docker-compose.utils.yml CI_REGISTRY_IMAGE: "888016039450.dkr.ecr.us-east-1.amazonaws.com/hea" BUILD_IMAGES: "app db" - AWS_ACCESS_KEY_ID: ${{ needs.ecr_login-test_keepdb.outputs.aws_access_key_id }} - AWS_SECRET_ACCESS_KEY: ${{ needs.ecr_login-test_keepdb.outputs.aws_secret_access_key }} - AWS_SESSION_TOKEN: ${{ needs.ecr_login-test_keepdb.outputs.aws_session_token }} - AWS_CREDENTIAL_EXPIRATION: ${{ needs.ecr_login-test_keepdb.outputs.aws_credential_expiration }} steps: - - name: "Authenticate with ECR" - run: | - aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY - + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + with: + mask-password: 'true' # Docker hub is rate-limiting unauthenticated users, so we have to # authenticate: https://www.docker.com/increase-rate-limits - - name: "Log in to Docker hub" - run: | - echo Using registry image ${CI_REGISTRY_IMAGE} - # log in to ECR - aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY - - # log in to Docker hub - echo ${{ secrets.DOCKER_HUB_PASSWORD }} | docker login --username=${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin + - name: Login to the DockerHub Container Registry + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} - name: "Pull previous images to speed up builds" run: | for SERVICE in ${BUILD_IMAGES}; do (docker pull ${CI_REGISTRY_IMAGE}/${SERVICE}:edge | grep -i -e 'Pulling from' -e Digest -e Status -e Error) || true; done 
@@ -558,7 +440,6 @@ jobs: runs-on: ${{ needs.start-runner-test_main.outputs.label }} # run the job on the newly created runner needs: - start-runner-test_main - - ecr_login-test_main container: image: 888016039450.dkr.ecr.us-east-1.amazonaws.com/inf/docker:latest defaults: @@ -578,26 +459,20 @@ jobs: COMPOSE_FILE: docker-compose.yml:docker-compose.ci.yml:docker-compose.utils.yml CI_REGISTRY_IMAGE: "888016039450.dkr.ecr.us-east-1.amazonaws.com/hea" BUILD_IMAGES: "app db" - AWS_ACCESS_KEY_ID: ${{ needs.ecr_login-test_main.outputs.aws_access_key_id }} - AWS_SECRET_ACCESS_KEY: ${{ needs.ecr_login-test_main.outputs.aws_secret_access_key }} - AWS_SESSION_TOKEN: ${{ needs.ecr_login-test_main.outputs.aws_session_token }} - AWS_CREDENTIAL_EXPIRATION: ${{ needs.ecr_login-test_main.outputs.aws_credential_expiration }} steps: - - name: "Authenticate with ECR" - run: | - aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY - + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + with: + mask-password: 'true' # Docker hub is rate-limiting unauthenticated users, so we have to # authenticate: https://www.docker.com/increase-rate-limits - - name: "Log in to Docker hub" - run: | - echo Using registry image ${CI_REGISTRY_IMAGE} - # log in to ECR - aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY - - # log in to Docker hub - echo ${{ secrets.DOCKER_HUB_PASSWORD }} | docker login --username=${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin + - name: Login to the DockerHub Container Registry + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} - name: "Pull previous images to speed up builds" run: | echo Using registry image ${CI_REGISTRY_IMAGE} 
@@ -693,7 +568,6 @@ jobs: runs-on: ${{ needs.start-runner-test_tag.outputs.label }} # run the job on the newly created runner needs: - start-runner-test_tag - - ecr_login-test_tag container: image: 888016039450.dkr.ecr.us-east-1.amazonaws.com/inf/docker:latest defaults: @@ -713,22 +587,20 @@ jobs: COMPOSE_FILE: docker-compose.yml:docker-compose.ci.yml:docker-compose.utils.yml CI_REGISTRY_IMAGE: "888016039450.dkr.ecr.us-east-1.amazonaws.com/hea" BUILD_IMAGES: "app db" - AWS_ACCESS_KEY_ID: ${{ needs.ecr_login-test_tag.outputs.aws_access_key_id }} - AWS_SECRET_ACCESS_KEY: ${{ needs.ecr_login-test_tag.outputs.aws_secret_access_key }} - AWS_SESSION_TOKEN: ${{ needs.ecr_login-test_tag.outputs.aws_session_token }} - AWS_CREDENTIAL_EXPIRATION: ${{ needs.ecr_login-test_tag.outputs.aws_credential_expiration }} steps: - - name: "Authenticate with ECR" - run: | - aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY - + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + with: + mask-password: 'true' # Docker hub is rate-limiting unauthenticated users, so we have to # authenticate: https://www.docker.com/increase-rate-limits - - name: "Log in to Docker hub" - run: | - # log in to Docker hub - echo ${{ secrets.DOCKER_HUB_PASSWORD }} | docker login --username=${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin + - name: Login to the DockerHub Container Registry + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} - uses: "actions/checkout@v4" with: ssh-key: ${{ secrets.GIT_SSH_PRIVATE_KEY }} From 58ad1cfa3d4457639888ba86d5456bed557fd6bc Mon Sep 17 00:00:00 2001 From: Douglas Odida Date: Fri, 29 Aug 2025 11:33:52 +0300 Subject: [PATCH 4/6] INF-496 Update to actions/upload-artifact@v4 --- .github/workflows/01-build-then-test.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/01-build-then-test.yml b/.github/workflows/01-build-then-test.yml index ecd5ef5b..a33b050b 100644 --- a/.github/workflows/01-build-then-test.yml +++ b/.github/workflows/01-build-then-test.yml @@ -273,7 +273,7 @@ jobs: diff pyrseas/schema.yaml schema.yml > schema.diff || true - name: "Upload test artifacts" if: success() || failure() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: ${{ env.CI_PIPELINE_ID }}-${{ github.job }}-artifacts path: | @@ -399,7 +399,7 @@ jobs: diff pyrseas/schema.yaml schema.yml > schema.diff || true - name: "Upload test artifacts" if: success() || failure() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: ${{ env.CI_PIPELINE_ID }}-${{ github.job }}-artifacts path: | @@ -526,7 +526,7 @@ jobs: diff pyrseas/schema.yaml schema.yml > schema.diff || true - name: "Upload test artifacts" if: success() || failure() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: ${{ env.CI_PIPELINE_ID }}-${{ github.job }}-artifacts path: | @@ -656,7 +656,7 @@ jobs: diff pyrseas/schema.yaml schema.yml > schema.diff || true - name: "Upload test artifacts" if: success() || failure() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: ${{ env.CI_PIPELINE_ID }}-${{ github.job }}-artifacts path: | From 53923dacf2dadbfef081dde9ff9c226b6ca096b2 Mon Sep 17 00:00:00 2001 From: Douglas Odida Date: Fri, 29 Aug 2025 13:26:29 +0300 Subject: [PATCH 5/6] INF-496 Update the runner image --- .github/workflows/01-build-then-test.yml | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/.github/workflows/01-build-then-test.yml b/.github/workflows/01-build-then-test.yml index a33b050b..2f3e41c0 100644 --- a/.github/workflows/01-build-then-test.yml +++ b/.github/workflows/01-build-then-test.yml 
@@ -173,7 +173,10 @@ jobs: needs: - start-runner-test_branch container: - image: 888016039450.dkr.ecr.us-east-1.amazonaws.com/inf/docker:latest + image: ghcr.io/fews-net/inf/docker:latest + credentials: + username: ${{ github.repository_owner }} + password: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} defaults: run: shell: ash --noprofile --norc -eo pipefail {0} # Fail on any non-zero exit code, even in piped commands @@ -316,7 +319,10 @@ jobs: needs: - start-runner-test_keepdb container: - image: 888016039450.dkr.ecr.us-east-1.amazonaws.com/inf/docker:latest + image: ghcr.io/fews-net/inf/docker:latest + credentials: + username: ${{ github.repository_owner }} + password: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} defaults: run: shell: ash --noprofile --norc -eo pipefail {0} # Fail on any non-zero exit code, even in piped commands @@ -441,7 +447,10 @@ jobs: needs: - start-runner-test_main container: - image: 888016039450.dkr.ecr.us-east-1.amazonaws.com/inf/docker:latest + image: ghcr.io/fews-net/inf/docker:latest + credentials: + username: ${{ github.repository_owner }} + password: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} defaults: run: shell: ash --noprofile --norc -eo pipefail {0} # Fail on any non-zero exit code, even in piped commands @@ -569,7 +578,10 @@ jobs: needs: - start-runner-test_tag container: - image: 888016039450.dkr.ecr.us-east-1.amazonaws.com/inf/docker:latest + image: ghcr.io/fews-net/inf/docker:latest + credentials: + username: ${{ github.repository_owner }} + password: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} defaults: run: shell: ash --noprofile --norc -eo pipefail {0} # Fail on any non-zero exit code, even in piped commands From de15e02de08b5b346e26b2bd6f89ee02c506bdf5 Mon Sep 17 00:00:00 2001 From: Douglas Odida Date: Fri, 29 Aug 2025 13:35:56 +0300 Subject: [PATCH 6/6] INF-496 Add a GHCR_PAT token --- .github/workflows/01-build-then-test.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
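Review bot: `image: ghcr.io/fews-net/inf/docker:latest` keeps a mutable tag for the container in which every step of the test job runs, including the registry logins and the checkout that receives the SSH key. Whoever can push `latest` to that package changes what executes with those secrets, and a run cannot be traced back to a specific image. Pin by digest, `image: ghcr.io/fews-net/inf/docker@sha256:<digest>` (placeholder), and update it deliberately. The same line is in the other three hunks of this patch; each job body continues outside its hunk.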
diff --git a/.github/workflows/01-build-then-test.yml b/.github/workflows/01-build-then-test.yml index 2f3e41c0..d275ee98 100644 --- a/.github/workflows/01-build-then-test.yml +++ b/.github/workflows/01-build-then-test.yml @@ -176,7 +176,7 @@ jobs: image: ghcr.io/fews-net/inf/docker:latest credentials: username: ${{ github.repository_owner }} - password: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} + password: ${{ secrets.GHCR_PAT }} defaults: run: shell: ash --noprofile --norc -eo pipefail {0} # Fail on any non-zero exit code, even in piped commands @@ -322,7 +322,7 @@ jobs: image: ghcr.io/fews-net/inf/docker:latest credentials: username: ${{ github.repository_owner }} - password: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} + password: ${{ secrets.GHCR_PAT }} defaults: run: shell: ash --noprofile --norc -eo pipefail {0} # Fail on any non-zero exit code, even in piped commands @@ -450,7 +450,7 @@ jobs: image: ghcr.io/fews-net/inf/docker:latest credentials: username: ${{ github.repository_owner }} - password: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} + password: ${{ secrets.GHCR_PAT }} defaults: run: shell: ash --noprofile --norc -eo pipefail {0} # Fail on any non-zero exit code, even in piped commands @@ -581,7 +581,7 @@ jobs: image: ghcr.io/fews-net/inf/docker:latest credentials: username: ${{ github.repository_owner }} - password: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} + password: ${{ secrets.GHCR_PAT }} defaults: run: shell: ash --noprofile --norc -eo pipefail {0} # Fail on any non-zero exit code, even in piped commands
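Review bot: `password: ${{ secrets.GHCR_PAT }}` makes pulling the job container depend on a long-lived personal access token tied to one user account. For a read-only pull from GHCR the workflow token is usually enough: `password: ${{ secrets.GITHUB_TOKEN }}` with `username: ${{ github.actor }}` and `permissions: packages: read` on the job, provided the `inf/docker` package grants this repository Actions access (not visible here). If a PAT has to stay, limit it to `read:packages` and say so in a comment next to the secret name. This applies to all four hunks of this patch.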