From 8982937a4db28836b4fbd34947ae9203f66672f5 Mon Sep 17 00:00:00 2001
From: Harold Sun
Date: Tue, 29 Mar 2022 17:01:42 +0800
Subject: [PATCH] update pipeline to publish OCI images to ECR public repo

---
.github/workflows/pipeline.yaml | 82 +++++++++++++++++++++++++--------
Makefile | 20 +++++---
2 files changed, 76 insertions(+), 26 deletions(-)

diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
index 28089492..b34288de 100644
--- a/.github/workflows/pipeline.yaml
+++ b/.github/workflows/pipeline.yaml
@@ -23,6 +23,11 @@ env:
BETA_ARTIFACTS_BUCKET: aws-sam-cli-managed-beta-pipeline-artifactsbucket-889nlo0z1nt0
BETA_IMAGE_REPOSITORY: 477159140107.dkr.ecr.ap-northeast-1.amazonaws.com/aws-sam-cli-managed-beta-pipeline-resources-imagerepository-0hbn3hxi9pcm
BETA_REGION: ap-northeast-1
+ PROD_ECR_PIPELINE_EXECUTION_ROLE: arn:aws:iam::373534280245:role/aws-sam-cli-managed-prod-ecr-PipelineExecutionRole-12FE9QIHNFYOI
+ PROD_ECR_CLOUDFORMATION_EXECUTION_ROLE: arn:aws:iam::373534280245:role/aws-sam-cli-managed-prod-CloudFormationExecutionR-RDUT9EAJJ1ZN
+ PROD_ARTIFACTS_BUCKET: aws-sam-cli-managed-prod-ecr-pipe-artifactsbucket-1mjporc66dkgn
+ PROD_IMAGE_REPOSITORY: 373534280245.dkr.ecr.us-east-1.amazonaws.com/aws-sam-cli-managed-prod-ecr-pipeline-resources-imagerepository-fhpoty0tapro
+ PROD_ECR_REGION: us-east-1

jobs:
test:
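Review bot: Of the five `PROD_*` values added here, the new `publish-to-public-ecr` job reads only `PROD_ECR_PIPELINE_EXECUTION_ROLE` and `PROD_ECR_REGION`; `PROD_ECR_CLOUDFORMATION_EXECUTION_ROLE`, `PROD_ARTIFACTS_BUCKET` and `PROD_IMAGE_REPOSITORY` are not referenced anywhere else in this patch, and `PROD_IMAGE_REPOSITORY` names a private `373534280245.dkr.ecr.us-east-1` repository while the images actually go to `public.ecr.aws/awsguru`, which invites the next reader to point a push at the wrong registry. If they are consumed elsewhere in the file, a one-line comment saying where (`# used by package-prod via prod.json`) would settle it; otherwise drop them so the env block documents exactly the identities this pipeline assumes. The mixed prefixes (`PROD_ECR_*` vs `PROD_*`) are also worth aligning while the block is fresh.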
@@ -34,30 +39,14 @@ jobs:
toolchain: stable
components: clippy
- name: linting
- run: cargo fmt -- --check && cargo clippy -- -Dwarnings
+ run: |
+ cargo fmt -- --check
+ cargo clippy -- -Dwarnings
- run: cargo test
- load-gamma-matrix:
- needs: [ test ]
- runs-on: ubuntu-latest
- outputs:
- matrix: ${{ steps.set-matrix.outputs.matrix }}
- steps:
- - uses: actions/checkout@v2
- - id: set-matrix
- run: echo "::set-output name=matrix::{\"include\":$(jq -r tostring .github/workflows/gamma.json)}"
- load-prod-matrix:
- needs: [ test ]
- runs-on: ubuntu-latest
- outputs:
- matrix: ${{ steps.set-matrix.outputs.matrix }}
- steps:
- - uses: actions/checkout@v2
- - id: set-matrix
- run: echo "::set-output name=matrix::{\"include\":$(jq -r tostring .github/workflows/prod.json)}"
build:
+ if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }}
needs: [test]
runs-on: ubuntu-latest
steps:
@@ -81,8 +70,30 @@ jobs:
name: aws-sam-build-arm64
path: build-arm64
+ load-gamma-matrix:
+ if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }}
+ needs: [ test ]
+ runs-on: ubuntu-latest
+ outputs:
+ matrix: ${{ steps.set-matrix.outputs.matrix }}
+ steps:
+ - uses: actions/checkout@v2
+ - id: set-matrix
+ run: echo "::set-output name=matrix::{\"include\":$(jq -r tostring .github/workflows/gamma.json)}"
+ load-prod-matrix:
+ if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }}
+ needs: [ test ]
+ runs-on: ubuntu-latest
+ outputs:
+ matrix: ${{ steps.set-matrix.outputs.matrix }}
+ steps:
+ - uses: actions/checkout@v2
+ - id: set-matrix
+ run: echo "::set-output name=matrix::{\"include\":$(jq -r tostring .github/workflows/prod.json)}"
package-beta:
+ if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }}
needs: [ build ]
runs-on: ubuntu-latest
steps:
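Review bot: `github.event_name == 'release'` on `build` fires for every release activity type — created, edited, prereleased, deleted — unless the `on: release:` trigger (outside this diff) filters with `types: [published]`; since this gate now decides whether the whole deploy chain runs, pin it to the intent, e.g. `if: ${{ github.ref == 'refs/heads/main' || (github.event_name == 'release' && github.event.action == 'published') }}`. The `refs/heads/main` half is also satisfied by a `pull_request_target` run, whose `github.ref` is the base branch; if that trigger is ever added to this workflow the gate would let fork PRs reach the deploy jobs, so a comment such as `# assumes only push and release triggers; pull_request_target would match refs/heads/main` records the assumption. Splitting the linting into two `run` lines keeps the old fail-fast behaviour only because the default `bash -e` shell stops at the first failing command, which is worth knowing if a `shell:` override is ever added.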
@@ -141,6 +152,7 @@ jobs:
package-gamma:
+ if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }}
needs: [ build, load-gamma-matrix ]
runs-on: ubuntu-latest
strategy:
@@ -200,6 +212,7 @@ jobs:
path: packaged-gamma-arm64-${{ matrix.region }}.yaml
package-prod:
+ if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }}
needs: [ build, load-prod-matrix ]
runs-on: ubuntu-latest
strategy:
@@ -259,6 +272,7 @@ jobs:
path: packaged-prod-arm64-${{ matrix.region }}.yaml
deploy-beta:
+ if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }}
needs: [package-beta, package-gamma, package-prod]
runs-on: ubuntu-latest
steps:
@@ -308,6 +322,7 @@ jobs:
--role-arn ${BETA_CLOUDFORMATION_EXECUTION_ROLE}
integration-test:
+ if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'release' }}
needs: [deploy-beta]
runs-on: ubuntu-latest
steps:
@@ -443,3 +458,30 @@ jobs:
--image-repository ${{ matrix.image_repository }} \
--no-fail-on-empty-changeset \
--role-arn ${{ matrix.cloudformation_execution_role }}
+
+ publish-to-public-ecr:
+ if: ${{ github.event_name == 'release' }}
+ needs: [deploy-prod]
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Assume the prod pipeline user role
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ env.PIPELINE_USER_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ env.PIPELINE_USER_SECRET_ACCESS_KEY }}
+ aws-region: ${{ env.PROD_ECR_REGION }}
+ role-to-assume: ${{ env.PROD_ECR_PIPELINE_EXECUTION_ROLE }}
+ role-session-name: prod-deployment
+ role-duration-seconds: 3600
+ role-skip-session-tagging: true
+
+ - name: build OCI images for x86_64 and aarch64
+ run: |
+ make build-x86
+ make build-arm
+
+ - name: publish OCI images to ECR public repository
+ run: |
+ make publish
diff --git a/Makefile b/Makefile
index af37ea1d..e5c5702e 100644
--- a/Makefile
+++ b/Makefile
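Review bot: The `if:` added to `package-gamma` here (and to `package-prod`, `deploy-beta` and `integration-test` in the following hunks) restates the condition already placed on `build`; each of these jobs lists `build` directly or transitively in `needs:`, and GitHub skips a job whose needed job was skipped, so the copies add nothing today and will drift the first time one is edited. Only `build` and the two `load-*-matrix` jobs, which depend solely on `test`, need the gate. If the intent is defence in depth against a future `if: always()` on a dependent job, say so once next to one of them, e.g. `# redundant with build's gate; kept so a later always() cannot re-enable deploys from PRs`. `package-gamma`'s body continues outside the hunk.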
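Review bot: Nothing in `publish-to-public-ecr` logs Docker in to `public.ecr.aws` before `make build-x86` / `make publish`, and the Makefile hunk in this same patch removes the `aws ecr-public get-login-password | docker login` line that used to do it, so the `docker push` inside `make build` (which `publish` depends on) runs against the public registry with no credentials. Add an explicit login step between assuming the role and the build so it uses the assumed role's session; ECR Public only issues tokens in us-east-1, which `PROD_ECR_REGION` already matches. The `CARGO_PKG_VERSION` tag the Makefile derives from Cargo.toml is never compared with the release that triggered the job, so a release cut without bumping Cargo.toml silently re-pushes over an existing version tag; a short guard against `github.event.release.tag_name`, passed through `env:` rather than interpolated into the script so the tag text cannot inject shell, catches that. `configure-aws-credentials` appears to be fed static keys via `env.PIPELINE_USER_ACCESS_KEY_ID`; where those are set is outside this hunk, but for a job that can overwrite public release artifacts an OIDC `role-to-assume` with no long-lived keys is the better trust root.

```yaml
      - name: Assume the prod pipeline user role
        # … unchanged: configure-aws-credentials inputs …

      - name: Log in to ECR Public with the assumed role
        run: |
          aws ecr-public get-login-password --region "${PROD_ECR_REGION}" \
            | docker login --username AWS --password-stdin public.ecr.aws

      - name: Check that Cargo.toml version matches the release tag
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          pkg_version="$(cargo metadata --no-deps --format-version=1 | jq -r '.packages[0].version')"
          # strip a leading "v" if the repo tags releases as vX.Y.Z — confirm against existing tags
          if [ "${RELEASE_TAG#v}" != "${pkg_version}" ]; then
            echo "release tag ${RELEASE_TAG} does not match Cargo.toml version ${pkg_version}" >&2
            exit 1
          fi

      - name: build OCI images for x86_64 and aarch64
        # … unchanged: build and publish steps …
```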
@@ -1,20 +1,28 @@
+CARGO_PKG_VERSION := $(shell cargo metadata --no-deps --format-version=1 | jq -r '.packages[0].version')
+
clean:
rm -rf target
build-x86:
- aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
- DOCKER_BUILDKIT=1 docker build --build-arg ARCH=x86_64 -t aws-lambda-adapter:latest-x86_64 .
+ DOCKER_BUILDKIT=1 docker build --build-arg ARCH=x86_64 -t public.ecr.aws/awsguru/aws-lambda-adapter:$(CARGO_PKG_VERSION)-x86_64 .
build-arm:
- aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
- DOCKER_BUILDKIT=1 docker build --build-arg ARCH=aarch64 -t aws-lambda-adapter:latest-aarch64 .
+ DOCKER_BUILDKIT=1 docker build --build-arg ARCH=aarch64 -t public.ecr.aws/awsguru/aws-lambda-adapter:$(CARGO_PKG_VERSION)-aarch64 .
build: build-x86 build-arm
- docker tag aws-lambda-adapter:latest-x86_64 aws-lambda-adapter:latest
+ docker push public.ecr.aws/awsguru/aws-lambda-adapter:$(CARGO_PKG_VERSION)-x86_64
+ docker push public.ecr.aws/awsguru/aws-lambda-adapter:$(CARGO_PKG_VERSION)-aarch64
+ docker manifest create public.ecr.aws/awsguru/aws-lambda-adapter:$(CARGO_PKG_VERSION) \
+ public.ecr.aws/awsguru/aws-lambda-adapter:$(CARGO_PKG_VERSION)-x86_64 \
+ public.ecr.aws/awsguru/aws-lambda-adapter:$(CARGO_PKG_VERSION)-aarch64
+ docker manifest annotate --arch arm64 public.ecr.aws/awsguru/aws-lambda-adapter:$(CARGO_PKG_VERSION) \
+ public.ecr.aws/awsguru/aws-lambda-adapter:$(CARGO_PKG_VERSION)-aarch64
+
+publish: build
+ docker manifest push public.ecr.aws/awsguru/aws-lambda-adapter:$(CARGO_PKG_VERSION)
build-mac:
CC=x86_64-unknown-linux-musl-gcc cargo build --release --target=x86_64-unknown-linux-musl
- aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
DOCKER_BUILDKIT=1 docker build -f Dockerfile.mac --build-arg ARCH=x86_64 -t aws-lambda-adapter:latest .
build-LambdaAdapterLayerX86:
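Review bot: `build` now pushes both architecture images to `public.ecr.aws/awsguru/...` as a side effect of building, so anyone running `make build` locally, or any CI job that only wants the images, needs registry credentials and will publish to the public repository; the two `docker push` lines and the manifest assembly belong under `publish`, leaving `build` side-effect free. `CARGO_PKG_VERSION` is unguarded: if `cargo` or `jq` is absent, or `.packages[0]` is not this crate in a workspace, the variable expands to empty and every target silently builds and pushes tags like `aws-lambda-adapter:-x86_64`, so an `$(error …)` on an empty value should fail fast. The three `ecr-public get-login-password | docker login` lines are removed with no replacement in the Makefile, which means `publish` now relies on the caller having logged in elsewhere — that contract deserves a comment on the target. The registry path is repeated nine times; an overridable `IMAGE_REPO ?=` variable collapses that and lets a fork push elsewhere, and `docker manifest create --amend` keeps the target re-runnable on a machine where the manifest list already exists.

```makefile
IMAGE_REPO ?= public.ecr.aws/awsguru/aws-lambda-adapter
CARGO_PKG_VERSION := $(shell cargo metadata --no-deps --format-version=1 | jq -r '.packages[0].version')
ifeq ($(strip $(CARGO_PKG_VERSION)),)
$(error CARGO_PKG_VERSION is empty: cargo metadata or jq failed)
endif

# … unchanged: clean, build-x86, build-arm (with -t $(IMAGE_REPO):$(CARGO_PKG_VERSION)-<arch>) …

# Builds only; pushes nothing.
build: build-x86 build-arm

# Requires a prior `docker login public.ecr.aws` (the CI workflow does this after assuming the prod role).
publish: build
	docker push $(IMAGE_REPO):$(CARGO_PKG_VERSION)-x86_64
	docker push $(IMAGE_REPO):$(CARGO_PKG_VERSION)-aarch64
	docker manifest create --amend $(IMAGE_REPO):$(CARGO_PKG_VERSION) \
		$(IMAGE_REPO):$(CARGO_PKG_VERSION)-x86_64 \
		$(IMAGE_REPO):$(CARGO_PKG_VERSION)-aarch64
	docker manifest annotate --arch arm64 $(IMAGE_REPO):$(CARGO_PKG_VERSION) \
		$(IMAGE_REPO):$(CARGO_PKG_VERSION)-aarch64
	docker manifest push $(IMAGE_REPO):$(CARGO_PKG_VERSION)
```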