Open ACR firewall before running ACR task (#125)

* Open ACR firewall before running ACR task * TEST * Revert TEST
equinor · Apr 15, 2024 · 54a39a6 · 54a39a6
1 parent 51f578b
commit 54a39a6
Showing 1 changed file with 21 additions and 1 deletion.
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
@@ -4,6 +4,7 @@ on:
     branches:
       - master
       - release
+  workflow_dispatch:
 permissions:
   id-token: write
   contents: read
@@ -50,6 +51,19 @@ jobs:
           tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
           subscription-id: ${{matrix.target.subscription-id}}
 
+      - name: Get GitHub Public IP
+        if: matrix.target.ref == github.ref
+        id: github_public_ip
+        run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
+
+      - name: Add GitHub IP to ACR
+        if: matrix.target.ref == github.ref
+        id: update_firewall
+        run: az acr network-rule add
+          --name ${{matrix.target.acr-name}}
+          --subscription ${{matrix.target.subscription-id}}
+          --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
+
       - name: Generate image tag
         if: matrix.target.ref == github.ref
         id: tag
@@ -80,4 +94,10 @@ jobs:
              --set REPOSITORY_NAME=${IMAGE_NAME} \
              --set CACHE="" \
              --set CACHE_TO_OPTIONS="--cache-to=type=registry,ref=${ACR_NAME}.azurecr.io/${IMAGE_NAME}:radix-cache-${GITHUB_REF_NAME},mode=max"
-          
+
+      - name: Revoke GitHub IP on ACR
+        if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
+        run: az acr network-rule remove
+          --name ${{matrix.target.acr-name}}
+          --subscription ${{matrix.target.subscription-id}}
+          --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}