diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
index f6f898c..bec8cda 100644
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@@ -41,63 +41,119 @@ jobs:
 subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
 steps:
- - uses: actions/checkout@v4
- if: matrix.target.ref == github.ref
-
- - uses: azure/login@v2
- if: matrix.target.ref == github.ref
- with:
- client-id: ${{matrix.target.client-id}}
- tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
- subscription-id: ${{matrix.target.subscription-id}}
-
- - name: Get GitHub Public IP
- if: matrix.target.ref == github.ref
- id: github_public_ip
- run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
-
- - name: Add GitHub IP to ACR
- if: matrix.target.ref == github.ref
- id: update_firewall
- run: az acr network-rule add
- --name ${{matrix.target.acr-name}}
- --subscription ${{matrix.target.subscription-id}}
- --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
-
- - name: Generate image tag
- if: matrix.target.ref == github.ref
- id: tag
- run: |
- sha=${GITHUB_SHA::8}
- ts=$(date +%s)
- echo "tag=${GITHUB_REF_NAME}-${sha}-${ts}" >> $GITHUB_OUTPUT
-
- - name: Build image
- if: matrix.target.ref == github.ref
- env:
- AZURE_SUBSCRIPTION_ID: ${{matrix.target.subscription-id}}
- ACR_NAME: ${{matrix.target.acr-name}}
- IMAGE_NAME: radix-cost-allocation
- TAG: ${{steps.tag.outputs.tag}}
- run: |
- az acr task run \
- --subscription ${AZURE_SUBSCRIPTION_ID} \
- --name radix-image-builder-internal \
- --registry ${ACR_NAME} \
- --context ${GITHUB_WORKSPACE} \
- --file ${GITHUB_WORKSPACE}/Dockerfile \
- --set DOCKER_REGISTRY=${ACR_NAME} \
- --set BRANCH=${GITHUB_REF_NAME} \
- --set TAGS="--tag ${ACR_NAME}.azurecr.io/${IMAGE_NAME}:${TAG}" \
- --set DOCKER_FILE_NAME=Dockerfile \
- --set PUSH="--push" \
- --set REPOSITORY_NAME=${IMAGE_NAME} \
- --set CACHE="" \
- --set CACHE_TO_OPTIONS="--cache-to=type=registry,ref=${ACR_NAME}.azurecr.io/${IMAGE_NAME}:radix-cache-${GITHUB_REF_NAME},mode=max"
-
- - name: Revoke GitHub IP on ACR
- if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
- run: az acr network-rule remove
- --name ${{matrix.target.acr-name}}
- --subscription ${{matrix.target.subscription-id}}
- --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
+ - uses: actions/checkout@v4
+ if: matrix.target.ref == github.ref
+
+ - uses: azure/login@v2
+ if: matrix.target.ref == github.ref
+ with:
+ client-id: ${{matrix.target.client-id}}
+ tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+ subscription-id: ${{matrix.target.subscription-id}}
+
+ - name: Get GitHub Public IP
+ if: matrix.target.ref == github.ref
+ id: github_public_ip
+ run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
+
+ - name: Add GitHub IP to ACR
+ if: matrix.target.ref == github.ref
+ id: update_firewall
+ run: az acr network-rule add
+ --name ${{matrix.target.acr-name}}
+ --subscription ${{matrix.target.subscription-id}}
+ --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
+
+ - name: Wait for 2 minutes while the network rule to take effect
+ if: matrix.target.ref == github.ref
+ run: |
+ sleep 120
+
+ - name: Wait for Specific IP in ACR Network Rules
+ if: matrix.target.ref == github.ref
+ run: |
+ MAX_ATTEMPTS=10
+ ATTEMPT=0
+ TARGET_IP="${{ steps.github_public_ip.outputs.ipv4 }}"
+ echo "Waiting for IP $TARGET_IP to be allowed in ACR network rules..."
+ while [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do
+ NETWORK_RULES=$(az acr network-rule list --name ${{matrix.target.acr-name}} --subscription ${{ matrix.target.subscription-id }} --query "ipRules[]|[?contains(ipAddressOrRange, '$TARGET_IP')]" --output tsv)
+ if [ -n "$NETWORK_RULES" ]; then
+ echo "IP $TARGET_IP is allowed."
+ break
+ fi
+ echo "Attempt $((ATTEMPT+1)) of $MAX_ATTEMPTS. Retrying in 10 seconds..."
+ ATTEMPT=$((ATTEMPT+1))
+ sleep 10
+ done
+ if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then
+ echo "IP $TARGET_IP was not allowed after $MAX_ATTEMPTS attempts. Exiting."
+ exit 1
+ fi
+
+ - name: Get ACR Login Server
+ if: matrix.target.ref == github.ref
+ id: get-acr-login-server
+ run: |
+ echo "login_server=$(az acr show --name ${{ matrix.target.acr-name }} --query loginServer --output tsv)" >> $GITHUB_OUTPUT
+
+ - name: Get ACR Access Token
+ if: matrix.target.ref == github.ref
+ id: get-acr-token
+ run: |
+ echo "Getting ACR access token"
+ access_token=$(az acr login --name ${{ matrix.target.acr-name }} --expose-token --output tsv --query accessToken)
+ echo "::add-mask::$access_token"
+ echo "access_token=$access_token" >> $GITHUB_OUTPUT
+
+ - name: Log in to ACR
+ if: matrix.target.ref == github.ref
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ steps.get-acr-login-server.outputs.login_server }}
+ username: "00000000-0000-0000-0000-000000000000"
+ password: ${{ steps.get-acr-token.outputs.access_token }}
+
+ - name: Set up Docker Buildx
+ if: matrix.target.ref == github.ref
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build an image name
+ if: matrix.target.ref == github.ref
+ id: build-image-name
+ run: |
+ echo "image-name=${{ matrix.target.acr-name }}.azurecr.io/radix-cost-allocation" >> $GITHUB_OUTPUT
+
+ - name: Build an image tag
+ if: matrix.target.ref == github.ref
+ id: build-tag
+ run: |
+ sha=${GITHUB_SHA::8}
+ ts=$(date +%s)
+ echo "tag=${GITHUB_REF_NAME}-${sha}-${ts}" >> $GITHUB_OUTPUT
+
+ - name: Extract labels from metadata for Docker
+ if: matrix.target.ref == github.ref
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ steps.build-image-name.outputs.image-name }}
+
+ - name: Build and push Docker image
+ if: matrix.target.ref == github.ref
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: true
+ platforms: |
+ linux/amd64
+ linux/arm64
+ tags: "${{ steps.build-image-name.outputs.image-name }}:${{ steps.build-tag.outputs.tag }}"
+ labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Revoke GitHub IP on ACR
+ if: ${{ matrix.target.ref == github.ref && steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
+ run: az acr network-rule remove
+ --name ${{matrix.target.acr-name}}
+ --subscription ${{matrix.target.subscription-id}}
+ --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 5743fae..b05221e 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -9,8 +9,17 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - name: Build docker image
- run: docker build .
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: false
+ platforms: |
+ linux/amd64
+ linux/arm64
+
 test:
 name: Unit Test
diff --git a/Dockerfile b/Dockerfile
index 2d1548c..a5fc902 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,5 @@
-FROM docker.io/golang:1.22-alpine3.20 as builder
+FROM docker.io/golang:1.22-alpine3.20 AS builder
+
 ENV CGO_ENABLED=0 \
 GOOS=linux
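Review bot: The new `Wait for Specific IP in ACR Network Rules` step writes `TARGET_IP="${{ steps.github_public_ip.outputs.ipv4 }}"` straight into a shell script, and that value is the raw response body of the third-party `curl 'https://ifconfig.me/ip'` call in `Get GitHub Public IP`, which is never validated as an IP and whose curl failure is hidden from the step's exit status by the `$(...)` inside `echo` (a failed lookup silently produces an empty or partial output that is then used in a firewall rule). Validating the response as a dotted-quad where it is captured and handing it to later steps through `env:` instead of `${{ }}` interpolation closes the injection path and turns a bad lookup into a visible step failure; the same `${{ }}`-into-`run:` pattern appears in `Get ACR Login Server`, `Get ACR Access Token` and the `Add`/`Revoke GitHub IP on ACR` steps, though those interpolate only matrix values defined in this workflow. The `Revoke GitHub IP on ACR` condition keeps `!cancelled()`, so a cancelled run leaves the runner's public IP allowlisted on the registry even though the inline comment says the step should always run; `if: ${{ always() && matrix.target.ref == github.ref && steps.update_firewall.outcome == 'success' }}` matches that intent. The `contains(ipAddressOrRange, '$TARGET_IP')` query is a substring test, so a rule for a longer address that happens to contain this one would also satisfy the wait loop; an equality comparison on the stored value is stricter, if that value's exact form (with or without a `/32` suffix) is confirmed. Secondary: the `docker/*` actions added here are pinned by major tag like the existing `actions/checkout@v4` and `azure/login@v2`, while pinning to a commit SHA is the usual hardening for a workflow that holds cloud credentials and registry tokens.
```yaml
      - name: Get GitHub Public IP
        if: matrix.target.ref == github.ref
        id: github_public_ip
        run: |
          ip=$(curl --fail --silent --show-error 'https://ifconfig.me/ip')
          # The response is third-party data that ends up in a firewall rule and in
          # later shell scripts: accept a dotted-quad only, fail the step otherwise.
          if ! [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
            echo "Unexpected public IP response: '$ip'" >&2
            exit 1
          fi
          echo "ipv4=$ip" >> "$GITHUB_OUTPUT"

      # … unchanged: Add GitHub IP to ACR, Wait for 2 minutes …

      - name: Wait for Specific IP in ACR Network Rules
        if: matrix.target.ref == github.ref
        env:
          TARGET_IP: ${{ steps.github_public_ip.outputs.ipv4 }}
          ACR_NAME: ${{ matrix.target.acr-name }}
          SUBSCRIPTION_ID: ${{ matrix.target.subscription-id }}
        run: |
          MAX_ATTEMPTS=10
          ATTEMPT=0
          echo "Waiting for IP $TARGET_IP to be allowed in ACR network rules..."
          while [ "$ATTEMPT" -lt "$MAX_ATTEMPTS" ]; do
            NETWORK_RULES=$(az acr network-rule list --name "$ACR_NAME" --subscription "$SUBSCRIPTION_ID" --query "ipRules[]|[?contains(ipAddressOrRange, '$TARGET_IP')]" --output tsv)
            # … unchanged: remainder of the retry loop …
```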
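Review bot: The step added to pr.yml as `Build and push Docker image` runs with `push: false`, so its name overstates what happens on a pull request; `- name: Build Docker image (no push)` describes the step as it is and still pairs visibly with the pushing step in build-push.yml. The hunk also asks for `linux/arm64` without a `docker/setup-qemu-action` step; that only works if the Dockerfile cross-compiles, and the one Dockerfile line visible in this diff (`FROM docker.io/golang:1.22-alpine3.20 AS builder`, no `--platform` argument) does not show that, so the PR job may need QEMU or a comment confirming cross-compilation is in place. The enclosing `jobs:` map continues outside the hunk.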