GitHub Actions
Workflow that promotes the latest `-rc` image to a release tag
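# It's expected that when this workflow adds the release tag x.y.z to the latest
# x.y.z-rc image, a deployment to the PRO environment is triggered by whatever
# watches the ECR repository for new release tags (that trigger is not part of
# this file).
name: Promote Latest RC Images to Release. Deploy to prod.

on:
  workflow_dispatch:

# Least privilege: the job only needs to read the repository (for the local
# action) and mint an OIDC token to assume the AWS role below.
permissions:
  contents: read
  id-token: write

env:
  # Single source of truth for the region; both steps below read it.
  AWS_REGION: eu-central-1

jobs:
  promote-images:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        repository:
          - atoss-identity-secrets-setup
          - atoss-identity-svc
    steps:
      # NOTE(review): for a release pipeline consider pinning third-party
      # actions to a full commit SHA instead of a mutable major-version tag.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        id: aws-creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::XXXXXXXXXX:role/github/atoss-identity-deploy-role
          aws-region: ${{ env.AWS_REGION }}

      - name: Promote rc image to release
        # `id` is required here: the next step reads steps.promote-image.outputs.*
        id: promote-image
        uses: ./.github/workflows/actions/promote-latest-rc-img-to-release
        env:
          # action.sh derives the registry host from AWS_ACCOUNT_ID; take it
          # from the credentials step rather than hard-coding it.
          AWS_ACCOUNT_ID: ${{ steps.aws-creds.outputs.aws-account-id }}
        with:
          repository: ${{ matrix.repository }}
          region: ${{ env.AWS_REGION }}

      - name: Output the promoted tags
        run: |
          echo "Promoted rc tag: ${{ steps.promote-image.outputs.rc_tag }}"
          echo "Release tag: ${{ steps.promote-image.outputs.release_tag }}"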
The reusable Docker container action lives in the folder `/.github/workflows/actions/promote-latest-rc-img-to-release`:
# /Dockerfile
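# Image for the promote action: aws-cli (ECR API + registry login), jq (parse
# describe-images output) and the docker CLI (pull/tag/push) are all action.sh needs.
# NOTE(review): amazonlinux:2 is an ageing base image; confirm it still receives
# security updates before keeping it in a release pipeline.
FROM amazonlinux:2

# One layer; drop the yum cache so it does not end up in the image.
RUN yum install -y jq aws-cli docker \
    && yum clean all \
    && rm -rf /var/cache/yum

COPY action.sh /action.sh
RUN chmod +x /action.sh

ENTRYPOINT ["/action.sh"]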
# action.yaml
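# Docker container action: runs action.sh inside the image built from the
# Dockerfile next to this file.
name: Promote ECR RC Image to Release
description: 'Adds x.y.z tag to the latest x.y.z-rc image in an AWS ECR repository.'

# Not declared as inputs, but consumed by action.sh from the step environment:
#   AWS_ACCOUNT_ID  - owner of the registry; the image host is built from it
#   AWS credentials - presumably those exported by the preceding
#                     configure-aws-credentials step; verify in the caller
inputs:
  repository:
    description: 'ECR repository name'
    required: true
  region:
    description: 'AWS region'
    required: true

outputs:
  rc_tag:
    description: 'The RC tag that was promoted'
  release_tag:
    description: 'The release tag'

runs:
  using: 'docker'
  image: 'Dockerfile'
  # Positional arguments, in the order action.sh reads them ($1, $2).
  args:
    - '${{ inputs.repository }}'
    - '${{ inputs.region }}'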
# action.sh
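#!/bin/bash
# Promote the newest x.y.z-rc image in an ECR repository to the x.y.z release tag.
#
# Arguments:
#   $1  ECR repository name
#   $2  AWS region
# Environment:
#   AWS_ACCOUNT_ID   account that owns the registry (required; the host is built from it)
#   AWS credentials  picked up by the aws CLI from the environment
# Step outputs:
#   rc_tag        the -rc tag that was promoted
#   release_tag   the release tag that now also points at that image
#
# -e: stop on the first error; -u: unset variables are errors; -o pipefail: a
# failing producer in a pipeline (e.g. get-login-password) is not masked by a
# succeeding consumer (docker login, head).
set -euo pipefail

ECR_REPOSITORY="${1:?usage: action.sh <ecr-repository> <region>}"
REGION="${2:?usage: action.sh <ecr-repository> <region>}"
: "${AWS_ACCOUNT_ID:?AWS_ACCOUNT_ID must be set; the registry host is derived from it}"

REGISTRY="$AWS_ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com"
IMAGES_JSON=images.json

# Write a step output. Prefer the GITHUB_OUTPUT file; fall back to the
# deprecated ::set-output workflow command where the file is not provided.
set_output() {
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    echo "$1=$2" >> "$GITHUB_OUTPUT"
  else
    echo "::set-output name=$1::$2"
  fi
}

aws ecr get-login-password --region "$REGION" \
  | docker login --username AWS --password-stdin "$REGISTRY"

# List the tags of every image in the repository into images.json.
# Untagged images come back as null entries; the jq filters below skip them
# instead of failing on `null | test(...)`.
aws ecr describe-images --repository-name "$ECR_REPOSITORY" --region "$REGION" \
  --query 'imageDetails[*].imageTags' --output json > "$IMAGES_JSON"

# Highest x.y.z-rc tag by version sort. Every tag of every image is inspected,
# not only the first one, so an image tagged ["1.2.3", "1.2.3-rc"] is still found.
LATEST_RC_TAG=$(jq -r '.[] | select(. != null) | .[] | select(test("^[0-9]+\\.[0-9]+\\.[0-9]+-rc$"))' "$IMAGES_JSON" \
  | sort -Vr | head -n 1)

if [ -z "$LATEST_RC_TAG" ]; then
  echo "No x.y.z-rc tag found in $ECR_REPOSITORY; nothing to promote." >&2
  exit 1
fi
echo "Latest RC image found: $LATEST_RC_TAG"

# Strip the -rc suffix to get the release version (the regex above fixed the format).
RELEASE_VERSION="${LATEST_RC_TAG%-rc}"

# One any() over all tags of all images: the exit status reflects the whole
# repository, not just the last image listed. The version is passed with --arg
# rather than spliced into the filter text.
if jq -e --arg v "$RELEASE_VERSION" 'any(.[] | select(. != null) | .[]; . == $v)' "$IMAGES_JSON" > /dev/null; then
  echo "Release tag $RELEASE_VERSION already exists. Skipping retagging."
  set_output rc_tag "$LATEST_RC_TAG"
  set_output release_tag "$RELEASE_VERSION"
  exit 0
fi

RC_IMAGE="$REGISTRY/$ECR_REPOSITORY:$LATEST_RC_TAG"
RELEASE_IMAGE="$REGISTRY/$ECR_REPOSITORY:$RELEASE_VERSION"

# Pull the rc image, add the release tag and push it back.
# NOTE(review): docker pull/push re-tags only the single platform image the
# runner selects; if the rc images are multi-arch manifest lists, confirm that
# is acceptable or re-tag the manifest server-side instead.
docker pull "$RC_IMAGE"
docker tag "$RC_IMAGE" "$RELEASE_IMAGE"
docker push "$RELEASE_IMAGE"

set_output rc_tag "$LATEST_RC_TAG"
set_output release_tag "$RELEASE_VERSION"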