From c5c76acf0dcc4680292efb5cc1360fe64e2fdab3 Mon Sep 17 00:00:00 2001 From: Diana Borbe Date: Tue, 16 Jun 2026 09:31:24 +0200 Subject: [PATCH 01/10] Download private git repositories using Github App --- .github/workflows/build-base.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/.github/workflows/build-base.yml b/.github/workflows/build-base.yml index 86c1668..03f6fa1 100644 --- a/.github/workflows/build-base.yml +++ b/.github/workflows/build-base.yml @@ -14,6 +14,14 @@ on: description: 'The Dockerfile to use for the build' required: true type: string + private_module_repos: + description: >- + Space/comma-separated private repos (same owner) the build needs to + fetch, e.g. private Go modules. When set, a scoped GitHub App token is + minted and passed to the build as the "gh_token" BuildKit secret. + required: false + type: string + default: '' jobs: build: @@ -75,6 +83,16 @@ jobs: with: cache-source: go-build-cache + - name: Mint token for private module repos + id: module-token + if: ${{ inputs.private_module_repos != '' }} + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ secrets.SIGNER_APP_ID }} + private-key: ${{ secrets.SIGNER_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: ${{ inputs.private_module_repos }} + - name: Build and push uses: depot/build-push-action@v1 with: @@ -84,6 +102,8 @@ jobs: labels: ${{ steps.meta.outputs.labels }} project: "06dnhndwwg" push: true + secrets: | + gh_token=${{ steps.module-token.outputs.token }} - name: Extract Docker version from tags id: extract From d10faa2ccd273a0dfef8107e5b6080d367d3a59f Mon Sep 17 00:00:00 2001 From: Diana Borbe Date: Tue, 16 Jun 2026 09:56:10 +0200 Subject: [PATCH 02/10] Update --- .github/workflows/build-base.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-base.yml b/.github/workflows/build-base.yml index 03f6fa1..ea3f73e 100644 
--- a/.github/workflows/build-base.yml +++ b/.github/workflows/build-base.yml @@ -16,9 +16,17 @@ on: type: string private_module_repos: description: >- - Space/comma-separated private repos (same owner) the build needs to - fetch, e.g. private Go modules. When set, a scoped GitHub App token is - minted and passed to the build as the "gh_token" BuildKit secret. + Space/comma-separated private repos the build needs to fetch, e.g. + private Go modules. When set, a scoped GitHub App token is minted and + passed to the build as the "gh_token" BuildKit secret. + required: false + type: string + default: '' + private_module_owner: + description: >- + Org that owns private_module_repos. Defaults to this repo's owner; set + it when the private module lives in a different org (e.g. cosmos). The + GitHub App (SIGNER_APP_ID) must be installed on this org. required: false type: string default: '' @@ -90,7 +98,7 @@ jobs: with: app-id: ${{ secrets.SIGNER_APP_ID }} private-key: ${{ secrets.SIGNER_APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} + owner: ${{ inputs.private_module_owner != '' && inputs.private_module_owner || github.repository_owner }} repositories: ${{ inputs.private_module_repos }} - name: Build and push From c2e79592650449e81a9814084c8473732e1a8211 Mon Sep 17 00:00:00 2001 From: Diana Borbe Date: Tue, 16 Jun 2026 10:26:27 +0200 Subject: [PATCH 03/10] Update --- .github/workflows/build-base.yml | 208 +++++++++++++++++++++++-------- 1 file changed, 158 insertions(+), 50 deletions(-) diff --git a/.github/workflows/build-base.yml b/.github/workflows/build-base.yml index ea3f73e..14d4682 100644 --- a/.github/workflows/build-base.yml +++ b/.github/workflows/build-base.yml 
@@ -30,24 +30,43 @@ on: required: false type: string default: '' + platforms: + description: >- + Comma/space-separated target platforms, e.g. "linux/amd64,linux/arm64". + Each is built natively on its own runner (amd64 -> ubuntu-24.04, + arm64 -> ubuntu-24.04-arm) and merged into one manifest. No QEMU. + required: false + type: string + default: linux/amd64 jobs: - build: - runs-on: depot-ubuntu-22.04 + # Turn the platforms string into a {platform, runner} matrix and make sure the + # ECR repo exists before the parallel per-arch builds push to it. + prepare: + runs-on: ubuntu-latest + timeout-minutes: 5 permissions: id-token: write contents: read - + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - - name: Show inputs + - name: Compute build matrix from platforms + id: set-matrix + shell: bash run: | - echo "Inputs:" - echo " image_name: ${{ inputs.image_name }}" - echo " matrix_key: ${{ inputs.matrix_key }}" - echo " docker_file_path: ${{ inputs.docker_file_path }}" - - - name: Check out the repo - uses: actions/checkout@v3 + include='[]' + IFS=', ' read -ra PLATFORMS <<< "${{ inputs.platforms }}" + for p in "${PLATFORMS[@]}"; do + [ -z "$p" ] && continue + case "$p" in + linux/amd64) runner="ubuntu-24.04" ;; + linux/arm64) runner="ubuntu-24.04-arm" ;; + *) echo "::error::Unsupported platform '$p' (expected linux/amd64 or linux/arm64)"; exit 1 ;; + esac + include=$(jq -cn --argjson acc "$include" --arg p "$p" --arg r "$runner" '$acc + [{platform: $p, runner: $r}]') + done + echo "matrix={\"include\":$include}" >> "$GITHUB_OUTPUT" - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 
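Review bot: The matrix produced by `Compute build matrix from platforms` is never deduplicated, so an input such as `linux/amd64,linux/amd64` yields two identical `{platform, runner}` entries, and both resulting build jobs would then try to upload an artifact under the same `<matrix_key>-digests-linux-amd64` name, which upload-artifact v4 rejects as a duplicate (the upload step is in a later hunk). Collapsing duplicates once after the loop is a one-liner before the `echo "matrix=..."` line: `include=$(jq -c 'unique' <<< "$include")`. The `prepare` job continues past the end of this hunk.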
@@ -57,36 +76,56 @@ jobs: role-to-assume: arn:aws:iam::494494944992:role/GithubImagePusher - name: Login to Amazon ECR - id: login-ecr uses: aws-actions/amazon-ecr-login@v2 - name: Create ECR repository if it does not exist run: | - aws ecr describe-repositories --region us-east-2 --repository-names ${{ inputs.image_name }} || aws ecr create-repository --repository-name ${{ inputs.image_name }} --region us-east-2 + aws ecr describe-repositories --region us-east-2 --repository-names ${{ inputs.image_name }} \ + || aws ecr create-repository --repository-name ${{ inputs.image_name }} --region us-east-2 - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - env: - DOCKER_METADATA_PR_HEAD_SHA: true + # Build each platform natively (no emulation) and push it by digest. + build: + needs: prepare + timeout-minutes: 60 + permissions: + id-token: write + contents: read + strategy: + fail-fast: false + matrix: ${{ fromJSON(needs.prepare.outputs.matrix) }} + runs-on: ${{ matrix.runner }} + name: build (${{ matrix.platform }}) + steps: + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Prepare platform pair + run: | + platform="${{ matrix.platform }}" + echo "PLATFORM_PAIR=${platform//\//-}" >> "$GITHUB_ENV" + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 with: - images: | - ${{ secrets.ecr_url_prefix}}/${{ inputs.image_name }} - tags: | - type=sha,priority=900,prefix= - type=semver,priority=1000,pattern={{version}} - type=semver,pattern={{major}}.{{minor}}.{{patch}} - type=semver,pattern={{major}} - type=ref,event=branch - type=ref,event=pr + aws-region: us-east-2 + role-session-name: ${{ github.run_id }} + role-to-assume: arn:aws:iam::494494944992:role/GithubImagePusher - - name: Go Build Cache for Docker - uses: actions/cache@v3 + - name: Login to Amazon ECR + uses: aws-actions/amazon-ecr-login@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + # Persist the in-Dockerfile Go 
build cache mount across runs, per arch + # (each platform builds on its own runner, so caches never mix). + - name: Restore Go build cache + uses: actions/cache@v4 with: path: go-build-cache - key: ${{ runner.os }}-${{ inputs.matrix_key }}-go-build-cache-${{ hashFiles('**/go.sum') }} + key: ${{ runner.os }}-${{ inputs.matrix_key }}-${{ env.PLATFORM_PAIR }}-go-build-${{ hashFiles('**/go.sum') }} - - name: inject go-build-cache into docker + - name: Inject Go build cache into buildkit uses: reproducible-containers/buildkit-cache-dance@v2.1.2 with: cache-source: go-build-cache 
@@ -101,36 +140,105 @@ jobs: owner: ${{ inputs.private_module_owner != '' && inputs.private_module_owner || github.repository_owner }} repositories: ${{ inputs.private_module_repos }} - - name: Build and push - uses: depot/build-push-action@v1 + - name: Build and push by digest + id: build + uses: docker/build-push-action@v6 with: context: . file: ${{ inputs.docker_file_path }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - project: "06dnhndwwg" - push: true + platforms: ${{ matrix.platform }} + outputs: type=image,name=${{ secrets.ecr_url_prefix }}/${{ inputs.image_name }},push-by-digest=true,name-canonical=true,push=true + # Layer cache scoped per image + platform so nothing clobbers anything. + cache-from: type=gha,scope=${{ inputs.matrix_key }}-${{ env.PLATFORM_PAIR }} + cache-to: type=gha,mode=max,scope=${{ inputs.matrix_key }}-${{ env.PLATFORM_PAIR }} secrets: | gh_token=${{ steps.module-token.outputs.token }} + - name: Export digest + run: | + mkdir -p "${{ runner.temp }}/digests" + digest="${{ steps.build.outputs.digest }}" + touch "${{ runner.temp }}/digests/${digest#sha256:}" + + - name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: ${{ inputs.matrix_key }}-digests-${{ env.PLATFORM_PAIR }} + path: ${{ runner.temp }}/digests/* + if-no-files-found: error + retention-days: 1 + + # Combine the per-arch digests into a single tagged multi-arch manifest. 
+ merge: + needs: [prepare, build] + timeout-minutes: 10 + permissions: + id-token: write + contents: read + runs-on: ubuntu-latest + outputs: + version: ${{ steps.extract.outputs.version }} + tag: ${{ steps.meta.outputs.version }} + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: us-east-2 + role-session-name: ${{ github.run_id }} + role-to-assume: arn:aws:iam::494494944992:role/GithubImagePusher + + - name: Login to Amazon ECR + uses: aws-actions/amazon-ecr-login@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: ${{ runner.temp }}/digests + pattern: ${{ inputs.matrix_key }}-digests-* + merge-multiple: true + + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + env: + DOCKER_METADATA_PR_HEAD_SHA: true + with: + images: | + ${{ secrets.ecr_url_prefix }}/${{ inputs.image_name }} + tags: | + type=sha,priority=900,prefix= + type=semver,priority=1000,pattern={{version}} + type=semver,pattern={{major}}.{{minor}}.{{patch}} + type=semver,pattern={{major}} + type=ref,event=branch + type=ref,event=pr + + - name: Create manifest list and push + working-directory: ${{ runner.temp }}/digests + env: + DOCKER_METADATA_OUTPUT_JSON: ${{ steps.meta.outputs.json }} + run: | + docker buildx imagetools create \ + $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ secrets.ecr_url_prefix }}/${{ inputs.image_name }}@sha256:%s ' *) + - name: Extract Docker version from tags id: extract shell: bash run: | - echo "Meta output JSON:" - echo '${{ steps.meta.outputs.json }}' > raw.json - jq '.' 
raw.json + version=$(jq -r '.tags[0]' <<< '${{ steps.meta.outputs.json }}') + echo "version=$version" >> "$GITHUB_OUTPUT" - version=$(jq -r '.tags[0]' raw.json) - echo "version=$version" >> $GITHUB_OUTPUT - - outputs: - docker_version: ${{ steps.extract.outputs.version }} - docker_tag: ${{ steps.meta.outputs.version }} + - name: Inspect manifest + run: docker buildx imagetools inspect "${{ steps.extract.outputs.version }}" write: runs-on: ubuntu-latest - needs: [build] + timeout-minutes: 10 + needs: [merge] steps: - name: Write matrix outputs uses: cloudposse/github-action-matrix-outputs-write@v1 @@ -139,9 +247,9 @@ jobs: matrix-step-name: build matrix-key: ${{ inputs.matrix_key }} outputs: |- - version: ${{ needs.build.outputs.docker_version }} - tag: ${{ needs.build.outputs.docker_tag }} + version: ${{ needs.merge.outputs.version }} + tag: ${{ needs.merge.outputs.tag }} outputs: version: ${{ fromJson(steps.out.outputs.result).version }} - tag: ${{ fromJson(steps.out.outputs.result).tag }} \ No newline at end of file + tag: ${{ fromJson(steps.out.outputs.result).tag }} From 3258ea623223c2416a97941f034074b81b016e04 Mon Sep 17 00:00:00 2001 From: Diana Borbe Date: Tue, 16 Jun 2026 10:55:18 +0200 Subject: [PATCH 04/10] Update --- .github/workflows/build-base.yml | 26 +++++++------------------- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/.github/workflows/build-base.yml b/.github/workflows/build-base.yml index 14d4682..ffeabb5 100644 --- a/.github/workflows/build-base.yml +++ b/.github/workflows/build-base.yml @@ -38,6 +38,13 @@ on: required: false type: string default: linux/amd64 + outputs: + tag: + description: 'Primary image tag of the pushed manifest (e.g. the commit sha).' + value: ${{ jobs.merge.outputs.tag }} + version: + description: 'Full primary image reference (registry/name:tag).' + value: ${{ jobs.merge.outputs.version }} jobs: # Turn the platforms string into a {platform, runner} matrix and make sure the 
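Review bot: The `Export digest` step splices `${{ steps.build.outputs.digest }}` and `${{ runner.temp }}` directly into the `run:` script, whereas later commits in this series move every other expression into `env:` before it reaches the shell; this step should follow the same pattern so the script body contains no inline substitution at all. Add `env: BUILD_DIGEST: ${{ steps.build.outputs.digest }}` to the step and use `digest="$BUILD_DIGEST"` and `"$RUNNER_TEMP/digests"` in the script, since the runner already exports `RUNNER_TEMP`. The same applies to `platform="${{ matrix.platform }}"` in `Prepare platform pair` in the previous hunk, although that value has already been checked against a fixed list by the `prepare` job.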
@@ -234,22 +241,3 @@ jobs: - name: Inspect manifest run: docker buildx imagetools inspect "${{ steps.extract.outputs.version }}" - - write: - runs-on: ubuntu-latest - timeout-minutes: 10 - needs: [merge] - steps: - - name: Write matrix outputs - uses: cloudposse/github-action-matrix-outputs-write@v1 - id: out - with: - matrix-step-name: build - matrix-key: ${{ inputs.matrix_key }} - outputs: |- - version: ${{ needs.merge.outputs.version }} - tag: ${{ needs.merge.outputs.tag }} - - outputs: - version: ${{ fromJson(steps.out.outputs.result).version }} - tag: ${{ fromJson(steps.out.outputs.result).tag }} From 52ba605292744cd7a0255d4d2ab361ca6aec8bf2 Mon Sep 17 00:00:00 2001 From: Diana Borbe Date: Tue, 16 Jun 2026 11:25:33 +0200 Subject: [PATCH 05/10] Update --- .github/workflows/build-base.yml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/.github/workflows/build-base.yml b/.github/workflows/build-base.yml index ffeabb5..647b8f9 100644 --- a/.github/workflows/build-base.yml +++ b/.github/workflows/build-base.yml @@ -124,19 +124,6 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - # Persist the in-Dockerfile Go build cache mount across runs, per arch - # (each platform builds on its own runner, so caches never mix). - - name: Restore Go build cache - uses: actions/cache@v4 - with: - path: go-build-cache - key: ${{ runner.os }}-${{ inputs.matrix_key }}-${{ env.PLATFORM_PAIR }}-go-build-${{ hashFiles('**/go.sum') }} - - - name: Inject Go build cache into buildkit - uses: reproducible-containers/buildkit-cache-dance@v2.1.2 - with: - cache-source: go-build-cache - - name: Mint token for private module repos id: module-token if: ${{ inputs.private_module_repos != '' }} From d7ce0d6fe2287ddcc4459c7447132cb885b37697 Mon Sep 17 00:00:00 2001 
From: Diana Borbe Date: Tue, 16 Jun 2026 12:53:26 +0200 Subject: [PATCH 06/10] After code review --- .github/workflows/build-base.yml | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-base.yml b/.github/workflows/build-base.yml index 647b8f9..e5cae46 100644 --- a/.github/workflows/build-base.yml +++ b/.github/workflows/build-base.yml @@ -61,9 +61,11 @@ jobs: - name: Compute build matrix from platforms id: set-matrix shell: bash + env: + PLATFORMS_INPUT: ${{ inputs.platforms }} run: | include='[]' - IFS=', ' read -ra PLATFORMS <<< "${{ inputs.platforms }}" + IFS=', ' read -ra PLATFORMS <<< "$PLATFORMS_INPUT" for p in "${PLATFORMS[@]}"; do [ -z "$p" ] && continue case "$p" in @@ -124,6 +126,19 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + # create-github-app-token only accepts comma/newline-separated repos, but + # the documented interface also allows spaces; normalize to commas here so + # callers following the docs don't silently get an empty token scope. + - name: Normalize private module repos + id: module-repos + if: ${{ inputs.private_module_repos != '' }} + shell: bash + env: + PRIVATE_MODULE_REPOS: ${{ inputs.private_module_repos }} + run: | + repos=$(printf '%s' "$PRIVATE_MODULE_REPOS" | tr -s ' \t\n,' ',' | sed 's/^,//; s/,$//') + echo "repos=$repos" >> "$GITHUB_OUTPUT" + - name: Mint token for private module repos id: module-token if: ${{ inputs.private_module_repos != '' }} @@ -132,7 +147,7 @@ jobs: app-id: ${{ secrets.SIGNER_APP_ID }} private-key: ${{ secrets.SIGNER_APP_PRIVATE_KEY }} owner: ${{ inputs.private_module_owner != '' && inputs.private_module_owner || github.repository_owner }} - repositories: ${{ inputs.private_module_repos }} + repositories: ${{ steps.module-repos.outputs.repos }} - name: Build and push by digest id: build 
@@ -145,8 +160,9 @@ jobs: # Layer cache scoped per image + platform so nothing clobbers anything. cache-from: type=gha,scope=${{ inputs.matrix_key }}-${{ env.PLATFORM_PAIR }} cache-to: type=gha,mode=max,scope=${{ inputs.matrix_key }}-${{ env.PLATFORM_PAIR }} - secrets: | - gh_token=${{ steps.module-token.outputs.token }} + # Only forward the token when one was actually minted; otherwise pass no + # secrets so an empty gh_token isn't mounted into every build. + secrets: ${{ inputs.private_module_repos != '' && format('gh_token={0}', steps.module-token.outputs.token) || '' }} - name: Export digest run: | From 71481a339df5302187c9977c2b282e0332197c82 Mon Sep 17 00:00:00 2001 From: Diana Borbe Date: Tue, 16 Jun 2026 13:00:32 +0200 Subject: [PATCH 07/10] After code review --- .github/workflows/build-base.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-base.yml b/.github/workflows/build-base.yml index e5cae46..04d04a0 100644 --- a/.github/workflows/build-base.yml +++ b/.github/workflows/build-base.yml @@ -238,8 +238,10 @@ jobs: - name: Extract Docker version from tags id: extract shell: bash + env: + DOCKER_METADATA_OUTPUT_JSON: ${{ steps.meta.outputs.json }} run: | - version=$(jq -r '.tags[0]' <<< '${{ steps.meta.outputs.json }}') + version=$(jq -r '.tags[0]' <<< "$DOCKER_METADATA_OUTPUT_JSON") echo "version=$version" >> "$GITHUB_OUTPUT" - name: Inspect manifest From 39c126e317da6a8531929d96114aa1e5e9a36019 Mon Sep 17 00:00:00 2001 From: Diana Borbe Date: Tue, 16 Jun 2026 13:12:38 +0200 Subject: [PATCH 08/10] After code review --- .github/workflows/build-base.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-base.yml b/.github/workflows/build-base.yml index 04d04a0..3311c98 100644 --- a/.github/workflows/build-base.yml +++ b/.github/workflows/build-base.yml 
@@ -88,9 +88,11 @@ jobs: uses: aws-actions/amazon-ecr-login@v2 - name: Create ECR repository if it does not exist + env: + IMAGE_NAME: ${{ inputs.image_name }} run: | - aws ecr describe-repositories --region us-east-2 --repository-names ${{ inputs.image_name }} \ - || aws ecr create-repository --repository-name ${{ inputs.image_name }} --region us-east-2 + aws ecr describe-repositories --region us-east-2 --repository-names "$IMAGE_NAME" \ + || aws ecr create-repository --repository-name "$IMAGE_NAME" --region us-east-2 # Build each platform natively (no emulation) and push it by digest. build: @@ -230,10 +232,11 @@ jobs: working-directory: ${{ runner.temp }}/digests env: DOCKER_METADATA_OUTPUT_JSON: ${{ steps.meta.outputs.json }} + IMAGE_REF: ${{ secrets.ecr_url_prefix }}/${{ inputs.image_name }} run: | docker buildx imagetools create \ $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ - $(printf '${{ secrets.ecr_url_prefix }}/${{ inputs.image_name }}@sha256:%s ' *) + $(for d in *; do printf '%s@sha256:%s ' "$IMAGE_REF" "$d"; done) - name: Extract Docker version from tags id: extract From 64bc64657fc78e9f54e62ed61172d0746073d163 Mon Sep 17 00:00:00 2001 From: Diana Borbe Date: Tue, 16 Jun 2026 13:36:13 +0200 Subject: [PATCH 09/10] After code review --- .github/workflows/build-base.yml | 37 ++++++++++++++++++++------------ 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build-base.yml b/.github/workflows/build-base.yml index 3311c98..f3a50df 100644 --- a/.github/workflows/build-base.yml +++ b/.github/workflows/build-base.yml 
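Review bot: `aws ecr create-repository` in `Create ECR repository if it does not exist` creates the repository with ECR defaults, so images pushed by the build and merge jobs are never scanned on push, and this step is the only place in the workflow where that could be chosen. Opting in is a flag on the existing call: `|| aws ecr create-repository --repository-name "$IMAGE_NAME" --region us-east-2 --image-scanning-configuration scanOnPush=true`. Tag immutability is deliberately not suggested here because the `merge` job re-pushes mutable branch tags (`type=ref,event=branch`). Note also that the `describe || create` form treats any `describe-repositories` failure, including a transient IAM or network error, as "does not exist" and falls through to a create attempt.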
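Review bot: The `for d in *` loop in `Create manifest list and push` turns every file name in the downloaded digests directory into an `@sha256:<name>` reference without checking that it is a digest, and when the directory is empty the unmatched glob passes the literal `*` to `imagetools create`. A guard inside the loop keeps stray or malformed entries off the command line: `[[ "$d" =~ ^[0-9a-f]{64}$ ]] || { echo "::error::unexpected file in digests dir: $d"; exit 1; }`. The files come from artifacts of the same run selected by `pattern: <matrix_key>-digests-*`, so this is a consistency check rather than a trust-boundary one.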
@@ -78,14 +78,14 @@ jobs: echo "matrix={\"include\":$include}" >> "$GITHUB_OUTPUT" - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: aws-region: us-east-2 role-session-name: ${{ github.run_id }} role-to-assume: arn:aws:iam::494494944992:role/GithubImagePusher - name: Login to Amazon ECR - uses: aws-actions/amazon-ecr-login@v2 + uses: aws-actions/amazon-ecr-login@d539f0932e70871a027e9d5a9d8fc38589180a64 # v2 - name: Create ECR repository if it does not exist env: @@ -108,7 +108,7 @@ jobs: name: build (${{ matrix.platform }}) steps: - name: Check out the repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Prepare platform pair run: | @@ -116,17 +116,17 @@ jobs: echo "PLATFORM_PAIR=${platform//\//-}" >> "$GITHUB_ENV" - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: aws-region: us-east-2 role-session-name: ${{ github.run_id }} role-to-assume: arn:aws:iam::494494944992:role/GithubImagePusher - name: Login to Amazon ECR - uses: aws-actions/amazon-ecr-login@v2 + uses: aws-actions/amazon-ecr-login@d539f0932e70871a027e9d5a9d8fc38589180a64 # v2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 # create-github-app-token only accepts comma/newline-separated repos, but # the documented interface also allows spaces; normalize to commas here so 
@@ -139,12 +139,21 @@ jobs: PRIVATE_MODULE_REPOS: ${{ inputs.private_module_repos }} run: | repos=$(printf '%s' "$PRIVATE_MODULE_REPOS" | tr -s ' \t\n,' ',' | sed 's/^,//; s/,$//') + # A whitespace-only input is non-empty (so the steps run) but normalizes + # to nothing; an empty `repositories` makes create-github-app-token scope + # the token to every repo the app can access. Fail loudly instead. + if [ -z "$repos" ]; then + echo "::error::private_module_repos is set but contains no repository names after normalization; refusing to mint an all-repository-scoped token." + exit 1 + fi echo "repos=$repos" >> "$GITHUB_OUTPUT" - name: Mint token for private module repos id: module-token if: ${{ inputs.private_module_repos != '' }} - uses: actions/create-github-app-token@v1 + # Pinned to the v1 tag commit; this step handles SIGNER_APP_PRIVATE_KEY, so + # don't run a mutable tag here. + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1 with: app-id: ${{ secrets.SIGNER_APP_ID }} private-key: ${{ secrets.SIGNER_APP_PRIVATE_KEY }} @@ -153,7 +162,7 @@ jobs: - name: Build and push by digest id: build - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: . file: ${{ inputs.docker_file_path }} @@ -173,7 +182,7 @@ jobs: touch "${{ runner.temp }}/digests/${digest#sha256:}" - name: Upload digest - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: ${{ inputs.matrix_key }}-digests-${{ env.PLATFORM_PAIR }} path: ${{ runner.temp }}/digests/* 
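Review bot: The token minted at `uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547` carries every permission the SIGNER app installation holds on the target owner, yet its only consumer is the `gh_token` BuildKit secret used to fetch private Go modules, which needs repository contents read access only. Recent v1 releases of the action accept `permission-<scope>` inputs that narrow the token below the installation's grant; if the pinned commit includes them (confirm against its action.yml), add `permission-contents: read` under `with:` so a token that escapes the build cannot do more than clone the listed repositories. The step's remaining `with:` keys (`owner`, `repositories`) are outside this hunk. The new empty-after-normalization guard above is the right call, since the `repositories` scoping is the only thing limiting what this token reaches.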
@@ -193,20 +202,20 @@ jobs: tag: ${{ steps.meta.outputs.version }} steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 with: aws-region: us-east-2 role-session-name: ${{ github.run_id }} role-to-assume: arn:aws:iam::494494944992:role/GithubImagePusher - name: Login to Amazon ECR - uses: aws-actions/amazon-ecr-login@v2 + uses: aws-actions/amazon-ecr-login@d539f0932e70871a027e9d5a9d8fc38589180a64 # v2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Download digests - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: path: ${{ runner.temp }}/digests pattern: ${{ inputs.matrix_key }}-digests-* @@ -214,7 +223,7 @@ jobs: - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 env: DOCKER_METADATA_PR_HEAD_SHA: true with: From 1fc1e5ad7e63a94622ccac3b327cc3533aa81393 Mon Sep 17 00:00:00 2001 From: Diana Borbe Date: Tue, 16 Jun 2026 13:43:04 +0200 Subject: [PATCH 10/10] After code review --- .github/workflows/build-base.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-base.yml b/.github/workflows/build-base.yml index f3a50df..7b9aefe 100644 --- a/.github/workflows/build-base.yml +++ b/.github/workflows/build-base.yml @@ -257,4 +257,6 @@ jobs: echo "version=$version" >> "$GITHUB_OUTPUT" - name: Inspect manifest - run: docker buildx imagetools inspect "${{ steps.extract.outputs.version }}" + env: + INSPECT_REF: ${{ steps.extract.outputs.version }} + run: docker buildx imagetools inspect "$INSPECT_REF"