qzl
95 lines
3.4 KiB
YAML
95 lines
3.4 KiB
YAML
name: Build production Docker image
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
build-backend-image:
|
|
runs-on: wsl2-docker-host
|
|
env:
|
|
IMAGE_NAME: eryao-backend
|
|
IMAGE_SIZE_LIMIT_BYTES: 500000000
|
|
steps:
|
|
- name: Check out repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Validate ECR configuration
|
|
run: |
|
|
set -euo pipefail
|
|
test -n "${{ secrets.AWS_ACCESS_KEY_ID }}"
|
|
test -n "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
|
|
test -n "${{ secrets.AWS_REGION }}"
|
|
test -n "${{ secrets.AWS_ACCOUNT_ID }}"
|
|
test -n "${{ secrets.ECR_REPOSITORY }}"
|
|
|
|
- name: Build backend production image
|
|
run: |
|
|
set -euo pipefail
|
|
docker buildx build \
|
|
--provenance=false \
|
|
--load \
|
|
--file backend/Dockerfile \
|
|
--tag ${IMAGE_NAME}:prod-${GITHUB_SHA} \
|
|
--tag ${IMAGE_NAME}:prod-latest \
|
|
.
|
|
|
|
- name: Check image size budget
|
|
run: |
|
|
set -euo pipefail
|
|
image_size_bytes="$(docker image inspect ${IMAGE_NAME}:prod-${GITHUB_SHA} --format '{{.Size}}')"
|
|
echo "Image size: ${image_size_bytes} bytes"
|
|
if [ "${image_size_bytes}" -gt "${IMAGE_SIZE_LIMIT_BYTES}" ]; then
|
|
echo "Image exceeds ${IMAGE_SIZE_LIMIT_BYTES} bytes" >&2
|
|
exit 1
|
|
fi
|
|
|
|
- name: Smoke test backend image
|
|
run: |
|
|
set -euo pipefail
|
|
docker run --rm \
|
|
-e ERYAO_RUNTIME__ENVIRONMENT=prod \
|
|
-e ERYAO_SUPABASE__PUBLIC_URL=http://localhost:8001 \
|
|
-e ERYAO_POINTS_POLICY__REGISTER_BONUS_HMAC_KEY=ci-smoke-test-key \
|
|
--entrypoint python \
|
|
${IMAGE_NAME}:prod-${GITHUB_SHA} \
|
|
-c "import app; print(app.app.title)"
|
|
|
|
- name: Push backend image to ECR
|
|
env:
|
|
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
|
|
AWS_REGION: ${{ secrets.AWS_REGION }}
|
|
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
|
|
ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
|
|
run: |
|
|
set -euo pipefail
|
|
caller_account_id="$(aws sts get-caller-identity --query Account --output text)"
|
|
if [ "${caller_account_id}" != "${AWS_ACCOUNT_ID}" ]; then
|
|
echo "AWS_ACCOUNT_ID does not match caller identity" >&2
|
|
exit 1
|
|
fi
|
|
|
|
ecr_registry="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
|
|
ecr_image="${ecr_registry}/${ECR_REPOSITORY}"
|
|
|
|
aws ecr describe-repositories \
|
|
--region "${AWS_REGION}" \
|
|
--repository-names "${ECR_REPOSITORY}" >/dev/null 2>&1 \
|
|
|| aws ecr create-repository \
|
|
--region "${AWS_REGION}" \
|
|
--repository-name "${ECR_REPOSITORY}" \
|
|
--image-scanning-configuration scanOnPush=true \
|
|
--encryption-configuration encryptionType=AES256 >/dev/null
|
|
|
|
aws ecr get-login-password --region "${AWS_REGION}" \
|
|
| docker login --username AWS --password-stdin "${ecr_registry}"
|
|
|
|
docker tag "${IMAGE_NAME}:prod-${GITHUB_SHA}" "${ecr_image}:${GITHUB_SHA}"
|
|
docker tag "${IMAGE_NAME}:prod-${GITHUB_SHA}" "${ecr_image}:latest"
|
|
docker push "${ecr_image}:${GITHUB_SHA}"
|
|
docker push "${ecr_image}:latest"
|