feat: release v2 (#520)
* feat: change the default value of mask-password to true

BREAKING CHANGE: The default value of the 'mask-password' input has been updated from false to true.

* Treat maskPassword as false only if explicitly set to false

* Add new-v2-release to README
yyichenn authored Sep 28, 2023
1 parent 3542211 commit d71acaf
Showing 6 changed files with 19,538 additions and 23,705 deletions.
58 changes: 36 additions & 22 deletions README.md
Expand Up @@ -6,6 +6,7 @@ Logs in the local Docker client to one or more Amazon ECR Private registries or

<!-- toc -->

- [New v2 Release](#new-v2-release)
- [Example of Usage](#examples-of-usage)
- [Building and pushing an image](#building-and-pushing-an-image)
- [Using an image as a service](#using-an-image-as-a-service)
Expand All @@ -23,6 +24,28 @@ Logs in the local Docker client to one or more Amazon ECR Private registries or

<!-- tocstop -->

## New v2 Release

In the new major version for this action, the default value of the `mask-password` input has changed from `false` to `true`.

If you are **not** consuming the Docker credentials as outputs in subsequent jobs, you can simply update your action version to `aws-actions/amazon-ecr-login@v2`.

For any customer consuming the Docker credentials as outputs in subsequent jobs:

- If you are relying on the default value of the `mask-password` input, which is currently `false` in v1, your workflow will break when upgrading to v2. To fix this, please set the mask-password input to `false`:

```
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
with:
mask-password: 'false'
```

- If you are already setting the `mask-password` input to `false`, you can simply update your action version to `aws-actions/amazon-ecr-login@v2`.

For more information on why this change is being made, see [Masking Docker Credentials in Amazon ECR Login Action](https://github.com/aws-actions/amazon-ecr-login/issues/526).

## Examples of Usage

### Building and pushing an image
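Review bot: The first migration bullet tells readers to set `mask-password: 'false'` so that cross-job outputs keep working, but the new section never says what that opt-out costs. As the warning further down this README states, the Docker password is then logged when debug logging is enabled. Add a sentence or a link to the Docker Credentials section next to that bullet so the choice is an informed one. Two smaller points in the same bullet: the snippet's fence has no `yaml` tag, unlike the other examples in the README, and "the mask-password input" is missing the backticks used everywhere else.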
Expand All @@ -43,9 +66,7 @@ Logs in the local Docker client to one or more Amazon ECR Private registries or
```yaml
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
with:
mask-password: 'true'
uses: aws-actions/amazon-ecr-login@v2

- name: Build, tag, and push docker image to Amazon ECR
env:
Expand All @@ -61,9 +82,8 @@ Logs in the local Docker client to one or more Amazon ECR Private registries or
```yaml
- name: Login to Amazon ECR Public
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v1
uses: aws-actions/amazon-ecr-login@v2
with:
mask-password: 'true'
registry-type: public

- name: Build, tag, and push docker image to Amazon ECR Public
Expand All @@ -81,9 +101,7 @@ Logs in the local Docker client to one or more Amazon ECR Private registries or
```yaml
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
with:
mask-password: 'true'
uses: aws-actions/amazon-ecr-login@v2

- name: Package and push helm chart to Amazon ECR
env:
Expand All @@ -98,9 +116,8 @@ Logs in the local Docker client to one or more Amazon ECR Private registries or
```yaml
- name: Login to Amazon ECR Public
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v1
uses: aws-actions/amazon-ecr-login@v2
with:
mask-password: 'true'
registry-type: public

- name: Package and push helm chart to Amazon ECR Public
Expand All @@ -115,11 +132,6 @@ Logs in the local Docker client to one or more Amazon ECR Private registries or
Helm uses the same credential store as Docker, so Helm can authenticate with the same credentials that you use for Docker.
> [!WARNING]
> Setting `mask-password` to `'true'` is the recommended approach if following any of the examples above.
> However, this will prevent the Docker password output from being shared between separate jobs.
> For more information, see the [Docker Credentials](#docker-credentials) section below.

### Other use-cases
#### Login to ECR on multiple AWS accounts
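Review bot: Removing this warning drops the only notice placed next to the examples that a masked password cannot be shared between separate jobs, and the examples above now rely on the v2 default instead of an explicit `mask-password: 'true'`. A reader who copies one of those snippets and later tries to consume the password output in another job gets no hint here about why that does not work. Consider keeping a shortened note after the Helm paragraph that says masking is on by default in v2 and points to the Docker Credentials section.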
Expand All @@ -133,7 +145,7 @@ Helm uses the same credential store as Docker, so Helm can authenticate with the

- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
uses: aws-actions/amazon-ecr-login@v2
with:
registries: "123456789012,998877665544"
```
Expand All @@ -149,7 +161,7 @@ for details on how to configure ECR policies
Use the action to output your Docker credentials for logging into ECR Private, then use the credentials to run your private image as a service in another job.

> [!WARNING]
> Not setting `mask-password` or setting `mask-password` to `'false'` will log your Docker password output if [debug logging is enabled](https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging).
> Setting `mask-password` to `'false'` will log your Docker password output if [debug logging is enabled](https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging).
> For more information, see the [Docker Credentials](#docker-credentials) section below.

```yaml
Expand All @@ -165,7 +177,9 @@ jobs:
mask-aws-account-id: 'false'
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
uses: aws-actions/amazon-ecr-login@v2
with:
mask-password: 'false'
outputs:
registry: ${{ steps.login-ecr.outputs.registry }}
docker_username: ${{ steps.login-ecr.outputs.docker_username_123456789012_dkr_ecr_us_east_1_amazonaws_com }} # More information on these outputs can be found below in the 'Docker Credentials' section
Expand Down Expand Up @@ -205,7 +219,7 @@ This action relies on the [default behavior of the AWS SDK for Javascript](https
- name: Login to Amazon ECR Private
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
uses: aws-actions/amazon-ecr-login@v2
```

We recommend following [Amazon IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) when using AWS services in GitHub Actions workflows, including:
Expand All @@ -229,10 +243,10 @@ If using ECR Public:
- Docker password output: `docker_password_public_ecr_aws`

> [!IMPORTANT]
> If **you are not** using the Docker credential outputs, make sure the `mask-password` input is **set to `'true'`**.
> If **you are not** using the Docker credential outputs, make sure the `mask-password` input is **not set or set to `'true'`**.
> This masks your Docker password and prevents it from being printed to the action logs if you [enable debug logging](https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging).
>
> If **you are** using the Docker credential outputs, make sure the `mask-password` input is **not set or set to `'false'`**.
> If **you are** using the Docker credential outputs, make sure the `mask-password` input is **set to `'false'`**.
> Masked values cannot be passed to separate jobs (see [this issue](https://github.com/actions/runner/issues/1498#issuecomment-1066836352)).

## Self-Hosted Runners
Expand All @@ -245,7 +259,7 @@ Additionally, this action will always consider an already configured proxy in th

Proxy configured via action input:
```yaml
uses: aws-actions/amazon-ecr-login@v1.6.0
uses: aws-actions/amazon-ecr-login@v2
with:
http-proxy: "http://companydomain.com:3128"
````
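Review bot: The proxy example moves from the exact release `@v1.6.0` to the floating major tag `@v2`, so the one snippet in this README that pinned a specific version no longer does. If pinning was intentional in this example, pin to the exact v2 release instead; if not, the change is fine as is. Also, the closing fence of this block has four backticks against an opening fence of three, which is worth fixing while the block is being edited.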
2 changes: 1 addition & 1 deletion action.yml
Expand Up @@ -14,7 +14,7 @@ inputs:
NOTE: This will prevent the Docker password output from being shared between separate jobs.
Options: ['true', 'false']
required: false
default: 'false'
default: 'true'
registries:
description: >-
A comma-delimited list of AWS account IDs that are associated with the ECR Private registries.
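Review bot: The default flips to `'true'`, but the description shown here still lists only `Options: ['true', 'false']` and does not say what happens with any other value. The commit message says masking is treated as off only when the input is explicitly `false`, so state that in the description, and mention that the default changed in v2 so users who read `action.yml` see the breaking change.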
2 changes: 1 addition & 1 deletion dist/cleanup/index.js
Expand Up @@ -626,7 +626,7 @@ class OidcClient {
.catch(error => {
throw new Error(`Failed to get ID Token. \n
Error Code : ${error.statusCode}\n
Error Message: ${error.result.message}`);
Error Message: ${error.message}`);
});
const id_token = (_a = res.result) === null || _a === void 0 ? void 0 : _a.value;
if (!id_token) {
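Review bot: The switch to `error.message` sits in the built bundle under `dist/` and is not mentioned in the commit message, which only describes the `mask-password` default. Confirm it comes from rebuilding `dist` after a dependency update rather than a hand edit, and say so in the commit message. Note also that the template still interpolates `error.statusCode` on the line above, which prints `undefined` for errors that carry no status code.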