From 9351ca4b470571f22fef1d3ae48f4ed53348b7bb Mon Sep 17 00:00:00 2001 From: Tim Robinson Date: Tue, 11 Apr 2023 19:25:17 +1000 Subject: [PATCH] Migrate to Quay and ECR --- .github/workflows/build-push.yml | 103 ++++++++++++++++++ .../dockerhub-build-push-multi-arch.yml | 78 ------------- README.md | 12 +- 3 files changed, 109 insertions(+), 84 deletions(-) create mode 100644 .github/workflows/build-push.yml delete mode 100644 .github/workflows/dockerhub-build-push-multi-arch.yml diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml new file mode 100644 index 0000000..46562bc --- /dev/null +++ b/.github/workflows/build-push.yml 
@@ -0,0 +1,103 @@
+name: build and push on main and tags
+
+on:
+ push:
+ branches:
+ - main
+ tags:
+ - v[0-9]+.[0-9]+.[0-9]+
+ - v[0-9]+.[0-9]+.[0-9]+-[0-9]+
+ pull_request:
+
+env:
+ GITHUB_ROLE_ARN: arn:aws:iam::461800378586:role/GitHubECRPublic
+
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # This is required for actions/checkout
+
+jobs:
+ build_and_push:
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Get repo name
+ id: image_name
+ run: |
+ sed -E -e 's/docker-//' -e 's/^/image_name=/' <<<"${{ github.repository }}" >> "$GITHUB_OUTPUT"
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ # list of Docker images to use as base name for tags
+ images: |
+ quay.io/${{ steps.image_name.outputs.image_name }}
+ public.ecr.aws/${{ steps.image_name.outputs.image_name }}
+ # generate Docker tags based on the following events/attributes
+ tags: |
+ # type=schedule
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ # type=sha
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v2
+
+ # The values provided to these two AWS steps are always the same for Panubo owned repos
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v1-node16
+ with:
+ role-to-assume: ${{ env.GITHUB_ROLE_ARN }}
+ aws-region: us-east-1
+
+ - name: Login to ECR
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v2
+ with:
+ registry: public.ecr.aws
+
+ - name: Login to Quay.io
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v2
+ with:
+ registry: quay.io
+ username: ${{ secrets.PANUBUILD_QUAYIO_USERNAME }}
+ password: ${{ secrets.PANUBUILD_QUAYIO_TOKEN }}
+
+ # - name: Setup BATS
+ # uses: mig4/setup-bats@v1
+ # with:
+ # bats-version: 1.7.0
+
+ - name: Build and export to Docker
+ uses: docker/build-push-action@v4
+ with:
+ builder: ${{ steps.buildx.outputs.name }}
+ cache-from: type=gha
+ load: true
+ tags: ${{ steps.image_name.outputs.image_name }}:test
+
+ # - name: Test
+ # run: |
+ # make _ci_test
+
+ - name: Build and Push
+ uses: docker/build-push-action@v3
+ with:
+ builder: ${{ steps.buildx.outputs.name }}
+ push: ${{ github.event_name != 'pull_request' }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ platforms: linux/amd64,linux/arm64
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/dockerhub-build-push-multi-arch.yml b/.github/workflows/dockerhub-build-push-multi-arch.yml
deleted file mode 100644
index 68606cd..0000000
--- a/.github/workflows/dockerhub-build-push-multi-arch.yml
+++ /dev/null
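Review bot: The "Configure AWS Credentials" step runs on every event, including `pull_request`, even though both login steps and the push itself are gated with `if: github.event_name != 'pull_request'`, so PR runs still mint an OIDC token and assume the ECR role with nothing to push. Gating that step the same way keeps cloud credentials out of PR builds and presumably also avoids a failing step on pull requests from forks, where the `id-token: write` permission is not granted: add `if: github.event_name != 'pull_request'` to the Configure AWS Credentials step. The two build-push-action steps use different majors (`@v4` for the `load: true` build, `@v3` for the push), and every action in the file is pinned to a mutable tag rather than a commit SHA; aligning the majors and SHA-pinning would make the supply chain easier to audit. With the BATS and Test steps commented out, the image loaded under the `:test` tag is consumed by nothing, so that build step is currently dead work.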
@@ -1,78 +0,0 @@
-# Source: https://github.com/panubo/reference-github-actions/blob/main/dockerhub-build-push-multi-arch.yml
-# Description: Multi arch build and push to Docker Hub
-# LICENSE: MIT License, Copyright (c) 2022 Volt Grid Pty Ltd t/a Panubo
-
-# - Multi arch build, amd64 and arm64
-# - Uses docker/metadata-action to generate image tags
-# - Push to dockerhub
-
-name: Docker Hub Build and Push (Multi-arch)
-
-env:
- REPO_NAME: panubo/sshd
-
-on:
- schedule:
- - cron: "0 0 * * 0"
- push:
- branches:
- - main
- tags:
- - 'v*'
-
-jobs:
- build_and_push:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v3
-
- - name: Docker meta
- id: meta
- uses: docker/metadata-action@v4
- with:
- # list of Docker images to use as base name for tags
- images: |
- docker.io/${{ env.REPO_NAME }}
- quay.io/${{ env.REPO_NAME }}
- # generate Docker tags based on the following events/attributes
- tags: |
- type=schedule,pattern=weekly
- type=raw,value=latest,enable={{is_default_branch}}
- type=semver,pattern={{version}}
- type=semver,pattern={{major}}.{{minor}}
-
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
-
- - name: Set up Docker Buildx
- id: buildx
- uses: docker/setup-buildx-action@v2
-
- - name: Login to Docker Hub
- if: github.event_name != 'pull_request'
- uses: docker/login-action@v2
- with:
- username: ${{ secrets.PANUBUILD_DOCKERHUB_USERNAME }}
- password: ${{ secrets.PANUBUILD_DOCKERHUB_TOKEN }}
-
- - name: Login to Quay.io
- if: github.event_name != 'pull_request'
- uses: docker/login-action@v2
- with:
- registry: quay.io
- username: ${{ secrets.PANUBUILD_QUAYIO_USERNAME }}
- password: ${{ secrets.PANUBUILD_QUAYIO_TOKEN }}
-
- - name: Build and Push
- uses: docker/build-push-action@v3
- with:
- builder: ${{ steps.buildx.outputs.name }}
- context: .
- file: Dockerfile - push: ${{ github.event_name != 'pull_request' }} - cache-from: type=gha - cache-to: type=gha,mode=max - platforms: linux/amd64,linux/arm64 - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} diff --git a/README.md b/README.md index ba5c1a7..8276592 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # SSHD -Minimal Alpine Linux Docker image with `sshd` exposed and `rsync` installed. +Minimal Alpine Linux Docker image with `sshd` exposed and `rsync` installed. The image is available on quay.io `quay.io/panubo/sshd` and AWS ECR Public `public.ecr.aws/panubo/sshd`. ## Environment Options @@ -98,7 +98,7 @@ It is strongly recommend to pre-hash passwords. Passwords that are not hashed ar To generate a hashed password use `mkpasswd` which is available in this image or use [https://trnubo.github.io/passwd.html](https://trnubo.github.io/passwd.html) to generate a hash in your browser. Example use of `mkpasswd` below. ``` -$ docker run --rm -it --entrypoint /usr/bin/env docker.io/panubo/sshd:1.4.0 mkpasswd +$ docker run --rm -it --entrypoint /usr/bin/env quay.io/panubo/sshd:1.6.0 mkpasswd Password: $6$w0ZvF/gERVgv08DI$PTq73dIcZLfMK/Kxlw7rWDvVcYvnWJuOWtxC7sXAYZL69CnItCS.QM.nTUyMzaT0aYjDBdbCH1hDiwbQE8/BY1 ``` @@ -111,7 +111,7 @@ docker run -ti -p 2222:22 \ -e SSH_USERS=user:1000:1000 \ -e SSH_ENABLE_PASSWORD_AUTH=true \ -v $(pwd)/entrypoint.d/:/etc/entrypoint.d/ \ - docker.io/panubo/sshd:1.4.0 + quay.io/panubo/sshd:1.6.0 ``` To enable password authentication on the root account, the previous `setpasswd.sh` script must also define a password for the root user, then @@ -121,7 +121,7 @@ the command will be: docker run -ti -p 2222:22 \ -e SSH_ENABLE_ROOT_PASSWORD_AUTH=true \ -v $(pwd)/entrypoint.d/:/etc/entrypoint.d/ \ - docker.io/panubo/sshd:1.3.0 + quay.io/panubo/sshd:1.6.0 ``` ## Usage Example 
@@ -138,7 +138,7 @@ docker run -ti -p 2222:22 \ -v $(pwd)/keys/:/etc/ssh/keys \ -v $(pwd)/data/:/data/ \ -e SSH_ENABLE_ROOT=true \ - docker.io/panubo/sshd:1.4.0 + quay.io/panubo/sshd:1.6.0 ``` Create a `www` user with gid/uid 48. You can access with `ssh www@localhost -p 2222` using your private key. @@ -149,7 +149,7 @@ docker run -ti -p 2222:22 \ -v $(pwd)/keys/:/etc/ssh/keys \ -v $(pwd)/data/:/data/ \ -e SSH_USERS="www:48:48" \ - docker.io/panubo/sshd:1.4.0 + quay.io/panubo/sshd:1.6.0 ``` ## Releases