Skip to content

ECR Login Token Refresh #2530

ECR Login Token Refresh

ECR Login Token Refresh #2530

Workflow file for this run

name: ECR Login Token Refresh
on:
workflow_dispatch:
# Every 6 hours, the password validity is 12 hours
schedule:
- cron: '0 */6 * * *'
permissions:
id-token: write
contents: read
jobs:
login:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Configure AWS Credentials
id: acquire-credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-gov-west-1
role-to-assume: ${{ secrets.AWS_ROLE }}
output-credentials: true
- name: retrieve ecr password and store as secret
if: steps.acquire-credentials.outcome == 'success'
run: |
sudo apt install python3-venv
python3 -m venv .venv
source .venv/bin/activate
pip install -r .github/workflows/requirements.txt
python .github/workflows/ecr_password_updater.py
env:
AWS_ACCESS_KEY_ID: ${{ steps.acquire-credentials.outputs.aws-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.acquire-credentials.outputs.aws-secret-access-key }}
AWS_DEFAULT_REGION: us-gov-west-1
GH_API_ACCESS_TOKEN: ${{ secrets.GH_API_ACCESS_TOKEN }}
# This 'test' job is useful for fast debugging
test:
needs: login
runs-on: ubuntu-latest
timeout-minutes: 1
container:
image: 065403089830.dkr.ecr.us-gov-west-1.amazonaws.com/gaimg-ruby:2.7.3-ga-browsers
credentials:
username: AWS
# Here is the password retrieved as a secret that is set by the `login` job
password: ${{ secrets.VAEC_ECR_PASSWORD }}
steps:
- run: echo "Inside a container pulled from ECR!!"