interscript / interscript-api

API for interscript endpoint

Setup AWS CI to upload Docker image to ECR #23

Closed phuonghuynh closed 2 years ago

phuonghuynh commented 2 years ago

As titled, GHA cannot push the Docker image to ECR because of a missing AWS CI account, @ronaldtse

ronaldtse commented 2 years ago

These secrets are now available to this repo.

UPDATE: I've restricted the scope of these secrets to different repositories because we're using separate accounts in different repositories.

ronaldtse commented 2 years ago

We need to give extra permissions to the CI user for uploading lambda. Right now it's also set to the wrong AWS user... argh.

ronaldtse commented 2 years ago

Updated and trying.

ronaldtse commented 2 years ago

The credentials work, but it's failing due to ECR not accepting the image tag:

https://github.com/interscript/interscript-api/runs/3418121832?check_suite_focus=true

Successfully built d9f15fb6ccfd
Successfully tagged ***.dkr.ecr.us-east-1.amazonaws.com/interscript-api:v2.3.2-preview.4
invalid reference format

The same tag when pushed to GitHub's package repository works.

Successfully built d9b60475688d
Successfully tagged docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api:latest
Successfully tagged docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api:v2.3.2-preview.4
The push refers to repository [docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api]
...
9cf94819b0a1: Layer already exists
646f74fd1cd5: Pushed
latest: digest: sha256:d28002e6d2b91773312cb85f470572839137c925ee0646027b4ea43dcd46b644 size: 1793
The push refers to repository [docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api]

ronaldtse commented 2 years ago

@phuonghuynh I've tested locally to push to ECR using interscript-ci account and it works.

It seems you're debugging another workflow in infrastructure-lambda-api so I won't update the workflows here.

This works:

$ docker pull docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api:v2.3.2-preview.4
WARNING: ⚠️ Failed to pull manifest by the resolved digest. This registry does not
    appear to conform to the distribution registry specification; falling back to
    pull by tag.  This fallback is DEPRECATED, and will be removed in a future
    release.  Please contact admins of https://docker.pkg.github.com. ⚠️

v2.3.2-preview.4: Pulling from interscript/interscript-api/awslambda-interscript-api
e6bcf8dfcded: Pull complete 
53522ef4e44a: Pull complete 
f6836a75e146: Pull complete 
bb2e44738d79: Pull complete 
2e870ea6e409: Pull complete 
3e71b1876edb: Pull complete 
c316d7d5f2fb: Pull complete 
Digest: sha256:3b9e7eb28f3dcd00a25da9ad8b9a78bdfe53ef3a0eab4f82a2e52e2d6dd41488
Status: Downloaded newer image for docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api:v2.3.2-preview.4
docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api:v2.3.2-preview.4

$ aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 458282504429.dkr.ecr.us-east-1.amazonaws.com
WARNING! Your password will be stored unencrypted in /Users/me/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
$ docker tag docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api:v2.3.2-preview.4 458282504429.dkr.ecr.us-east-1.amazonaws.com/interscript-api:v2.3.2-preview.4

$ docker push 458282504429.dkr.ecr.us-east-1.amazonaws.com/interscript-api:v2.3.2-preview.4
The push refers to repository [458282504429.dkr.ecr.us-east-1.amazonaws.com/interscript-api]
646f74fd1cd5: Pushing [=====>                                             ]  12.75MB/121.7MB
86164a2aa57a: Pushing [==>                                                ]  8.596MB/150.2MB
096d4fb9b223: Pushing [=========================================>         ]  23.42MB/28.21MB
f6ae2f36d5d7: Layer already exists 
3ef382becb9b: Pushed 
9cf94819b0a1: Pushing [==================================================>]  456.7kB
35e2a1be67d7: Waiting 

phuonghuynh commented 2 years ago

Yes, I use a GHA event to trigger the -infra workflow for pull+push to ECR, so we don't need to set this up anymore. Closing now.