Closed phuonghuynh closed 2 years ago
These secrets are now available to this repo.
UPDATE: I've restricted the scope of these secrets to different repositories because we're using separate accounts in different repositories.
We need to give extra permissions to the CI user for uploading lambda. Right now it's also set to the wrong AWS user... argh.
Updated and trying.
The credentials work, but it's failing due to ECR not accepting the image tag:
https://github.com/interscript/interscript-api/runs/3418121832?check_suite_focus=true
Successfully built d9f15fb6ccfd
Successfully tagged ***.dkr.ecr.us-east-1.amazonaws.com/interscript-api:v2.3.2-preview.4
invalid reference format
The same tag when pushed to GitHub's package repository works.
Successfully built d9b60475688d
Successfully tagged docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api:latest
Successfully tagged docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api:v2.3.2-preview.4
The push refers to repository [docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api]
...
9cf94819b0a1: Layer already exists
646f74fd1cd5: Pushed
latest: digest: sha256:d28002e6d2b91773312cb85f470572839137c925ee0646027b4ea43dcd46b644 size: 1793
The push refers to repository [docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api]
@phuonghuynh I've tested locally to push to ECR using interscript-ci account and it works.
It seems you're debugging another workflow in infrastructure-lambda-api so I won't update the workflows here.
This works:
$ docker pull docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api:v2.3.2-preview.4
WARNING: ⚠️ Failed to pull manifest by the resolved digest. This registry does not
appear to conform to the distribution registry specification; falling back to
pull by tag. This fallback is DEPRECATED, and will be removed in a future
release. Please contact admins of https://docker.pkg.github.com. ⚠️
v2.3.2-preview.4: Pulling from interscript/interscript-api/awslambda-interscript-api
e6bcf8dfcded: Pull complete
53522ef4e44a: Pull complete
f6836a75e146: Pull complete
bb2e44738d79: Pull complete
2e870ea6e409: Pull complete
3e71b1876edb: Pull complete
c316d7d5f2fb: Pull complete
Digest: sha256:3b9e7eb28f3dcd00a25da9ad8b9a78bdfe53ef3a0eab4f82a2e52e2d6dd41488
Status: Downloaded newer image for docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api:v2.3.2-preview.4
docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api:v2.3.2-preview.4
$ aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 458282504429.dkr.ecr.us-east-1.amazonaws.com
WARNING! Your password will be stored unencrypted in /Users/me/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ docker tag docker.pkg.github.com/interscript/interscript-api/awslambda-interscript-api:v2.3.2-preview.4 458282504429.dkr.ecr.us-east-1.amazonaws.com/interscript-api:v2.3.2-preview.4
$ docker push 458282504429.dkr.ecr.us-east-1.amazonaws.com/interscript-api:v2.3.2-preview.4
The push refers to repository [458282504429.dkr.ecr.us-east-1.amazonaws.com/interscript-api]
646f74fd1cd5: Pushing [=====> ] 12.75MB/121.7MB
86164a2aa57a: Pushing [==> ] 8.596MB/150.2MB
096d4fb9b223: Pushing [=========================================> ] 23.42MB/28.21MB
f6ae2f36d5d7: Layer already exists
3ef382becb9b: Pushed
9cf94819b0a1: Pushing [==================================================>] 456.7kB
35e2a1be67d7: Waiting
Yes, I use GHA event to trigger -infra workflow for pull+push to ECR, so we dont need to set up this anymore. Close now
As titled, GHA can not push Docker image to ECR because of missing AWS CI account, @ronaldtse