Registry identities for AWS ECR authentication #243
Open
crazy-max wants to merge 3 commits into
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
relates to #146
This adds a `registry-identities` input to the reusable `build.yml` and `bake.yml` workflows so callers can authenticate to registries through keyless identity metadata instead of passing static registry credentials. The first supported provider is AWS ECR through GitHub OIDC and `aws-actions/configure-aws-credentials`, followed by `docker/login-action` using ambient AWS credentials.

This introduces a shared `setup-registry-identities.yml` reusable workflow that parses the YAML input before build work starts. The build and bake workflows call that parser, configure AWS credentials when an `aws-ecr` identity is present, and then run a separate `docker/login-action` step with generated ECR `registry-auth` entries. Existing `registry-auths` secrets continue to work through a separate login step, so secret-based auth and identity-based auth are not merged into the same YAML payload.

The `aws-ecr` identity currently accepts one registry identity with `aws-region`, `role-to-assume`, and `registry`. Callers pass the exact ECR registry server that should be used for Docker login, such as `175142243308.dkr.ecr.us-east-2.amazonaws.com` for private ECR or `public.ecr.aws` for public ECR.

The goal is to let callers move AWS ECR authentication away from long-lived static credentials while keeping the provider-specific auth steps pinned and controlled inside GitHub Builder.
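The description above says the identity input is parsed before any build work starts and that secret-based and identity-based auth stay separate. The following is an added example of the checks such a parser step should enforce before a role is assumed; it is not code from this PR or from GitHub Builder. Everything about the input shape is an assumption: a mapping keyed by provider (only `aws-ecr`) whose value carries `aws-region`, `role-to-assume` and `registry`. The input is read with `json.loads` (the JSON subset of YAML) so the example needs only the standard library; a real workflow step would use a YAML loader. The hostname and ARN patterns, the rejection of credential-looking keys, and the rule that `public.ecr.aws` must be paired with `us-east-1` (where the ECR Public auth API is served) are the editor's choices, not something the PR states.

```python
"""Pre-build validation of a `registry-identities` input (added illustration,
not project code). Shape assumed: {"aws-ecr": {"aws-region", "role-to-assume",
"registry"}}. Fails closed before any AWS role is assumed."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Host/ARN shapes below are assumptions modelled on public AWS naming.
PRIVATE_ECR_RE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr(?:-fips)?\."
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)\.amazonaws\.com$"
)
PUBLIC_ECR_HOST = "public.ecr.aws"
PUBLIC_ECR_REGION = "us-east-1"  # ECR Public auth API lives only here (assumption)
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")
REGION_RE = re.compile(r"^[a-z]{2}(?:-gov)?-[a-z]+-\d$")
REQUIRED_KEYS = frozenset({"aws-region", "role-to-assume", "registry"})
SUPPORTED_PROVIDERS = frozenset({"aws-ecr"})


class RegistryIdentityError(ValueError):
    """Malformed or internally inconsistent identity input."""


@dataclass(frozen=True)
class EcrIdentity:
    aws_region: str
    role_to_assume: str
    registry: str
    public: bool


def parse_registry_identities(raw: str) -> Optional[EcrIdentity]:
    """Return the single aws-ecr identity, None if the input is absent,
    or raise RegistryIdentityError. Only metadata is accepted: any key
    beyond the three required ones (e.g. a password) is rejected, so
    secrets cannot leak into the identity payload."""
    doc = json.loads(raw) if raw.strip() else None
    if doc is None:
        return None  # input omitted: identity login is skipped entirely
    if not isinstance(doc, dict):
        raise RegistryIdentityError("registry-identities must be a mapping keyed by provider")
    unknown = sorted(set(doc) - SUPPORTED_PROVIDERS)
    if unknown:
        raise RegistryIdentityError(f"unsupported identity provider(s): {unknown}")
    ecr = doc.get("aws-ecr")
    if ecr is None:
        return None
    if not isinstance(ecr, dict):
        raise RegistryIdentityError("aws-ecr accepts exactly one identity mapping, not a list")
    keys = set(ecr)
    if keys != REQUIRED_KEYS:
        missing, extra = sorted(REQUIRED_KEYS - keys), sorted(keys - REQUIRED_KEYS)
        raise RegistryIdentityError(f"aws-ecr: missing {missing}, unexpected {extra}")
    for k in REQUIRED_KEYS:
        if not isinstance(ecr[k], str) or not ecr[k].strip():
            raise RegistryIdentityError(f"aws-ecr.{k} must be a non-empty string")
    region, role, registry = ecr["aws-region"], ecr["role-to-assume"], ecr["registry"]
    if not REGION_RE.fullmatch(region):
        raise RegistryIdentityError(f"aws-ecr.aws-region {region!r} is not an AWS region name")
    if not ROLE_ARN_RE.fullmatch(role):
        raise RegistryIdentityError("aws-ecr.role-to-assume must be an IAM role ARN")
    if registry == PUBLIC_ECR_HOST:
        if region != PUBLIC_ECR_REGION:
            raise RegistryIdentityError(f"{PUBLIC_ECR_HOST} requires aws-region {PUBLIC_ECR_REGION}")
        return EcrIdentity(region, role, registry, public=True)
    m = PRIVATE_ECR_RE.fullmatch(registry)
    if not m:
        # Rejects schemes, paths, ports and non-ECR hosts: login must target
        # exactly the registry the assumed role was scoped for.
        raise RegistryIdentityError(f"aws-ecr.registry {registry!r} is not a bare ECR host")
    if m["region"] != region:
        # ECR auth tokens are regional; a mismatch means the login would hit a
        # registry the configured credentials were not obtained for.
        raise RegistryIdentityError(
            f"registry region {m['region']} does not match aws-region {region}"
        )
    return EcrIdentity(region, role, registry, public=False)


def check(raw: str) -> Optional[str]:
    """None when acceptable, otherwise the reason; suited to a parser step
    whose job is to fail the job before credentials are configured."""
    try:
        parse_registry_identities(raw)
    except (RegistryIdentityError, json.JSONDecodeError) as exc:
        return str(exc)
    return None
```

Run the parser in the pre-build step and let any non-`None` result from `check` fail the workflow; only after it passes should the `configure-aws-credentials` and `login-action` steps run with the validated `aws-region`, `role-to-assume` and `registry` values.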