Skip to content

chore(deps): lock file maintenance (#2047) #1290

chore(deps): lock file maintenance (#2047)

chore(deps): lock file maintenance (#2047) #1290

name: Build and push container
on:
push:
branches:
- main
paths:
- ".dockerignore"
- ".github/workflows/build_push_container.yml"
- "wordpress/**"
release:
types:
- created
env:
AWS_REGION: ca-central-1
DOCKER_BUILDKIT: 1
REPO_NAME: platform/wordpress
STAGING_ECR_REGISTRY: 729164266357.dkr.ecr.ca-central-1.amazonaws.com
permissions:
id-token: write
contents: read
jobs:
build-push-container:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
env:
ROLE_NAME: ${{ github.ref == 'refs/heads/main' && 'gc-articles-apply' || 'gc-articles-ecr-tag-release' }}
with:
role-to-assume: arn:aws:iam::729164266357:role/${{ env.ROLE_NAME }}
role-session-name: ECRPush
aws-region: ${{ env.AWS_REGION }}
- name: Login to ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
- name: Docker image tag
run: |
if [[ $GITHUB_EVENT_NAME == "release" ]]; then
echo "IMAGE_TAG=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
else
echo "IMAGE_TAG=sha-${GITHUB_SHA}" >> $GITHUB_ENV
fi
- name: Add Composer auth credentials
run: |
cd wordpress
composer config github-oauth.github.com ${{ secrets.COMPOSER_GITHUB_TOKEN }}
composer config http-basic.my.yoast.com token ${{ secrets.COMPOSER_YOAST_TOKEN }}
- name: Build container
run: |
docker build \
--build-arg git_sha="$GITHUB_SHA" \
--build-arg WPML_USER_ID="${{ secrets.WPML_USER_ID }}" \
--build-arg WPML_KEY="${{ secrets.WPML_KEY }}" \
-t "${{ env.STAGING_ECR_REGISTRY }}/${{ env.REPO_NAME }}:${{ env.IMAGE_TAG }}" \
-f ./wordpress/docker/Dockerfile .
- name: Push containers to ECR
run: |
docker push ${{ env.STAGING_ECR_REGISTRY }}/${{ env.REPO_NAME }}:${{ env.IMAGE_TAG }}
- name: Docker generate SBOM
uses: cds-snc/security-tools/.github/actions/generate-sbom@34794baf2af592913bb5b51d8df4f8d0acc49b6f # v3.2.0
env:
TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
with:
docker_image: "${{ env.STAGING_ECR_REGISTRY }}/${{ env.REPO_NAME }}:${{ env.IMAGE_TAG }}"
dockerfile_path: "wordpress/docker/Dockerfile"
sbom_name: "wordpress"
token: "${{ secrets.GITHUB_TOKEN }}"
- name: Logout of ECR
if: always()
run: docker logout ${{ steps.login-ecr.outputs.registry }}