From c4d82a41c36781dc7e2ed165852627d63df872ff Mon Sep 17 00:00:00 2001 From: Dima Ryazanov Date: Thu, 1 Feb 2024 22:44:28 -0800 Subject: [PATCH] test ecr --- .github/workflows/deploy-lambdas.yml | 62 +++++++++++++++++++++------- lambdas/upload_ecr.sh | 28 +++++++++++++ 2 files changed, 74 insertions(+), 16 deletions(-) create mode 100755 lambdas/upload_ecr.sh diff --git a/.github/workflows/deploy-lambdas.yml b/.github/workflows/deploy-lambdas.yml index 6736bb5c59e..61e389c10c4 100644 --- a/.github/workflows/deploy-lambdas.yml +++ b/.github/workflows/deploy-lambdas.yml @@ -4,6 +4,9 @@ on: push: branches: - ci_deploy_lambdas + paths: +# - '.github/workflows/deploy-lambdas.yml' + - 'lambdas/**' jobs: deploy-lambda-s3: @@ -30,19 +33,19 @@ jobs: - uses: actions/checkout@v4 - name: Build zip run: | - BUILDER_IMAGE=quiltdata/lambda:build-3.8 + BUILDER_IMAGE=quiltdata/lambda:build-3.8 - docker pull "$BUILDER_IMAGE" + docker pull "$BUILDER_IMAGE" - touch ./out.zip + touch ./out.zip - docker run --rm \ - --entrypoint /build_zip.sh \ - -v "$PWD/lambdas/${{ matrix.path }}":/lambda/function:z \ - -v "$PWD/lambdas/shared":/lambda/shared:z \ - -v "$PWD/out.zip":/out.zip:z \ - -v "$PWD/lambdas/build_zip.sh":/build_zip.sh:z \ - "$BUILDER_IMAGE" + docker run --rm \ + --entrypoint /build_zip.sh \ + -v "$PWD/lambdas/${{ matrix.path }}":/lambda/function:z \ + -v "$PWD/lambdas/shared":/lambda/shared:z \ + -v "$PWD/out.zip":/out.zip:z \ + -v "$PWD/lambdas/build_zip.sh":/build_zip.sh:z \ + "$BUILDER_IMAGE" - name: Configure AWS credentials from Prod account uses: aws-actions/configure-aws-credentials@v4 with: 
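Review bot: In the `on.push.paths` hunk the workflow's own path is left commented out, so a push that changes only `.github/workflows/deploy-lambdas.yml` (for example a role ARN or the `permissions` block) does not run the workflow, and that change goes unexercised until something under `lambdas/` changes. Either enable the entry or delete the commented line. If the exclusion is deliberate, a comment such as `# workflow-only changes intentionally do not trigger a deploy` would record why.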
@@ -50,8 +53,8 @@ jobs: aws-region: us-east-1 - name: Upload zips to Prod S3 run: | - s3_key="$(basename ${{ matrix.path }})/${{ github.sha }}.zip" - ./lambdas/upload_zip.sh ./out.zip "$AWS_REGION" "$s3_key" + s3_key="$(basename ${{ matrix.path }})/${{ github.sha }}.zip" + ./lambdas/upload_zip.sh ./out.zip "$AWS_REGION" "$s3_key" - name: Configure AWS credentials from GovCloud account uses: aws-actions/configure-aws-credentials@v4 with: 
@@ -59,18 +62,45 @@ jobs: aws-region: us-gov-east-1 - name: Upload zips to GovCloud S3 run: | - s3_key="$(basename ${{ matrix.path }})/${{ github.sha }}.zip" - ./lambdas/upload_zip.sh ./out.zip "$AWS_REGION" "$s3_key" + s3_key="$(basename ${{ matrix.path }})/${{ github.sha }}.zip" + ./lambdas/upload_zip.sh ./out.zip "$AWS_REGION" "$s3_key" deploy-lambda-ecr: strategy: matrix: path: - molecule - - thumbnail +# - thumbnail runs-on: ubuntu-latest + # These permissions are needed to interact with GitHub's OIDC Token endpoint. + permissions: + id-token: write + contents: read steps: - uses: actions/checkout@v4 - name: Build Docker image + working-directory: ./lambdas/${{ matrix.path }} run: | - echo TODO + image_name=quiltdata/lambdas/${{ matrix.path }}:${{ github.sha }} + docker buildx build --pull --platform=linux/amd64 -t "$image_name" -f Dockerfile .. + - name: Configure AWS credentials from Prod account + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::730278974607:role/github/GitHub-Quilt + aws-region: us-east-1 + - name: Login to Prod ECR + id: login-prod-ecr + uses: aws-actions/amazon-ecr-login@v2 + - name: Push Docker image to Prod ECR + run: ./lambdas/upload_ecr.sh 730278974607 quiltdata/lambdas/${{ matrix.path }}:${{ github.sha }} + - name: Configure AWS credentials from GovCloud account + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws-us-gov:iam::313325871032:role/github/GitHub-Quilt + aws-region: us-gov-east-1 + - name: Login to GovCloud ECR + id: login-govcloud-ecr + uses: aws-actions/amazon-ecr-login@v2 + - name: Push Docker image to GovCloud ECR + run: ./lambdas/upload_ecr.sh 313325871032 quiltdata/lambdas/${{ matrix.path }}:${{ github.sha }} + diff --git a/lambdas/upload_ecr.sh b/lambdas/upload_ecr.sh new file mode 100755 index 00000000000..ab8f42f3831 --- /dev/null +++ b/lambdas/upload_ecr.sh 
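Review bot: The `deploy-lambda-ecr` job grants `id-token: write` and assumes the Prod and GovCloud roles, yet the actions that handle those credentials are referenced by mutable tags (`aws-actions/configure-aws-credentials@v4`, `aws-actions/amazon-ecr-login@v2`); pinning each to a full commit SHA, e.g. `uses: aws-actions/amazon-ecr-login@<full-commit-sha>  # v2`, keeps a retagged release from running with deploy credentials. The two `amazon-ecr-login` steps also look redundant, since their `id`s are never referenced and `upload_ecr.sh` runs its own `docker login` per region, so they could be dropped. The role trust policies are not visible here; presumably they restrict the OIDC `sub` claim to this repository and branch, which is worth confirming before this leaves the test branch.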
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+error() {
+ echo $@ 2>&1
+ exit 1
+}
+
+[[ $# == 2 ]] || error "Usage: $0 account_id image_name"
+
+account_id=$1
+image_name=$2
+
+regions=$(aws ec2 describe-regions --query "Regions[].{Name:RegionName}" --output text)
+
+for region in $regions
+do
+ docker_url=$account_id.dkr.ecr.$region.amazonaws.com
+ echo "Logging in to $docker_url..."
+ aws ecr get-login-password --region $region | docker login -u AWS --password-stdin "$docker_url"
+
+ echo "Pushing to $region..."
+ remote_image_name="$docker_url/$image_name"
+ docker tag "$image_name" "$remote_image_name"
+ docker push "$remote_image_name"
+done
+
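Review bot: `error()` prints its message to stdout, because `2>&1` redirects stderr into stdout rather than the reverse, and `$@` is unquoted; `echo "$@" >&2` is what the usage check needs. With only `set -e`, a failure of `aws ecr get-login-password` on the left of the pipe is not what stops the script; `set -euo pipefail` makes that failure explicit and also catches unset variables. `account_id` goes into the registry hostname unchecked, so a guard such as `[[ $account_id =~ ^[0-9]{12}$ ]] || error "invalid account id"` would reject a mistyped argument before any login is attempted. The loop also pushes to every region returned by `aws ec2 describe-regions`, which requires the deploy role to hold ECR push rights (and an existing repository) in all of them; an explicit region list would keep that scope narrower.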