docker/login-action
1
0
Fork 0
mirror of https://github.com/docker/login-action.git synced 2025-03-25 16:20:05 +01:00
Code Activity

Merge a98cecd3e7 into 327cd5a69d

Browse source
This commit is contained in:
Helen 2025-02-28 16:42:17 +00:00 committed by GitHub
commit eb5fa3810a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 213 additions and 62 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
README.md
View file

@ -352,6 +352,30 @@ jobs:
> Only available with [AWS CLI version 1](https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login.html)
You can use the environment variable `AWS_REGIONS` to set multiple regions account ids in `AWS_ACCOUNT_IDS`.
```yaml
name: ci
on:
push:
branches: main
jobs:
login:
runs-on: ubuntu-latest
steps:
-
name: Login to ECR
uses: docker/login-action@v3
with:
registry: <aws-account-number>.dkr.ecr.<region>.amazonaws.com
username: ${{ vars.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
env:
AWS_REGIONS: us-west-2,us-east-1,eu-central-1
```
You can also use the [Configure AWS Credentials](https://github.com/aws-actions/configure-aws-credentials)
action in combination with this action:

167
__tests__/aws.test.ts
View file

@ -29,14 +29,21 @@ describe('isPubECR', () => {
});
});
describe('getRegion', () => {
describe('getRegions', () => {
test.each([
['012345678901.dkr.ecr.eu-west-3.amazonaws.com', 'eu-west-3'],
['876820548815.dkr.ecr.cn-north-1.amazonaws.com.cn', 'cn-north-1'],
['390948362332.dkr.ecr.cn-northwest-1.amazonaws.com.cn', 'cn-northwest-1'],
['public.ecr.aws', 'us-east-1']
])('given registry %p', async (registry, expected) => {
expect(aws.getRegion(registry)).toEqual(expected);
['012345678901.dkr.ecr.eu-west-3.amazonaws.com', undefined, ['eu-west-3']],
['876820548815.dkr.ecr.cn-north-1.amazonaws.com.cn', undefined, ['cn-north-1']],
['390948362332.dkr.ecr.cn-northwest-1.amazonaws.com.cn', undefined, ['cn-northwest-1']],
['public.ecr.aws', undefined, ['us-east-1']],
['012345678901.dkr.ecr.eu-west-3.amazonaws.com', 'us-west-1,us-east-1', ['eu-west-3', 'us-west-1', 'us-east-1']],
['012345678901.dkr.ecr.eu-west-3.amazonaws.com', 'us-west-1,eu-west-3,us-east-1', ['eu-west-3', 'us-west-1', 'us-east-1']],
['', 'us-west-1,us-east-1', ['us-west-1', 'us-east-1']],
['', 'us-west-1,us-east-1,us-east-1', ['us-west-1', 'us-east-1']]
])('given registry %p', async (registry, regionsEnv, expected) => {
if (regionsEnv) {
process.env.AWS_REGIONS = regionsEnv;
}
expect(aws.getRegions(registry)).toEqual(expected);
});
});
@ -76,12 +83,13 @@ describe('getRegistriesData', () => {
beforeEach(() => {
jest.clearAllMocks();
delete process.env.AWS_ACCOUNT_IDS;
delete process.env.AWS_REGIONS;
});
// prettier-ignore
test.each([
[
'012345678901.dkr.ecr.aws-region-1.amazonaws.com',
'dkr.ecr.aws-region-1.amazonaws.com', undefined,
'dkr.ecr.aws-region-1.amazonaws.com', undefined, undefined,
[
{
registry: '012345678901.dkr.ecr.aws-region-1.amazonaws.com',
@ -94,6 +102,7 @@ describe('getRegistriesData', () => {
'012345678901.dkr.ecr.eu-west-3.amazonaws.com',
'dkr.ecr.eu-west-3.amazonaws.com',
'012345678910,023456789012',
undefined,
[
{
registry: '012345678901.dkr.ecr.eu-west-3.amazonaws.com',
@ -116,6 +125,7 @@ describe('getRegistriesData', () => {
'public.ecr.aws',
undefined,
undefined,
undefined,
[
{
registry: 'public.ecr.aws',
@ -123,34 +133,129 @@ describe('getRegistriesData', () => {
password: 'world'
}
]
],
[
'012345678901.dkr.ecr.eu-west-3.amazonaws.com',
undefined,
undefined,
'us-west-1,us-east-3',
[
{
registry: '012345678901.dkr.ecr.eu-west-3.amazonaws.com',
username: '012345678901',
password: 'world'
},
{
registry: '012345678901.dkr.ecr.us-west-1.amazonaws.com',
username: '012345678901',
password: 'world'
},
{
registry: '012345678901.dkr.ecr.us-east-3.amazonaws.com',
username: '012345678901',
password: 'world'
}
],
],
[
'012345678901.dkr.ecr.eu-west-3.amazonaws.com',
undefined,
'023456789012',
'us-west-1,us-east-3',
[
{
registry: '012345678901.dkr.ecr.eu-west-3.amazonaws.com',
username: '012345678901',
password: 'world'
},
{
registry: '023456789012.dkr.ecr.eu-west-3.amazonaws.com',
username: '023456789012',
password: 'world'
},
{
registry: '012345678901.dkr.ecr.us-west-1.amazonaws.com',
username: '012345678901',
password: 'world'
},
{
registry: '023456789012.dkr.ecr.us-west-1.amazonaws.com',
username: '023456789012',
password: 'world'
},
{
registry: '012345678901.dkr.ecr.us-east-3.amazonaws.com',
username: '012345678901',
password: 'world'
},
{
registry: '023456789012.dkr.ecr.us-east-3.amazonaws.com',
username: '023456789012',
password: 'world'
}
]
],
[
'',
undefined,
'012345678901,023456789012',
'us-west-1,us-east-3',
[
{
registry: '012345678901.dkr.ecr.us-west-1.amazonaws.com',
username: '012345678901',
password: 'world'
},
{
registry: '023456789012.dkr.ecr.us-west-1.amazonaws.com',
username: '023456789012',
password: 'world'
},
{
registry: '012345678901.dkr.ecr.us-east-3.amazonaws.com',
username: '012345678901',
password: 'world'
},
{
registry: '023456789012.dkr.ecr.us-east-3.amazonaws.com',
username: '023456789012',
password: 'world'
}
]
]
])('given registry %p', async (registry, fqdn, accountIDsEnv, expected: aws.RegistryData[]) => {
])('given registry %p', async (registry, fqdn, accountIDsEnv, regionsEnv, expected: aws.RegistryData[]) => {
if (accountIDsEnv) {
process.env.AWS_ACCOUNT_IDS = accountIDsEnv;
}
const accountIDs = aws.getAccountIDs(registry);
const authData: AuthorizationData[] = [];
if (accountIDs.length == 0) {
mockEcrPublicGetAuthToken.mockImplementation(() => {
return Promise.resolve({
authorizationData: {
authorizationToken: Buffer.from(`AWS:world`).toString('base64'),
}
});
});
} else {
aws.getAccountIDs(registry).forEach(accountID => {
authData.push({
authorizationToken: Buffer.from(`${accountID}:world`).toString('base64'),
proxyEndpoint: `${accountID}.${fqdn}`
});
});
mockEcrGetAuthToken.mockImplementation(() => {
return Promise.resolve({
authorizationData: authData
});
});
if (regionsEnv) {
process.env.AWS_REGIONS = regionsEnv;
}
const accountIDs = aws.getAccountIDs(registry);
const regions = aws.getRegions(registry);
const authDataByRegion: AuthorizationData[][] = [];
if (accountIDs.length == 0) {
mockEcrPublicGetAuthToken.mockImplementation(() => ({
authorizationData: {
authorizationToken: Buffer.from(`AWS:world`).toString('base64'),
}
}));
} else {
regions.forEach(region => {
const regionAuthData = accountIDs.map(accountID => ({
authorizationToken: Buffer.from(`${accountID}:world`).toString('base64'),
proxyEndpoint: `${accountID}.dkr.ecr.${region}.amazonaws.com`
}));
authDataByRegion.push(regionAuthData);
});
mockEcrGetAuthToken.mockImplementation(() => {
const regionAuthData = authDataByRegion.shift();
return { authorizationData: regionAuthData };
});
}
const regData = await aws.getRegistriesData(registry);
expect(regData).toEqual(expected);
});

2
dist/index.js generated vendored
View file

File diff suppressed because one or more lines are too long

2
dist/index.js.map generated vendored
View file

File diff suppressed because one or more lines are too long

80
src/aws.ts
View file

@ -15,23 +15,39 @@ export const isPubECR = (registry: string): boolean => {
return registry === 'public.ecr.aws';
};
export const getRegion = (registry: string): string => {
export const getRegions = (registry: string): string[] => {
if (isPubECR(registry)) {
return process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION || 'us-east-1';
return [process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION || 'us-east-1'];
}
const matches = registry.match(ecrRegistryRegex);
if (!matches) {
return '';
if (process.env.AWS_REGIONS) {
const regions: Array<string> = [...process.env.AWS_REGIONS.split(',')];
return regions.filter((item, index) => regions.indexOf(item) === index);
}
return [];
}
return matches[3];
const regions: Array<string> = [matches[3]];
if (process.env.AWS_REGIONS) {
regions.push(...process.env.AWS_REGIONS.split(','));
}
return regions.filter((item, index) => regions.indexOf(item) === index);
};
export const getAccountIDs = (registry: string): string[] => {
if (isPubECR(registry)) {
return [];
}
const matches = registry.match(ecrRegistryRegex);
if (!matches) {
if (process.env.AWS_ACCOUNT_IDS) {
const accountIDs: Array<string> = [...process.env.AWS_ACCOUNT_IDS.split(',')];
return accountIDs.filter((item, index) => accountIDs.indexOf(item) === index);
}
return [];
}
const accountIDs: Array<string> = [matches[2]];
@ -48,7 +64,7 @@ export interface RegistryData {
}
export const getRegistriesData = async (registry: string, username?: string, password?: string): Promise<RegistryData[]> => {
const region = getRegion(registry);
const regions = getRegions(registry);
const accountIDs = getAccountIDs(registry);
const authTokenRequest = {};
@ -80,11 +96,11 @@ export const getRegistriesData = async (registry: string, username?: string, pas
: undefined;
if (isPubECR(registry)) {
core.info(`AWS Public ECR detected with ${region} region`);
core.info(`AWS Public ECR detected with region ${regions[0]}`);
const ecrPublic = new ECRPUBLIC({
customUserAgent: 'docker-login-action',
credentials,
region: region,
region: regions[0],
requestHandler: new NodeHttpHandler({
httpAgent: httpProxyAgent,
httpsAgent: httpsProxyAgent
@ -106,31 +122,37 @@ export const getRegistriesData = async (registry: string, username?: string, pas
}
];
} else {
core.info(`AWS ECR detected with ${region} region`);
const ecr = new ECR({
customUserAgent: 'docker-login-action',
credentials,
region: region,
requestHandler: new NodeHttpHandler({
httpAgent: httpProxyAgent,
httpsAgent: httpsProxyAgent
})
});
const authTokenResponse = await ecr.getAuthorizationToken(authTokenRequest);
if (!Array.isArray(authTokenResponse.authorizationData) || !authTokenResponse.authorizationData.length) {
throw new Error('Could not retrieve an authorization token from AWS ECR');
if (regions.length > 1) {
core.info(`AWS ECR detected with regions ${regions}`);
} else {
core.info(`AWS ECR detected with region ${regions[0]}`);
}
const regDatas: RegistryData[] = [];
for (const authData of authTokenResponse.authorizationData) {
const authToken = Buffer.from(authData.authorizationToken || '', 'base64').toString('utf-8');
const creds = authToken.split(':', 2);
core.setSecret(creds[0]); // redacted in workflow logs
core.setSecret(creds[1]); // redacted in workflow logs
regDatas.push({
registry: authData.proxyEndpoint || '',
username: creds[0],
password: creds[1]
for (const region of regions) {
const ecr = new ECR({
customUserAgent: 'docker-login-action',
credentials,
region: region,
requestHandler: new NodeHttpHandler({
httpAgent: httpProxyAgent,
httpsAgent: httpsProxyAgent
})
});
const authTokenResponse = await ecr.getAuthorizationToken(authTokenRequest);
if (!Array.isArray(authTokenResponse.authorizationData) || !authTokenResponse.authorizationData.length) {
throw new Error('Could not retrieve an authorization token from AWS ECR');
}
for (const authData of authTokenResponse.authorizationData) {
const authToken = Buffer.from(authData.authorizationToken || '', 'base64').toString('utf-8');
const creds = authToken.split(':', 2);
core.setSecret(creds[0]); // redacted in workflow logs
core.setSecret(creds[1]); // redacted in workflow logs
regDatas.push({
registry: authData.proxyEndpoint || '',
username: creds[0],
password: creds[1]
});
}
}
return regDatas;
}