mirror of
https://github.com/docker/login-action.git
synced 2025-04-27 17:16:35 +02:00
ecr: switch implementation to use the AWS SDK
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
This commit is contained in:
CrazyMax
parent
b776a64ec0
commit
faae4d6665
9 changed files with 39554 additions and 3343 deletions
100
src/aws.ts
100
src/aws.ts
|
|
@ -1,6 +1,5 @@
|
|||
import * as semver from 'semver';
|
||||
import * as exec from '@actions/exec';
|
||||
import * as io from '@actions/io';
|
||||
import * as core from '@actions/core';
|
||||
import * as aws from 'aws-sdk';
|
||||
|
||||
const ecrRegistryRegex = /^(([0-9]{12})\.dkr\.ecr\.(.+)\.amazonaws\.com(.cn)?)(\/([^:]+)(:.+)?)?$/;
|
||||
|
||||
|
|
@ -38,48 +37,65 @@ export const getAccountIDs = (registry: string): string[] => {
|
|||
return accountIDs.filter((item, index) => accountIDs.indexOf(item) === index);
|
||||
};
|
||||
|
||||
export const getCLI = async (): Promise<string> => {
|
||||
return io.which('aws', true);
|
||||
};
|
||||
export interface RegistryData {
|
||||
registry: string;
|
||||
username: string;
|
||||
password: string;
|
||||
}
|
||||
|
||||
export const execCLI = async (args: string[]): Promise<string> => {
|
||||
return exec
|
||||
.getExecOutput(await getCLI(), args, {
|
||||
ignoreReturnCode: true,
|
||||
silent: true
|
||||
})
|
||||
.then(res => {
|
||||
if (res.stderr.length > 0 && res.exitCode != 0) {
|
||||
throw new Error(res.stderr.trim());
|
||||
} else if (res.stderr.length > 0) {
|
||||
return res.stderr.trim();
|
||||
} else {
|
||||
return res.stdout.trim();
|
||||
export const getRegistriesData = async (registry: string, username?: string, password?: string): Promise<RegistryData[]> => {
|
||||
const region = getRegion(registry);
|
||||
const accountIDs = getAccountIDs(registry);
|
||||
|
||||
const authTokenRequest = {};
|
||||
if (accountIDs.length > 0) {
|
||||
core.debug(`Requesting AWS ECR auth token for ${accountIDs.join(', ')}`);
|
||||
authTokenRequest['registryIds'] = accountIDs;
|
||||
}
|
||||
|
||||
if (isPubECR(registry)) {
|
||||
core.info(`AWS Public ECR detected with ${region} region`);
|
||||
const ecrPublic = new aws.ECRPUBLIC({
|
||||
customUserAgent: 'docker-login-action',
|
||||
accessKeyId: username || process.env.AWS_ACCESS_KEY_ID || '',
|
||||
secretAccessKey: password || process.env.AWS_SECRET_ACCESS_KEY || '',
|
||||
region: region
|
||||
});
|
||||
const authTokenResponse = await ecrPublic.getAuthorizationToken(authTokenRequest).promise();
|
||||
if (!authTokenResponse.authorizationData || !authTokenResponse.authorizationData.authorizationToken) {
|
||||
throw new Error('Could not retrieve an authorization token from AWS Public ECR');
|
||||
}
|
||||
const authToken = Buffer.from(authTokenResponse.authorizationData.authorizationToken, 'base64').toString('utf-8');
|
||||
const creds = authToken.split(':', 2);
|
||||
return [
|
||||
{
|
||||
registry: 'public.ecr.aws',
|
||||
username: creds[0],
|
||||
password: creds[1]
|
||||
}
|
||||
});
|
||||
};
|
||||
|
||||
export const getCLIVersion = async (): Promise<string> => {
|
||||
return parseCLIVersion(await execCLI(['--version']));
|
||||
};
|
||||
|
||||
export const parseCLIVersion = async (stdout: string): Promise<string> => {
|
||||
const matches = /aws-cli\/([0-9.]+)/.exec(stdout);
|
||||
if (!matches) {
|
||||
throw new Error(`Cannot parse AWS CLI version`);
|
||||
}
|
||||
return semver.clean(matches[1]);
|
||||
};
|
||||
|
||||
export const getDockerLoginCmds = async (cliVersion: string, registry: string, region: string, accountIDs: string[]): Promise<string[]> => {
|
||||
let ecrCmd = (await isPubECR(registry)) ? 'ecr-public' : 'ecr';
|
||||
if (semver.satisfies(cliVersion, '>=2.0.0') || (await isPubECR(registry))) {
|
||||
return execCLI([ecrCmd, 'get-login-password', '--region', region]).then(pwd => {
|
||||
return [`docker login --username AWS --password ${pwd} ${registry}`];
|
||||
});
|
||||
];
|
||||
} else {
|
||||
return execCLI([ecrCmd, 'get-login', '--region', region, '--registry-ids', accountIDs.join(' '), '--no-include-email']).then(dockerLoginCmds => {
|
||||
return dockerLoginCmds.trim().split(`\n`);
|
||||
core.info(`AWS ECR detected with ${region} region`);
|
||||
const ecr = new aws.ECR({
|
||||
customUserAgent: 'docker-login-action',
|
||||
accessKeyId: username || process.env.AWS_ACCESS_KEY_ID || '',
|
||||
secretAccessKey: password || process.env.AWS_SECRET_ACCESS_KEY || '',
|
||||
region: region
|
||||
});
|
||||
const authTokenResponse = await ecr.getAuthorizationToken(authTokenRequest).promise();
|
||||
if (!Array.isArray(authTokenResponse.authorizationData) || !authTokenResponse.authorizationData.length) {
|
||||
throw new Error('Could not retrieve an authorization token from AWS ECR');
|
||||
}
|
||||
const regDatas: RegistryData[] = [];
|
||||
for (const authData of authTokenResponse.authorizationData) {
|
||||
const authToken = Buffer.from(authData.authorizationToken || '', 'base64').toString('utf-8');
|
||||
const creds = authToken.split(':', 2);
|
||||
regDatas.push({
|
||||
registry: authData.proxyEndpoint || '',
|
||||
username: creds[0],
|
||||
password: creds[1]
|
||||
});
|
||||
}
|
||||
return regDatas;
|
||||
}
|
||||
};
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ import * as core from '@actions/core';
|
|||
import * as exec from '@actions/exec';
|
||||
|
||||
export async function login(registry: string, username: string, password: string): Promise<void> {
|
||||
if (await aws.isECR(registry)) {
|
||||
if (aws.isECR(registry)) {
|
||||
await loginECR(registry, username, password);
|
||||
} else {
|
||||
await loginStandard(registry, username, password);
|
||||
|
|
@ -51,43 +51,21 @@ export async function loginStandard(registry: string, username: string, password
|
|||
}
|
||||
|
||||
export async function loginECR(registry: string, username: string, password: string): Promise<void> {
|
||||
const cliPath = await aws.getCLI();
|
||||
const cliVersion = await aws.getCLIVersion();
|
||||
const region = await aws.getRegion(registry);
|
||||
const accountIDs = await aws.getAccountIDs(registry);
|
||||
|
||||
if (await aws.isPubECR(registry)) {
|
||||
core.info(`AWS Public ECR detected with ${region} region`);
|
||||
} else {
|
||||
core.info(`AWS ECR detected with ${region} region`);
|
||||
}
|
||||
|
||||
if (username) {
|
||||
process.env.AWS_ACCESS_KEY_ID = username;
|
||||
}
|
||||
if (password) {
|
||||
process.env.AWS_SECRET_ACCESS_KEY = password;
|
||||
}
|
||||
|
||||
core.info(`Retrieving docker login command through AWS CLI ${cliVersion} (${cliPath})...`);
|
||||
const loginCmds = await aws.getDockerLoginCmds(cliVersion, registry, region, accountIDs);
|
||||
|
||||
core.info(`Logging into ${registry}...`);
|
||||
loginCmds.forEach((loginCmd, index) => {
|
||||
exec
|
||||
.getExecOutput(loginCmd, [], {
|
||||
core.info(`Retrieving registries data through AWS SDK...`);
|
||||
const regDatas = await aws.getRegistriesData(registry, username, password);
|
||||
for (const regData of regDatas) {
|
||||
core.info(`Logging into ${regData.registry}...`);
|
||||
await exec
|
||||
.getExecOutput('docker', ['login', '--password-stdin', '--username', regData.username, regData.registry], {
|
||||
ignoreReturnCode: true,
|
||||
silent: true
|
||||
silent: true,
|
||||
input: Buffer.from(regData.password)
|
||||
})
|
||||
.then(res => {
|
||||
if (res.stderr.length > 0 && res.exitCode != 0) {
|
||||
throw new Error(res.stderr.trim());
|
||||
}
|
||||
if (loginCmds.length > 1) {
|
||||
core.info(`Login Succeeded! (${index}/${loginCmds.length})`);
|
||||
} else {
|
||||
core.info('Login Succeeded!');
|
||||
}
|
||||
core.info('Login Succeeded!');
|
||||
});
|
||||
});
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue