elgohr / ecr-login-action Goto Github PK

The registry output returns a url with http protocol prepended like https://809698098.dkr.ecr.us-east-1.amazonaws.com If you pass this manually to docker build it will fail:

invalid argument "https://809698098.dkr.ecr.us-east-1.amazonaws.com/crashgiants:edb1219c31a7e2a27c56dc4b0f747ba191c781a7" for "-t, --tag" flag: invalid reference format

you need to then manually strip the https:// it will pass.

Docker version 19.03.13, build 4484c46d9d

This is a feature request/ asking whether PR would be accepted for the following environment:

• self-hosted runners
• AWS EKS Kubernetes cluster

When running a self hosted runner inside an AWS EKS Kubernetes cluster AWS has a feature called IRSA (IAM roles for service accounts). This feature allows accessing the AWS API directly from a pod.With this feature different environment variables + different API calls are used.
See nr 3 (Web Identity Token credentials from the environment or container) in credentials precedence.

Trigger are the following two env variables:

• 'AWS_ROLE_ARN'
• 'AWS_WEB_IDENTITY_TOKEN_FILE'

The implementation could look as follows:

• if variables are set
  • execute aws sts assume-web-role-identity which will then return AWS_SECRET_KEYS & others.

It will require a rewrite of these lines + making $INPUT_ACCESS_KEY & $INPUT_SECRET_ACCESS_KEY optional. But it should be backwards compatible.

How do we proceed?

In some scenarios we use a builder role in some of our org accounts that is assumable by a central "builder user". It would be nice if this could use AWS_PROFILE (setup by "aws-actions/configure-aws-credentials@v1") in addition to the keys.

Hello, suddenly we are getting this without doing any changes from our side. I noticed this repo updated a few hours ago. must be something that affects it.

Must provide --username with --password-stdin
Error: Process completed with exit code 1.

• name: Docker Login
  env:
  DOCKER_USERNAME: ${{ steps.ecr.outputs.username }}
  DOCKER_PASSWORD: ${{ steps.ecr.outputs.password }}
  run: |
  echo "${DOCKER_PASSWORD}" | docker login --username "${DOCKER_USERNAME}" --password-stdin xxxxxxxx.amazonaws.com

Hi,

recently I started seeing the following (I even see this on past successful builds):

Step 3/12 : LABEL "maintainer"="Lars Gohr"
 ---> Running in 9d77cee4d6ce
Removing intermediate container 9d77cee4d6ce
 ---> 9082b5a5618c
Step 4/12 : RUN apk update   && apk upgrade   && apk add --no-cache python py-pip bash jq   && pip install awscli    && apk --purge -v del py-pip
 ---> Running in cd99825221f7
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
v3.12.0-9-gc3ce4065bd [http://dl-cdn.alpinelinux.org/alpine/v3.12/main]
v3.12.0-5-g644078feb4 [http://dl-cdn.alpinelinux.org/alpine/v3.12/community]
OK: 12726 distinct packages available
(1/1) Upgrading alpine-baselayout (3.2.0-r6 -> 3.2.0-r7)
Executing alpine-baselayout-3.2.0-r7.pre-upgrade
Executing alpine-baselayout-3.2.0-r7.post-upgrade
Executing busybox-1.31.1-r16.trigger
OK: 6 MiB in 14 packages
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
ERROR: unsatisfiable constraints:
  python (missing):
    required by: world[python]
The command '/bin/sh -c apk update   && apk upgrade   && apk add --no-cache python py-pip bash jq   && pip install awscli    && apk --purge -v del py-pip' returned a non-zero code: 1
##[warning]Docker build failed with exit code 1, back off 5.959 seconds before retry.

Can someone let me know what changed or how can I fix it?

Thanks

We have a use case where we need to use an image from a private ecr repo for a service, however, we need to generate an ECR Password before we can use the image. This isn't like a normal workflow where we could just through this action before an docker pull (or push), since we are using the image in a service.

We tried to run this as a setup and output the password, however, because "set-mask" is set for the password, GithubActions will not output the password.

I fully respect the name change and understand that we must free ourselves from a nomenclature associated with the era of slavery, but in this case the effect of the change has been quite large.

This update has broken hundreds of CI-CD pipelines because the examples and documentation indicated that we should target the master branch.

uses: elgohr/ecr-login-action@master

Can you please keep a master branch to maintain backwards compatibility?

The action is a bit slow. I suggest removing apk upgrade, reducing step count in Dockerfile, not running unit tests on every use

Hello,

I've been using your ecr-login-action for a few weeks now. The last couple of days it has been working, but now I am getting an error:

Run elgohr/ecr-login-action@master
  with:
    access_key: ***
    secret_access_key: ***
    region: ***
/usr/bin/docker run --name bb814fd65fd11dfc42b096513427cdd5ea9a_627926 --label 04bb81 --workdir /github/workspace --rm -e INPUT_ACCESS_KEY -e INPUT_SECRET_ACCESS_KEY -e INPUT_REGION -e HOME -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/slackcat/slackcat":"/github/workspace" 04bb81:4fd65fd11dfc42b096513427cdd5ea9a

An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.
##[error]Docker run failed with exit code 255

This is my code:

name: Push Slackcat to ECR

on:
  push:
    branches:
    - master

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - name: Build the Docker image
      run: docker build . --file Dockerfile --tag slackcat
    - name: Login to ECR
      id: ecr
      uses: elgohr/ecr-login-action@master
      with:
        access_key: ${{ secrets.AWS_ACCESS_KEY }}
        secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        region: us-east-1
    - name: Publish to ECR
      uses: elgohr/Publish-Docker-Github-Action@master
      with:
        name: XXXXXX.dkr.ecr.us-east-1.amazonaws.com/slackcat
        username: ${{ steps.ecr.outputs.username }}
        password: ${{ steps.ecr.outputs.password }}
        registry: ${{ steps.ecr.outputs.registry }}
        snapshot: true

Not sure if something has changed in the action that require me to make changes to my code?

Also, I will be opening an issue wrt the Publish-Docker-Github-Action as I was getting errors there as well.

Thanks!

When using this action, this warning appears in the logs:

Warning: The set-output command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

This is generated by the use of set-output on lines 19-23 of entrypoint.sh: