Merged
188 changes: 65 additions & 123 deletions .github/workflows/.test-bake.yml
Expand Up @@ -26,14 +26,14 @@ on:
- 'test/**'

jobs:
bake-aws-single:
bake-dockerhub-single:
uses: ./.github/workflows/bake.yml
permissions:
contents: read
id-token: write
with:
cache: true
cache-scope: bake-aws-single
cache-scope: bake-dockerhub-single
context: test
output: image
push: ${{ github.event_name != 'pull_request' }}
Expand All @@ -42,51 +42,51 @@ jobs:
*.args.VERSION={{meta.version}}
target: hello
meta-images: |
public.ecr.aws/q3b5f1u4/test-docker-action
docker.io/dockereng/github-builder-test
meta-tags: |
type=raw,value=bake-ghbuilder-single-${{ github.run_id }}
secrets:
registry-auths: |
- registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- registry: docker.io
username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}

bake-aws-single-verify:
bake-dockerhub-single-verify:
uses: ./.github/workflows/verify.yml
if: ${{ github.event_name != 'pull_request' }}
needs:
- bake-aws-single
- bake-dockerhub-single
with:
builder-outputs: ${{ toJSON(needs.bake-aws-single.outputs) }}
builder-outputs: ${{ toJSON(needs.bake-dockerhub-single.outputs) }}
secrets:
registry-auths: |
- registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- registry: docker.io
username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}

bake-aws-single-outputs:
bake-dockerhub-single-outputs:
runs-on: ubuntu-24.04
needs:
- bake-aws-single
- bake-dockerhub-single
steps:
-
name: Builder outputs
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-aws-single.outputs) }}
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-dockerhub-single.outputs) }}
with:
script: |
const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
core.info(JSON.stringify(builderOutputs, null, 2));

bake-aws:
bake-dockerhub:
uses: ./.github/workflows/bake.yml
permissions:
contents: read
id-token: write
with:
cache: true
cache-scope: bake-aws
cache-scope: bake-dockerhub
context: test
output: image
push: ${{ github.event_name != 'pull_request' }}
Expand All @@ -99,70 +99,63 @@ jobs:
*.args.VERSION={{meta.version}}
target: hello-cross
meta-images: |
public.ecr.aws/q3b5f1u4/test-docker-action
docker.io/dockereng/github-builder-test
meta-tags: |
type=raw,value=bake-ghbuilder-${{ github.run_id }}
secrets:
registry-auths: |
- registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- registry: docker.io
username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}

bake-aws-verify:
bake-dockerhub-verify:
uses: ./.github/workflows/verify.yml
if: ${{ github.event_name != 'pull_request' }}
needs:
- bake-aws
- bake-dockerhub
with:
builder-outputs: ${{ toJSON(needs.bake-aws.outputs) }}
builder-outputs: ${{ toJSON(needs.bake-dockerhub.outputs) }}
secrets:
registry-auths: |
- registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- registry: docker.io
username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}

bake-aws-outputs:
bake-dockerhub-outputs:
runs-on: ubuntu-24.04
needs:
- bake-aws
- bake-dockerhub
steps:
-
name: Builder outputs
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-aws.outputs) }}
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-dockerhub.outputs) }}
with:
script: |
const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
core.info(JSON.stringify(builderOutputs, null, 2));

bake-aws-scan:
bake-dockerhub-scan:
runs-on: ubuntu-24.04
if: ${{ github.event_name != 'pull_request' }}
needs:
- bake-aws
- bake-dockerhub
steps:
-
name: Login to registry
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-
name: Scan for vulnerabilities
uses: crazy-max/ghaction-container-scan@a0a3900b79d158c85ccf034e5368fae620a9233a # v4.0.0
with:
image: public.ecr.aws/q3b5f1u4/test-docker-action@${{ needs.bake-aws.outputs.digest }}
image: docker.io/dockereng/github-builder-test@${{ needs.bake-dockerhub.outputs.digest }}

bake-aws-nosign:
bake-dockerhub-nosign:
uses: ./.github/workflows/bake.yml
permissions:
contents: read
id-token: write
with:
cache: true
cache-scope: bake-aws-nosign
cache-scope: bake-dockerhub-nosign
context: test
output: image
push: ${{ github.event_name != 'pull_request' }}
Expand All @@ -171,96 +164,45 @@ jobs:
*.args.VERSION={{meta.version}}
sign: false
target: hello-cross
meta-images: |
public.ecr.aws/q3b5f1u4/test-docker-action
meta-tags: |
type=raw,value=bake-ghbuilder-nosign-${{ github.run_id }}
secrets:
registry-auths: |
- registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

bake-aws-nosign-verify:
uses: ./.github/workflows/verify.yml
if: ${{ github.event_name != 'pull_request' }}
needs:
- bake-aws-nosign
with:
builder-outputs: ${{ toJSON(needs.bake-aws-nosign.outputs) }}
secrets:
registry-auths: |
- registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

bake-aws-nosign-outputs:
runs-on: ubuntu-24.04
needs:
- bake-aws-nosign
steps:
-
name: Builder outputs
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-aws-nosign.outputs) }}
with:
script: |
const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
core.info(JSON.stringify(builderOutputs, null, 2));

bake-dockerhub:
uses: ./.github/workflows/bake.yml
permissions:
contents: read
id-token: write
with:
context: test
output: image
push: ${{ github.event_name != 'pull_request' }}
sbom: true
set: |
*.args.VERSION={{meta.version}}
target: hello-cross
meta-images: |
docker.io/dockereng/github-builder-test
meta-tags: |
type=raw,value=bake-ghbuilder-${{ github.run_id }}
type=raw,value=bake-ghbuilder-nosign-${{ github.run_id }}
secrets:
registry-auths: |
- registry: docker.io
username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}

bake-dockerhub-verify:
bake-dockerhub-nosign-verify:
uses: ./.github/workflows/verify.yml
if: ${{ github.event_name != 'pull_request' }}
needs:
- bake-dockerhub
- bake-dockerhub-nosign
with:
builder-outputs: ${{ toJSON(needs.bake-dockerhub.outputs) }}
builder-outputs: ${{ toJSON(needs.bake-dockerhub-nosign.outputs) }}
secrets:
registry-auths: |
- registry: docker.io
username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}

bake-dockerhub-outputs:
bake-dockerhub-nosign-outputs:
runs-on: ubuntu-24.04
needs:
- bake-dockerhub
- bake-dockerhub-nosign
steps:
-
name: Builder outputs
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-dockerhub.outputs) }}
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-dockerhub-nosign.outputs) }}
with:
script: |
const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
core.info(JSON.stringify(builderOutputs, null, 2));

bake-ghcr-and-aws:
bake-ghcr-and-dockerhub:
uses: ./.github/workflows/bake.yml
permissions:
contents: read
Expand All @@ -276,44 +218,44 @@ jobs:
target: hello-cross
meta-images: |
ghcr.io/docker/github-builder-test
public.ecr.aws/q3b5f1u4/test-docker-action
docker.io/dockereng/github-builder-test
meta-tags: |
type=raw,value=${{ github.run_id }},prefix=bake-ghcr-and-aws-
type=raw,value=${{ github.run_id }},prefix=bake-ghcr-and-dockerhub-
secrets:
registry-auths: |
- registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- registry: docker.io
username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}

bake-ghcr-and-aws-verify:
bake-ghcr-and-dockerhub-verify:
uses: ./.github/workflows/verify.yml
if: ${{ github.event_name != 'pull_request' }}
needs:
- bake-ghcr-and-aws
- bake-ghcr-and-dockerhub
with:
builder-outputs: ${{ toJSON(needs.bake-ghcr-and-aws.outputs) }}
builder-outputs: ${{ toJSON(needs.bake-ghcr-and-dockerhub.outputs) }}
secrets:
registry-auths: |
- registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- registry: docker.io
username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}

bake-ghcr-and-aws-outputs:
bake-ghcr-and-dockerhub-outputs:
runs-on: ubuntu-24.04
needs:
- bake-ghcr-and-aws
- bake-ghcr-and-dockerhub
steps:
-
name: Builder outputs
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
env:
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-ghcr-and-aws.outputs) }}
INPUT_BUILDER-OUTPUTS: ${{ toJSON(needs.bake-ghcr-and-dockerhub.outputs) }}
with:
script: |
const builderOutputs = JSON.parse(core.getInput('builder-outputs'));
Expand Down Expand Up @@ -477,7 +419,7 @@ jobs:
*.args.VERSION={{meta.version}}
target: hello-cross
meta-images: |
public.ecr.aws/q3b5f1u4/test-docker-action
docker.io/dockereng/github-builder-test
meta-tags: |
type=raw,value=bake-ghbuilder-${{ github.run_id }}

Expand All @@ -495,7 +437,7 @@ jobs:
*.args.VERSION={{meta.version}}
target: hello-cross
meta-images: |
public.ecr.aws/q3b5f1u4/test-docker-action
docker.io/dockereng/github-builder-test
meta-tags: |
type=raw,value=bake-ghbuilder-${{ github.run_id }}

Expand All @@ -512,15 +454,15 @@ jobs:
sbom: true
target: hello-cross

bake-aws-nodistrib:
bake-dockerhub-nodistrib:
uses: ./.github/workflows/bake.yml
permissions:
contents: read
id-token: write
with:
distribute: false
cache: true
cache-scope: bake-aws-nodistrib
cache-scope: bake-dockerhub-nodistrib
context: test
output: image
push: ${{ github.event_name != 'pull_request' }}
Expand All @@ -529,14 +471,14 @@ jobs:
*.args.VERSION={{meta.version}}
target: hello-cross
meta-images: |
public.ecr.aws/q3b5f1u4/test-docker-action
docker.io/dockereng/github-builder-test
meta-tags: |
type=raw,value=bake-ghbuilder-nodistrib-${{ github.run_id }}
secrets:
registry-auths: |
- registry: public.ecr.aws
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- registry: docker.io
username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}

bake-local-nodistrib:
uses: ./.github/workflows/bake.yml
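Review bot: The four verify jobs (`bake-dockerhub-single-verify`, `bake-dockerhub-verify`, `bake-dockerhub-nosign-verify`, `bake-ghcr-and-dockerhub-verify`) pass `secrets.DOCKERPUBLICBOT_WRITE_PAT` to `verify.yml`, and the secret's name suggests a push-capable token. Verification presumably only pulls the image and its attestations, so a read-scoped credential would keep a write token out of jobs that do not publish, e.g. `password: ${{ secrets.<READ_ONLY_PAT> }}` in those `registry-auths` blocks (placeholder name; no such secret is visible on this page). Separately, `bake-dockerhub-scan` appears to lose its `Login to registry` step with no docker.io replacement, so the scanner would pull `docker.io/dockereng/github-builder-test@<digest>` anonymously. That works only while the repository stays public and is subject to Docker Hub's anonymous pull limits, so either restore a read-only login or add a comment above the scan step such as `# anonymous pull: image repository is public`.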