@joeyslalom
Created March 16, 2022 00:08
GitHub Action - docker build and push to Artifact Registry
# 1. Create service account
#    * Service Account Token Creator
#    * Artifact Registry Writer
# 2. Generate service account key
#    * In GitHub project -> Settings -> Secrets -> Actions -> New Repository Secret
#      Name: GCP_CREDENTIALS
#      Value: key.json contents
# 3. Create repo in Artifact Registry
#    * Name: $env.REPOSITORY below
#    * Region: $env.GAR_LOCATION below
name: Docker build and push to Artifact Registry

on:
  push:
    branches:
      - main
      - github-action

env:
  PROJECT_ID: slalom-2020-293920
  GAR_LOCATION: us-west1
  REPOSITORY: reimagined-couscous
  IMAGE: main

jobs:
  login-build-push:
    name: Docker login, build, and push
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: 'Docker build'
        run: |-
          docker build \
            --tag "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" \
            app/

      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0.6.0'
        with:
          credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
          token_format: 'access_token'

      - uses: 'docker/login-action@v1'
        name: 'Docker login'
        with:
          registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev'
          username: 'oauth2accesstoken'
          password: '${{ steps.auth.outputs.access_token }}'

      - name: 'Docker push'
        run: |-
          docker push "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA"

@joeyslalom
Author

corresponding tf:

resource "google_service_account" "github" {
  account_id = "github-docker-push"
}

resource "google_project_iam_member" "github_token_creator" {
  project = google_project.project.project_id
  role    = "roles/iam.serviceAccountTokenCreator"
  member  = "serviceAccount:${google_service_account.github.email}"
}

resource "google_project_iam_member" "github_act_as" {
  project = google_project.project.project_id
  role    = "roles/artifactregistry.writer"
  member  = "serviceAccount:${google_service_account.github.email}"
}

resource "google_artifact_registry_repository" "resdna" {
  provider = google-beta

  location      = var.default_region
  repository_id = "resdna"
  format        = "DOCKER"
  project       = google_project.project.project_id
}
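
A least-privilege variant of the two project-level bindings above, added here as an example and not the gist author's code: the same two roles, scoped to the service account itself and to the single repository. The resource names `github_token_creator_self` and `github_repo_writer` are hypothetical, and `provider = google-beta` is an assumption carried over from the repository resource.

```hcl
# Added example, not the gist author's code. Resource names
# "github_token_creator_self" and "github_repo_writer" are hypothetical.

# Replaces google_project_iam_member.github_token_creator.
# Bound on the service account itself, so the key can mint tokens only for
# this account and not for every service account in the project.
resource "google_service_account_iam_member" "github_token_creator_self" {
  service_account_id = google_service_account.github.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:${google_service_account.github.email}"
}

# Replaces google_project_iam_member.github_act_as.
# Bound on the one repository, so the workflow can push only there and not
# to every Artifact Registry repository in the project.
resource "google_artifact_registry_repository_iam_member" "github_repo_writer" {
  provider = google-beta # assumption: same provider as the repository resource

  project    = google_artifact_registry_repository.resdna.project
  location   = google_artifact_registry_repository.resdna.location
  repository = google_artifact_registry_repository.resdna.name
  role       = "roles/artifactregistry.writer"
  member     = "serviceAccount:${google_service_account.github.email}"
}
```

With these in place, a leaked `GCP_CREDENTIALS` key is limited to pushing images to this one repository.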
