Updated version of check_images_x_region & Tags Fix (#10)

* Use updated version of check_images_x_region And use tagged version of configure-aws-credentials * Remove tag from push --all-tags This used to work, but now gives an error. I guess it is funny to say "all-tags" and then specify a tag.
sublime-security · Dec 23, 2021 · e494fe6 · e494fe6
1 parent f6f6fd3
commit e494fe6
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 15 deletions.
diff --git a/.github/workflows/check_images_x_region.sh b/.github/workflows/check_images_x_region.sh
@@ -4,6 +4,11 @@ set -e
 
 tag=$1
 
+timeout_seconds=120
+
+# Use a variable because return 1 will exit the script with `set -e`, but we want to retry.
+checkImageResult="false"
+
 function checkImages() {
   repo=$1
   primary_sha=$(aws ecr describe-images --region us-east-1 --repository-name $repo --image-ids imageTag=$tag | jq -r '.imageDetails[0].imageDigest')
@@ -13,12 +18,40 @@ function checkImages() {
 
     if [[ "$sha" != "$primary_sha" ]]; then
       echo "Incomplete ECR propagation for repo $repo (tag $tag) in $region. Expected $primary_sha but found $sha."
-      exit 1
+      return 0
     fi
+
+    echo "ECR propagation for repo $repo (tag $tag) in $region is complete. Found $sha"
+  done
+
+  checkImageResult="true"
+
+  return 0
+}
+
+function checkImagesWithTimeout() {
+  repo=$1
+
+  end=$((SECONDS+$timeout_seconds))
+
+  while [ $SECONDS -lt $end ]; do
+      checkImageResult="false"
+      checkImages $repo
+
+      if [ "$checkImageResult" = "true" ]; then
+          return 0
+      fi
+      echo "Replication has not finished for $repo, sleeping."
+      sleep 5
   done
+
+  echo "Replication did not finish for $repo after waiting $timeout_seconds"
+
+  # Just exit instead of checking status codes below (although it doesn't matter with `set -e`
+  exit 1
 }
 
-checkImages strelka-frontend
-checkImages strelka-backend
-checkImages strelka-manager
-checkImages strelka-mmrpc
+checkImagesWithTimeout strelka-frontend
+checkImagesWithTimeout strelka-backend
+checkImagesWithTimeout strelka-manager
+checkImagesWithTimeout strelka-mmrpc
diff --git a/.github/workflows/release-images.yml b/.github/workflows/release-images.yml
@@ -20,7 +20,7 @@ jobs:
         uses: actions/checkout@v2
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@036a4a1ddf2c0e7a782dca6e083c6c53e5d90321 # No released version with OIDC
+        uses: aws-actions/configure-aws-credentials@1.6
         with:
           # Use a role instead of including credentials in secrets, but still hide that role name to be gated by GH environments.
           role-to-assume: ${{ secrets.ECR_REPO_ROLE }}

diff --git a/.github/workflows/tag-latest.yml b/.github/workflows/tag-latest.yml
@@ -22,7 +22,7 @@ jobs:
         uses: actions/checkout@v2
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@036a4a1ddf2c0e7a782dca6e083c6c53e5d90321 # No released version with OIDC
+        uses: aws-actions/configure-aws-credentials@1.6
         with:
           # Use a role instead of including credentials in secrets, but still hide that role name to be gated by GH environments.
           role-to-assume: ${{ secrets.ECR_REPO_ROLE }}
@@ -79,8 +79,8 @@ jobs:
           docker tag $ECR_REGISTRY/strelka-frontend:$VERSION $ECR_REGISTRY/strelka-frontend:$MINOR_VERSION
           docker tag $ECR_REGISTRY/strelka-frontend:$VERSION sublimesec/strelka-frontend:$MINOR_VERSION
 
-          docker push --all-tags $ECR_REGISTRY/strelka-frontend:latest
-          docker push --all-tags sublimesec/strelka-frontend:latest
+          docker push --all-tags $ECR_REGISTRY/strelka-frontend
+          docker push --all-tags sublimesec/strelka-frontend
 
       - name: Pull, Tag, Push BackEnd
         env:
@@ -100,8 +100,8 @@ jobs:
           docker tag $ECR_REGISTRY/strelka-backend:$VERSION $ECR_REGISTRY/strelka-backend:$MINOR_VERSION
           docker tag $ECR_REGISTRY/strelka-backend:$VERSION sublimesec/strelka-backend:$MINOR_VERSION
 
-          docker push --all-tags $ECR_REGISTRY/strelka-backend:latest
-          docker push --all-tags sublimesec/strelka-backend:latest
+          docker push --all-tags $ECR_REGISTRY/strelka-backend
+          docker push --all-tags sublimesec/strelka-backend
 
       - name: Pull, Tag, Push Manager
         env:
@@ -121,8 +121,8 @@ jobs:
           docker tag $ECR_REGISTRY/strelka-manager:$VERSION $ECR_REGISTRY/strelka-manager:$MINOR_VERSION
           docker tag $ECR_REGISTRY/strelka-manager:$VERSION sublimesec/strelka-manager:$MINOR_VERSION
 
-          docker push --all-tags $ECR_REGISTRY/strelka-manager:latest
-          docker push --all-tags sublimesec/strelka-manager:latest
+          docker push --all-tags $ECR_REGISTRY/strelka-manager
+          docker push --all-tags sublimesec/strelka-manager
 
       - name: Pull, Tag, Push MMRPC
         env:
@@ -142,8 +142,8 @@ jobs:
           docker tag $ECR_REGISTRY/strelka-mmrpc:$VERSION $ECR_REGISTRY/strelka-mmrpc:$MINOR_VERSION
           docker tag $ECR_REGISTRY/strelka-mmrpc:$VERSION sublimesec/strelka-mmrpc:$MINOR_VERSION
 
-          docker push --all-tags $ECR_REGISTRY/strelka-mmrpc:latest
-          docker push --all-tags sublimesec/strelka-mmrpc:latest
+          docker push --all-tags $ECR_REGISTRY/strelka-mmrpc
+          docker push --all-tags sublimesec/strelka-mmrpc
 
       - name: Validate All X-Region Replication
         run: |