docker · thaJeztah · Aug 17, 2022 · Aug 17, 2022 · Aug 11, 2022 · Aug 17, 2022
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,121 @@
+name: deploy
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - lab
+      - master
+      - published
+
+# these permissions are needed to interact with GitHub's OIDC Token endpoint.
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-20.04
+    steps:
+      -
+        name: Prepare
+        run: |
+          JEKYLL_ENV=development
+          DOCS_AWS_REGION=us-east-1
+          if [ "${{ github.ref }}" = "refs/heads/master" ]; then
+            DOCS_URL="https://docs-stage2.docker.com" # TODO: change this to https://docs-stage.docker.com when new env switched and ready
+            DOCS_AWS_IAM_ROLE="arn:aws:iam::710015040892:role/stage-docs-docker.github.io-20220816140248629900000003"
+            DOCS_S3_BUCKET="stage-docs-docker.github.io"
+            DOCS_S3_CONFIG="s3-config.json"
+            DOCS_CLOUDFRONT_ID="E1R7CSW3F0X4H8"
+            DOCS_LAMBDA_FUNCTION_REDIRECTS="DockerDocsRedirectFunction-stage"
+            DOCS_SLACK_MSG="Successfully deployed docs-stage2 from master branch. $DOCS_URL" # TODO: change to "deployed docs-stage" when new env switched and ready
+          elif [ "${{ github.ref }}" = "refs/heads/published" ]; then
+            #JEKYLL_ENV=production # TODO: uncomment when new env switched and ready
+            DOCS_URL="https://docs2.docker.com" # TODO: change this to https://docs.docker.com when new env switched and ready
+            DOCS_AWS_IAM_ROLE="arn:aws:iam::710015040892:role/prod-docs-docker.github.io-20220816161549883800000001"
+            DOCS_S3_BUCKET="prod-docs-docker.github.io"
+            DOCS_S3_CONFIG="s3-config.json"
+            DOCS_CLOUDFRONT_ID="E228TTN20HNU8F"
+            DOCS_LAMBDA_FUNCTION_REDIRECTS="DockerDocsRedirectFunction-prod"
+            DOCS_SLACK_MSG="Successfully deployed docs2 from published branch. $DOCS_URL" # TODO: change to "deployed docs" when new env switched and ready
+          elif [ "${{ github.ref }}" = "refs/heads/lab" ]; then
+            DOCS_URL="https://docs-labs.docker.com"
+            DOCS_AWS_IAM_ROLE="arn:aws:iam::710015040892:role/labs-docs-docker.github.io-20220728143917865600000003"
+            DOCS_S3_BUCKET="labs-docs-docker.github.io"
+            DOCS_S3_CONFIG="s3-config.json"
+            DOCS_CLOUDFRONT_ID="E1MYDYF65FW3HG"
+            DOCS_LAMBDA_FUNCTION_REDIRECTS="DockerDocsRedirectFunction-labs"
+            DOCS_SLACK_MSG="Successfully deployed docs-labs from lab branch. $DOCS_URL"
+          else
+            echo >&2 "ERROR: unknown branch ${{ github.ref }}"
+            exit 1
+          fi
+          SEND_SLACK_MSG="true"
+          if [ -z "$DOCS_AWS_IAM_ROLE" ] || [ -z "$DOCS_S3_BUCKET" ] || [ -z "$DOCS_CLOUDFRONT_ID" ] || [ -z "$DOCS_SLACK_MSG" ]; then
+            SEND_SLACK_MSG="false"
+          fi
+          echo "BRANCH_NAME=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
+          echo "JEKYLL_ENV=$JEKYLL_ENV" >> $GITHUB_ENV
+          echo "DOCS_URL=$DOCS_URL" >> $GITHUB_ENV
+          echo "DOCS_AWS_REGION=$DOCS_AWS_REGION" >> $GITHUB_ENV
+          echo "DOCS_AWS_IAM_ROLE=$DOCS_AWS_IAM_ROLE" >> $GITHUB_ENV
+          echo "DOCS_S3_BUCKET=$DOCS_S3_BUCKET" >> $GITHUB_ENV
+          echo "DOCS_S3_CONFIG=$DOCS_S3_CONFIG" >> $GITHUB_ENV
+          echo "DOCS_CLOUDFRONT_ID=$DOCS_CLOUDFRONT_ID" >> $GITHUB_ENV
+          echo "DOCS_LAMBDA_FUNCTION_REDIRECTS=$DOCS_LAMBDA_FUNCTION_REDIRECTS" >> $GITHUB_ENV
+          echo "DOCS_SLACK_MSG=$DOCS_SLACK_MSG" >> $GITHUB_ENV
+          echo "SEND_SLACK_MSG=$SEND_SLACK_MSG" >> $GITHUB_ENV
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Build website
+        uses: docker/bake-action@v2
+        with:
+          targets: release
+          set: |
+            *.cache-from=type=gha,scope=deploy-${{ env.BRANCH_NAME }}
+            *.cache-to=type=gha,scope=deploy-${{ env.BRANCH_NAME }},mode=max
+      -
+        name: Configure AWS Credentials
+        if: ${{ env.DOCS_AWS_IAM_ROLE != '' }}
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ env.DOCS_AWS_IAM_ROLE }}
+          aws-region: ${{ env.DOCS_AWS_REGION }}
+      -
+        name: Upload files to S3 bucket
+        if: ${{ env.DOCS_S3_BUCKET != '' }}
+        run: |
+          aws --region ${{ env.DOCS_AWS_REGION }} s3 sync --acl public-read _site s3://${{ env.DOCS_S3_BUCKET }}/ --delete
+      -
+        name: Update S3 config
+        if: ${{ env.DOCS_S3_BUCKET != '' && env.DOCS_S3_CONFIG != '' }}
+        uses: docker/bake-action@v2
+        with:
+          targets: aws-s3-update-config
+          set: |
+            *.cache-from=type=gha,scope=releaser
+        env:
+          AWS_REGION: ${{ env.DOCS_AWS_REGION }}
+          AWS_S3_BUCKET: ${{ env.DOCS_S3_BUCKET }}
+          AWS_S3_CONFIG: ${{ env.DOCS_S3_CONFIG }}
+      -
+        name: Update Cloudfront config
+        if: ${{ env.DOCS_CLOUDFRONT_ID != '' }}
+        uses: docker/bake-action@v2
+        with:
+          targets: aws-cloudfront-update
+        env:
+          AWS_REGION: us-east-1 # cloudfront and lambda edge functions are only available in us-east-1 region
+          AWS_CLOUDFRONT_ID: ${{ env.DOCS_CLOUDFRONT_ID }}
+          AWS_LAMBDA_FUNCTION: ${{ env.DOCS_LAMBDA_FUNCTION_REDIRECTS }}
+      -
+        name: Send Slack notification
+        if: ${{ env.SEND_SLACK_MSG == 'true' }}
+        run: |
+          curl -X POST -H 'Content-type: application/json' --data '{"text":"${{ env.DOCS_SLACK_MSG }}"}' ${{ secrets.SLACK_WEBHOOK }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -4,7 +4,6 @@ on:
   workflow_dispatch:
   push:
     branches:
-      - lab
       - master
       - published
 
@@ -30,15 +29,13 @@ jobs:
             DOCS_S3_CONFIG="_website-config-docs.json"
             DOCS_LAMBDA_FUNCTION_CACHE="arn:aws:lambda:us-east-1:710015040892:function:docs-cache-invalidator"
             DOCS_SLACK_MSG="Successfully published docs. https://docs.docker.com/"
-          elif [ "${{ github.ref }}" = "refs/heads/lab" ]; then
-            DOCS_URL="https://docs-lab.docker.com"
-            DOCS_S3_BUCKET=""
-            DOCS_LAMBDA_FUNCTION_CACHE=""
-            DOCS_S3_CONFIG="_website-config-docs-lab.json"
           else
             echo >&2 "ERROR: unknown branch ${{ github.ref }}"
             exit 1
           fi
+          echo "BRANCH_NAME=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV
+          echo "AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}" >> $GITHUB_ENV
+          echo "AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}" >> $GITHUB_ENV
           echo "JEKYLL_ENV=$JEKYLL_ENV" >> $GITHUB_ENV
           echo "DOCS_URL=$DOCS_URL" >> $GITHUB_ENV
           echo "DOCS_AWS_REGION=$DOCS_AWS_REGION" >> $GITHUB_ENV
@@ -58,15 +55,12 @@ jobs:
         with:
           targets: release
           set: |
-            *.cache-from=type=gha,scope=publish
-            *.cache-to=type=gha,scope=publish,mode=max
+            *.cache-from=type=gha,scope=publish-${{ env.BRANCH_NAME }}
+            *.cache-to=type=gha,scope=publish-${{ env.BRANCH_NAME }},mode=max
       -
         name: Upload files to S3 bucket
         run: |
           aws --region ${{ env.DOCS_AWS_REGION }} s3 sync --acl public-read _site s3://${{ env.DOCS_S3_BUCKET }}/ --delete
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
       -
         name: Update S3 config
         uses: docker/bake-action@v2
@@ -75,8 +69,6 @@ jobs:
           set: |
             *.cache-from=type=gha,scope=releaser
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_REGION: ${{ env.DOCS_AWS_REGION }}
           AWS_S3_BUCKET: ${{ env.DOCS_S3_BUCKET }}
           AWS_S3_CONFIG: ${{ env.DOCS_S3_CONFIG }}
@@ -89,8 +81,6 @@ jobs:
           set: |
             *.cache-from=type=gha,scope=releaser
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_REGION: ${{ env.DOCS_AWS_REGION }}
           AWS_LAMBDA_FUNCTION: ${{ env.DOCS_LAMBDA_FUNCTION_CACHE }}
       -

diff --git a/_releaser/Dockerfile b/_releaser/Dockerfile
@@ -8,15 +8,13 @@ FROM golang:${GO_VERSION}-alpine AS base
 RUN apk add --no-cache jq openssl
 ENV CGO_ENABLED=0
 WORKDIR /src
-
-FROM base AS vendor
-COPY go.mod go.sum *.go ./
+COPY go.mod go.sum ./
 RUN --mount=type=cache,target=/go/pkg/mod \
-  go mod tidy && go mod download
+  go mod download
 
-FROM vendor AS releaser
-COPY go.mod go.sum *.go ./
-RUN --mount=type=cache,target=/go/pkg/mod \
+FROM base AS releaser
+RUN --mount=type=bind,target=. \
+  --mount=type=cache,target=/go/pkg/mod \
   --mount=type=cache,target=/root/.cache/go-build \
   go build -o /out/releaser .
 
@@ -42,6 +40,7 @@ RUN --mount=type=bind,target=. \
   --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \
   --mount=type=secret,id=AWS_ACCESS_KEY_ID \
   --mount=type=secret,id=AWS_SECRET_ACCESS_KEY \
+  --mount=type=secret,id=AWS_SESSION_TOKEN \
   releaser aws s3-update-config
 
 FROM base AS aws-lambda-invoke
@@ -50,4 +49,20 @@ ARG AWS_LAMBDA_FUNCTION
 RUN --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \
   --mount=type=secret,id=AWS_ACCESS_KEY_ID \
   --mount=type=secret,id=AWS_SECRET_ACCESS_KEY \
+  --mount=type=secret,id=AWS_SESSION_TOKEN \
   releaser aws lambda-invoke
+
+FROM base AS aws-cloudfront-update
+ARG AWS_REGION
+ARG AWS_LAMBDA_FUNCTION
+ARG AWS_CLOUDFRONT_ID
+RUN --mount=type=bind,target=. \
+  --mount=type=bind,from=sitedir,target=/site \
+  --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \
+  --mount=type=secret,id=AWS_ACCESS_KEY_ID \
+  --mount=type=secret,id=AWS_SECRET_ACCESS_KEY \
+  --mount=type=secret,id=AWS_SESSION_TOKEN \
+  AWS_LAMBDA_FUNCTION_FILE=cloudfront-lambda-redirects.js \
+  REDIRECTS_JSON=$(jq -c '.' /site/redirects.json) \
+  REDIRECTS_PREFIXES_JSON=$(jq -c '.' redirects-prefixes.json) \
+  releaser aws cloudfront-update