
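---
# Container image pipeline:
#   1. build        — build the image per architecture and push it to GHCR
#   2. copy-to-ecr  — copy each per-arch image from GHCR into ECR
#   3. manifest     — assemble a multi-arch manifest in each registry
#
# Every third-party action is pinned to a commit SHA (version in the trailing
# comment). AWS access is obtained via OIDC (id-token: write) rather than
# long-lived keys; the roles live in AWS_ACCOUNT_ID.
name: Container
on:
  push:
env:
  ECR_REGION: us-west-2
  # Quoted so the account id stays a string rather than an integer.
  AWS_ACCOUNT_ID: "850406765696"
jobs:
  build:
    name: Build ${{ matrix.arch }}
    runs-on: ${{ matrix.runner }}
    strategy:
      matrix:
        arch: [amd64, arm64]
        include:
          - arch: amd64
            runner: ubuntu-24.04
          - arch: arm64
            runner: arm-4core-linux-ubuntu24.04
    permissions:
      contents: read
      packages: write
      id-token: write # Required for OIDC authentication with AWS
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          sparse-checkout: .
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
        with:
          # Same account as the ECR publisher role used below; only the role differs.
          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/lading-ci-sccache-oidc
          # Region of the sccache bucket (see SCCACHE_REGION build-arg), kept
          # separate from ECR_REGION on purpose.
          aws-region: us-west-2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
        id: meta
        with:
          images: ghcr.io/datadog/lading
          # Per-arch images carry an arch suffix; the un-suffixed tag is
          # created later by the manifest job.
          flavor: |
            suffix=-${{ matrix.arch }}
            latest=false
          tags: |
            type=semver,pattern={{version}},event=tag
            type=sha,format=long
      - name: Build and push to GHCR
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          file: Dockerfile
          tags: ${{ steps.meta.outputs.tags }}
          push: true
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=registry,ref=ghcr.io/datadog/lading:cache-${{ matrix.arch }}
          cache-to: type=registry,ref=ghcr.io/datadog/lading:cache-${{ matrix.arch }},mode=max
          build-args: |
            SCCACHE_BUCKET=lading-sccache
            SCCACHE_REGION=us-west-2
          # Short-lived session credentials exported by the
          # configure-aws-credentials step, passed as BuildKit build secrets
          # (not build-args, which are recorded in image history).
          secrets: |
            aws_access_key_id=${{ env.AWS_ACCESS_KEY_ID }}
            aws_secret_access_key=${{ env.AWS_SECRET_ACCESS_KEY }}
            aws_session_token=${{ env.AWS_SESSION_TOKEN }}
  copy-to-ecr:
    name: Copy ${{ matrix.arch }} to ECR
    needs: build
    runs-on: ubuntu-latest
    strategy:
      matrix:
        arch: [amd64, arm64]
    permissions:
      contents: read
      id-token: write # Required for OIDC authentication
    steps:
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Configure AWS credentials via OIDC
        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
        with:
          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/lading-container-publisher-oidc
          aws-region: ${{ env.ECR_REGION }}
      - name: Log in to AWS ECR
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          # No username/password: the action picks up the AWS credentials
          # exported by the previous step for ECR registries.
          registry: ${{ env.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.ECR_REGION }}.amazonaws.com
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
      - name: Extract metadata
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
        id: meta
        with:
          # Must produce exactly the tags the build job pushed, so the same
          # images/flavor/tags configuration is repeated here.
          images: ghcr.io/datadog/lading
          flavor: |
            suffix=-${{ matrix.arch }}
            latest=false
          tags: |
            type=semver,pattern={{version}},event=tag
            type=sha,format=next
      - name: Copy to ECR
        # Expression values are handed to the script through env variables
        # instead of being interpolated into the script body, so the shell
        # only ever sees them as data.
        env:
          ECR_REGISTRY: ${{ env.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.ECR_REGION }}.amazonaws.com
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          # TAGS is newline-separated; word splitting yields one tag per iteration.
          for GHCR_TAG in $TAGS; do
            TAG_NAME="${GHCR_TAG##*:}"
            ECR_TAG="${ECR_REGISTRY}/lading:${TAG_NAME}"
            echo "Copying ${GHCR_TAG} to ${ECR_TAG}"
            # Re-tags the existing manifest into ECR without rebuilding.
            docker buildx imagetools create \
              --tag "${ECR_TAG}" \
              "${GHCR_TAG}"
          done
  manifest:
    name: Create ${{ matrix.registry }} manifest
    needs: [build, copy-to-ecr]
    runs-on: ubuntu-latest
    strategy:
      matrix:
        registry: [ghcr, ecr]
        # The registry hostname is computed by the "Set registry URL" step
        # because the ECR hostname depends on workflow env values.
        include:
          - registry: ghcr
            image_name: datadog/lading
          - registry: ecr
            image_name: lading
    permissions:
      contents: read
      packages: write
      id-token: write # Required for OIDC authentication
    steps:
      - name: Log in to GitHub Container Registry
        if: matrix.registry == 'ghcr'
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Configure AWS credentials via OIDC
        if: matrix.registry == 'ecr'
        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
        with:
          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/lading-container-publisher-oidc
          aws-region: ${{ env.ECR_REGION }}
      - name: Log in to AWS ECR
        if: matrix.registry == 'ecr'
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ${{ env.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.ECR_REGION }}.amazonaws.com
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
      - name: Set registry URL
        id: registry
        env:
          REGISTRY: ${{ matrix.registry }}
          ECR_REGISTRY: ${{ env.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.ECR_REGION }}.amazonaws.com
        run: |
          if [ "$REGISTRY" = "ghcr" ]; then
            echo "url=ghcr.io" >> "$GITHUB_OUTPUT"
          else
            echo "url=${ECR_REGISTRY}" >> "$GITHUB_OUTPUT"
          fi
      - name: Extract metadata
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
        id: meta
        with:
          images: ${{ steps.registry.outputs.url }}/${{ matrix.image_name }}
          # No arch suffix here: these are the multi-arch tags.
          flavor: |
            latest=false
          tags: |
            type=semver,pattern={{version}},event=tag
            type=sha,format=long
      - name: Create and push manifest
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          for TAG in $TAGS; do
            echo "Creating manifest for ${TAG}"
            # Combine the per-arch images pushed earlier under the un-suffixed tag.
            docker buildx imagetools create \
              --tag "${TAG}" \
              "${TAG}-amd64" \
              "${TAG}-arm64"
          done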