Add a GitHub workflow

Given this configuration, you should achieve the following outcome after completing this page:

Configuration
Environment pirates-dev
AppName too-tikki
Outcome
Workflow file .github/workflows/_gp_too-tikki_pirates-dev_build_and_push_image.yml

Step 1: Create configuration file

Create a new configuration file for the build-push workflow in your application repository:

repo-apps/.github/workflows/environments/dev/app-too-tikki/build-push.yml
AppName: too-tikki
Dispatch:
  Enable: false
OnPushPaths:
  - "main.go"
OnPushBranches:
  - "main"
Cache:
  Enable: false
Ecr:
  Enable: true
  Login: true
  Push: true
Ghcr:
  Enable: false
DockerfilePath: Dockerfile

This configuration file results in the workflow being executed when main.go is updated in the main branch of the too-tikki application repository. The workflow will build the Docker image using the Dockerfile in the root of the repository and push it to ECR.

Step 2: Add Docker build secrets (optional)

Are you using RUN instructions in your Dockerfile that require secrets, such as when authenticating with GitHub Packages? If so, you need to add these to the workflow configuration file.

repo-apps/.github/workflows/environments/dev/app-too-tikki/build-push.yml
DockerfilePath: Dockerfile
+DockerSecrets:
+  GPR_USERNAME: "secrets.GPR_USERNAME"
+  GPR_ACCESS_TOKEN: "secrets.GPR_ACCESS_TOKEN"

The example configuration will generate the following secret setup in the workflow:

Example secrets generated
DOCKER_SECRETS: |
  GPR_ACCESS_TOKEN=${{ secrets.GPR_ACCESS_TOKEN }}
  GPR_USERNAME=${{ secrets.GPR_USERNAME }}

Using secrets in RUN instructions

Secrets in DOCKER_SECRETS are available as volumes. Use the --mount option to mount them.

Example
RUN --mount=type=secret,id=GPR_USERNAME \
    --mount=type=secret,id=GPR_ACCESS_TOKEN \
    GPR_USERNAME=$(cat /run/secrets/GPR_USERNAME) \
    GPR_ACCESS_TOKEN=$(cat /run/secrets/GPR_ACCESS_TOKEN) \
    gradle buildFatJar --no-daemon

Ask in #origo-kjøremiljø-support if you need help with this.
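
The secret ids mounted in the Dockerfile should match the keys under DockerSecrets, and a secret should not also be declared as ARG or ENV, because those values are kept in image metadata. The check below is an added example, not part of the golden-path tooling; the function names, the sample configuration and the sample Dockerfile (including the `example/build-base:1` image) are constructed for illustration.

```python
import re
# Constructed sample inputs for illustration (not from a real repository).
CONFIG = '''\
DockerSecrets:
  GPR_USERNAME: "secrets.GPR_USERNAME"
  GPR_ACCESS_TOKEN: "secrets.GPR_ACCESS_TOKEN"
'''
DOCKERFILE = '''\
FROM example/build-base:1
ARG GPR_ACCESS_TOKEN
RUN --mount=type=secret,id=GPR_USERNAME \\
    --mount=type=secret,id=GPR_TOKEN \\
    GPR_USERNAME=$(cat /run/secrets/GPR_USERNAME) \\
    gradle buildFatJar --no-daemon
'''

def configured_secrets(config_text):
    """Keys under the top-level DockerSecrets mapping (flat YAML subset only)."""
    names, inside = set(), False
    for line in config_text.splitlines():
        if re.match(r"DockerSecrets:\s*$", line):
            inside = True
        elif inside and (m := re.match(r"\s+([A-Za-z_]\w*)\s*:", line)):
            names.add(m.group(1))
        elif line.strip() and not line[0].isspace():
            inside = False  # next top-level key ends the block
    return names

def lint(config_text, dockerfile_text):
    """Return sorted (finding, name) pairs; an empty list means consistent."""
    declared, mounted, findings = configured_secrets(config_text), set(), set()
    # Join backslash-continued lines so each instruction is one string.
    for instr in re.sub(r"\\[ \t]*\n", " ", dockerfile_text).splitlines():
        keyword, _, rest = instr.strip().partition(" ")
        if keyword.upper() == "RUN":
            for m in re.finditer(r"--mount=(\S+)", rest):
                opts = dict(o.partition("=")[::2] for o in m.group(1).split(","))
                if opts.get("type") == "secret" and "id" in opts:
                    mounted.add(opts["id"])
        elif keyword.upper() in ("ARG", "ENV"):
            # ARG/ENV values are stored in image metadata, unlike secret mounts.
            names = {t.split("=")[0] for t in rest.split()}
            findings |= {("arg-or-env", n) for n in names & declared}
    findings |= {("not-configured", s) for s in mounted - declared}
    findings |= {("unused", s) for s in declared - mounted}
    return sorted(findings)

if __name__ == "__main__":
    print(lint(CONFIG, DOCKERFILE))
```

On the constructed sample it reports the ARG declaration, the mistyped mount id `GPR_TOKEN`, and the configured secret that is never mounted.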

Step 3: Fetch the build-push template

repo-apps/.github/workflows/environments/dev/app-too-tikki
boilerplate \
  --template-url "git@github.com:oslokommune/golden-path-boilerplate.git//boilerplate/github-actions/docker-build-push/?ref=main" \
  --var-file build-push.yml \
  --var-file ../common-config.yml \
  --output-folder ../../../ \
  --non-interactive

Step 4: Verify

The application repository should now contain a new workflow file located at .github/workflows/_gp_too-tikki_pirates-dev_build_and_push_image.yml.

Commit your files

At this stage it is a good idea to commit your files.

Step 5: Try to run the workflow

Try to run the workflow in the application repository under Actions. It will fail because the workflow is not able to authenticate with AWS yet. The next section will show you how to configure this.

Next step

Create the IAM roles that will allow the workflow to push the image to ECR.