ci: test AWS ECR with OIDC

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Merge pull request #1007 from crazy-max/ci-creds-update
2026-06-10 18:30:22 +03:00 · 2026-06-10 14:32:23 +02:00 · 2026-06-09 10:45:03 +02:00 · 2026-06-04 16:19:19 +02:00 · 2026-06-04 16:19:18 +02:00 · 2026-06-04 16:19:18 +02:00
6 changed files with 274 additions and 197 deletions
@@ -7,6 +7,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+env:
+  GHCR_TEST_IMAGE: ghcr.io/docker/login-action-test:ci-${{ github.sha }}
+
 on:
  workflow_dispatch:
  schedule:
@@ -56,8 +59,39 @@ jobs:
          password: ${{ secrets.GITHUB_TOKEN }}
          logout: ${{ matrix.logout }}

+  push-ghcr:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Login to GitHub Container Registry
+        uses: ./
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Build and push test image
+        run: |
+          docker buildx build --push -t "${GHCR_TEST_IMAGE}" - <<EOF
+          FROM scratch
+          LABEL org.opencontainers.image.title="docker/login-action CI test image"
+          LABEL org.opencontainers.image.description="Empty image used by CI to verify GHCR authentication."
+          LABEL org.opencontainers.image.source="https://github.com/${GITHUB_REPOSITORY}"
+          EOF
+
  dind:
    runs-on: ubuntu-latest
+    needs:
+      - push-ghcr
+    permissions:
+      contents: read
+      packages: read
    env:
      DOCKER_CONFIG: $HOME/.docker
    steps:
@@ -69,19 +103,19 @@ jobs:
        uses: ./
        with:
          registry: ghcr.io
-          username: ${{ secrets.GHCR_USERNAME }}
-          password: ${{ secrets.GHCR_PAT }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
      -
        name: DinD
        uses: docker://docker:29.3@sha256:4d90f1f6c400315c2dba96d3ec93c01e64198395cbba04f79d12adce4f737029
        with:
          entrypoint: docker
-          args: pull ghcr.io/docker-ghactiontest/test
+          args: pull ${{ env.GHCR_TEST_IMAGE }}
      -
-        name: Pull private image
+        name: Pull test image
        run: |
          docker image prune -a -f >/dev/null 2>&1
-          docker pull ghcr.io/docker-ghactiontest/test
+          docker pull "${GHCR_TEST_IMAGE}"

  acr:
    runs-on: ubuntu-latest
@@ -93,7 +127,7 @@ jobs:
        name: Login to ACR
        uses: ./
        with:
-          registry: ${{ secrets.AZURE_REGISTRY_NAME }}.azurecr.io
+          registry: officialgithubactions.azurecr.io
          username: ${{ secrets.AZURE_CLIENT_ID }}
          password: ${{ secrets.AZURE_CLIENT_SECRET }}

@@ -113,8 +147,8 @@ jobs:
        name: Login to Docker Hub
        uses: ./
        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
+          password: ${{ secrets.DOCKERPUBLICBOT_READ_PAT }}

  ecr:
    runs-on: ${{ matrix.os }}
@@ -132,7 +166,7 @@ jobs:
        name: Login to ECR
        uses: ./
        with:
-          registry: ${{ secrets.AWS_ACCOUNT_NUMBER }}.dkr.ecr.us-east-1.amazonaws.com
+          registry: 175142243308.dkr.ecr.us-east-1.amazonaws.com
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

@@ -159,7 +193,34 @@ jobs:
        name: Login to ECR
        uses: ./
        with:
-          registry: ${{ secrets.AWS_ACCOUNT_NUMBER }}.dkr.ecr.us-east-1.amazonaws.com
+          registry: 175142243308.dkr.ecr.us-east-1.amazonaws.com
+
+  ecr-oidc:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - windows-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2
+        with:
+          role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd_login_action
+          aws-region: us-east-1
+      -
+        name: Login to ECR
+        uses: ./
+        with:
+          registry: 175142243308.dkr.ecr.us-east-1.amazonaws.com

  ecr-public:
    runs-on: ${{ matrix.os }}
@@ -210,6 +271,34 @@ jobs:
        with:
          registry: public.ecr.aws

+  ecr-public-oidc:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - windows-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2
+        with:
+          role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd_login_action
+          aws-region: us-east-1
+      -
+        name: Login to Public ECR
+        continue-on-error: ${{ matrix.os == 'windows-latest' }}
+        uses: ./
+        with:
+          registry: public.ecr.aws
+
  ghcr:
    runs-on: ${{ matrix.os }}
    strategy:
@@ -266,7 +355,7 @@ jobs:
        name: Login to Google Artifact Registry
        uses: ./
        with:
-          registry: ${{ secrets.GAR_LOCATION }}-docker.pkg.dev
+          registry: us-east4-docker.pkg.dev
          username: _json_key
          password: ${{ secrets.GAR_JSON_KEY }}

@@ -301,8 +390,8 @@ jobs:
        uses: ./
        with:
          registry-auth: |
-            - username: ${{ secrets.DOCKERHUB_USERNAME }}
-              password: ${{ secrets.DOCKERHUB_TOKEN }}
+            - username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
+              password: ${{ secrets.DOCKERPUBLICBOT_READ_PAT }}
            - registry: ghcr.io
              username: ${{ github.actor }}
              password: ${{ secrets.GITHUB_TOKEN }}
@@ -350,8 +439,8 @@ jobs:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
          registry-auth: |
-            - username: ${{ secrets.DOCKERHUB_USERNAME }}
-              password: ${{ secrets.DOCKERHUB_TOKEN }}
+            - username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
+              password: ${{ secrets.DOCKERPUBLICBOT_READ_PAT }}
      -
        name: Check
        run: |
@@ -376,8 +465,8 @@ jobs:
        name: Login to Docker Hub
        uses: ./
        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
+          password: ${{ secrets.DOCKERPUBLICBOT_READ_PAT }}
          scope: '@push'
      -
        name: Print config.json files
@@ -406,8 +495,8 @@ jobs:
        name: Login to Docker Hub
        uses: ./
        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
+          password: ${{ secrets.DOCKERPUBLICBOT_READ_PAT }}
          scope: 'docker/buildx-bin@push'
      -
        name: Print config.json files
@@ -2821,12 +2821,11 @@ SOFTWARE.

 -----------

-The following npm packages may be included in this product:
+The following npm package may be included in this product:

 - js-yaml@4.1.1
- - js-yaml@4.2.0

-These packages each contain the following license:
+This package contains the following license:

 (The MIT License)

@@ -29,7 +29,7 @@
    "@docker/actions-toolkit": "^0.91.0",
    "http-proxy-agent": "^9.0.0",
    "https-proxy-agent": "^9.0.0",
-    "js-yaml": "^4.2.0"
+    "js-yaml": "^4.1.1"
  },
  "devDependencies": {
    "@eslint/js": "^9.39.3",
@@ -3276,7 +3276,7 @@ __metadata:
    globals: "npm:^17.3.0"
    http-proxy-agent: "npm:^9.0.0"
    https-proxy-agent: "npm:^9.0.0"
-    js-yaml: "npm:^4.2.0"
+    js-yaml: "npm:^4.1.1"
    prettier: "npm:^3.8.1"
    typescript: "npm:^5.9.3"
    vitest: "npm:^4.0.18"
@@ -4459,17 +4459,6 @@ __metadata:
  languageName: node
  linkType: hard

-"js-yaml@npm:^4.2.0":
-  version: 4.2.0
-  resolution: "js-yaml@npm:4.2.0"
-  dependencies:
-    argparse: "npm:^2.0.1"
-  bin:
-    js-yaml: bin/js-yaml.js
-  checksum: 10/51de2067a2b44b07ba5206132e56005f8b568ff279bb4d2f645068958c56fa4827d40a6841c983234671fa0a134bf094d0b0717873c2a3d319185297af145a6d
-  languageName: node
-  linkType: hard
-
 "jsbn@npm:1.1.0":
  version: 1.1.0
  resolution: "jsbn@npm:1.1.0"
Author	SHA1	Message	Date
CrazyMax	eb1946f59c	ci: test AWS ECR with OIDC Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-06-10 14:32:23 +02:00
CrazyMax	946f94de75	Merge pull request #1007 from crazy-max/ci-creds-update ci: update registry auth credentials	2026-06-09 10:45:03 +02:00
CrazyMax	f50e5f80f8	ci: update registry to auth to gar Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-06-04 16:19:19 +02:00
CrazyMax	c5e5fd0017	ci: update registry to auth to acr Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-06-04 16:19:18 +02:00
CrazyMax	60e5331f1c	ci: update registry to auth to ecr Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-06-04 16:19:18 +02:00
CrazyMax	6a848e5a16	ci: update secrets to auth to docker hub Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-06-04 16:19:18 +02:00
CrazyMax	0267638d8a	Merge pull request #1008 from crazy-max/ci-ghcr-dind-test-image ci: replace GHCR PAT in DinD test	2026-06-04 16:12:23 +02:00
CrazyMax	250c56f969	ci: replace GHCR PAT in DinD test Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-06-02 14:16:24 +02:00