@@ -3,14 +3,16 @@ name: China Cloud Deployment
33on :
44 push :
55 branches : [ya/china-cloud-cd]
6- # paths: ["cloud/**"]
76
87jobs :
98 china-cloud-deploy :
109 runs-on : ubuntu-latest
1110 permissions :
12- id-token : write
1311 contents : read
12+ env :
13+ ACR_INSTANCE_ID : cri-h675v46p9lj694l6
14+ ACR_REGION_ID : cn-shenzhen
15+ ACR_PUBLIC_DOMAIN : mentra-acr-cnsz-a-registry.cn-shenzhen.cr.aliyuncs.com
1416
1517 steps :
1618 # 1. Checkout source code
@@ -21,80 +23,54 @@ jobs:
2123 run : echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
2224
2325 # 3. Compute Docker tags dynamically
24- # - id: docker-tags
25- # run: |
26- # BRANCH=${GITHUB_REF_NAME//\//-} # replace / with - for valid tag
27- # TAGS="${BRANCH}-${{ steps.vars.outputs.sha_short }}"
28- # # Add 'latest' only for main or release branches
29- # if [[ "$GITHUB_REF_NAME" == "main" || "$GITHUB_REF_NAME" == release/* ]]; then
30- # TAGS="$TAGS latest"
31- # fi
32- # echo "tags=$TAGS" >> "$GITHUB_OUTPUT"
3326 - id : docker-tags
3427 run : |
35- BRANCH=${GITHUB_REF_NAME//\//-} # replace / with -
28+ BRANCH=${GITHUB_REF_NAME//\//-}
3629 echo "tags=$BRANCH latest" >> "$GITHUB_OUTPUT"
3730
3831 # 4. Docker Buildx
3932 - uses : docker/setup-buildx-action@v2
4033
41- # 5. Install and configure Alibaba Cloud CLI
34+ # 5. Install Alibaba Cloud CLI
4235 - name : Install Alibaba Cloud CLI
4336 run : |
4437 curl -sSL https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz | tar -xz
4538 sudo mv aliyun /usr/local/bin/
4639
40+ # 6. Configure Alibaba CLI with long-lived AK/SK
4741 - name : Configure Alibaba Cloud CLI
4842 run : |
4943 aliyun configure set \
5044 --profile default \
5145 --mode AK \
52- --region cn-shenzhen \
46+ --region $ACR_REGION_ID \
5347 --access-key-id ${{ secrets.ALIBABA_ACCESS_KEY_ID }} \
5448 --access-key-secret ${{ secrets.ALIBABA_ACCESS_KEY_SECRET }}
5549 shell : bash
5650
57- # 6. AssumeRole → generate STS token
58- - id : sts
51+ # 7. Get temporary Docker login token
52+ - id : acr-token
5953 run : |
60- # Get JSON output and store in a variable
61- CREDS_JSON=$(aliyun sts AssumeRole \
62- --RoleArn "${{ secrets.ALIBABA_STS_ROLE_ARN }}" \
63- --RoleSessionName "github-actions" \
64- --DurationSeconds 3600)
65-
66- # Extract values using jq
67- AKID=$(echo "$CREDS_JSON" | jq -r '.Credentials.AccessKeyId')
68- TOKEN=$(echo "$CREDS_JSON" | jq -r '.Credentials.SecurityToken')
69-
70- # Output for next steps
71- echo "akid=$AKID" >> "$GITHUB_OUTPUT"
54+ TOKEN=$(aliyun cr GetAuthorizationToken \
55+ --InstanceId $ACR_INSTANCE_ID \
56+ --RegionId $ACR_REGION_ID \
57+ | jq -r '.AuthorizationToken')
7258 echo "token=$TOKEN" >> "$GITHUB_OUTPUT"
7359
74- # For debugging
75- echo "Temporary credentials generated successfully"
76-
77- # 7. Get ACR authorization token and login
78- - name : Login to ACR
60+ # 8. Docker login with temporary token
61+ - name : Docker Login to ACR
7962 run : |
80- # Get ACR authorization token using STS credentials
81- AUTH_TOKEN=$(aliyun cr GetAuthorizationToken \
82- --InstanceId mentra-acr-cnsz-a \
83- --access-key-id ${{ steps.sts.outputs.akid }} \
84- --access-key-secret $(echo "${{ steps.sts.outputs.token }}" | cut -d'.' -f1) \
85- --sts-token ${{ steps.sts.outputs.token }} \
86- --region cn-shenzhen | jq -r '.data.authorizationToken')
87-
88- # Login to ACR
89- echo $AUTH_TOKEN | docker login \
90- --username=cr_temp_user \
91- --password-stdin \
92- mentra-acr-cnsz-a-registry.cn-shenzhen.cr.aliyuncs.com
63+ docker login \
64+ --username cr_temp_user \
65+ --password ${{ steps.acr-token.outputs.token }} \
66+ $ACR_PUBLIC_DOMAIN
9367
94- # 8 . Build & push Docker image
68+ # 9 . Build & push Docker image
9569 - uses : docker/build-push-action@v4
9670 with :
9771 context : ./cloud
9872 file : ./cloud/docker/Dockerfile.porter
9973 push : true
100- tags : ${{ steps.docker-tags.outputs.tags }}
74+ tags : |
75+ ${{ env.ACR_PUBLIC_DOMAIN }}/mentra-dev/backend:${{ steps.vars.outputs.sha_short }}
76+ ${{ env.ACR_PUBLIC_DOMAIN }}/mentra-dev/backend:latest
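Review bot: The login step at new lines 63–66 passes the registry token as `--password` on the docker command line, where it is visible in the run log (the `${{ steps.acr-token.outputs.token }}` expression is expanded into the printed script, and step outputs are not masked the way `secrets.*` values are) and in the process list; the `--password-stdin` form this commit removes was the safer one. Mask the value where it is produced by adding `echo "::add-mask::$TOKEN"` before the `echo "token=$TOKEN"` line in the acr-token step, and deliver it over stdin again: `echo "${{ steps.acr-token.outputs.token }}" | docker login --username cr_temp_user --password-stdin "$ACR_PUBLIC_DOMAIN"`. The acr-token step also pipes `aliyun cr GetAuthorizationToken` into `jq` without `shell: bash` (which the configure step does set and which brings `pipefail`), so a failed CLI call would presumably yield `token=null` and surface only as a confusing login failure later; adding `shell: bash` to that step as well would fail fast at the source. The `docker-tags` step's `tags` output is no longer consumed now that the build step lists its tags directly, so that step looks like dead code.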