abronin / ecr-retag-action Goto Github PK

I have build a workflow that supports the tagging of many images within my organisation. (Using this workflow) I would find it useful to have a continue on error if the image I am trying to retag does not exist.

I have tried this but it does not work

  - name: Tag web
    uses: abronin/ecr-retag-action@v1
    continue-on-error: ${{ inputs.continue-on-error }}
    with:
      aws-account-id: ${{ steps.config-aws-creds.outputs.aws-account-id }}
      aws-region: ${{ inputs.aws-region }}
      repository: ###
      tag: ${{ inputs.tag_to_identify_containers }}
      new-tags: ${{ inputs.new_tag_to_apply_to_containers }}

I initially followed the readme and used @v1 however because there is an old tag with that name it doesn't do the usual semantic versioning thing of downloading the latest i.e. v1.5.0. Maybe deleting the old tag would help this problem?

As GitHub is dropping support for Node 16, it would be great to see this updated to Node 20.

https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/

Thanks for a really useful piece of code 👍

Hi, first of all, thanks for sharing.

I was trying your action, and my use case is the following: I'm using a multi-account setup, where I have my ECR repositories in a shared-services account, and access them from environment accounts (Dev, Staging, Prod). To grant access beside the IAM Role on the environment account, I'm using a Resource Policy on ECR to allow access from the other accounts on the same AWS Organization.

I have other workflows running with this setup, but if I want to re-tag an image I was doing a push. Since you mentioned it's not necessary I wanted to try your action.

This is how I'm using your action:

    - name: Adding environment tag
      uses: abronin/ecr-retag-action@v1
      with:
        repository: ${{ secrets.SHARED_AWS_ECR_DOMAIN }}/${{ env.ECR_REPOSITORY }}
        tag: ${{ github.event.inputs.imageTag }}
        new-tags: ${{ env.ENVIRONMENT }}

Where:

repository: 111111111111.dkr.ecr.us-east-1.amazonaws.com/myRepositoryName
tag: v0.11.6
new-tags: staging

Assume the account id of my shared ECR is 111111111111 and the account id where I'm logging in with aws-actions/configure-aws-credentials@v1 is 222222222222.

The error I'm getting is:

User: arn:aws:sts::222222222222:assumed-role/***/deploy-application-staging is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:us-east-1:222222222222:repository/***/application because no identity-based policy allows the ecr:BatchGetImage action

Which tells me that the action is trying to use the repository on the account 222222222222 instead of doing it in the 111111111111, as I specified on the repository parameter.

Let me know if you plan to support this use case.

Thanks!