From df5abcf5a85447324f5ec1ca20af6a4cbca61249 Mon Sep 17 00:00:00 2001
From: John DiSanti
Date: Fri, 3 Feb 2023 03:17:51 -0800
Subject: [PATCH] Fix CI on main and don't acquire Docker login for forks (#2295)

* Fix CI on main and don't acquire Docker login for forks
* Convert empty env vars into `None`
* Optimize base image acquisition on main
---
 .github/scripts/acquire-build-image | 4 +--
 .github/workflows/ci-main.yml | 39 ++++++++++++++++++-----------
 .github/workflows/ci-pr.yml | 3 ++-
 3 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/.github/scripts/acquire-build-image b/.github/scripts/acquire-build-image
index ec2ed027b..4c18b90ca 100755
--- a/.github/scripts/acquire-build-image
+++ b/.github/scripts/acquire-build-image
@@ -64,8 +64,8 @@ class Context:
 image_tag = get_cmd_output("./docker-image-hash", cwd=script_path)[1]
 allow_local_build = os.getenv("ALLOW_LOCAL_BUILD") != "false"
 github_actions = os.getenv("GITHUB_ACTIONS") == "true"
- encrypted_docker_password = os.getenv("ENCRYPTED_DOCKER_PASSWORD")
- docker_passphrase = os.getenv("DOCKER_LOGIN_TOKEN_PASSPHRASE")
+ encrypted_docker_password = os.getenv("ENCRYPTED_DOCKER_PASSWORD") or None
+ docker_passphrase = os.getenv("DOCKER_LOGIN_TOKEN_PASSPHRASE") or None
 print(f"Start path: {start_path}")
 print(f"Script path: {script_path}")
diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
index 196c7544e..cfc904208 100644
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -19,40 +19,51 @@ env:
 ecr_repository: public.ecr.aws/w0m4q9l7/github-awslabs-smithy-rs-ci
 jobs:
- # Rebuild and upload the Docker build image
- rebuild-docker-build-image:
+ # Build and upload the Docker build image if necessary
+ acquire-base-image:
 runs-on: smithy_ubuntu-latest_8-core
- name: Rebuild image
+ name: Acquire Base Image
+ outputs:
+ docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}
 permissions:
 id-token: write
 contents: read
 steps:
 - name: Checkout
 uses: actions/checkout@v3
- - name: Build image
- run: |
- IMAGE_TAG="$(./.github/scripts/docker-image-hash)"
- cd tools/ci-build
- docker build \
- -t "${{ env.ecr_repository }}:${IMAGE_TAG}" \
- -t "${{ env.ecr_repository }}:main" \
- .
 - name: Acquire credentials
 uses: aws-actions/configure-aws-credentials@v1-node16
 with:
 role-to-assume: ${{ secrets.SMITHY_RS_PUBLIC_ECR_PUSH_ROLE_ARN }}
 role-session-name: GitHubActions
 aws-region: us-west-2
- - name: Upload image
+ - name: Save the docker login password to the output
+ id: set-token
+ run: |
+ ENCRYPTED_PAYLOAD=$(
+ gpg --symmetric --batch --passphrase "${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}" --output - <(aws ecr-public get-login-password --region us-east-1) | base64 -w0
+ )
+ echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> $GITHUB_OUTPUT
+ - name: Acquire base image
+ id: acquire
+ env:
+ DOCKER_BUILDKIT: 1
+ ENCRYPTED_DOCKER_PASSWORD: ${{ steps.set-token.outputs.docker-login-password }}
+ DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
+ run: ./.github/scripts/acquire-build-image
+ - name: Tag and upload image
 run: |
 IMAGE_TAG="$(./.github/scripts/docker-image-hash)"
- aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
+ docker tag "${{ env.ecr_repository }}:${IMAGE_TAG}" "${{ env.ecr_repository }}:main"
 docker push "${{ env.ecr_repository }}:${IMAGE_TAG}"
 docker push "${{ env.ecr_repository }}:main"
 # Run the shared CI after a Docker build image has been uploaded to ECR
 ci:
- needs: rebuild-docker-build-image
+ needs: acquire-base-image
 uses: ./.github/workflows/ci.yml
 with:
 run_sdk_examples: true
+ secrets:
+ ENCRYPTED_DOCKER_PASSWORD: ${{ needs.acquire-base-image.outputs.docker-login-password }}
+ DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
diff --git a/.github/workflows/ci-pr.yml b/.github/workflows/ci-pr.yml
index c1b55a258..374d23a9b 100644
--- a/.github/workflows/ci-pr.yml
+++ b/.github/workflows/ci-pr.yml
@@ -20,13 +20,14 @@ jobs:
 # be encrypted with the passphrase stored as a GitHub secret. The login password expires after 12h.
 # The login password is encrypted with the repo secret DOCKER_LOGIN_TOKEN_PASSPHRASE
 save-docker-login-token:
+ name: Save a docker login token
+ if: ${{ github.event.pull_request.head.repo.full_name == 'awslabs/smithy-rs' }}
 outputs:
 docker-login-password: ${{ steps.set-token.outputs.docker-login-password }}
 permissions:
 id-token: write
 contents: read
 continue-on-error: true
- name: Save a docker login token
 runs-on: ubuntu-latest
 steps:
 - name: Attempt to load a docker login password
--
GitLab
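Review bot: The two new `or None` assignments need a comment saying why an empty string has to collapse to `None`, because nothing in the script explains it and a later reader will be tempted to "simplify" it away. The reason appears to be that GitHub Actions hands a secret that was never passed to the reusable workflow, or the output of a job that was skipped (as `save-docker-login-token` now is for fork PRs in ci-pr.yml), to the step as `""` rather than leaving the variable unset, so a plain `os.getenv(...)` would presumably return a non-`None` value and the login path would run with empty credentials. Suggest `# GitHub Actions passes an absent secret / skipped-job output as "" rather than unset (e.g. fork PRs); normalise to None so the docker login is skipped` above the first changed line. The enclosing definition inside `class Context` starts before and ends after this hunk.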
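Review bot: In the new `Save the docker login password to the output` step the passphrase is expanded by `${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}` directly into the generated shell script and then passed to gpg as `--passphrase "..."`, which places the secret on the gpg command line where any other process on the runner can read it from the process table (`ps`, `/proc/<pid>/cmdline`); the `Acquire base image` step just below already does the safer thing by passing the same secret through `env:`. Move it into `env:` for this step as well and feed gpg over a file descriptor rather than an argument; while there, quote `$GITHUB_OUTPUT` and enable `pipefail`, because with the default `bash -e` a failure of `aws ecr-public get-login-password` inside the `<( ... )` process substitution is not propagated, so the step would emit an encrypted empty payload that only surfaces later at `docker push`. Separately, the removed `docker login` line means `Tag and upload image` now relies on the login that `acquire-build-image` appears to leave in `~/.docker/config.json`; if `smithy_ubuntu-latest_8-core` is a persistent or self-hosted runner that file outlives the job, so a final `docker logout public.ecr.aws` step with `if: always()` is worth adding.
```yaml
    - name: Save the docker login password to the output
      id: set-token
      env:
        DOCKER_LOGIN_TOKEN_PASSPHRASE: ${{ secrets.DOCKER_LOGIN_TOKEN_PASSPHRASE }}
      run: |
        set -euo pipefail
        ENCRYPTED_PAYLOAD=$(
          aws ecr-public get-login-password --region us-east-1 \
            | gpg --symmetric --batch --pinentry-mode loopback --passphrase-fd 3 --output - 3<<<"$DOCKER_LOGIN_TOKEN_PASSPHRASE" \
            | base64 -w0
        )
        echo "docker-login-password=$ENCRYPTED_PAYLOAD" >> "$GITHUB_OUTPUT"
    # … unchanged: Acquire base image / Tag and upload image steps …
```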
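Review bot: The new `if:` pins the upstream repository as the literal `'awslabs/smithy-rs'`, so a transfer or rename of the repository would silently make every pull request, including same-repo ones, look like a fork and lose the docker login; compare against the repository the workflow is running in instead: `if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}`. Because dependents of a skipped job are themselves skipped under the default `success()` condition, any job that `needs: save-docker-login-token` and reads `docker-login-password` has to carry `if: ${{ !cancelled() }}` (or `always()`) to keep running on fork PRs — that consumer is outside this hunk, so this is worth verifying; the existing `continue-on-error: true` covers a failure but not a skip. A one-line comment above the `if:`, such as `# Fork PRs cannot read repo secrets, so skip the login entirely; downstream jobs must tolerate an empty docker-login-password`, would explain the gate to the next reader. The `save-docker-login-token` job continues past the end of the hunk.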