From 0e812eab2792e2b0314b23cc4a951c4714abd379 Mon Sep 17 00:00:00 2001
From: Ben Moskovitz
Date: Thu, 18 Jul 2024 12:39:24 +1000
Subject: [PATCH] Log in to buildkite packages right before pushing images
---
 .buildkite/steps/publish-docker-image.sh | 7 +++++++
 .buildkite/steps/publish-docker-images.sh | 5 -----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/.buildkite/steps/publish-docker-image.sh b/.buildkite/steps/publish-docker-image.sh
index ebdff2aa00..9968b32b63 100755
--- a/.buildkite/steps/publish-docker-image.sh
+++ b/.buildkite/steps/publish-docker-image.sh
@@ -40,6 +40,13 @@ release_image() {
 dry_run skopeo copy --multi-arch all "docker://${source_image}" "docker://docker.io/buildkite/${target_image}:${tag}"
 echo "--- :github: Copying ${target_image}:${tag} to GHCR"
 dry_run skopeo copy --multi-arch all "docker://${source_image}" "docker://ghcr.io/buildkite/${target_image}:${tag}"
+
+ # OIDC tokens only last 5 minutes, and issuing them is cheap, so log in as close as possible to the push
+ buildkite-agent oidc request-token \
+ --audience "https://packages.buildkite.com/buildkite/agent-docker" \
+ --lifetime 300 \
+ | docker login packages.buildkite.com/buildkite/agent-docker --username=buildkite --password-stdin
+
 echo "--- :buildkite: Copying ${target_image}:${tag} to Buildkite Packages"
 dry_run skopeo copy --multi-arch all "docker://${source_image}" "docker://packages.buildkite.com/buildkite/agent-docker/${target_image}:${tag}"
 }
diff --git a/.buildkite/steps/publish-docker-images.sh b/.buildkite/steps/publish-docker-images.sh
index c081f14bc0..1815ce6e25 100755
--- a/.buildkite/steps/publish-docker-images.sh
+++ b/.buildkite/steps/publish-docker-images.sh
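Review bot: The login pipeline added to `release_image` runs unconditionally, while every `skopeo copy` around it goes through `dry_run`, so a dry-run build would still mint an OIDC token and store a registry credential on the agent; consider skipping the login under the same condition `dry_run` checks (that helper is defined outside this hunk, so its flag is not visible here). The pipeline's exit status is that of `docker login` unless `set -o pipefail` is in effect earlier in the script, so a failed `buildkite-agent oidc request-token` would surface only as a login error; confirm the option is set. The login also runs before the `echo "--- :buildkite: Copying ${target_image}:${tag} to Buildkite Packages"` header, so its output is logged under the GHCR group; moving that `echo` above the comment would keep login failures in the matching section. `release_image` begins above the hunk.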
@@ -46,11 +46,6 @@ aws ssm get-parameter \
 echo "--- docker login to Buildkite Packages"
-buildkite-agent oidc request-token \
- --audience "https://packages.buildkite.com/buildkite/agent-docker" \
- --lifetime 300 \
- | docker login packages.buildkite.com/buildkite/agent-docker --username=buildkite --password-stdin
-
 version=$(buildkite-agent meta-data get "agent-version")
 build=$(buildkite-agent meta-data get "agent-version-build")