From e41c7c6f20d5b428a9d5c4bd4f752aa8b6f7573f Mon Sep 17 00:00:00 2001 From: ab77 Date: Thu, 2 Nov 2023 08:16:50 -0700 Subject: [PATCH] AWS/ECR public support change-type: patch --- .github/workflows/flowzone.yml | 30 ++++++++++++++++++++++++++++++ flowzone.yml | 13 +++++++++++++ 2 files changed, 43 insertions(+) diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml index f90b9246e..e66c67e3c 100644 --- a/.github/workflows/flowzone.yml +++ b/.github/workflows/flowzone.yml @@ -2157,6 +2157,21 @@ jobs: registry: docker.io username: ${{ secrets.DOCKERHUB_USER || secrets.DOCKER_REGISTRY_USER }} password: ${{ secrets.DOCKERHUB_TOKEN || secrets.DOCKER_REGISTRY_PASS }} + - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a + if: github.event.pull_request.head.repo.full_name == github.repository + continue-on-error: true + with: + role-to-assume: ${{ matrix.role || inputs.aws_iam_role }} + role-session-name: github-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }} + aws-region: ${{ matrix.region || inputs.aws_region }} + mask-aws-account-id: false + - name: Get caller identity (AWS/whoami) + run: aws sts get-caller-identity + - name: Login to AWS/ECR (public) + continue-on-error: true + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d + with: + registry: public.ecr.aws - name: Publish manifest to remote(s) uses: akhilerm/tag-push-action@85bf542f43f5f2060ef76262a67ee3607cb6db37 with: 
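Review bot: The `Get caller identity (AWS/whoami)` step carries neither the `if:` guard nor the `continue-on-error: true` of the credentials step before it, so when that step is skipped (fork PRs) or fails (no role configured), `aws sts get-caller-identity` runs without credentials and will presumably fail the job before `Publish manifest to remote(s)`. Give it the same two lines, `if: github.event.pull_request.head.repo.full_name == github.repository` and `continue-on-error: true`. The identical block in the second hunk of this file (before `Publish final tags`) has the same gap. With `mask-aws-account-id: false`, the account ID and role ARN printed by this call also land unmasked in the job log, so a comment such as `# account ID intentionally unmasked for debugging` would record that this is deliberate. If this file is generated from `flowzone.yml`, as the aliases there suggest, the fix belongs in the `getAWSCallerIdentity` anchor, which this patch does not show.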
@@ -2350,6 +2365,21 @@ jobs: registry: docker.io username: ${{ secrets.DOCKERHUB_USER || secrets.DOCKER_REGISTRY_USER }} password: ${{ secrets.DOCKERHUB_TOKEN || secrets.DOCKER_REGISTRY_PASS }} + - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a + if: github.event.pull_request.head.repo.full_name == github.repository + continue-on-error: true + with: + role-to-assume: ${{ matrix.role || inputs.aws_iam_role }} + role-session-name: github-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }} + aws-region: ${{ matrix.region || inputs.aws_region }} + mask-aws-account-id: false + - name: Get caller identity (AWS/whoami) + run: aws sts get-caller-identity + - name: Login to AWS/ECR (public) + continue-on-error: true + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d + with: + registry: public.ecr.aws - name: Publish final tags uses: akhilerm/tag-push-action@85bf542f43f5f2060ef76262a67ee3607cb6db37 with: diff --git a/flowzone.yml b/flowzone.yml index 884ce145b..52de7d77f 100644 --- a/flowzone.yml +++ b/flowzone.yml @@ -162,6 +162,13 @@ # so this will fail for external PRs as the automatic actions token will be read-only password: ${{ secrets.GITHUB_TOKEN }} + - &loginWithECRPublic + name: Login to AWS/ECR (public) + continue-on-error: true + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: public.ecr.aws + - &customWorkingDirectory defaults: run: @@ -2409,6 +2416,9 @@ jobs: - *loginWithGitHubContainerRegistry - *loginWithDockerHub + - *configureAWSCredentials + - *getAWSCallerIdentity + - *loginWithECRPublic # https://github.com/akhilerm/tag-push-action - name: Publish manifest to remote(s) @@ -2479,6 +2489,9 @@ jobs: - *setupCrane - *loginWithGitHubContainerRegistry - *loginWithDockerHub + - *configureAWSCredentials + - *getAWSCallerIdentity + - *loginWithECRPublic # https://github.com/akhilerm/tag-push-action - name: Publish final tags
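Review bot: `continue-on-error: true` on the new `loginWithECRPublic` anchor hides a failed login, so a missing or wrong role only surfaces later as a push error at the tag-push step, or not at all if no `public.ecr.aws` tag is requested. Consider replacing it with the guard the credentials step uses, `if: github.event.pull_request.head.repo.full_name == github.repository`, so the step is skipped when no credentials can exist and fails loudly otherwise. The step also sets no region of its own, so it inherits whatever `matrix.region || inputs.aws_region` exported. As far as I know, ECR Public auth tokens are issued only in us-east-1, so adding `env: { AWS_REGION: us-east-1 }` to the anchor would make the login independent of the caller's region. Both points apply wherever `*loginWithECRPublic` is referenced in the two later hunks.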