Merge pull request #1016 from docker/ci-ecr-oidc

ci: test AWS ECR with OIDC

.github/workflows/ci.yml

@@ -195,6 +195,33 @@ jobs:
         with:
           registry: 175142243308.dkr.ecr.us-east-1.amazonaws.com
 
+  ecr-oidc:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - windows-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2
+        with:
+          role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd_login_action
+          aws-region: us-east-1
+      -
+        name: Login to ECR
+        uses: ./
+        with:
+          registry: 175142243308.dkr.ecr.us-east-1.amazonaws.com
+
   ecr-public:
     runs-on: ${{ matrix.os }}
     strategy:
@@ -244,6 +271,34 @@ jobs:
         with:
           registry: public.ecr.aws
 
+  ecr-public-oidc:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - windows-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      -
+        name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2
+        with:
+          role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd_login_action
+          aws-region: us-east-1
+      -
+        name: Login to Public ECR
+        continue-on-error: ${{ matrix.os == 'windows-latest' }}
+        uses: ./
+        with:
+          registry: public.ecr.aws
+
   ghcr:
     runs-on: ${{ matrix.os }}
     strategy:

dist/licenses.txt

@@ -2891,7 +2891,7 @@ The following npm packages may be included in this product:
  - agent-base@9.0.0
  - https-proxy-agent@7.0.4
  - https-proxy-agent@7.0.6
- - https-proxy-agent@9.1.0
+ - https-proxy-agent@9.0.0
  - socks-proxy-agent@8.0.3
 
 These packages each contain the following license:
@@ -2924,7 +2924,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 The following npm packages may be included in this product:
 
  - http-proxy-agent@7.0.2
- - http-proxy-agent@9.1.0
+ - http-proxy-agent@9.0.0
 
 These packages each contain the following license:
 
@@ -5604,7 +5604,6 @@ The following npm packages may be included in this product:
  - imurmurhash@0.1.4
  - is-gzip@1.0.0
  - isarray@1.0.0
- - proxy-agent-negotiate@1.1.0
  - xml-naming@0.1.0
 
 These packages each contain the following license:

package.json

@@ -27,8 +27,8 @@
     "@aws-sdk/client-ecr": "^3.1050.0",
     "@aws-sdk/client-ecr-public": "^3.1050.0",
     "@docker/actions-toolkit": "^0.91.0",
-    "http-proxy-agent": "^9.1.0",
-    "https-proxy-agent": "^9.1.0",
+    "http-proxy-agent": "^9.0.0",
+    "https-proxy-agent": "^9.0.0",
     "js-yaml": "^4.1.1"
   },
   "devDependencies": {

yarn.lock

@@ -3274,8 +3274,8 @@ __metadata:
     eslint-plugin-prettier: "npm:^5.5.5"
     generate-license-file: "npm:^4.1.1"
     globals: "npm:^17.3.0"
-    http-proxy-agent: "npm:^9.1.0"
-    https-proxy-agent: "npm:^9.1.0"
+    http-proxy-agent: "npm:^9.0.0"
+    https-proxy-agent: "npm:^9.0.0"
     js-yaml: "npm:^4.1.1"
     prettier: "npm:^3.8.1"
     typescript: "npm:^5.9.3"
@@ -4129,14 +4129,13 @@ __metadata:
   languageName: node
   linkType: hard
 
-"http-proxy-agent@npm:^9.1.0":
-  version: 9.1.0
-  resolution: "http-proxy-agent@npm:9.1.0"
+"http-proxy-agent@npm:^9.0.0":
+  version: 9.0.0
+  resolution: "http-proxy-agent@npm:9.0.0"
   dependencies:
     agent-base: "npm:9.0.0"
     debug: "npm:^4.3.4"
-    proxy-agent-negotiate: "npm:1.1.0"
-  checksum: 10/d76441afe6849c3ea6f8143371062908fe4cb1037c5f6ad709f068e8086afd544e1980cc33b06513770878f423529db6f33ac0b5db4877214ec5a157e1e950c9
+  checksum: 10/8cf23a49ab274b2a5199011e5a96268d75dd6e4031cf72b723182c41b47d876c507c2fa125451743b87cd9f826cf60f5260dcc5e7db58f9dcc38823c9c07e625
   languageName: node
   linkType: hard
 
@@ -4160,14 +4159,13 @@ __metadata:
   languageName: node
   linkType: hard
 
-"https-proxy-agent@npm:^9.1.0":
-  version: 9.1.0
-  resolution: "https-proxy-agent@npm:9.1.0"
+"https-proxy-agent@npm:^9.0.0":
+  version: 9.0.0
+  resolution: "https-proxy-agent@npm:9.0.0"
   dependencies:
     agent-base: "npm:9.0.0"
     debug: "npm:^4.3.4"
-    proxy-agent-negotiate: "npm:1.1.0"
-  checksum: 10/45021d326c032bf8cd480acee488d5f701842cbef4756a33b81244a872304c918498ef6cf667d8348c11e9b065dd520ec1fd9138196147f608c5837500e7395b
+  checksum: 10/27457d671278c8c1074cc901fe305b70d1e340127433219124c4aefc44153a179a8921e4b16d67beb2868a3a39b6b7ec84d91d8f24f2ec1d39cf4ac385351a92
   languageName: node
   linkType: hard
 
@@ -5486,18 +5484,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"proxy-agent-negotiate@npm:1.1.0":
-  version: 1.1.0
-  resolution: "proxy-agent-negotiate@npm:1.1.0"
-  peerDependencies:
-    kerberos: ^2.0.0
-  peerDependenciesMeta:
-    kerberos:
-      optional: true
-  checksum: 10/4554c42b8b872f37cf76c9044b7a5827bccf41ad77a1992b09bb89b84c779f5536bdd0d3312f247565e09fba8700e48a25f233e339705978242e3ca1d0dab149
-  languageName: node
-  linkType: hard
-
 "pump@npm:^2.0.0":
   version: 2.0.1
   resolution: "pump@npm:2.0.1"