From 336a1bd1b80694744844739c3450c2b12e98bf28 Mon Sep 17 00:00:00 2001 From: Dmitrii Suchkov Date: Mon, 3 Nov 2025 09:28:03 +0000 Subject: [PATCH 1/2] Replace ECR publish from github with OIDC see https://bugtracker.codiodev.com/issue/codio-17213 --- .github/workflows/docker-deploy.yml | 85 +++++++++++------------------ .github/workflows/war.yml | 4 +- 2 files changed, 35 insertions(+), 54 deletions(-) diff --git a/.github/workflows/docker-deploy.yml b/.github/workflows/docker-deploy.yml index 242bcda548..35ff1027aa 100644 --- a/.github/workflows/docker-deploy.yml +++ b/.github/workflows/docker-deploy.yml @@ -1,8 +1,10 @@ -name: Deploy Docker +name: DrawIO Docker Build on: [push] env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + REPOSITORY_NAME: ${{ github.event.repository.name }} + ECR_REPOSITORY: codio/${{ github.event.repository.name }} jobs: build-docker: 
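Review bot: The workflow-level `SLACK_WEBHOOK_URL` env entry, kept as a context line in this hunk, now looks redundant: the Slack step rewritten in the next hunk passes the secret explicitly via `slack_hook_url: ${{ secrets.SLACK_WEBHOOK_URL }}`, so keeping it at workflow scope also injects the webhook URL into the environment of the checkout, Buildx, ECR and build-push steps and any third-party action they run. Unless `codio/codio-slack-action` reads it from the environment (not visible here), drop that `env:` entry and keep only `REPOSITORY_NAME` and `ECR_REPOSITORY`. Separately, `on: [push]` still has no branch filter, so every push on every branch builds and publishes to `codio/${{ github.event.repository.name }}` — worth a one-line comment confirming that is intended, e.g. `# every branch is published under its own tag; see role trust policy for who may assume the ECR role`.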
@@ -10,73 +12,52 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-access-key-id: ${{ secrets.ECR_UPLOADER_KEY }} - aws-secret-access-key: ${{ secrets.ECR_UPLOADER_SECRET }} - aws-region: us-east-1 + uses: actions/checkout@v5 - name: Get Current Branch id: get-branch uses: codio/get-branch-name-github-action@v1 + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@main + with: + aws-region: us-east-1 + role-to-assume: arn:aws:iam::878986216776:role/Github/GithubECRUploadRole_${{ env.REPOSITORY_NAME }} + role-session-name: GithubAction + - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v2 - - name: app Docker build - run: docker build -t tmp_app_img --file ./docker-codio/Dockerfile . + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - - name: push app image to Amazon ECR - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - ECR_REPOSITORY: codio/drawio - IMAGE_TAG: ${{ github.sha }} - BRANCH: ${{ steps.get-branch.outputs.branch }} + - name: Create and use a new builder instance run: | - docker tag tmp_app_img $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - docker tag tmp_app_img $ECR_REGISTRY/$ECR_REPOSITORY:$BRANCH - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$BRANCH + docker buildx create --name ga-builder --use - - name: push app dev version - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - ECR_REPOSITORY: codio/drawio - run: | - docker tag tmp_app_img $ECR_REGISTRY/$ECR_REPOSITORY:dev - docker push $ECR_REGISTRY/$ECR_REPOSITORY:dev - if: ${{ steps.get-branch.outputs.branch == 'dev' }} + - name: push image to Amazon ECR + uses: docker/build-push-action@v5 + timeout-minutes: 20 + with: + context: . 
+ file: ./docker-codio/Dockerfile + push: true + tags: | + ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }} + ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ steps.get-branch.outputs.branch }} + builder: ga-builder + cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:cache + cache-to: type=registry,mode=max,image-manifest=true,oci-mediatypes=true,ref=${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:cache - name: Logout of Amazon ECR if: always() run: docker logout ${{ steps.login-ecr.outputs.registry }} - name: Slack - uses: 8398a7/action-slack@v3 - with: - status: custom - custom_payload: | - { - attachments: [{ - text: " for ${{ github.repository }} by ${{ github.actor }} has ${{ job.status }} on branch ${{ github.ref_name }}", - color: "good" - }] - } - if: success() - - - name: Slack - uses: 8398a7/action-slack@v3 + uses: codio/codio-slack-action@master with: - status: custom - custom_payload: | - { - attachments: [{ - text: " for ${{ github.repository }} by ${{ github.actor }} has ${{ job.status }} on branch ${{ github.ref_name }}", - color: "#FF0000" - }] - } - if: failure() + slack_hook_url: ${{ secrets.SLACK_WEBHOOK_URL }} + message: " for ${{ github.repository }} by ${{ github.actor }} has ${{ job.status }} on branch ${{ github.ref_name }}" + success: ${{ job.status }} + if: always() diff --git a/.github/workflows/war.yml b/.github/workflows/war.yml index 898f0dc4e3..30ee9f4000 100644 --- a/.github/workflows/war.yml +++ b/.github/workflows/war.yml @@ -14,9 +14,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v5 - name: Set up JDK 1.8 - uses: actions/setup-java@v3 + uses: actions/setup-java@v5 with: distribution: 'zulu' java-version: '8' From f24823fd1001c7170cf7c822c94991563d1e597c Mon Sep 17 00:00:00 2001 
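Review bot: `uses: aws-actions/configure-aws-credentials@main` references a moving branch for the very step that exchanges the OIDC token for AWS credentials, whereas the step it replaces was pinned to `@v4`; any commit landing on that branch would run here with the ability to assume the ECR upload role. Pin it to a release tag or, better, a full commit SHA — `uses: aws-actions/configure-aws-credentials@v4` at minimum — and apply the same to `codio/codio-slack-action@master` (org-owned, but the same mutable-reference pattern). `role-session-name: GithubAction` is a fixed string, so CloudTrail cannot tie a session back to a specific run; `role-session-name: gha-${{ github.run_id }}` gives that attribution for free. Note also that with `on: [push]` every branch both reads from and writes (`mode=max`) to the single `:cache` tag, so a feature-branch build populates the layers a main-branch build will reuse — probably acceptable given one shared role, but it deserves a comment on the `cache-to` line. The enclosing `build-docker` job header lies before this hunk.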
From: Dmitrii Suchkov Date: Mon, 3 Nov 2025 09:29:16 +0000 Subject: [PATCH 2/2] add permissions --- .github/workflows/docker-deploy.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/docker-deploy.yml b/.github/workflows/docker-deploy.yml index 35ff1027aa..236bcba96a 100644 --- a/.github/workflows/docker-deploy.yml +++ b/.github/workflows/docker-deploy.yml @@ -6,6 +6,10 @@ env: REPOSITORY_NAME: ${{ github.event.repository.name }} ECR_REPOSITORY: codio/${{ github.event.repository.name }} +permissions: + contents: read + id-token: write + jobs: build-docker: name: "Build docker"
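Review bot: `id-token: write` is granted at workflow level and, combined with `on: [push]` from the first patch, lets a push to any branch mint an OIDC token and assume `GithubECRUploadRole_<repo>`; the least-privilege form is to move the block under `jobs.build-docker.permissions` so only the job that needs it gets the token, and on the AWS side to restrict the role's trust policy `sub` condition to this repository and, if only certain branches should publish, to `repo:codio/<repo>:ref:refs/heads/<branch>` rather than a wildcard. The trust policy is not visible in this diff, so treat that part as something to confirm rather than a defect in the hunk. `contents: read` is the right scope for a workflow that only checks out and builds.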