update workflow to use reusable join action (#642) (#644)

.github/workflows/main.yml

@@ -13,11 +13,11 @@ on:
       - release\/*
 
 permissions:
-      id-token: write
-      pull-requests: write
-      contents: read
-      deployments: write
-      packages: write
+  id-token: write
+  pull-requests: write
+  contents: read
+  deployments: write
+  packages: write
 
 env:
   DOTNET_VERSION: "7.0.x"
@@ -227,52 +227,39 @@ jobs:
   join-gateway-images:
     name: Gateway
     needs:
-      - setup-tags
       - docker-gateway-api-private
       - docker-gateway-api-private-arm
-    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
     with:
-      image_name: private-babylon-ng-gateway-api
-      image_tag: ${{ needs.setup-tags.outputs.gateway-api-tag }}
-      tag_suffix_1: amd64
-      tag_suffix_2: arm64
+      amd_meta_data_json: ${{ needs.docker-gateway-api-private.outputs.json }}
       aws_dockerhub_secret: github-actions/common/dockerhub-credentials
     secrets:
       role-to-assume: ${{ secrets.GH_COMMON_SECRETS_READ_ROLE }}
 
   join-aggregator-images:
     name: Aggregator
     needs:
-      - setup-tags
       - docker-data-aggregator-private
       - docker-data-aggregator-private-arm
-    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
     with:
-      image_name: private-babylon-ng-data-aggregator
-      image_tag: ${{ needs.setup-tags.outputs.data-aggregator-tag }}
-      tag_suffix_1: amd64
-      tag_suffix_2: arm64
+      amd_meta_data_json: ${{ needs.docker-data-aggregator-private.outputs.json }}
       aws_dockerhub_secret: github-actions/common/dockerhub-credentials
     secrets:
       role-to-assume: ${{ secrets.GH_COMMON_SECRETS_READ_ROLE }}
 
   join-migrations-images:
     name: Migration
     needs:
-      - setup-tags
       - docker-database-migrations-private
       - docker-database-migrations-private-arm
-    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
     with:
-      image_name: private-babylon-ng-database-migrations
-      image_tag: ${{ needs.setup-tags.outputs.database-migrations-tag }}
-      tag_suffix_1: amd64
-      tag_suffix_2: arm64
+      amd_meta_data_json: ${{ needs.docker-database-migrations-private.outputs.json }}
       aws_dockerhub_secret: github-actions/common/dockerhub-credentials
     secrets:
       role-to-assume: ${{ secrets.GH_COMMON_SECRETS_READ_ROLE }}
 
-
   deploy-on-mardunet:
     runs-on: ubuntu-22.04
     needs:

.github/workflows/releases.yml

@@ -67,6 +67,11 @@ jobs:
     name: AMD DatabaseMigrations
     needs:
       - setup-tags
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+      packages: write
     uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
     with:
       runs_on: ubuntu-22.04
@@ -90,6 +95,11 @@ jobs:
     name: ARM DatabaseMigrations
     needs:
       - setup-tags
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+      packages: write
     uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
     with:
       runs_on: babylon-gateway-arm
@@ -115,6 +125,11 @@ jobs:
     name: AMD DataAggregator
     needs:
       - setup-tags
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+      packages: write
     uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
     with:
       runs_on: ubuntu-22.04
@@ -138,6 +153,11 @@ jobs:
     name: ARM DataAggregator
     needs:
       - setup-tags
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+      packages: write
     uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
     with:
       runs_on: babylon-gateway-arm
@@ -163,6 +183,11 @@ jobs:
     name: AMD GatewayApi
     needs:
       - setup-tags
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+      packages: write
     uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
     with:
       runs_on: ubuntu-22.04
@@ -186,6 +211,11 @@ jobs:
     name: ARM GatewayApi
     needs:
       - setup-tags
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+      packages: write
     uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
     with:
       runs_on: babylon-gateway-arm
@@ -210,15 +240,15 @@ jobs:
   join-gateway-images:
     name: Gateway
     needs:
-      - setup-tags
       - docker-gateway-api-dockerhub
       - docker-gateway-api-dockerhub-arm
-    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
     with:
-      image_name: babylon-ng-gateway-api
-      image_tag: ${{ needs.setup-tags.outputs.version-suffix }}
-      tag_suffix_1: amd64
-      tag_suffix_2: arm64
+      amd_meta_data_json: ${{ needs.docker-gateway-api-dockerhub.outputs.json }}
       aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials
     secrets:
       role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
@@ -229,12 +259,13 @@ jobs:
       - setup-tags
       - docker-data-aggregator-dockerhub
       - docker-data-aggregator-dockerhub-arm
-    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
     with:
-      image_name: babylon-ng-data-aggregator
-      image_tag: ${{ needs.setup-tags.outputs.version-suffix }}
-      tag_suffix_1: amd64
-      tag_suffix_2: arm64
+      amd_meta_data_json: ${{ needs.docker-data-aggregator-dockerhub.outputs.json }}
       aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials
     secrets:
       role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
@@ -245,12 +276,13 @@ jobs:
       - setup-tags
       - docker-database-migrations-dockerhub
       - docker-database-migrations-dockerhub-arm
-    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/merge-docker-images.yml@main
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
     with:
-      image_name: babylon-ng-database-migrations
-      image_tag: ${{ needs.setup-tags.outputs.version-suffix }}
-      tag_suffix_1: amd64
-      tag_suffix_2: arm64
+      amd_meta_data_json: ${{ needs.docker-database-migrations-dockerhub.outputs.json }}
       aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials
     secrets:
       role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
@@ -277,10 +309,8 @@ jobs:
         with:
           role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
           app_name: 'babylon-gateway'
-          step_name: 'snyk-container-monitor'
           dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }}
           snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
-          parse_json: true
           snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
           image: docker.io/radixdlt/babylon-ng-${{ matrix.app }}:${{ needs.setup-tags.outputs.version-suffix }}
           target_ref: ${{ github.ref_name }}

apps/DataAggregator/Dockerfile

@@ -5,15 +5,6 @@
 FROM mcr.microsoft.com/dotnet/aspnet:7.0-bookworm-slim AS base
 WORKDIR /app
 
-# Fixes CVE-2023-4911 can be removed when we update the base OS image to include this fix
-# docker run -it mcr.microsoft.com/dotnet/aspnet:7.0-bookworm-slim ldd --version
-# This fix can be removed as long as the version printed in the above command is 2.36-9+deb12u3 or above
-RUN apt-get update -y \
-  && apt-get -y --no-install-recommends install \    
-    libc6=2.36-9+deb12u3 \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/*
-
 FROM mcr.microsoft.com/dotnet/sdk:7.0-bookworm-slim AS build
 WORKDIR /src
 COPY babylon-gateway.sln \

apps/DatabaseMigrations/Dockerfile

@@ -5,15 +5,6 @@
 FROM mcr.microsoft.com/dotnet/aspnet:7.0-bookworm-slim AS base
 WORKDIR /app
 
-# Fixes CVE-2023-4911 can be removed when we update the base OS image to include this fix
-# docker run -it mcr.microsoft.com/dotnet/aspnet:7.0-bookworm-slim ldd --version
-# This fix can be removed as long as the version printed in the above command is 2.36-9+deb12u3 or above
-RUN apt-get update -y \
-  && apt-get -y --no-install-recommends install \    
-    libc6=2.36-9+deb12u3 \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/*
-
 FROM mcr.microsoft.com/dotnet/sdk:7.0-bookworm-slim AS build
 WORKDIR /src
 COPY babylon-gateway.sln \

apps/GatewayApi/Dockerfile

@@ -5,15 +5,6 @@
 FROM mcr.microsoft.com/dotnet/aspnet:7.0-bookworm-slim AS base
 WORKDIR /app
 
-# Fixes CVE-2023-4911 can be removed when we update the base OS image to include this fix
-# docker run -it mcr.microsoft.com/dotnet/aspnet:7.0-bookworm-slim ldd --version
-# This fix can be removed as long as the version printed in the above command is 2.36-9+deb12u3 or above
-RUN apt-get update -y \
-  && apt-get -y --no-install-recommends install \    
-    libc6=2.36-9+deb12u3 \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/*
-
 FROM mcr.microsoft.com/dotnet/sdk:7.0-bookworm-slim AS build
 WORKDIR /src
 COPY babylon-gateway.sln \