@jcoreio/aws-ecr-utils 1.1.1 → 1.2.0

package/checkECRRepositoryPolicy.d.ts

@@ -0,0 +1,20 @@
+import AWS from 'aws-sdk';
+/**
+ * Checks if the given ECR repository has a sufficient repository
+ * policy to allow the given AWS principal to access docker images.
+ *
+ * If not, prints a warning, and if the terminal is interactive, asks the user if they
+ * would like to add/update the repository policy.
+ */
+export default function checkECRRepositoryPolicy({ ecr, awsConfig, repositoryName, awsPrincipal, Action, log, }: {
+    ecr?: AWS.ECR;
+    awsConfig?: AWS.ConfigurationOptions;
+    repositoryName: string;
+    awsPrincipal: string;
+    Action?: string[];
+    log?: {
+        info: (...args: any[]) => void;
+        warn: (...args: any[]) => void;
+        error: (...args: any[]) => void;
+    };
+}): Promise<boolean>;

package/checkECRRepositoryPolicy.js

@@ -0,0 +1,132 @@
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports["default"] = checkECRRepositoryPolicy;
+var _regenerator = _interopRequireDefault(require("@babel/runtime/regenerator"));
+var _toConsumableArray2 = _interopRequireDefault(require("@babel/runtime/helpers/toConsumableArray"));
+var _defineProperty2 = _interopRequireDefault(require("@babel/runtime/helpers/defineProperty"));
+var _asyncToGenerator2 = _interopRequireDefault(require("@babel/runtime/helpers/asyncToGenerator"));
+var _awsSdk = _interopRequireDefault(require("aws-sdk"));
+var _inquirer = _interopRequireDefault(require("inquirer"));
+var _isInteractive = _interopRequireDefault(require("is-interactive"));
+function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
+function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { (0, _defineProperty2["default"])(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
+/**
+ * Checks if the given ECR repository has a sufficient repository
+ * policy to allow the given AWS principal to access docker images.
+ *
+ * If not, prints a warning, and if the terminal is interactive, asks the user if they
+ * would like to add/update the repository policy.
+ */
+function checkECRRepositoryPolicy(_x) {
+  return _checkECRRepositoryPolicy.apply(this, arguments);
+}
+function _checkECRRepositoryPolicy() {
+  _checkECRRepositoryPolicy = (0, _asyncToGenerator2["default"])( /*#__PURE__*/_regenerator["default"].mark(function _callee(_ref) {
+    var _policy$Statement, _statementForAction$P;
+    var ecr, awsConfig, repositoryName, awsPrincipal, _ref$Action, Action, _ref$log, log, rootUserMatch, principalAliases, _yield$ecr$getReposit, policyText, policy, statementForAction, statementPrincipal, _yield$inquirer$promp, update, _statementForAction$A, finalPolicy;
+    return _regenerator["default"].wrap(function _callee$(_context) {
+      while (1) switch (_context.prev = _context.next) {
+        case 0:
+          ecr = _ref.ecr, awsConfig = _ref.awsConfig, repositoryName = _ref.repositoryName, awsPrincipal = _ref.awsPrincipal, _ref$Action = _ref.Action, Action = _ref$Action === void 0 ? ['ecr:GetDownloadUrlForLayer', 'ecr:BatchCheckLayerAvailability', 'ecr:BatchGetImage'] : _ref$Action, _ref$log = _ref.log, log = _ref$log === void 0 ? console : _ref$log;
+          rootUserMatch = /^arn:aws:iam::(\d+):root$/.exec(awsPrincipal);
+          if (rootUserMatch) awsPrincipal = rootUserMatch[1];
+          principalAliases = /^(\d+)$/.test(awsPrincipal) ? [awsPrincipal, "arn:aws:iam::".concat(awsPrincipal, ":root")] : [awsPrincipal];
+          if (!ecr) ecr = new _awsSdk["default"].ECR(awsConfig);
+          _context.next = 7;
+          return ecr.getRepositoryPolicy({
+            repositoryName: repositoryName
+          }).promise()["catch"](function (error) {
+            if (error.name === 'RepositoryPolicyNotFoundException') return {};
+            throw error;
+          });
+        case 7:
+          _yield$ecr$getReposit = _context.sent;
+          policyText = _yield$ecr$getReposit.policyText;
+          policy = JSON.parse(policyText || '{}');
+          statementForAction = (_policy$Statement = policy.Statement) === null || _policy$Statement === void 0 ? void 0 : _policy$Statement.find(function (s) {
+            return s.Effect === 'Allow' && Array.isArray(Action) && Action.every(function (a) {
+              var _s$Action;
+              return (_s$Action = s.Action) === null || _s$Action === void 0 ? void 0 : _s$Action.includes(a);
+            });
+          });
+          statementPrincipal = statementForAction === null || statementForAction === void 0 || (_statementForAction$P = statementForAction.Principal) === null || _statementForAction$P === void 0 ? void 0 : _statementForAction$P.AWS;
+          if (!(statementPrincipal && typeof statementPrincipal === 'string' && principalAliases.includes(statementPrincipal) || Array.isArray(statementPrincipal) && statementPrincipal.some(function (s) {
+            return principalAliases.includes(s);
+          }))) {
+            _context.next = 15;
+            break;
+          }
+          // eslint-disable-next-line no-console
+          log.info("Found policy on ECR repository ".concat(repositoryName, " to allow access for AWS Principal ").concat(awsPrincipal, "."));
+          return _context.abrupt("return", true);
+        case 15:
+          // eslint-disable-next-line no-console
+          console.warn("Missing policy on ECR repository ".concat(repositoryName, " to allow access for AWS Principal ").concat(awsPrincipal, ".\n\nThe policy should include:\n\n  ").concat(JSON.stringify({
+            Version: '2012-10-17',
+            Statement: [{
+              Effect: 'Allow',
+              Principal: {
+                AWS: [awsPrincipal]
+              },
+              Action: Action
+            }]
+          }, null, 2).replace(/\n/gm, '\n  '), "\n"));
+          if (!(0, _isInteractive["default"])()) {
+            _context.next = 28;
+            break;
+          }
+          _context.next = 19;
+          return _inquirer["default"].prompt([{
+            name: 'update',
+            message: 'Do you want to add/update the policy?',
+            type: 'confirm',
+            "default": false
+          }]);
+        case 19:
+          _yield$inquirer$promp = _context.sent;
+          update = _yield$inquirer$promp.update;
+          if (!update) {
+            _context.next = 28;
+            break;
+          }
+          finalPolicy = policy;
+          if ((statementForAction === null || statementForAction === void 0 || (_statementForAction$A = statementForAction.Action) === null || _statementForAction$A === void 0 ? void 0 : _statementForAction$A.length) === Action.length) {
+            statementForAction.Principal = _objectSpread(_objectSpread({}, statementForAction.Principal), {}, {
+              AWS: [].concat((0, _toConsumableArray2["default"])(typeof statementPrincipal === 'string' ? [statementPrincipal] : Array.isArray(statementPrincipal) ? statementPrincipal : []), [awsPrincipal])
+            });
+          } else {
+            finalPolicy = _objectSpread(_objectSpread({
+              Version: '2012-10-17'
+            }, policy), {}, {
+              Statement: [].concat((0, _toConsumableArray2["default"])(policy.Statement || []), [{
+                Effect: 'Allow',
+                Principal: {
+                  AWS: [awsPrincipal]
+                },
+                Action: Action
+              }])
+            });
+          }
+          _context.next = 26;
+          return ecr.setRepositoryPolicy({
+            repositoryName: repositoryName,
+            policyText: JSON.stringify(finalPolicy, null, 2)
+          }).promise();
+        case 26:
+          log.info("updated policy on ECR repository ".concat(repositoryName));
+          return _context.abrupt("return", true);
+        case 28:
+          return _context.abrupt("return", false);
+        case 29:
+        case "end":
+          return _context.stop();
+      }
+    }, _callee);
+  }));
+  return _checkECRRepositoryPolicy.apply(this, arguments);
+}
+module.exports = exports.default;

package/checkECRRepositoryPolicy.mjs

@@ -0,0 +1,100 @@
+import AWS from 'aws-sdk';
+import inquirer from 'inquirer';
+import isInteractive from 'is-interactive';
+
+/**
+ * Checks if the given ECR repository has a sufficient repository
+ * policy to allow the given AWS principal to access docker images.
+ *
+ * If not, prints a warning, and if the terminal is interactive, asks the user if they
+ * would like to add/update the repository policy.
+ */
+export default async function checkECRRepositoryPolicy({
+  ecr,
+  awsConfig,
+  repositoryName,
+  awsPrincipal,
+  Action = ['ecr:GetDownloadUrlForLayer', 'ecr:BatchCheckLayerAvailability', 'ecr:BatchGetImage'],
+  log = console
+}) {
+  var _policy$Statement, _statementForAction$P;
+  const rootUserMatch = /^arn:aws:iam::(\d+):root$/.exec(awsPrincipal);
+  if (rootUserMatch) awsPrincipal = rootUserMatch[1];
+  const principalAliases = /^(\d+)$/.test(awsPrincipal) ? [awsPrincipal, `arn:aws:iam::${awsPrincipal}:root`] : [awsPrincipal];
+  if (!ecr) ecr = new AWS.ECR(awsConfig);
+  const {
+    policyText
+  } = await ecr.getRepositoryPolicy({
+    repositoryName
+  }).promise().catch(error => {
+    if (error.name === 'RepositoryPolicyNotFoundException') return {};
+    throw error;
+  });
+  const policy = JSON.parse(policyText || '{}');
+  const statementForAction = (_policy$Statement = policy.Statement) === null || _policy$Statement === void 0 ? void 0 : _policy$Statement.find(s => s.Effect === 'Allow' && Array.isArray(Action) && Action.every(a => {
+    var _s$Action;
+    return (_s$Action = s.Action) === null || _s$Action === void 0 ? void 0 : _s$Action.includes(a);
+  }));
+  const statementPrincipal = statementForAction === null || statementForAction === void 0 || (_statementForAction$P = statementForAction.Principal) === null || _statementForAction$P === void 0 ? void 0 : _statementForAction$P.AWS;
+  if (statementPrincipal && typeof statementPrincipal === 'string' && principalAliases.includes(statementPrincipal) || Array.isArray(statementPrincipal) && statementPrincipal.some(s => principalAliases.includes(s))) {
+    // eslint-disable-next-line no-console
+    log.info(`Found policy on ECR repository ${repositoryName} to allow access for AWS Principal ${awsPrincipal}.`);
+    return true;
+  }
+
+  // eslint-disable-next-line no-console
+  console.warn(`Missing policy on ECR repository ${repositoryName} to allow access for AWS Principal ${awsPrincipal}.
+
+The policy should include:
+
+  ${JSON.stringify({
+    Version: '2012-10-17',
+    Statement: [{
+      Effect: 'Allow',
+      Principal: {
+        AWS: [awsPrincipal]
+      },
+      Action
+    }]
+  }, null, 2).replace(/\n/gm, '\n  ')}
+`);
+  if (isInteractive()) {
+    const {
+      update
+    } = await inquirer.prompt([{
+      name: 'update',
+      message: 'Do you want to add/update the policy?',
+      type: 'confirm',
+      default: false
+    }]);
+    if (update) {
+      var _statementForAction$A;
+      let finalPolicy = policy;
+      if ((statementForAction === null || statementForAction === void 0 || (_statementForAction$A = statementForAction.Action) === null || _statementForAction$A === void 0 ? void 0 : _statementForAction$A.length) === Action.length) {
+        statementForAction.Principal = {
+          ...statementForAction.Principal,
+          AWS: [...(typeof statementPrincipal === 'string' ? [statementPrincipal] : Array.isArray(statementPrincipal) ? statementPrincipal : []), awsPrincipal]
+        };
+      } else {
+        finalPolicy = {
+          Version: '2012-10-17',
+          ...policy,
+          Statement: [...(policy.Statement || []), {
+            Effect: 'Allow',
+            Principal: {
+              AWS: [awsPrincipal]
+            },
+            Action
+          }]
+        };
+      }
+      await ecr.setRepositoryPolicy({
+        repositoryName,
+        policyText: JSON.stringify(finalPolicy, null, 2)
+      }).promise();
+      log.info(`updated policy on ECR repository ${repositoryName}`);
+      return true;
+    }
+  }
+  return false;
+}

package/copyECRImage.js

@@ -1,127 +1,102 @@
 "use strict";
 
 var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
-
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
 exports["default"] = copyECRImage;
-
 var _regenerator = _interopRequireDefault(require("@babel/runtime/regenerator"));
-
 var _defineProperty2 = _interopRequireDefault(require("@babel/runtime/helpers/defineProperty"));
-
 var _asyncToGenerator2 = _interopRequireDefault(require("@babel/runtime/helpers/asyncToGenerator"));
-
 var _promisifyChildProcess = require("promisify-child-process");
-
-var _loginToECR = _interopRequireDefault(require("./loginToECR"));
-
-var _ecrImageExists = _interopRequireDefault(require("./ecrImageExists"));
-
-var _parseECRImageUri3 = _interopRequireDefault(require("./parseECRImageUri"));
-
-function ownKeys(object, enumerableOnly) { var keys = Object.keys(object); if (Object.getOwnPropertySymbols) { var symbols = Object.getOwnPropertySymbols(object); if (enumerableOnly) { symbols = symbols.filter(function (sym) { return Object.getOwnPropertyDescriptor(object, sym).enumerable; }); } keys.push.apply(keys, symbols); } return keys; }
-
-function _objectSpread(target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i] != null ? arguments[i] : {}; if (i % 2) { ownKeys(Object(source), true).forEach(function (key) { (0, _defineProperty2["default"])(target, key, source[key]); }); } else if (Object.getOwnPropertyDescriptors) { Object.defineProperties(target, Object.getOwnPropertyDescriptors(source)); } else { ownKeys(Object(source)).forEach(function (key) { Object.defineProperty(target, key, Object.getOwnPropertyDescriptor(source, key)); }); } } return target; }
-
+var _loginToECR = _interopRequireDefault(require("./loginToECR.js"));
+var _ecrImageExists = _interopRequireDefault(require("./ecrImageExists.js"));
+var _parseECRImageUri3 = _interopRequireDefault(require("./parseECRImageUri.js"));
+function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
+function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { (0, _defineProperty2["default"])(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
 function copyECRImage(_x) {
   return _copyECRImage.apply(this, arguments);
 }
-
 function _copyECRImage() {
   _copyECRImage = (0, _asyncToGenerator2["default"])( /*#__PURE__*/_regenerator["default"].mark(function _callee(_ref) {
     var from, to, srcRepositoryUri, repositoryUri, _parseECRImageUri, fromRegion, _parseECRImageUri2, toRegion, repositoryName, imageTag;
-
     return _regenerator["default"].wrap(function _callee$(_context) {
-      while (1) {
-        switch (_context.prev = _context.next) {
-          case 0:
-            from = _ref.from, to = _ref.to;
-
-            if (!(from.imageUri === to.imageUri)) {
-              _context.next = 3;
-              break;
-            }
-
-            return _context.abrupt("return");
-
-          case 3:
-            srcRepositoryUri = from.imageUri.replace(/:.+/, '');
-            repositoryUri = to.imageUri.replace(/:.+/, '');
-            _parseECRImageUri = (0, _parseECRImageUri3["default"])(from.imageUri), fromRegion = _parseECRImageUri.region;
-            _parseECRImageUri2 = (0, _parseECRImageUri3["default"])(to.imageUri), toRegion = _parseECRImageUri2.region, repositoryName = _parseECRImageUri2.repositoryName, imageTag = _parseECRImageUri2.imageTag;
-            _context.next = 9;
-            return (0, _ecrImageExists["default"])({
-              awsConfig: _objectSpread(_objectSpread({}, to.awsConfig), {}, {
-                region: toRegion
-              }),
-              ecr: to.ecr,
-              repositoryName: repositoryName,
-              imageTag: imageTag
-            });
-
-          case 9:
-            if (!_context.sent) {
-              _context.next = 13;
-              break;
-            }
-
-            // eslint-disable-next-line no-console
-            console.error("Clarity image already exists in your ECR: ".concat(repositoryName, ":").concat(imageTag));
-            _context.next = 27;
+      while (1) switch (_context.prev = _context.next) {
+        case 0:
+          from = _ref.from, to = _ref.to;
+          if (!(from.imageUri === to.imageUri)) {
+            _context.next = 3;
             break;
-
-          case 13:
-            // eslint-disable-next-line no-console
-            console.error("Logging into source ECR: ".concat(srcRepositoryUri.replace(/\/.*/, ''), "..."));
-            _context.next = 16;
-            return (0, _loginToECR["default"])({
-              ecr: from.ecr,
-              awsConfig: _objectSpread(_objectSpread({}, from.awsConfig), {}, {
-                region: fromRegion
-              })
-            });
-
-          case 16:
-            // eslint-disable-next-line no-console
-            console.error("Pulling ".concat(from.imageUri, "..."));
-            _context.next = 19;
-            return (0, _promisifyChildProcess.spawn)('docker', ['pull', from.imageUri], {
-              stdio: 'inherit'
-            });
-
-          case 19:
-            // eslint-disable-next-line no-console
-            console.error("Logging into dest ECR: ".concat(repositoryUri.replace(/\/.*/, ''), "..."));
-            _context.next = 22;
-            return (0, _loginToECR["default"])({
-              ecr: to.ecr,
-              awsConfig: _objectSpread(_objectSpread({}, to.awsConfig), {}, {
-                region: toRegion
-              })
-            });
-
-          case 22:
-            // eslint-disable-next-line no-console
-            console.error("Pushing ".concat(to.imageUri, "..."));
-            _context.next = 25;
-            return (0, _promisifyChildProcess.spawn)('docker', ['tag', from.imageUri, to.imageUri], {
-              stdio: 'inherit'
-            });
-
-          case 25:
-            _context.next = 27;
-            return (0, _promisifyChildProcess.spawn)('docker', ['push', to.imageUri], {
-              stdio: 'inherit'
-            });
-
-          case 27:
-          case "end":
-            return _context.stop();
-        }
+          }
+          return _context.abrupt("return");
+        case 3:
+          srcRepositoryUri = from.imageUri.replace(/:.+/, '');
+          repositoryUri = to.imageUri.replace(/:.+/, '');
+          _parseECRImageUri = (0, _parseECRImageUri3["default"])(from.imageUri), fromRegion = _parseECRImageUri.region;
+          _parseECRImageUri2 = (0, _parseECRImageUri3["default"])(to.imageUri), toRegion = _parseECRImageUri2.region, repositoryName = _parseECRImageUri2.repositoryName, imageTag = _parseECRImageUri2.imageTag;
+          _context.next = 9;
+          return (0, _ecrImageExists["default"])({
+            awsConfig: _objectSpread(_objectSpread({}, to.awsConfig), {}, {
+              region: toRegion
+            }),
+            ecr: to.ecr,
+            repositoryName: repositoryName,
+            imageTag: imageTag
+          });
+        case 9:
+          if (!_context.sent) {
+            _context.next = 13;
+            break;
+          }
+          // eslint-disable-next-line no-console
+          console.error("Clarity image already exists in your ECR: ".concat(repositoryName, ":").concat(imageTag));
+          _context.next = 27;
+          break;
+        case 13:
+          // eslint-disable-next-line no-console
+          console.error("Logging into source ECR: ".concat(srcRepositoryUri.replace(/\/.*/, ''), "..."));
+          _context.next = 16;
+          return (0, _loginToECR["default"])({
+            ecr: from.ecr,
+            awsConfig: _objectSpread(_objectSpread({}, from.awsConfig), {}, {
+              region: fromRegion
+            })
+          });
+        case 16:
+          // eslint-disable-next-line no-console
+          console.error("Pulling ".concat(from.imageUri, "..."));
+          _context.next = 19;
+          return (0, _promisifyChildProcess.spawn)('docker', ['pull', from.imageUri], {
+            stdio: 'inherit'
+          });
+        case 19:
+          // eslint-disable-next-line no-console
+          console.error("Logging into dest ECR: ".concat(repositoryUri.replace(/\/.*/, ''), "..."));
+          _context.next = 22;
+          return (0, _loginToECR["default"])({
+            ecr: to.ecr,
+            awsConfig: _objectSpread(_objectSpread({}, to.awsConfig), {}, {
+              region: toRegion
+            })
+          });
+        case 22:
+          // eslint-disable-next-line no-console
+          console.error("Pushing ".concat(to.imageUri, "..."));
+          _context.next = 25;
+          return (0, _promisifyChildProcess.spawn)('docker', ['tag', from.imageUri, to.imageUri], {
+            stdio: 'inherit'
+          });
+        case 25:
+          _context.next = 27;
+          return (0, _promisifyChildProcess.spawn)('docker', ['push', to.imageUri], {
+            stdio: 'inherit'
+          });
+        case 27:
+        case "end":
+          return _context.stop();
       }
     }, _callee);
   }));
   return _copyECRImage.apply(this, arguments);
-}
+}
+module.exports = exports.default;

package/copyECRImage.mjs

@@ -0,0 +1,67 @@
+import { spawn } from 'promisify-child-process';
+import loginToECR from "./loginToECR.mjs";
+import ecrImageExists from "./ecrImageExists.mjs";
+import parseECRImageUri from "./parseECRImageUri.mjs";
+export default async function copyECRImage({
+  from,
+  to
+}) {
+  if (from.imageUri === to.imageUri) return;
+  const srcRepositoryUri = from.imageUri.replace(/:.+/, '');
+  const repositoryUri = to.imageUri.replace(/:.+/, '');
+  const {
+    region: fromRegion
+  } = parseECRImageUri(from.imageUri);
+  const {
+    region: toRegion,
+    repositoryName,
+    imageTag
+  } = parseECRImageUri(to.imageUri);
+  if (await ecrImageExists({
+    awsConfig: {
+      ...to.awsConfig,
+      region: toRegion
+    },
+    ecr: to.ecr,
+    repositoryName,
+    imageTag
+  })) {
+    // eslint-disable-next-line no-console
+    console.error(`Clarity image already exists in your ECR: ${repositoryName}:${imageTag}`);
+  } else {
+    // eslint-disable-next-line no-console
+    console.error(`Logging into source ECR: ${srcRepositoryUri.replace(/\/.*/, '')}...`);
+    await loginToECR({
+      ecr: from.ecr,
+      awsConfig: {
+        ...from.awsConfig,
+        region: fromRegion
+      }
+    });
+
+    // eslint-disable-next-line no-console
+    console.error(`Pulling ${from.imageUri}...`);
+    await spawn('docker', ['pull', from.imageUri], {
+      stdio: 'inherit'
+    });
+
+    // eslint-disable-next-line no-console
+    console.error(`Logging into dest ECR: ${repositoryUri.replace(/\/.*/, '')}...`);
+    await loginToECR({
+      ecr: to.ecr,
+      awsConfig: {
+        ...to.awsConfig,
+        region: toRegion
+      }
+    });
+
+    // eslint-disable-next-line no-console
+    console.error(`Pushing ${to.imageUri}...`);
+    await spawn('docker', ['tag', from.imageUri, to.imageUri], {
+      stdio: 'inherit'
+    });
+    await spawn('docker', ['push', to.imageUri], {
+      stdio: 'inherit'
+    });
+  }
+}