Skip to content
Build and Push to ECR

Build and Push to ECR #1

Sign in to view logs

Build and Push to ECR

Build and Push to ECR #1

Workflow file for this run

.github/workflows/build-and-push-to-ecr.yml at 3fd1187
name: Build and Push to ECR
on:
workflow_dispatch:
inputs:
ecr_registry:
description: 'ECR Registry URL (e.g., 123456789012.dkr.ecr.us-east-1.amazonaws.com)'
required: true
type: string
ecr_repository:
description: 'ECR Repository Name (e.g., node-app)'
required: true
default: 'node-app'
type: string
image_tag:
description: 'Image tag (e.g., latest, v1.0.0, staging) - leave empty to use commit SHA'
required: false
type: string
jobs:
build:
name: 'Build Docker Image'
runs-on: ubuntu-latest
outputs:
image_tag: ${{ steps.set-tag.outputs.tag }}
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Generate image tag
id: set-tag
run: |
if [ -z "${{ github.event.inputs.image_tag }}" ]; then
SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-7)
echo "tag=${SHORT_SHA}" >> $GITHUB_OUTPUT
else
echo "tag=${{ github.event.inputs.image_tag }}" >> $GITHUB_OUTPUT
fi
- name: Build and tag image
env:
ECR_REGISTRY: ${{ github.event.inputs.ecr_registry }}
ECR_REPOSITORY: ${{ github.event.inputs.ecr_repository }}
IMAGE_TAG: ${{ steps.set-tag.outputs.tag }}
run: |
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
echo "Built image: $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
# Save image to a tar file
mkdir -p /tmp/docker-images
docker save $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -o /tmp/docker-images/image.tar
- name: Upload Docker image
uses: actions/upload-artifact@v4
with:
name: docker-image
path: /tmp/docker-images/image.tar
retention-days: 1
scan:
name: 'Security Scan'
runs-on: ubuntu-latest
needs: build
steps:
- name: Download Docker image
uses: actions/download-artifact@v4
with:
name: docker-image
path: /tmp/docker-images
- name: Load Docker image
env:
ECR_REGISTRY: ${{ github.event.inputs.ecr_registry }}
ECR_REPOSITORY: ${{ github.event.inputs.ecr_repository }}
IMAGE_TAG: ${{ needs.build.outputs.image_tag }}
run: |
docker load -i /tmp/docker-images/image.tar
- name: Run Trivy scan
env:
ECR_REGISTRY: ${{ github.event.inputs.ecr_registry }}
ECR_REPOSITORY: ${{ github.event.inputs.ecr_repository }}
IMAGE_TAG: ${{ needs.build.outputs.image_tag }}
run: |
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image --severity HIGH,CRITICAL $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
push:
name: 'Push to ECR'
runs-on: ubuntu-latest
needs: [build, scan]
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Download Docker image
uses: actions/download-artifact@v4
with:
name: docker-image
path: /tmp/docker-images
- name: Load Docker image and push
env:
ECR_REGISTRY: ${{ github.event.inputs.ecr_registry }}
ECR_REPOSITORY: ${{ github.event.inputs.ecr_repository }}
IMAGE_TAG: ${{ needs.build.outputs.image_tag }}
run: |
docker load -i /tmp/docker-images/image.tar
# Push image with unique tag
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
# Tag and push as latest
docker tag $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:latest
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest