build and push to ECR workflow updated

zyusuf88 · zyusuf88 · commit 3fd1187f2a76 · 2025-03-16T00:47:00.000Z
diff --git a/.github/workflows/build-and-push-to-ecr.yml b/.github/workflows/build-and-push-to-ecr.yml
@@ -0,0 +1,136 @@
+name: Build and Push to ECR
+
+on:
+  workflow_dispatch:
+    inputs:
+      ecr_registry:
+        description: 'ECR Registry URL (e.g., 123456789012.dkr.ecr.us-east-1.amazonaws.com)'
+        required: true
+        type: string
+      ecr_repository:
+        description: 'ECR Repository Name (e.g., node-app)'
+        required: true
+        default: 'node-app'
+        type: string
+      image_tag:
+        description: 'Image tag (e.g., latest, v1.0.0, staging) - leave empty to use commit SHA'
+        required: false
+        type: string
+
+jobs:
+  build:
+    name: 'Build Docker Image'
+    runs-on: ubuntu-latest
+    outputs:
+      image_tag: ${{ steps.set-tag.outputs.tag }}
+    
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v4
+    
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: ${{ secrets.AWS_REGION }}
+    
+    - name: Login to Amazon ECR
+      id: login-ecr
+      uses: aws-actions/amazon-ecr-login@v1
+    
+    - name: Generate image tag
+      id: set-tag
+      run: |
+        if [ -z "${{ github.event.inputs.image_tag }}" ]; then
+          SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-7)
+          echo "tag=${SHORT_SHA}" >> $GITHUB_OUTPUT
+        else
+          echo "tag=${{ github.event.inputs.image_tag }}" >> $GITHUB_OUTPUT
+        fi
+    
+    - name: Build and tag image
+      env:
+        ECR_REGISTRY: ${{ github.event.inputs.ecr_registry }}
+        ECR_REPOSITORY: ${{ github.event.inputs.ecr_repository }}
+        IMAGE_TAG: ${{ steps.set-tag.outputs.tag }}
+      run: |
+        docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
+        echo "Built image: $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
+        
+        # Save image to a tar file
+        mkdir -p /tmp/docker-images
+        docker save $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -o /tmp/docker-images/image.tar
+    
+    - name: Upload Docker image
+      uses: actions/upload-artifact@v4
+      with:
+        name: docker-image
+        path: /tmp/docker-images/image.tar
+        retention-days: 1
+
+  scan:
+    name: 'Security Scan'
+    runs-on: ubuntu-latest
+    needs: build
+    
+    steps:
+    - name: Download Docker image
+      uses: actions/download-artifact@v4
+      with:
+        name: docker-image
+        path: /tmp/docker-images
+    
+    - name: Load Docker image
+      env:
+        ECR_REGISTRY: ${{ github.event.inputs.ecr_registry }}
+        ECR_REPOSITORY: ${{ github.event.inputs.ecr_repository }}
+        IMAGE_TAG: ${{ needs.build.outputs.image_tag }}
+      run: |
+        docker load -i /tmp/docker-images/image.tar
+    
+    - name: Run Trivy scan
+      env:
+        ECR_REGISTRY: ${{ github.event.inputs.ecr_registry }}
+        ECR_REPOSITORY: ${{ github.event.inputs.ecr_repository }}
+        IMAGE_TAG: ${{ needs.build.outputs.image_tag }}
+      run: |
+        docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image --severity HIGH,CRITICAL $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+
+  push:
+    name: 'Push to ECR'
+    runs-on: ubuntu-latest
+    needs: [build, scan]
+    
+    steps:
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: ${{ secrets.AWS_REGION }}
+    
+    - name: Login to Amazon ECR
+      id: login-ecr
+      uses: aws-actions/amazon-ecr-login@v1
+    
+    - name: Download Docker image
+      uses: actions/download-artifact@v4
+      with:
+        name: docker-image
+        path: /tmp/docker-images
+    
+    - name: Load Docker image and push
+      env:
+        ECR_REGISTRY: ${{ github.event.inputs.ecr_registry }}
+        ECR_REPOSITORY: ${{ github.event.inputs.ecr_repository }}
+        IMAGE_TAG: ${{ needs.build.outputs.image_tag }}
+      run: |
+        docker load -i /tmp/docker-images/image.tar
+        
+        # Push image with unique tag
+        docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+        
+        # Tag and push as latest
+        docker tag $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:latest
+        docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
