feat: gha to build and push script image to ECR#57
Conversation
Pull Request Overview
This PR introduces a GitHub Actions workflow to build and push Lambda container images to ECR, while also migrating configuration values from secrets to variables for better separation of concerns.
Key Changes:
- Added new workflow for building and pushing Lambda Docker images to Amazon ECR
- Migrated non-sensitive AWS configuration values (region, S3 bucket, CloudFront distribution) from secrets to variables
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/build-lambda-image.yaml | New workflow that builds Docker images from the scripts directory and pushes them to ECR when changes are detected |
| .github/workflows/push-artifacts.yaml | Updated to use GitHub variables instead of secrets for non-sensitive AWS configuration values |
```
docker buildx build --platform linux/amd64 --provenance=false -f ./scripts/Dockerfile.script -t $ECR_REGISTRY/$ECR_REPOSITORY:latest ./scripts

# Push the built image to ECR
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest

# Output the full image URI for use in subsequent steps
echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:latest" >> $GITHUB_OUTPUT
```
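Review bot: the only reference this step publishes and hands on via `$GITHUB_OUTPUT` is the mutable `:latest` tag, so a deploy step consuming `image=` cannot tell which build it is rolling out and has nothing earlier to roll back to; capture the digest that `docker push` prints on its final `latest: digest: sha256:... size: N` line and emit an additional output of the form `image_digest=$ECR_REGISTRY/$ECR_REPOSITORY@sha256:...` so the downstream Lambda update pins an immutable reference. Two smaller points on the same lines: `--provenance=false` drops the build provenance attestation, and a one-line comment explaining why it is disabled would save the next reader the guess; and `$GITHUB_OUTPUT` in the redirect should be quoted, as `>> "$GITHUB_OUTPUT"`.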
The image is only tagged with 'latest', which makes it difficult to track deployments and roll back to previous versions. Consider adding a commit SHA or timestamp tag alongside 'latest' for better version tracking.
```
docker buildx build --platform linux/amd64 --provenance=false -f ./scripts/Dockerfile.script -t $ECR_REGISTRY/$ECR_REPOSITORY:latest ./scripts
# Push the built image to ECR
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
# Output the full image URI for use in subsequent steps
echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:latest" >> $GITHUB_OUTPUT
```

```
# Tag with both 'latest' and commit SHA
docker buildx build --platform linux/amd64 --provenance=false -f ./scripts/Dockerfile.script \
  -t $ECR_REGISTRY/$ECR_REPOSITORY:latest \
  -t $ECR_REGISTRY/$ECR_REPOSITORY:${GITHUB_SHA} \
  ./scripts
# Push both tags to ECR
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
docker push $ECR_REGISTRY/$ECR_REPOSITORY:${GITHUB_SHA}
# Output the full image URIs for use in subsequent steps
echo "image_latest=$ECR_REGISTRY/$ECR_REPOSITORY:latest" >> $GITHUB_OUTPUT
echo "image_sha=$ECR_REGISTRY/$ECR_REPOSITORY:${GITHUB_SHA}" >> $GITHUB_OUTPUT
```
```
docker buildx build --platform linux/amd64 --provenance=false -f ./scripts/Dockerfile.script -t $ECR_REGISTRY/$ECR_REPOSITORY:latest ./scripts

# Push the built image to ECR
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
```
The workflow uses 'docker buildx build' but doesn't push the image using buildx's '--push' flag. This means the image is built, loaded into the local Docker daemon, then pushed separately. For efficiency, consider using '--push' flag directly in the buildx build command to stream the image to the registry without loading it locally first.
```
docker buildx build --platform linux/amd64 --provenance=false -f ./scripts/Dockerfile.script -t $ECR_REGISTRY/$ECR_REPOSITORY:latest ./scripts
# Push the built image to ECR
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
```

```
docker buildx build --platform linux/amd64 --provenance=false --push -f ./scripts/Dockerfile.script -t $ECR_REGISTRY/$ECR_REPOSITORY:latest ./scripts
```
No description provided.
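Both review comments above turn on the same point: a bare `latest` tag gives a deploy step nothing stable to reference. As an added example (not code from this PR or its workflow), the POSIX shell helpers below build the `latest` and commit-SHA references, extract the digest that `docker push` (or `buildx --push`) prints, and append digest-pinned `image_*` lines to a `$GITHUB_OUTPUT`-style file; the registry, repository, SHA and push output are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the PR. Builds the image references the workflow
# should publish and pins the deploy reference by digest rather than ':latest'.
# Registry, repository, SHA and the push output below are constructed samples.

# image_refs REGISTRY REPO SHA -> prints the ':latest' and ':<commit sha>' refs
image_refs() {
    registry="$1"; repo="$2"; sha="$3"
    # Only a full 40-hex commit SHA is accepted: a short or empty value would
    # silently produce a tag that collides between builds.
    case "$sha" in *[!0-9a-f]*|"") return 1 ;; esac
    [ "${#sha}" -eq 40 ] || return 1
    printf '%s/%s:latest\n%s/%s:%s\n' "$registry" "$repo" "$registry" "$repo" "$sha"
}

# digest_from_push PUSH_OUTPUT -> the sha256 digest from the final
# "<tag>: digest: sha256:... size: N" line that docker push prints
digest_from_push() {
    printf '%s\n' "$1" | sed -n 's/.*digest: \(sha256:[0-9a-f]\{64\}\).*/\1/p' | tail -n 1
}

# pinned_ref REGISTRY REPO DIGEST -> immutable "<repo>@sha256:..." reference,
# the form to hand to the Lambda deploy step instead of a mutable tag
pinned_ref() {
    case "$3" in sha256:*) printf '%s/%s@%s\n' "$1" "$2" "$3" ;; *) return 1 ;; esac
}

# write_outputs OUTFILE REGISTRY REPO SHA DIGEST -> appends the three
# key=value lines a later step reads from $GITHUB_OUTPUT
write_outputs() {
    out="$1"
    refs=$(image_refs "$2" "$3" "$4") || return 1
    pinned=$(pinned_ref "$2" "$3" "$5") || return 1
    printf 'image_latest=%s\n' "$(printf '%s\n' "$refs" | sed -n 1p)" >> "$out"
    printf 'image_sha=%s\n' "$(printf '%s\n' "$refs" | sed -n 2p)" >> "$out"
    printf 'image_digest=%s\n' "$pinned" >> "$out"
}

# Constructed sample of what 'docker push' prints for a successful push.
SAMPLE_PUSH_OUTPUT='The push refers to repository [123456789012.dkr.ecr.us-east-1.amazonaws.com/lambda-scripts]
5f70bf18a086: Pushed
latest: digest: sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef size: 1573'
```

In the workflow the push output would come from `docker push ... 2>&1 | tee push.log`, and the deploy step would read `image_digest` instead of `image`.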