From c191b61e905d62100729cad765e82b9be0b4bba4 Mon Sep 17 00:00:00 2001
From: Perry Zhu
Date: Sat, 18 Oct 2025 17:32:30 -0700
Subject: [PATCH] feat: gha to build and push script image to ECR
---
 .github/workflows/build-lambda-image.yaml | 42 +++++++++++++++++++++++
 .github/workflows/push-artifacts.yaml | 6 ++--
 2 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/build-lambda-image.yaml
diff --git a/.github/workflows/build-lambda-image.yaml b/.github/workflows/build-lambda-image.yaml
new file mode 100644
index 0000000..6ee9511
--- /dev/null
+++ b/.github/workflows/build-lambda-image.yaml
@@ -0,0 +1,42 @@
+# Build and push the script image to ECR, which will be used by Lambda functions.
+name: Build Container-Based Lambda Image and Push to ECR
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - scripts/**
+ workflow_dispatch:
+jobs:
+ build-and-push-lambda-to-ecr:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_IAM_ROLE_ARN }}
+ aws-region: ${{ vars.AWS_REGION }}
+ - name: Log in to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+
+ - name: Build, tag, and push image to Amazon ECR
+ id: build-image
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY_LAMBDA }}
+ run: |
+ # Build the Docker image from the 'scripts' directory.
+ # This assumes your Dockerfile is located in 'scripts/Dockerfile'.
+ docker buildx build --platform linux/amd64 --provenance=false -f ./scripts/Dockerfile.script -t $ECR_REGISTRY/$ECR_REPOSITORY:latest ./scripts
+
+ # Push the built image to ECR
+ docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
+
+ # Output the full image URI for use in subsequent steps
+ echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:latest" >> $GITHUB_OUTPUT
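Review bot: The build step publishes the image only under the mutable `:latest` tag, so nothing ties the image a Lambda function runs to the commit that produced it, and with `--provenance=false` there is no build attestation to fall back on. Consider adding a commit-scoped tag such as `-t "$ECR_REGISTRY/$ECR_REPOSITORY:$GITHUB_SHA"`, pushing with `docker push --all-tags "$ECR_REGISTRY/$ECR_REPOSITORY"`, and writing that tag (or the pushed digest) to `$GITHUB_OUTPUT` rather than `:latest`. The comment above the build command names `scripts/Dockerfile` while the command uses `./scripts/Dockerfile.script`, and a one-line comment saying why `--provenance=false` is required would help the next reader. Because the job holds `id-token: write` and `workflow_dispatch` can be started from any branch, it is also worth confirming that the IAM role's trust policy restricts the OIDC subject to `main`; that policy is not visible in this patch.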
diff --git a/.github/workflows/push-artifacts.yaml b/.github/workflows/push-artifacts.yaml
index 4eaf418..6c1c55b 100644
--- a/.github/workflows/push-artifacts.yaml
+++ b/.github/workflows/push-artifacts.yaml
@@ -22,7 +22,7 @@ jobs:
 uses: aws-actions/configure-aws-credentials@v4
 with:
 role-to-assume: ${{ secrets.AWS_IAM_ROLE_ARN }}
- aws-region: ${{ secrets.AWS_REGION }}
+ aws-region: ${{ vars.AWS_REGION }}
 - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
@@ -34,10 +34,10 @@ jobs:
 run: yarn cibuild
 - name: Deploy to S3
 run: |
- aws s3 sync ./dist s3://${{ secrets.AWS_S3_BUCKET }}/website --delete
+ aws s3 sync ./dist s3://${{ vars.AWS_S3_BUCKET }}/website --delete
 - name: Invalidate CloudFront cache
 uses: foxdalas/cloudfront-invalidator@v4
 with:
 tag_key: "Name"
- tag_value: ${{ secrets.CLOUDFRONT_DISTRIBUTION_NAME }}
+ tag_value: ${{ vars.CLOUDFRONT_DISTRIBUTION_NAME }}
 paths: "/*"
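Review bot: In the `Deploy to S3` step of the second hunk, `${{ vars.AWS_S3_BUCKET }}` is substituted into the shell script text before it runs, whereas the new build-lambda-image workflow in this same commit passes its values through `env:`. Doing the same here keeps the value out of the script source and lets it be quoted: add `env:` with `AWS_S3_BUCKET: ${{ vars.AWS_S3_BUCKET }}` to the step and run `aws s3 sync ./dist "s3://$AWS_S3_BUCKET/website" --delete`. Configuration variables are not masked in logs the way secrets are, which looks acceptable for a region, bucket and distribution name. An undefined `vars.*` evaluates to an empty string, so all three variables (this applies to `aws-region` in the first hunk as well) need to exist before this merges, or the `--delete` sync and the invalidation will be handed an empty name. The job's steps continue outside both hunks.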