Merged
42 changes: 42 additions & 0 deletions .github/workflows/build-lambda-image.yaml
@@ -0,0 +1,42 @@
# Build and push the script image to ECR, which will be used by Lambda functions.
name: Build Container-Based Lambda Image and Push to ECR
on:
push:
branches:
- main
paths:
- scripts/**
workflow_dispatch:
jobs:
build-and-push-lambda-to-ecr:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_IAM_ROLE_ARN }}
aws-region: ${{ vars.AWS_REGION }}
- name: Log in to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2

- name: Build, tag, and push image to Amazon ECR
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY_LAMBDA }}
run: |
# Build the Docker image from the 'scripts' directory.
# This assumes your Dockerfile is located in 'scripts/Dockerfile'.
docker buildx build --platform linux/amd64 --provenance=false -f ./scripts/Dockerfile.script -t $ECR_REGISTRY/$ECR_REPOSITORY:latest ./scripts

# Push the built image to ECR
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest

Comment on lines +36 to +40
Copilot AI Oct 19, 2025

The workflow uses 'docker buildx build' but doesn't push the image using buildx's '--push' flag. This means the image is built, loaded into the local Docker daemon, then pushed separately. For efficiency, consider using '--push' flag directly in the buildx build command to stream the image to the registry without loading it locally first.

Suggested change
docker buildx build --platform linux/amd64 --provenance=false -f ./scripts/Dockerfile.script -t $ECR_REGISTRY/$ECR_REPOSITORY:latest ./scripts
# Push the built image to ECR
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
docker buildx build --platform linux/amd64 --provenance=false --push -f ./scripts/Dockerfile.script -t $ECR_REGISTRY/$ECR_REPOSITORY:latest ./scripts

# Output the full image URI for use in subsequent steps
echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:latest" >> $GITHUB_OUTPUT
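Review bot: the comment above the build command says the Dockerfile is at 'scripts/Dockerfile', but the command builds from './scripts/Dockerfile.script'; fix the comment so it matches the file that is actually built. Two further points on this hunk. Every action is pinned only by a floating major-version tag (actions/checkout@v4, aws-actions/configure-aws-credentials@v4, aws-actions/amazon-ecr-login@v2) even though the job holds 'id-token: write' and assumes an IAM role that can push to ECR; pin each 'uses:' to a full commit SHA, with the tag in a trailing comment, so that a repointed tag shows up as a visible diff instead of silently changing what runs with those credentials. And the 'image' value written to $GITHUB_OUTPUT under the 'build-image' step id is not consumed by any later step in this job, and because it is the ':latest' reference it does not identify a particular build anyway; if the output is meant for a follow-on deploy step, emit the pushed digest (or an immutable tag) so the consumer can pin exactly what was built.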
Comment on lines +36 to +42
Copilot AI Oct 19, 2025

The image is only tagged with 'latest', which makes it difficult to track deployments and roll back to previous versions. Consider adding a commit SHA or timestamp tag alongside 'latest' for better version tracking.

Suggested change
docker buildx build --platform linux/amd64 --provenance=false -f ./scripts/Dockerfile.script -t $ECR_REGISTRY/$ECR_REPOSITORY:latest ./scripts
# Push the built image to ECR
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
# Output the full image URI for use in subsequent steps
echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:latest" >> $GITHUB_OUTPUT
# Tag with both 'latest' and commit SHA
docker buildx build --platform linux/amd64 --provenance=false -f ./scripts/Dockerfile.script \
-t $ECR_REGISTRY/$ECR_REPOSITORY:latest \
-t $ECR_REGISTRY/$ECR_REPOSITORY:${GITHUB_SHA} \
./scripts
# Push both tags to ECR
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
docker push $ECR_REGISTRY/$ECR_REPOSITORY:${GITHUB_SHA}
# Output the full image URIs for use in subsequent steps
echo "image_latest=$ECR_REGISTRY/$ECR_REPOSITORY:latest" >> $GITHUB_OUTPUT
echo "image_sha=$ECR_REGISTRY/$ECR_REPOSITORY:${GITHUB_SHA}" >> $GITHUB_OUTPUT

6 changes: 3 additions & 3 deletions .github/workflows/push-artifacts.yaml
@@ -22,7 +22,7 @@ jobs:
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_IAM_ROLE_ARN }}
aws-region: ${{ secrets.AWS_REGION }}
aws-region: ${{ vars.AWS_REGION }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
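Review bot: moving 'aws-region' from 'secrets.AWS_REGION' to 'vars.AWS_REGION' is the right call (a region is configuration, not a credential, and keeping it in secrets only masked a harmless value in the log), and 'role-to-assume' correctly stays in 'secrets.AWS_IAM_ROLE_ARN'. One caveat for the migration: a 'vars.*' reference that has not been defined for the repository or environment expands to an empty string rather than failing the expression, so a forgotten AWS_REGION variable surfaces only as a runtime error from configure-aws-credentials. Add a short guard step before this one that fails fast when 'vars.AWS_REGION' is empty, and confirm the variable has been created for every environment this workflow runs in before merging.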
@@ -34,10 +34,10 @@ jobs:
run: yarn cibuild
- name: Deploy to S3
run: |
aws s3 sync ./dist s3://${{ secrets.AWS_S3_BUCKET }}/website --delete
aws s3 sync ./dist s3://${{ vars.AWS_S3_BUCKET }}/website --delete
- name: Invalidate CloudFront cache
uses: foxdalas/cloudfront-invalidator@v4
with:
tag_key: "Name"
tag_value: ${{ secrets.CLOUDFRONT_DISTRIBUTION_NAME }}
tag_value: ${{ vars.CLOUDFRONT_DISTRIBUTION_NAME }}
paths: "/*"
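Review bot: 'foxdalas/cloudfront-invalidator@v4' is a third-party action that runs with the job's assumed-role credentials and is pinned only by a floating tag; pin it to a full commit SHA, or replace it with 'aws cloudfront create-invalidation' from the AWS CLI that the 'Deploy to S3' step two lines above already uses, which drops the dependency entirely. On the secrets-to-vars change itself: the bucket name and distribution name are now printed unmasked in the job log, which is fine for resource names but should be a deliberate choice. Also note that the same empty-expansion behaviour applies here, so an unset 'vars.AWS_S3_BUCKET' turns the sync target into 's3:///website' and an unset 'vars.CLOUDFRONT_DISTRIBUTION_NAME' into an empty tag value; a guard step that checks both variables before the sync would make that failure explicit rather than leaving it to 'aws s3 sync --delete' to reject.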