publish to ECR

irvingpop · irvingpop · commit a7791d75c072 · 2026-01-25T10:56:40.000-08:00
diff --git a/.github/SETUP.md b/.github/SETUP.md
@@ -0,0 +1,79 @@
+# GitHub Actions Environment Variables Setup
+
+This is a quick reference guide. For complete setup instructions, see [`OPS.md`](../OPS.md#github-actions-aws-oidc-setup).
+
+## Required Secret
+
+The workflow requires one GitHub repository secret:
+
+- **`AWS_ROLE_ARN`**: The ARN of the IAM role that GitHub Actions will assume to push Docker images to ECR
+
+## Setup Steps
+
+### 1. Create AWS IAM Role
+
+**Follow the complete instructions in [`OPS.md`](../OPS.md#github-actions-aws-oidc-setup)** which includes:
+- Creating the OIDC identity provider
+- Creating the IAM role with trust policy  
+- Attaching ECR permissions policy
+
+After completing the AWS setup, you'll have an IAM role ARN (typically: `arn:aws:iam::633607774026:role/GitHubActions-ECR-Push`)
+
+### 2. Add GitHub Secret
+
+Add the IAM role ARN as a GitHub repository secret using the GitHub CLI:
+
+```bash
+# Ensure you're authenticated with GitHub CLI
+# If not already authenticated, run: gh auth login
+
+# Set the secret (replace with your actual role ARN if different)
+gh secret set AWS_ROLE_ARN --body "arn:aws:iam::633607774026:role/GitHubActions-ECR-Push"
+```
+
+**Note**: Make sure you're in the repository directory or specify the repo with `--repo operationcode/back-end`.
+
+### 3. Verify Setup
+
+After adding the secret, the workflow will automatically:
+- Authenticate to AWS using OIDC (no credentials stored)
+- Build Docker images for ARM64 platform
+- Push to ECR with appropriate tags:
+  - `:staging` for non-master branches
+  - `:prod` for master branch (after CI passes)
+
+## Testing
+
+To test the setup:
+
+1. **Test staging build**: Push to any branch except `master`
+   - Should trigger Docker build and push to `:staging` tag
+   - Check ECR repository to verify image was pushed
+
+2. **Test production build**: Merge to `master` branch
+   - Should run lint, test, security checks first
+   - If all pass, should build and push to `:prod` tag
+   - Check ECR repository to verify image was pushed
+
+## Troubleshooting
+
+### Build fails with "Error assuming role"
+- Verify the `AWS_ROLE_ARN` secret is set correctly
+- Check that the IAM role exists and has the correct trust policy
+- Ensure the OIDC identity provider is configured
+
+### Build fails with "AccessDenied" to ECR
+- Verify the IAM role has the ECR push policy attached
+- Check that the policy allows access to the correct ECR repository
+- Ensure the repository path matches: `633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end`
+
+### Production build runs even when tests fail
+- This shouldn't happen - production builds depend on `ci-success` job
+- Check that `ci-success` job is properly failing when tests fail
+- Verify branch protection rules if using them
+
+## Additional Resources
+
+- Full AWS OIDC setup: See [`OPS.md`](../OPS.md#github-actions-aws-oidc-setup)
+- GitHub Actions secrets: https://docs.github.com/en/actions/security-guides/encrypted-secrets
+- AWS OIDC with GitHub: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,7 +2,7 @@ name: CI
 
 on:
   push:
-    branches: [master]
+    branches: ['**']  # Trigger on push to any branch for Docker builds
   pull_request:
     branches: [master]
 
@@ -14,6 +14,8 @@ jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
+    # Only run on master branch pushes and PRs to master
+    if: github.event_name == 'pull_request' || github.ref == 'refs/heads/master'
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -60,6 +62,8 @@ jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
+    # Only run on master branch pushes and PRs to master
+    if: github.event_name == 'pull_request' || github.ref == 'refs/heads/master'
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -121,6 +125,8 @@ jobs:
   security:
     name: Security Scan
     runs-on: ubuntu-latest
+    # Only run on master branch pushes and PRs to master
+    if: github.event_name == 'pull_request' || github.ref == 'refs/heads/master'
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -164,22 +170,97 @@ jobs:
       - name: Display Bandit results
         run: poetry run bandit -r src --skip B101 --severity-level high -f txt || true
 
+  docker-build-push:
+    name: Build and Push Docker Image
+    runs-on: ubuntu-latest
+    # Run on push events only (not pull_request)
+    if: github.event_name == 'push'
+    # For master branch, wait for CI checks to pass; for other branches, ci-success will pass immediately
+    needs: [ci-success]
+    permissions:
+      id-token: write  # Required for OIDC authentication
+      contents: read   # Required to checkout code
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Determine Docker tag
+        id: docker-tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/master" ]; then
+            echo "tag=prod" >> $GITHUB_OUTPUT
+            echo "environment=Production" >> $GITHUB_OUTPUT
+          else
+            echo "tag=staging" >> $GITHUB_OUTPUT
+            echo "environment=Staging" >> $GITHUB_OUTPUT
+          fi
+          echo "Building for ${{ steps.docker-tag.outputs.environment }} with tag: ${{ steps.docker-tag.outputs.tag }}"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          platforms: linux/arm64
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-session-name: GitHubActions-DockerBuild-${{ steps.docker-tag.outputs.environment }}
+          aws-region: us-east-2
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          target: runtime
+          platforms: linux/arm64
+          push: true
+          tags: |
+            633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end:${{ steps.docker-tag.outputs.tag }}
+          provenance: false
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Output image URI
+        run: |
+          echo "Successfully pushed ${{ steps.docker-tag.outputs.environment }} image:"
+          echo "633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end:${{ steps.docker-tag.outputs.tag }}"
+
   # Final status check for branch protection
   ci-success:
     name: CI Success
     needs: [lint, test, security]
     runs-on: ubuntu-latest
+    # Always run to satisfy docker-build-push dependency
     if: always()
     steps:
-      - name: Check all jobs passed
+      - name: Check all jobs passed (master/PR only)
+        if: github.event_name == 'pull_request' || github.ref == 'refs/heads/master'
         run: |
+          # Check if jobs were skipped (non-master) or failed
+          if [[ "${{ needs.lint.result }}" == "skipped" ]]; then
+            echo "Lint job was skipped - this should not happen on master/PR"
+            exit 1
+          fi
           if [[ "${{ needs.lint.result }}" != "success" ]]; then
             echo "Lint job failed"
             exit 1
           fi
+          if [[ "${{ needs.test.result }}" == "skipped" ]]; then
+            echo "Test job was skipped - this should not happen on master/PR"
+            exit 1
+          fi
           if [[ "${{ needs.test.result }}" != "success" ]]; then
             echo "Test job failed"
             exit 1
           fi
           # Security is informational, doesn't fail CI
           echo "All required jobs passed!"
+      - name: Pass through for non-master branches
+        if: github.event_name != 'pull_request' && github.ref != 'refs/heads/master'
+        run: |
+          echo "Skipping CI checks for non-master branch (staging build will proceed)"
diff --git a/OPS.md b/OPS.md
@@ -4,7 +4,18 @@ The backend is deployed to AWS ECS (Elastic Container Service) with separate sta
 
 ## Building and Pushing Docker Images
 
-Use the `docker-build.sh` script to build multi-architecture images and push to AWS ECR:
+### Automated Builds (Recommended)
+
+Docker images are automatically built and pushed to AWS ECR via GitHub Actions:
+
+- **PR branches** (any branch except `master`): Automatically builds and pushes to `:staging` tag
+- **Master branch**: Automatically builds and pushes to `:prod` tag after CI checks pass
+
+The automated builds use AWS OIDC for secure authentication (no long-lived credentials).
+
+### Manual Builds (Legacy)
+
+For manual builds, use the `docker-build.sh` script:
 
 ```bash
 # Build and push staging images
@@ -14,9 +25,7 @@ Use the `docker-build.sh` script to build multi-architecture images and push to
 ./docker-build.sh prod
 ```
 
-This creates:
-- `back-end:staging-amd64` and `back-end:staging-arm64` images
-- A multi-arch manifest at `back-end:staging`
+This creates ARM64 images tagged as `back-end:staging` or `back-end:prod`.
 
 ## Deploying to ECS
 
@@ -74,3 +83,140 @@ aws logs tail /ecs/back-end-staging --follow
 aws logs tail /ecs/back-end-production --follow
 ```
 
+# GitHub Actions AWS OIDC Setup
+
+The CI/CD pipeline uses AWS OIDC (OpenID Connect) for secure authentication to AWS without storing long-lived credentials. This follows AWS security best practices.
+
+## Prerequisites
+
+- AWS account with ECR repository: `633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end`
+- GitHub repository: `operationcode/back-end`
+- AWS IAM permissions to create IAM roles and policies
+
+## Setup Instructions
+
+### 1. Create IAM OIDC Identity Provider
+
+If not already configured, create an OIDC identity provider for GitHub:
+
+```bash
+aws iam create-open-id-connect-provider \
+  --url https://token.actions.githubusercontent.com \
+  --client-id-list sts.amazonaws.com \
+  --thumbprint-list 6938fd4d98bab03faadb97b34396831e3780aea1
+```
+
+### 2. Create IAM Role for GitHub Actions
+
+Create an IAM role that GitHub Actions can assume:
+
+```bash
+# Create trust policy file
+cat > github-actions-trust-policy.json <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::633607774026:oidc-provider/token.actions.githubusercontent.com"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+        },
+        "StringLike": {
+          "token.actions.githubusercontent.com:sub": "repo:operationcode/back-end:*"
+        }
+      }
+    }
+  ]
+}
+EOF
+
+# Create the role
+aws iam create-role \
+  --role-name GitHubActions-ECR-Push \
+  --assume-role-policy-document file://github-actions-trust-policy.json \
+  --description "Allows GitHub Actions to push Docker images to ECR"
+```
+
+### 3. Attach ECR Permissions Policy
+
+Create and attach a policy that allows pushing to ECR:
+
+```bash
+# Create policy file
+cat > ecr-push-policy.json <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecr:GetAuthorizationToken",
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:BatchGetImage",
+        "ecr:PutImage",
+        "ecr:InitiateLayerUpload",
+        "ecr:UploadLayerPart",
+        "ecr:CompleteLayerUpload"
+      ],
+      "Resource": "arn:aws:ecr:us-east-2:633607774026:repository/back-end"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "ecr:GetAuthorizationToken",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+
+# Create the policy
+aws iam create-policy \
+  --policy-name GitHubActions-ECR-Push-Policy \
+  --policy-document file://ecr-push-policy.json
+
+# Attach policy to role
+aws iam attach-role-policy \
+  --role-name GitHubActions-ECR-Push \
+  --policy-arn arn:aws:iam::633607774026:policy/GitHubActions-ECR-Push-Policy
+```
+
+### 4. Configure GitHub Secret
+
+Add the IAM role ARN as a GitHub repository secret using the GitHub CLI:
+
+```bash
+# Ensure you're authenticated with GitHub CLI
+# If not already authenticated, run: gh auth login
+
+# Set the secret (replace with your actual role ARN if different)
+gh secret set AWS_ROLE_ARN --body "arn:aws:iam::633607774026:role/GitHubActions-ECR-Push"
+```
+
+**Note**: Make sure you're in the repository directory or specify the repo with `--repo operationcode/back-end`.
+
+### 5. Verify Setup
+
+After setup, the GitHub Actions workflow will automatically:
+- Authenticate to AWS using OIDC
+- Build Docker images for ARM64 platform
+- Push images to ECR with appropriate tags (`:staging` or `:prod`)
+
+You can verify by:
+1. Pushing a commit to a non-master branch (should push `:staging`)
+2. Merging to master (should push `:prod` after tests pass)
+3. Checking ECR repository for new images
+
+## Security Best Practices
+
+✅ **OIDC Authentication**: No long-lived AWS credentials stored in GitHub  
+✅ **Least Privilege**: IAM role only has permissions needed for ECR push operations  
+✅ **Repository Scoping**: Trust policy restricts access to `operationcode/back-end` repository  
+✅ **Conditional Access**: Production builds only run after CI checks pass  
+✅ **Build Caching**: Uses GitHub Actions cache to speed up builds
+
