CI job for building docker images

dotemacs · dotemacs · commit 01b23235aa11 · 2026-01-08T08:13:26.000Z
Updated it to use GitHub's GHCR instead of AWS ECR
diff --git a/.github/workflows/build_image.yaml b/.github/workflows/build_image.yaml
@@ -1,37 +1,54 @@
-name: Build and upload docker images
+name: Build and Push Image
 
 on:
   push:
     branches:
       - '**'
 
 permissions:
-  id-token: write   # for JWT request
-  contents: read    # for actions/checkout
+  contents: read
+  packages: write
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: cabinetoffice/fb-user-filestore-api
 
 jobs:
-  docker-image-build:
-    name: docker-image-build
+  build-fb-user-filestore-api:
     runs-on: ubuntu-latest
-    environment: preprod
     steps:
-      - name: Checkout repo
-        uses: actions/checkout@v4.1.7
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4.0.2
-        with:
-          role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
-          aws-region: eu-west-2
-          role-session-name: github-aws-access
-      - name: Login to Amazon ECR
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2.0.1
-      - name: Build fb-user-filestore, tag, and push docker image to Amazon ECR
-        env:
-          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          REPOSITORY: "fb-user-filestore"
-          IMAGE_TAG: ${{ github.sha }}
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Compute tag
+        id: tag
+        shell: bash
         run: |
-          docker build -t ${{ env.REPOSITORY }}:${{ env.IMAGE_TAG }} .
-          docker tag ${{ env.REPOSITORY }}:${{ env.IMAGE_TAG }} ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ env.IMAGE_TAG }}
-          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ env.IMAGE_TAG }}
+          set -euo pipefail
+          sha="${GITHUB_SHA}"
+          short_sha="${sha:0:7}"
+          ref="${GITHUB_REF_NAME}"
+
+          if [[ "$ref" == "main" ]]; then
+            tag="main-${short_sha}"
+          else
+            # Sanitize branch name for Docker tag compatibility.
+            safe_ref="$(echo "$ref" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9_.-]/-/g')"
+            tag="branch-${safe_ref}-${short_sha}"
+          fi
+
+          echo "value=$tag" >> "$GITHUB_OUTPUT"
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.value }}
