Merge pull request #2031 from alphagov/whi-tw/fix-push-ecr-weirdness

Fix intermittent 403 when pushing review apps to ECR

Author: whi-tw

.github/workflows/reusable-review_apps_on_pr_change.yml

@@ -26,6 +26,8 @@ jobs:
         with:
           role-to-assume: arn:aws:iam::${{ inputs.aws-account-number }}:role/review-github-actions-${{ inputs.app-name }}
           aws-region: ${{ inputs.aws-region }}
+      - name: Log in to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@c962da2960ed15f492addc26fffa274485265950 # v2.0.2
 
       - name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -42,14 +44,11 @@ jobs:
           echo "BASE_URI=${BASE_URI}" >> "$GITHUB_OUTPUT"
           echo "URI=${BASE_URI}-${HEAD_SHA}-$(date +%s)" >> "$GITHUB_OUTPUT"
 
-      - name: Log in to Amazon ECR
-        uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1
-
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Build
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           push: true
           tags: ${{ steps.generate_image_uri.outputs.URI }}

infra/deployments/integration/review/github_actions_codebuild.tf

@@ -156,7 +156,8 @@ data "aws_iam_policy_document" "github_actions" {
       "ecr:CompleteLayerUpload",
       "ecr:InitiateLayerUpload",
       "ecr:PutImage",
-      "ecr:UploadLayerPart"
+      "ecr:UploadLayerPart",
+      "ecr:BatchGetImage"
     ]
     resources = [each.value.ecr_repository_arn]
   }