[sc-38540] html-pdf-export to ECR

.github/workflows/build.yml

@@ -4,6 +4,12 @@ on:
     types: [ created ]
   push:
     branches: ['**']
+permissions:
+  id-token: write
+  contents: read
+env:
+  ECR_REPO_URL: ${{ secrets.AWS_RELEASE_ECR_REPO }}
+  DEV_ECR_REPO_URL: ${{ secrets.AWS_DEVELOPMENT_ECR_REPO }}
 jobs:
   build-html-pdf-export-container:
     name: Build html-pdf-export container
@@ -14,30 +20,46 @@ jobs:
         uses: ScientaNL/[email protected]
 
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: DockerHub Login
-        uses: docker/login-action@v2
+      - name: Configure AWS Credentials for release
+        uses: aws-actions/configure-aws-credentials@v4
+        if: github.event_name == 'release'
         with:
-          username: ${{ secrets.DOCKERHUB_PUBLIC_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PUBLIC_TOKEN }}
+          aws-region: eu-central-1
+          role-to-assume: ${{ secrets.AWS_RELEASE_ECR_ROLE }}
+          role-session-name: "GithubActions-Release"
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+      - name: Login to Amazon ECR Operations
+        id: login-ecr-ops
+        if: github.event_name == 'release'
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          registries: ${{ secrets.AWS_OPERATIONS_ACCOUNT_ID }}
+
+      - name: Configure AWS Credentials for development
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-3
+          role-to-assume: ${{ secrets.AWS_DEVELOPMENT_ECR_ROLE }}
+          role-session-name: "GithubActions-DEV"
 
-      - name: Cache Docker layers
-        uses: actions/cache@v3
+      - name: Login to Amazon ECR Development
+        id: login-ecr-dev
+        uses: aws-actions/amazon-ecr-login@v2
         with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
+          registries: ${{ secrets.AWS_DEVELOPMENT_ACCOUNT_ID }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
       - name: Build & push Docker image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v6
         with:
           push: true
-          tags: scienta/html-pdf-export:${{ github.event_name == 'push' && 'branch-' || '' }}${{env.GITHUB_REF_NAME_SLUG}}
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache
+          tags: |
+            ${{ env.DEV_ECR_REPO_URL }}/scienta/html-pdf-export:${{ github.event_name == 'push' && 'branch-' || '' }}${{env.GITHUB_REF_NAME_SLUG}}
+            ${{ github.event_name == 'release' && format('{0}/scienta/html-pdf-export:{1}', env.ECR_REPO_URL, env.GITHUB_REF_NAME_SLUG) || '' }}
+          cache-from: type=registry,ref=${{ env.DEV_ECR_REPO_URL }}/scienta/html-pdf-export:cache
+          cache-to: image-manifest=true,oci-mediatypes=true,type=registry,mode=max,ref=${{ env.DEV_ECR_REPO_URL }}/scienta/html-pdf-export:cache