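---
# Composite GitHub Action: assumes an AWS role, then runs the bundled
# scripts/script.sh to read an ECR image-scan result and report it on
# the pull request. Every step is gated on `github.event_name ==
# 'pull_request'`, so on any other event the action does nothing.
name: ECR Scan
branding:
  icon: arrow-right-circle
  color: gray-dark
description: |
  This action scans ecr scan result and reports results back to pr

# All inputs are strings (Actions inputs always are), so boolean-looking
# defaults are quoted deliberately; the script receives them via env.
inputs:
  debug-mode:
    description: Set to true for verbose execution when debugging
    required: false
    default: 'false'
  log-level:
    description: The log level to use for the execution
    required: false
    default: 'info'
  log-timestamped:
    description: Set to true in order to enable timestamps on log messages
    required: false
    default: 'true'
  role-to-assume:
    required: true
    description: 'aws role-to-assume to configure'
  role-session-name:
    required: true
    description: 'aws role-session-name to configure'
  aws-region:
    description: AWS region to run in
    required: true
  aws-account-id:
    description: AWS account ID to use for ECR repo
    required: true
  ecr-repo-name:
    description: AWS ECR Repo Name to use to view scan
    required: true
  ecr-repo-tag:
    description: AWS ECR Repo image tag to use to view scan
    required: true
  use-alpha:
    description: AWS ECR Repo Alpha image
    required: false
    default: 'true'
  pr-number:
    description: The current pull request number
    required: true
  sso-prefix:
    description: The prefix for the SSO account
    required: true
  sso-role:
    description: The role to assume in the SSO account
    required: true

runs:
  using: 'composite'
  steps:
    # Publish this action's checkout directory so the later step can locate
    # scripts/script.sh. GITHUB_ACTION_PATH is set by the runner, not by a
    # caller, so interpolating it into `run:` below is not a script-injection
    # surface.
    - name: setup
      if: github.event_name == 'pull_request'
      shell: bash
      id: setup
      run: |
        echo "scripts-path=${GITHUB_ACTION_PATH}" >>"${GITHUB_OUTPUT}"

    # Exchange the workflow's OIDC token for short-lived credentials for the
    # caller-supplied role.
    # NOTE(review): the `uses:` reference is garbled in the rendered page
    # (shown as an obfuscated e-mail). Restore the real owner/repo@ref and
    # pin it to a full-length commit SHA instead of a mutable tag so a
    # compromised or re-tagged upstream cannot change what runs here.
    - name: Configure AWS credentials
      if: github.event_name == 'pull_request'
      uses: aws-actions/[email protected]
      with:
        role-to-assume: ${{ inputs.role-to-assume }}
        role-session-name: ${{ inputs.role-session-name }}
        aws-region: ${{ inputs.aws-region }}

    # Inputs reach the script only through `env:`, never by interpolating
    # `${{ inputs.* }}` into the shell command, so a crafted input value
    # (e.g. an image tag) cannot alter the command line.
    - name: Scan ECR
      if: github.event_name == 'pull_request'
      run: '${{ steps.setup.outputs.scripts-path }}/scripts/script.sh'
      shell: bash
      env:
        DEBUG_MODE: ${{ inputs.debug-mode }}
        LOG_LEVEL: ${{ inputs.log-level }}
        LOG_TIMESTAMPED: ${{ inputs.log-timestamped }}
        AWS_ACCOUNT_ID: ${{ inputs.aws-account-id }}
        AWS_REGION: ${{ inputs.aws-region }}
        ECR_REPO_NAME: ${{ inputs.ecr-repo-name }}
        ECR_REPO_TAG: ${{ inputs.ecr-repo-tag }}
        USE_ALPHA_REGISTRY: ${{ inputs.use-alpha }}
        PR_NUMBER: ${{ inputs.pr-number }}
        SSO_PREFIX: ${{ inputs.sso-prefix }}
        SSO_ROLE: ${{ inputs.sso-role }}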