# ecr-build-push

> ECR build & push

Builds one Docker image with buildx (using the GitHub Actions layer cache) and pushes it to ECR under the app's mutable branch tag. The action assumes the ECR push role via OIDC; pass it the `DEPLOY_ECR_*` repository variables (set by infra). The calling job needs `permissions: id-token: write`; because declaring `permissions` turns every unlisted scope off, also keep `contents: read` so `actions/checkout` still works.

Run `actions/checkout` first. If the Dockerfile mounts BuildKit secrets (CodeArtifact auth), run `codeartifact-login` first and pass the credential through `secret-envs` / `secret-files`. BuildKit secret mounts are only visible to the `RUN` step that mounts them and are never written into an image layer; passing the same credential as a build arg or `ENV` would bake it into the pushed image.

Note that ECS pins the branch tag, so whoever can push that tag can change what the next deploy rolls out. Scope the push role's trust policy to this repository and branch (the OIDC `sub` claim) rather than to the whole organization.

## Inputs

| Input | Required | Default | Description |
|---|---|---|---|
| `role-arn` | yes | — | `DEPLOY_ECR_PUSH_ROLE_ARN`: the image-push IAM role to assume via OIDC. |
| `region` | yes | — | Region the registry lives in (the app's primary region). |
| `registry` | yes | — | `DEPLOY_ECR_REGISTRY`: the `<account-id>.dkr.ecr.<region>.amazonaws.com` host. |
| `repository` | yes | — | Repository within the registry (e.g. `codegen-example-app/be`). |
| `tag` | yes | — | Image tag to push (e.g. `branch-main`). ECS pins this tag, so pushing it is what a deploy rolls out. |
| `context` | no | `.` | Docker build context directory. |
| `secret-envs` | no | — | BuildKit env secrets, one `id=ENV_VAR` per line (passed to `docker/build-push-action`). E.g. `uv_index_url=UV_INDEX_URL` after `codeartifact-login` exported it. |
| `secret-files` | no | — | BuildKit file secrets, one `id=path` per line (passed to `docker/build-push-action`). E.g. `npmrc=/home/runner/.npmrc` after `codeartifact-login` wrote it. |

## Usage

```yaml
- uses: actions/checkout@v6
- uses: FSHTech/github-actions/ecr-build-push@v1
  with:
    role-arn: ...
    region: ...
    registry: ...
    repository: ...
    tag: ...
```
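A complete calling job, added here as an illustration rather than taken from the action's own docs. It assumes a `DEPLOY_ECR_REGION` repository variable (the page names only `DEPLOY_ECR_PUSH_ROLE_ARN` and `DEPLOY_ECR_REGISTRY`), that the companion `codeartifact-login` action lives at `FSHTech/github-actions/codeartifact-login@v1` with its inputs omitted, and that the branch tag is derived from `github.ref_name`:

```yaml
# Added example workflow (not the action's own documentation).
name: build-image
on:
  push:
    branches: [main]

jobs:
  image:
    runs-on: ubuntu-latest
    # id-token: write is required for OIDC. Declaring `permissions` turns
    # every unlisted scope off, so contents: read must be kept for checkout.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v6

      # Assumed path and behaviour: exports UV_INDEX_URL and writes
      # /home/runner/.npmrc with a CodeArtifact token. Inputs omitted.
      - uses: FSHTech/github-actions/codeartifact-login@v1

      - uses: FSHTech/github-actions/ecr-build-push@v1
        with:
          role-arn: ${{ vars.DEPLOY_ECR_PUSH_ROLE_ARN }}
          region: ${{ vars.DEPLOY_ECR_REGION }}        # assumed variable name
          registry: ${{ vars.DEPLOY_ECR_REGISTRY }}
          repository: codegen-example-app/be
          # On a push event ref_name is the branch, so this yields branch-main.
          tag: branch-${{ github.ref_name }}
          context: .
          # Credentials go in as BuildKit secrets, not build args, so they are
          # mounted only during the RUN step that asks for them and never
          # land in a pushed layer.
          secret-envs: |
            uv_index_url=UV_INDEX_URL
          secret-files: |
            npmrc=/home/runner/.npmrc
```

The Dockerfile consumes the secrets by id, for example `RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci` or `RUN --mount=type=secret,id=uv_index_url,env=UV_INDEX_URL uv sync`; the id on the left of each `secret-envs` / `secret-files` line must match the `id=` in the mount, and a mount for an id that was not passed fails the build rather than silently building without the credential.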