ecr-build-push

ECR build & push

Build one Docker image with buildx (using the GitHub Actions layer cache) and push it to ECR under the app’s mutable branch tag. The action assumes the ECR push role via OIDC: pass it the DEPLOY_ECR_* repository variables (set by infra), and give the calling job `permissions: id-token: write` so the OIDC token can be minted. Run actions/checkout first. If the Dockerfile mounts BuildKit secrets (for example CodeArtifact auth), run codeartifact-login first and pass the credential through secret-envs or secret-files.

Inputs

| Input | Required | Default | Description |
|---|---|---|---|
| `role-arn` | yes | | `DEPLOY_ECR_PUSH_ROLE_ARN` – the image-push IAM role to assume via OIDC. |
| `region` | yes | | Region the registry lives in (the app’s primary region). |
| `registry` | yes | | `DEPLOY_ECR_REGISTRY` – the `<account-id>.dkr.ecr.<region>.amazonaws.com` host. |
| `repository` | yes | | Repository within the registry (e.g. `codegen-example-app/be`). |
| `tag` | yes | | Image tag to push (e.g. `branch-main`). ECS pins this tag, so pushing it is what a deploy rolls out. |
| `context` | no | `.` | Docker build context directory. |
| `secret-envs` | no | | BuildKit env secrets, one `id=ENV_VAR` per line (passed to docker/build-push-action). E.g. `uv_index_url=UV_INDEX_URL` after codeartifact-login exported it. |
| `secret-files` | no | | BuildKit file secrets, one `id=path` per line (passed to docker/build-push-action). E.g. `npmrc=/home/runner/.npmrc` after codeartifact-login wrote it. |

Usage

- uses: actions/checkout@v6
- uses: FSHTech/github-actions/ecr-build-push@v1
  with:
    role-arn: ...
    region: ...
    registry: ...
    repository: ...
    tag: ...
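A complete calling workflow, added here as an example and not part of this action’s own README: it shows the least-privilege permissions block, the mapping of the DEPLOY_ECR_* repo variables onto the inputs, and the BuildKit secret pass-through after codeartifact-login. The region value is a constructed placeholder, and it is assumed that codeartifact-login exports UV_INDEX_URL into the job environment.

```yaml
# Added example workflow (not the action's own code). Assumes the repo
# variables DEPLOY_ECR_PUSH_ROLE_ARN and DEPLOY_ECR_REGISTRY exist and that
# codeartifact-login exports UV_INDEX_URL for the build to consume.
name: build-and-push

on:
  push:
    branches: [main]   # pushing the branch tag is what ECS rolls out, so keep the trigger tight

permissions:
  contents: read       # enough for actions/checkout
  id-token: write      # required to mint the OIDC token that assumes the push role

jobs:
  image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      # Only needed when the Dockerfile mounts a BuildKit secret. Assumed to
      # export UV_INDEX_URL (CodeArtifact token embedded) into the job env.
      - uses: FSHTech/github-actions/codeartifact-login@v1

      - uses: FSHTech/github-actions/ecr-build-push@v1
        with:
          role-arn: ${{ vars.DEPLOY_ECR_PUSH_ROLE_ARN }}
          region: eu-west-1                         # constructed placeholder; use the app's primary region
          registry: ${{ vars.DEPLOY_ECR_REGISTRY }}
          repository: codegen-example-app/be
          # Safe only because the trigger restricts this to main; ref names
          # containing "/" are not valid image tags.
          tag: branch-${{ github.ref_name }}
          context: .
          # id=ENV_VAR lines. The secret never lands in an image layer; the
          # Dockerfile reads it with: RUN --mount=type=secret,id=uv_index_url ...
          secret-envs: |
            uv_index_url=UV_INDEX_URL
```

Because the pushed tag is mutable and pinned by ECS, protect the `main` branch (required reviews, no force-push) so that the only path to a deploy is a reviewed merge.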