.github/workflows/build-push-images.yml

name: Publish Images

on:
  workflow_dispatch:
  push:
    branches:
      - "main"
      - "release"
    tags:
      - "v*"
  pull_request:
    branches:
      - "main"

permissions:
  contents: read
  packages: write

jobs:
  push-to-ecr:
    name: Deploy AWS CDK Stack
    runs-on: ubuntu-latest
    outputs:
      ecr-tags: ${{ steps.meta.outputs.tags }}
    timeout-minutes: 10
    permissions:
      id-token: write # This line allows GitHub Actions to request an OIDC token
      contents: read
    steps:
      - name: Checkout tracecat repo 🛎️
        uses: actions/checkout@v4
        with:
          repository: TracecatHQ/tracecat
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Get SHA
        id: get-sha
        run: echo "sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT=

      - name: Set AWS Credentials for ECR Admin
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
          role-to-assume: ${{ secrets.AWS_ECR__ROLE_TO_ASSUME }} # Full ARN
          role-session-name: GitHubActionECR
          role-duration-seconds: 600
          mask-aws-account-id: true

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ secrets.AWS_ECR__REPOSITORY_URI }}

      - name: Build and push API Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Set job output
        id: ecr-tags
        run: echo "tags=${{ steps.meta.outputs.tags }}" >> $GITHUB_OUTPUT

  push-to-ghcr:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Log in to the Container registry
        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
        with:
          images: ghcr.io/tracecat

      - name: Build and push Docker image
        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}