ci_container_build_and_push_img.yml

name: Build container and push CI

on:
  push:
    branches:
      - main

env:
  GITHUB_SHA: ${{ github.sha }}
  REPOSITORY: aws-sentinel-connector
  REGISTRY: public.ecr.aws/cds-snc

permissions:
  id-token: write
  contents: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Audit DNS requests
        uses: cds-snc/dns-proxy-action@main
        env:
          DNS_PROXY_FORWARDTOSENTINEL: "true"
          DNS_PROXY_LOGANALYTICSWORKSPACEID: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
          DNS_PROXY_LOGANALYTICSSHAREDKEY: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}

      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

      - name: Configure aws credentials using OIDC
        uses: aws-actions/configure-aws-credentials@master
        with:
          role-to-assume: arn:aws:iam::283582579564:role/aws-sentinel-connector-layer-apply
          role-session-name: SentinelGitHubActions
          aws-region: "us-east-1"

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1
        with:
          registry-type: public

      - name: Build docker image
        working-directory: ./layer
        run: |
          docker build -t $REGISTRY/$REPOSITORY:$GITHUB_SHA .

      - name: Push docker image to AWS ECR
        run: |
          docker push $REGISTRY/$REPOSITORY:$GITHUB_SHA

      - name: Generate $REPOSITORY/docker SBOM
        uses: cds-snc/security-tools/.github/actions/generate-sbom@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4
        with:
          docker_image: "${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ env.GITHUB_SHA }}"
          dockerfile_path: "layer/Dockerfile"
          sbom_name: "aws-sentinel-conector-layer"
          token: "${{ secrets.GITHUB_TOKEN }}"