.github/workflows/build.yml

name: Build Image
permissions: 
  contents: read 
  id-token: write 
on:
  workflow_dispatch:
    inputs:
      fail_on_trivy_scan:
        type: boolean
        description: fail the build if vulnerabilities are found
        required: true 
        default: false
jobs:
  build:
    name: Build Image
    runs-on: ubuntu-latest
    env:
        ECR_REPOSITORY: bento-frontend
    steps:

    - name: Check out code
      uses: actions/checkout@v2

    - name: Set Image Tag
      run: |
        # Get all tags for the repo and find the latest tag for the branch being built
        git fetch --tags --force --quiet
        tag=$(git tag -l $GITHUB_REF_NAME* | tail -1 | cut -d "-" -f2-)

        if  [ ! -z "$tag" ];
        then
          # Increment the build number if a tag is found
          build_num=$(echo "${tag##*.}")
          build_num=$((build_num+1))
          echo "IMAGE_TAG=$GITHUB_REF_NAME.$build_num" >> $GITHUB_ENV
        else
          # If no tag is found create a new tag name
          build_num=1
          echo "IMAGE_TAG=$GITHUB_REF_NAME.$build_num" >> $GITHUB_ENV
        fi
    
    - name: Build
      run: |
        docker build -t $ECR_REPOSITORY:$IMAGE_TAG .
        
    - name: Set Trivy exit code
      run: |
        if  [[ ${{ inputs.fail_on_trivy_scan }} == true ]];
        then
          echo 'TRIVY_EXIT_CODE=1' >> $GITHUB_ENV
        else
          echo 'TRIVY_EXIT_CODE=0' >> $GITHUB_ENV
        fi
    
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@0.20.0
      with:
        image-ref: '${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}'
        format: 'table'
        exit-code: '${{ env.TRIVY_EXIT_CODE }}'
        ignore-unfixed: true
        severity: 'CRITICAL,HIGH'

    - name: AWS OIDC Authentication
      id: auth 
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
        aws-region: ${{ secrets.AWS_REGION }}
        role-session-name: ${{ github.actor }}

    - name: Login to Amazon ECR
      id: login-aws-ecr
      uses: aws-actions/amazon-ecr-login@v1
    
    - name: Push to Amazon ECR
      env:
        ECR_REGISTRY: ${{ steps.login-aws-ecr.outputs.registry }}
      run: |
        docker tag  $ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
        docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG