.github/workflows/build_and_push.yml

name: Build and Push Container to ECR, deploy to lambda

on:
  workflow_dispatch:
  push:
    branches: [main]

env:
  AWS_REGION: ca-central-1
  GITHUB_SHA: ${{ github.sha }}
  REGISTRY: ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.ca-central-1.amazonaws.com/list-manager

permissions:
  id-token: write
  contents: read

jobs:
  changes:
    runs-on: ubuntu-latest
    outputs:
      images: ${{ steps.filter.outputs.changes }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        id: filter
        with:
          filters: |
            api: 'api/**'

  build-push-and-deploy:
    if: needs.changes.outputs.images != '[]'
    runs-on: ubuntu-latest
    needs: changes
    strategy:
      fail-fast: false
      matrix:
        image: ${{ fromJSON(needs.changes.outputs.images) }}

    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Build container
        working-directory: ./${{ matrix.image }}
        run: |
          docker build \
          --build-arg git_sha=$GITHUB_SHA \
          -t $REGISTRY/${{ matrix.image }}:$GITHUB_SHA \
          -t $REGISTRY/${{ matrix.image }}:latest .

      - name: Configure AWS credentials using OIDC
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT }}:role/list-manager-apply
          role-session-name: ECRPush
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1

      - name: Push containers to ECR
        run: |
          docker push $REGISTRY/${{ matrix.image }}:$GITHUB_SHA
          docker push $REGISTRY/${{ matrix.image }}:latest

      - name: Deploy lambda
        if: matrix.image == 'api' || contains(matrix.image, 'scanners')
        run: |
          FNAME=$(sed 's/\//-/g' <<< "${{ matrix.image }}")
          aws lambda update-function-code \
            --function-name "$FNAME" \
            --image-uri $REGISTRY/${{ matrix.image }}:latest > /dev/null 2>&1

      - name: Migrate Database
        if: matrix.image == 'api'
        run: |
          source .github/workflows/scripts/migrate.sh
          migrate

      - name: Docker generate SBOM
        uses: cds-snc/security-tools/.github/actions/generate-sbom@34794baf2af592913bb5b51d8df4f8d0acc49b6f # v3.2.0
        env:
          TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
        with:
          docker_image: "${{ env.REGISTRY }}/${{ matrix.image }}:latest"
          dockerfile_path: "${{ matrix.image }}/Dockerfile"
          sbom_name: "${{ matrix.image }}"
          token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Logout of Amazon ECR
        run: docker logout ${{ steps.login-ecr.outputs.registry }}