[sc-38541] zxcvbn to ECR

.github/workflows/build.yml

@@ -4,6 +4,12 @@ on:
     types: [ released ]
   push:
     branches: ['**']
+permissions:
+  id-token: write
+  contents: read
+env:
+  ECR_REPO_URL: ${{ secrets.AWS_RELEASE_ECR_REPO }}
+  DEV_ECR_REPO_URL: ${{ secrets.AWS_DEVELOPMENT_ECR_REPO }}
 jobs:
   build-zxcvbn-i18n-api-container:
     name: Build zxcvbn-i18n-api container
@@ -19,43 +25,47 @@ jobs:
         uses: ScientaNL/github-actions-env-toolkit@1.1.0
 
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: DockerHub Login
-        uses: docker/login-action@v2
+      - name: Configure AWS Credentials for release
+        uses: aws-actions/configure-aws-credentials@v4
+        if: github.event_name == 'release'
         with:
-          username: ${{ secrets.DOCKERHUB_PUBLIC_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PUBLIC_TOKEN }}
+          aws-region: eu-central-1
+          role-to-assume: ${{ secrets.AWS_RELEASE_ECR_ROLE }}
+          role-session-name: "GithubActions-Release"
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+      - name: Login to Amazon ECR Operations
+        id: login-ecr-ops
+        if: github.event_name == 'release'
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          registries: ${{ secrets.AWS_OPERATIONS_ACCOUNT_ID }}
 
-      - name: Cache Docker layers
-        uses: actions/cache@v3
+      - name: Configure AWS Credentials for development
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
-
-      - name: Build & push Docker image for branch
-        if: github.event_name == 'push'
-        uses: docker/build-push-action@v3
+          aws-region: eu-west-3
+          role-to-assume: ${{ secrets.AWS_DEVELOPMENT_ECR_ROLE }}
+          role-session-name: "GithubActions-DEV"
+
+      - name: Login to Amazon ECR Development
+        id: login-ecr-dev
+        uses: aws-actions/amazon-ecr-login@v2
         with:
-          push: true
-          tags: scienta/zxcvbn-i18n-api:branch-${{env.GITHUB_REF_NAME_SLUG}}
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache
-          build-args: |
-            - API_VERSION=${{env.GITHUB_REF_NAME_SLUG}}-${{env.GITHUB_SHA_SHORT}}
+          registries: ${{ secrets.AWS_DEVELOPMENT_ACCOUNT_ID }}
 
-      - name: Build & push Docker image for release
-        if: github.event_name == 'release'
-        uses: docker/build-push-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build & push Docker image
+        uses: docker/build-push-action@v6
         with:
           push: true
-          tags: scienta/zxcvbn-i18n-api:${{env.GITHUB_REF_NAME_SLUG}}
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache
+          tags: |
+            ${{ env.DEV_ECR_REPO_URL }}/scienta/zxcvbn-i18n-api:${{ github.event_name == 'push' && 'branch-' || '' }}${{env.GITHUB_REF_NAME_SLUG}}
+            ${{ github.event_name == 'release' && format('{0}/scienta/zxcvbn-i18n-api:{1}', env.ECR_REPO_URL, env.GITHUB_REF_NAME_SLUG) || '' }}
           build-args: |
-            - API_VERSION=${{env.GITHUB_REF_NAME_SLUG}}
+            - API_VERSION=${{ github.event_name == 'push' && format('{0}-{1}', env.GITHUB_REF_NAME_SLUG, env.GITHUB_SHA_SHORT) || env.GITHUB_REF_NAME_SLUG }}
+          cache-from: type=registry,ref=${{ env.DEV_ECR_REPO_URL }}/scienta/zxcvbn-i18n-api:cache
+          cache-to: image-manifest=true,oci-mediatypes=true,type=registry,mode=max,ref=${{ env.DEV_ECR_REPO_URL }}/scienta/zxcvbn-i18n-api:cache