ecr

.github/workflows/docker-build.yaml

@@ -20,6 +20,7 @@ jobs:
       pk: ${{ secrets.CZI_GITHUB_HELPER_PK }}
     with:
       env: rdev
+      ecr_root_path: ./.infra/ecr
       images: |
         [
           {

.infra/ecr/lifecycle-policy.json

@@ -0,0 +1,16 @@
+{
+  "rules": [
+      {
+          "rulePriority": 1,
+          "description": "Keep at most 1000 images",
+          "selection": {
+              "tagStatus": "any",
+              "countType": "imageCountMoreThan",
+              "countNumber": 1000
+          },
+          "action": {
+              "type": "expire"
+          }
+      }
+  ]
+}

.infra/ecr/repository-policy.json

@@ -0,0 +1,29 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "OrganizationReadOnlyAccess",
+      "Effect": "Allow",
+      "Principal": "*",
+      "Action": [
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:BatchGetImage",
+        "ecr:DescribeImageScanFindings",
+        "ecr:DescribeImages",
+        "ecr:DescribeRepositories",
+        "ecr:GetAuthorizationToken",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:GetLifecyclePolicy",
+        "ecr:GetLifecyclePolicyPreview",
+        "ecr:GetRepositoryPolicy",
+        "ecr:ListImages",
+        "ecr:ListTagsForResource"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "aws:PrincipalOrgID": "o-56v5gp5fcu"
+        }
+      }
+    }
+  ]
+}