build-push-pipeline.yml

name: CI - build, test & push

on:
  workflow_dispatch:
#  push:
#    branches: [main]

env:
  ECR_REPOSITORY: ${{ secrets.AWS_REPO }}
  IMAGE_TAG: ${{ github.event.repository.name }}

jobs:

  build: 
    name: CI pipeline
    runs-on: ubuntu-latest

    steps:
    - name: checkout code
      uses: actions/checkout@v3
      with:
        fetch-depth: 0
      
    - name: gitleaks scan
      uses: gitleaks/gitleaks-action@v2
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    - name: Checkout code 
      uses: actions/checkout@v3

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v3
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY}}
        aws-region: eu-west-1

    - name: Login to AWS ECR
      id: login-ecr
      uses: aws-actions/amazon-ecr-login@v2

    - name: Build image
      run: docker build . --file Dockerfile --tag $ECR_REPOSITORY:$IMAGE_TAG

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      with:
        scan-type: image
        image-ref: ${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}
        format: 'json'
        output: 'trivy-results.json'

    - name: Push image
      run: docker push $ECR_REPOSITORY:$IMAGE_TAG