feat(release): release with AWS OIDC

.github/workflows/release.yml

@@ -26,7 +26,7 @@ jobs:
           fetch-depth: 0
           fetch-tags: true
 
-      - name: Set up Python
+      - name: Setup Python
         uses: actions/setup-python@v5
 
       - name: Install uv
@@ -38,5 +38,12 @@ jobs:
       - name: Build
         run: uv run task build
 
+      - name: Setup AWS
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+          role-session-name: github-actions-release-ecr
+
       - name: Release (ECR)
         run: uv run task release-ecr-no-build

Taskfile.yml

@@ -7,8 +7,10 @@ vars:
   DOCKER_IMAGE_TAG:
     sh: ./scripts/get-version.sh
   DOCKER_IMAGE: "{{.DOCKER_IMAGE_NAME}}:{{.DOCKER_IMAGE_TAG}}"
-  ECR_REPOSITORY_URL:
-    sh: echo $ECR_REPOSITORY_URL
+  AWS_ACCOUNT_ID:
+    sh: aws sts get-caller-identity --query "Account" --output text || echo ""
+  AWS_REGION:
+    sh: aws configure get region || echo ""
 
 tasks:
   default:
@@ -44,7 +46,7 @@ tasks:
   build:
     run: once
     cmds:
-      - ./scripts/build-image.sh
+      - ./scripts/build-image.sh {{.DOCKER_IMAGE_NAME}}
 
   unit-test:
     run: once
@@ -85,10 +87,10 @@ tasks:
     deps:
       - build
     cmds:
-      - ./scripts/release-ecr.sh {{.ECR_REPOSITORY_URL}}
+      - ./scripts/release-ecr.sh {{.DOCKER_IMAGE_NAME}} {{.AWS_ACCOUNT_ID}} {{.AWS_REGION}}
 
   release-ecr-no-build:
     desc: Release the Docker image to ECR without building it first
     run: once
     cmds:
-      - ./scripts/release-ecr.sh {{.ECR_REPOSITORY_URL}}
+      - ./scripts/release-ecr.sh {{.DOCKER_IMAGE_NAME}} {{.AWS_ACCOUNT_ID}} {{.AWS_REGION}}

scripts/build-image.sh

@@ -3,32 +3,33 @@
 set -euo pipefail
 
 # Arguments
-AWS_ACCOUNT_ID="${1:-}"
-AWS_REGION="${2:-}"
+IMAGE_NAME="${1:-${IMAGE_NAME:-}}"
+: "${IMAGE_NAME:?IMAGE_NAME is required. Pass as first arg or set IMAGE_NAME env var.}"
+
+AWS_ACCOUNT_ID="${2:-${AWS_ACCOUNT_ID:-}}"
+AWS_REGION="${3:-${AWS_REGION:-}}"
 
 # Derived variables
-APP_NAME="lambda-application"
-APP_VERSION=$(uv run ./scripts/get-version.sh)
+IMAGE_VERSION=$(uv run ./scripts/get-version.sh)
 SHA=$(git rev-parse --short HEAD)
 BRANCH=$(git rev-parse --abbrev-ref HEAD)
 DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
 
-
 function build() {
     echo "Building Lambda deployment package..."
     docker build \
-        --build-arg APP_NAME="$APP_NAME" \
-        --build-arg APP_VERSION="$APP_VERSION" \
+        --build-arg IMAGE_NAME="$IMAGE_NAME" \
+        --build-arg IMAGE_VERSION="$IMAGE_VERSION" \
         --build-arg COMMIT_SHA="$SHA" \
         --build-arg BRANCH="$BRANCH" \
         --build-arg BUILD_DATE="$DATE" \
-        -t "$APP_NAME:$APP_VERSION" .
+        -t "$IMAGE_NAME:$IMAGE_VERSION" .
     echo "Build completed successfully."
 }
 
 function tag_ecr() {
     echo "Tagging image..."
-    docker tag "$APP_NAME:$APP_VERSION" "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/$APP_NAME:$APP_VERSION"
+    docker tag "$IMAGE_NAME:$IMAGE_VERSION" "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/$IMAGE_NAME:$IMAGE_VERSION"
     echo "Tagging completed successfully."
 }
 

scripts/release-ecr.sh

@@ -2,37 +2,36 @@
 
 set -euo pipefail
 
-ECR_REPOSITORY_URL="$1"
-
-IMAGE_NAME="$(echo "$ECR_REPOSITORY_URL" | cut -d '/' -f 2)"
-IMAGE_TAG="$(./scripts/get-version.sh)"
-AWS_ACCOUNT_ID="$(echo "$ECR_REPOSITORY_URL" | cut -d '.' -f 1)"
-AWS_ECR_REGION="$(echo "$ECR_REPOSITORY_URL" | cut -d '.' -f 4)"
-
-function ensure_parameters() {
-    if [ -z "$ECR_REPOSITORY_URL" ]; then
-        echo "ECR_REPOSITORY_URL is not set"
-        exit 1
-    fi
-}
+# Arguments
+IMAGE_NAME="${1:-${IMAGE_NAME:-}}"
+: "${IMAGE_NAME:?IMAGE_NAME is required. Pass as first arg or set IMAGE_NAME env var.}"
+
+AWS_ACCOUNT_ID="${2:-${AWS_ACCOUNT_ID:-}}"
+: "${AWS_ACCOUNT_ID:?AWS_ACCOUNT_ID is required. Pass as second arg or set AWS_ACCOUNT_ID env var.}"
+
+AWS_REGION="${3:-${AWS_REGION:-}}"
+: "${AWS_REGION:?AWS_REGION is required. Pass as third arg or set AWS_REGION env var.}"
+
+# Derived variables
+IMAGE_VERSION=$(uv run ./scripts/get-version.sh)
+ECR_REPOSITORY_URL="$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$IMAGE_NAME"
 
 function ecr_login() {
-    aws ecr get-login-password --region "$AWS_ECR_REGION" | \
+    aws ecr get-login-password --region "$AWS_REGION" | \
         docker login --username AWS --password-stdin "$ECR_REPOSITORY_URL"
 }
 
 function ecr_tag() {
-    echo "Tagging image: $ECR_REPOSITORY_URL:$IMAGE_TAG"
-    docker tag "$IMAGE_NAME:$IMAGE_TAG" "$ECR_REPOSITORY_URL:$IMAGE_TAG"
+    echo "Tagging image: $ECR_REPOSITORY_URL:$IMAGE_VERSION"
+    docker tag "$IMAGE_NAME:$IMAGE_VERSION" "$ECR_REPOSITORY_URL:$IMAGE_VERSION"
 }
 
 function ecr_push() {
-    echo "Pushing image to ECR: $ECR_REPOSITORY_URL:$IMAGE_TAG"
-    docker push "$ECR_REPOSITORY_URL:$IMAGE_TAG"
+    echo "Pushing image to ECR: $ECR_REPOSITORY_URL:$IMAGE_VERSION"
+    docker push "$ECR_REPOSITORY_URL:$IMAGE_VERSION"
 }
 
 function main() {
-    ensure_parameters
     ecr_login
     ecr_tag
     ecr_push