.github/workflows/build.yml

name: Build Image
permissions: 
  contents: write
  id-token: write
on:
  workflow_dispatch:
    inputs:
      environment:
        description: 'Which account the ECR repository is in'
        type: environment
      fail_on_trivy_scan:
        type: boolean
        description: fail the build if vulnerabilities are found
        required: true 
        default: false
jobs:
  build:
    name: Build Image
    runs-on: ubuntu-latest
    env:
        ECR_REPOSITORY: bento-frontend
        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
    steps:

    - name: Check out code
      uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5

    - name: Set Image Tag
      env:
        BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
      run: |
        # Get all tags for the repo and find the latest tag for the branch being built
        git fetch --tags --force --quiet
        tag=$(git tag -l $BRANCH_NAME* | tail -1)
        if  [ ! -z "$tag" ];
        then
          # Increment the build number if a tag is found
          build_num=$(echo "${tag##*.}")
          build_num=$((build_num+1))
          echo "IMAGE_TAG=$GITHUB_REF_NAME.$build_num" >> $GITHUB_ENV
        else
          # If no tag is found create a new tag name
          build_num=1
          echo "IMAGE_TAG=$GITHUB_REF_NAME.$build_num" >> $GITHUB_ENV
        fi
    
    - name: Build
      id: build-image
      run: |
        docker build -t $ECR_REPOSITORY:$IMAGE_TAG .
        
    - name: Set Trivy exit code
      run: |
        if  [[ ${{ inputs.fail_on_trivy_scan }} == true ]];
        then
          echo 'TRIVY_EXIT_CODE=1' >> $GITHUB_ENV
        else
          echo 'TRIVY_EXIT_CODE=0' >> $GITHUB_ENV
        fi
    
    - name: Run Trivy vulnerability scanner
      id: trivy-scan
      uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561
      with:
        image-ref: '${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}'
        format: 'table'
        exit-code: '${{ env.TRIVY_EXIT_CODE }}'
        ignore-unfixed: true
        severity: 'CRITICAL,HIGH'

    - name: Create Git tag for Image
      run: |
        git config user.name "GitHub Actions"
        git config user.email "github-actions@users.noreply.github.com"
        git tag ${{ env.IMAGE_TAG }}
        git push origin ${{ env.IMAGE_TAG }}

    - name: AWS OIDC Authentication
      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
      with:
        role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
        aws-region: ${{ secrets.AWS_REGION }}
        role-session-name: ${{ github.actor }}

    - name: Login to Amazon ECR
      id: login-aws-ecr
      uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7
    
    - name: Push to Amazon ECR
      id: push-image
      env:
        ECR_REGISTRY: ${{ steps.login-aws-ecr.outputs.registry }}
      run: |
        docker tag  $ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
        docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG

    - name: Slack Notification
      uses: act10ns/slack@87c73aef9f8838eb6feae81589a6b1487a4a9e08
      with:
        status: ${{ job.status }}
        steps: ${{ toJson(steps) }}
      if: always()