Rework Docker & CI #404

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

irvingpop merged 12 commits into master from irving/rework_docker

Jan 25, 2026

+941 −394

.bandit

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -1,2 +1,2 @@
  
    [bandit]

    exclude: ./src/tests/*

    exclude=src/tests/*,.venv,__pycache__,*.pyc,migrations/*

.flake8

This file was deleted.

.github/SETUP.md

-Original file line number
+Diff line change
@@ -0,0 +1,79 @@
+    # GitHub Actions Environment Variables Setup
+    This is a quick reference guide. For complete setup instructions, see [`OPS.md`](../OPS.md#github-actions-aws-oidc-setup).
+    ## Required Secret
+    The workflow requires one GitHub repository secret:
+    - **`AWS_ROLE_ARN`**: The ARN of the IAM role that GitHub Actions will assume to push Docker images to ECR
+    ## Setup Steps
+    ### 1. Create AWS IAM Role
+    **Follow the complete instructions in [`OPS.md`](../OPS.md#github-actions-aws-oidc-setup)** which includes:
+    - Creating the OIDC identity provider
+    - Creating the IAM role with trust policy
+    - Attaching ECR permissions policy
+    After completing the AWS setup, you'll have an IAM role ARN (typically: `arn:aws:iam::633607774026:role/GitHubActions-ECR-Push`)
+    ### 2. Add GitHub Secret
+    Add the IAM role ARN as a GitHub repository secret using the GitHub CLI:
+    ```bash
+    # Ensure you're authenticated with GitHub CLI
+    # If not already authenticated, run: gh auth login
+    # Set the secret (replace with your actual role ARN if different)
+    gh secret set AWS_ROLE_ARN --body "arn:aws:iam::633607774026:role/GitHubActions-ECR-Push"
+    ```
+    **Note**: Make sure you're in the repository directory or specify the repo with `--repo operationcode/back-end`.
+    ### 3. Verify Setup
+    After adding the secret, the workflow will automatically:
+    - Authenticate to AWS using OIDC (no credentials stored)
+    - Build Docker images for ARM64 platform
+    - Push to ECR with appropriate tags:
+      - `:staging` for non-master branches
+      - `:prod` for master branch (after CI passes)
+    ## Testing
+    To test the setup:
+. **Test staging build**: Push to any branch except `master`
+       - Should trigger Docker build and push to `:staging` tag
+       - Check ECR repository to verify image was pushed
+. **Test production build**: Merge to `master` branch
+       - Should run lint, test, security checks first
+       - If all pass, should build and push to `:prod` tag
+       - Check ECR repository to verify image was pushed
+    ## Troubleshooting
+    ### Build fails with "Error assuming role"
+    - Verify the `AWS_ROLE_ARN` secret is set correctly
+    - Check that the IAM role exists and has the correct trust policy
+    - Ensure the OIDC identity provider is configured
+    ### Build fails with "AccessDenied" to ECR
+    - Verify the IAM role has the ECR push policy attached
+    - Check that the policy allows access to the correct ECR repository
+    - Ensure the repository path matches: `633607774026.dkr.ecr.us-east-2.amazonaws.com/back-end`
+    ### Production build runs even when tests fail
+    - This shouldn't happen - production builds depend on `ci-success` job
+    - Check that `ci-success` job is properly failing when tests fail
+    - Verify branch protection rules if using them
+    ## Additional Resources
+    - Full AWS OIDC setup: See [`OPS.md`](../OPS.md#github-actions-aws-oidc-setup)
+    - GitHub Actions secrets: https://docs.github.com/en/actions/security-guides/encrypted-secrets
+    - AWS OIDC with GitHub: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Rework Docker & CI #404

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!