add workflow to push to github

anthony-nhs · anthony-nhs · commit 44746cc1138c · 2025-11-25T10:34:20.000Z
diff --git a/.gitallowed b/.gitallowed
@@ -1,3 +1,4 @@
 token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
 .*\.gitallowed.*
 id-token: write
+password: \${{ secrets\.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish_nhsd_git_secrets_to_github.yml b/.github/workflows/publish_nhsd_git_secrets_to_github.yml
@@ -0,0 +1,95 @@
+#
+name: Create and publish a Docker image
+
+on:
+  workflow_call:
+    secrets:
+      PUSH_IMAGE_ROLE:
+        required: true
+    inputs:
+      ecr_name:
+        type: string
+        description: "The name of the ECR repository to push the dev container image to."
+        required: true
+      container_image_tag:
+        type: string
+        description: "The tag of an existing image to publish to github."
+        required: true
+
+# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+      #
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
+        id: connect-aws-deploy
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.PUSH_IMAGE_ROLE }}
+          role-session-name: dev-container-build-x64
+          output-credentials: true
+      - name: Retrieve AWS Account ID
+        id: retrieve-deploy-account-id
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+          echo "account_id=$ACCOUNT_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Login to Amazon ECR
+        run: |
+          aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin ${{ steps.retrieve-deploy-account-id.outputs.account_id }}.dkr.ecr.eu-west-2.amazonaws.com
+
+      - name: pull image
+        run: |
+          docker pull "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64"
+          docker pull "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64"
+        env:
+          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+          ECR_REPOSITORY: ${{ inputs.ecr_name }}
+          IMAGE_TAG: ${{ inputs.container_image_tag }}
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Tag and push amd64 image
+        run: |
+          docker tag "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-amd64" "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${IMAGE_TAG}-amd64"
+          docker push "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${IMAGE_TAG}-amd64"
+        env:
+          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+          ECR_REPOSITORY: ${{ inputs.ecr_name }}
+          IMAGE_TAG: ${{ inputs.container_image_tag }}
+
+      - name: Tag and push arm64 image
+        run: |
+          docker tag "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}-arm64" "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${IMAGE_TAG}-arm64"
+          docker push "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${IMAGE_TAG}-arm64"
+        env:
+          ACCOUNT_ID: ${{ steps.retrieve-deploy-account-id.outputs.account_id }}
+          ECR_REPOSITORY: ${{ inputs.ecr_name }}
+          IMAGE_TAG: ${{ inputs.container_image_tag }}
+
+      - name: Create and push multi-arch manifest
+        run: |
+          docker manifest create "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${IMAGE_TAG}" \
+            --amend "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${IMAGE_TAG}-amd64" \
+            --amend "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${IMAGE_TAG}-arm64"
+          docker manifest push "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${IMAGE_TAG}"
+        env:
+          IMAGE_TAG: ${{ inputs.container_image_tag }}
