GitHub Actions ‐ Workflow - Campus-Castolo/m300 GitHub Wiki
This page shows how to:
- Trigger a workflow on push to the `main` branch.
- Build and push a Docker image to AWS ECR.
- Securely store secrets in GitHub.
- Add and run scripts within the workflow.
🔹 1. Automate GitHub Workflow - Push Docker Image to AWS ECR on Push to Main
deploy.yml Workflow Example
Create this file under `.github/workflows/deploy.yml` in your repository.
```yaml
name: Build and Push Docker Image to ECR

on:
  push:
    branches:
      - main   # Triggers on push to main branch

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v3
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-central-1   # Change to your AWS region

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build, Tag, and Push Docker Image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}   # Registry URL from the login step
          ECR_REPOSITORY: your-ecr-repository-name
          IMAGE_TAG: latest
        run: |
          docker build -t "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" .
          docker push "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
```
🔹 2. How to Securely Store Secrets in GitHub
Steps to Store Secrets
- Go to your GitHub Repository.
- Navigate to: Settings → Secrets and variables → Actions.
- Click on New repository secret.
- Add:
  - `AWS_ACCESS_KEY_ID` (from AWS IAM)
  - `AWS_SECRET_ACCESS_KEY` (from AWS IAM)
  - (Optional) Other secrets like database credentials, tokens, etc.
Example Secrets

| Secret Name | Description |
|---|---|
| `AWS_ACCESS_KEY_ID` | Your AWS Access Key ID |
| `AWS_SECRET_ACCESS_KEY` | Your AWS Secret Access Key |
| `OTHER_API_KEY` | Any other API key or token you might need |
🔹 3. How to Add and Run Scripts in GitHub Workflow
You can run scripts (bash, Python, etc.) directly in your workflow using `run`, or reference external scripts from your repo.
Example 1 - Inline Shell Script
```yaml
      - name: Run Custom Commands
        run: |
          echo "Running pre-deployment checks..."
          ./scripts/predeploy.sh   # Runs a script from the repo
          echo "All checks passed!"
```
Example 2 - Python Script
```yaml
      - name: Run Python Script
        run: python ./scripts/checks.py
```
Example 3 - Add Script to Run After Push
```bash
#!/bin/bash
# scripts/predeploy.sh
echo "Pre-deployment checks running..."
# Add any commands you want to check, e.g., linting or tests
exit 0
```
Make sure the script has execution permissions and that the executable bit is committed (git stores the file mode and `actions/checkout` restores it on the runner; otherwise the `run` step fails with `Permission denied`):
```bash
chmod +x scripts/predeploy.sh
```
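A fuller `scripts/predeploy.sh`, added here as an example and not the wiki's own script: it scans every workflow under `.github/workflows` for a pasted-in AWS access key ID or a credential input set to a literal value instead of a `${{ secrets.* }}` reference, and checks that the `Dockerfile` the build step needs exists. The `make_sample_repo` function writes a constructed two-workflow repository into a temporary directory so the checks can be tried offline; the sample file names and the key `AKIAIOSFODNN7EXAMPLE` (AWS's documented placeholder) are assumptions, not anything from the original page.

```shell
#!/bin/sh
# scripts/predeploy.sh  (added example; not the wiki's own script)
# Pre-deployment checks run by the "Pre-Deploy Check Script" step, before any
# AWS credentials are configured. The job fails if a workflow file carries a
# hard-coded AWS credential instead of a ${{ secrets.* }} reference, or if the
# Dockerfile the build step needs is missing.
set -eu

# Return 0 if FILE is clean, 1 if it looks like it embeds an AWS credential.
check_workflow_file() {
    file="$1"
    # AWS access key IDs are 20 characters, prefixed AKIA (long-lived) or ASIA (temporary).
    if grep -Eq '(^|[^A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}([^A-Z0-9]|$)' "$file"; then
        echo "FAIL: $file contains what looks like an AWS access key ID" >&2
        return 1
    fi
    # A credential input whose value is a literal instead of a ${{ ... }} expression.
    if grep -Eq '^[[:space:]]*aws-(access-key-id|secret-access-key):[[:space:]]*[^$[:space:]]' "$file"; then
        echo "FAIL: $file assigns a literal value to an AWS credential input" >&2
        return 1
    fi
    return 0
}

# Check every workflow under ROOT plus the presence of the Dockerfile.
# Reports every failing file, then returns 0 only if everything passed.
check_repo() {
    root="$1"
    status=0
    for f in "$root"/.github/workflows/*.yml "$root"/.github/workflows/*.yaml; do
        [ -e "$f" ] || continue    # an unmatched glob stays literal; skip it
        check_workflow_file "$f" || status=1
    done
    if [ ! -f "$root/Dockerfile" ]; then
        echo "FAIL: $root/Dockerfile not found; the build step would fail" >&2
        status=1
    fi
    [ "$status" -eq 0 ] && echo "Pre-deployment checks passed."
    return "$status"
}

# Constructed sample repository for trying the checks offline (assumption, not a
# real repo): one clean workflow and one with a pasted-in key. Prints its path.
make_sample_repo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.github/workflows"
    printf 'FROM python:3.12-slim\n' > "$dir/Dockerfile"
    cat > "$dir/.github/workflows/good.yml" <<'EOF'
steps:
  - uses: aws-actions/configure-aws-credentials@v3
    with:
      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
EOF
    cat > "$dir/.github/workflows/bad.yml" <<'EOF'
steps:
  - uses: aws-actions/configure-aws-credentials@v3
    with:
      aws-access-key-id: AKIAIOSFODNN7EXAMPLE
      aws-secret-access-key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
EOF
    echo "$dir"
}

# Run the real checks only when executed as scripts/predeploy.sh (as the workflow
# step does), so the functions can also be sourced for testing without side effects.
case "$0" in
    *predeploy.sh) check_repo "${1:-.}" ;;
esac
```

From the workflow the script is invoked as `./scripts/predeploy.sh`, which checks the checked-out repository; `./scripts/predeploy.sh "$(sh -c '. ./scripts/predeploy.sh; make_sample_repo')"` runs it against the constructed sample and fails on `bad.yml`. Keeping this step before `Configure AWS Credentials` means a failing check never leaves credentials in the job environment.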
Example Directory Structure
```text
.github/workflows/deploy.yml
scripts/
  predeploy.sh
  checks.py
Dockerfile
app/
  main.py
```
🔹 Summary Workflow Example (Combining All)
```yaml
name: Full Pipeline with Scripts

on:
  push:
    branches:
      - main

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Pre-Deploy Check Script
        run: ./scripts/predeploy.sh   # Runs before any AWS credentials are configured

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v3
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-central-1

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build, Tag, and Push Docker Image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: my-app-repo
          IMAGE_TAG: ${{ github.sha }}   # Use commit hash as tag
        run: |
          docker build -t "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" .
          docker push "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
```
🔹 Best Practices for Secrets
✅ Never hardcode credentials in workflows.
✅ Use GitHub Secrets for all sensitive data. They are masked in job logs, but do not echo them or write them into files that are uploaded as artifacts.
✅ If using AWS, create a dedicated IAM user (or role) with only the permissions needed to push to ECR: `ecr:GetAuthorizationToken`, plus `ecr:BatchCheckLayerAvailability`, `ecr:InitiateLayerUpload`, `ecr:UploadLayerPart`, `ecr:CompleteLayerUpload` and `ecr:PutImage` scoped to the target repository.
✅ Rotate credentials periodically, and immediately if a key ever appears in a log or a commit.
✅ Use OIDC for even better security if your organization supports it: the job exchanges a short-lived GitHub-issued token for temporary AWS credentials, so no long-lived access key is stored in GitHub at all.
🔹 Key Takeaways

| Action | How |
|---|---|
| Trigger Workflow | `on: push` to `main` |
| Store Secrets | GitHub Repository Settings → Secrets and variables → Actions |
| Login to AWS ECR | `aws-actions/amazon-ecr-login@v2` |
| Build & Push Docker Image | `docker build` and `docker push` |
| Run External Scripts | `run: ./scripts/script.sh` |