From 9adf99f90a924f41ff93a7426598561ef413f4a4 Mon Sep 17 00:00:00 2001
From: batbattur
Date: Tue, 5 Dec 2023 09:36:12 -0800
Subject: [PATCH 1/3] Add build-image.yml deployment workflow for the docker image

This is almost the same deployment workflow we use in data-pipelines repository to build, tag and push the image to ECR: https://github.com/iFixit/data-pipelines/blob/main/.github/workflows/build-image.yml

Saved the `role-to-assume` value in repository variables in the repo.
---
 .github/workflows/build-image.yml | 41 +++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 .github/workflows/build-image.yml

diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
new file mode 100644
index 0000000..ebebdc2
--- /dev/null
+++ b/.github/workflows/build-image.yml
@@ -0,0 +1,41 @@
+name: Build Vigilo image and push to ECR
+on:
+ push:
+ branches:
+ - main
+ # Allow running this workflow manually from the Actions tab
+ workflow_dispatch:
+
+jobs:
+ build_image:
+ name: Build Vigilo image and push to ECR
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: ${{ env.DEPLOY_IAM_ROLE }}
+ aws-region: us-east-1
+
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v1
+
+ - name: Build, Tag, and Push Image to Amazon ECR
+ env:
+ REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ REPOSITORY: vigilo
+ DOCKER_TAG: ${{ github.sha }}
+ run: |
+ docker build -t $REGISTRY/$REPOSITORY:$DOCKER_TAG -f Dockerfile .
+ docker tag $REGISTRY/$REPOSITORY:$DOCKER_TAG $REGISTRY/$REPOSITORY:latest
+
+ docker push $REGISTRY/$REPOSITORY:$DOCKER_TAG
+ docker push $REGISTRY/$REPOSITORY:latest
From 861ddfa093410c4d369b20fb2171e0160116ee43 Mon Sep 17 00:00:00 2001
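Review bot: All three actions in the new `steps` list are pinned to floating major tags (`actions/checkout@v3`, `aws-actions/configure-aws-credentials@v2`, `aws-actions/amazon-ecr-login@v1`), so in a job that holds `id-token: write` and pushes the deployable image, a compromised or re-pointed tag upstream would run with the deploy role; pin each `uses:` to a full-length commit SHA with the version in a trailing comment and let Dependabot or Renovate keep them current. The job also declares no `concurrency` group, so two quick pushes to `main` run in parallel and the older commit's run can finish last and leave `:latest` pointing at the older image; adding `concurrency:` / `  group: build-image-${{ github.ref }}` / `  cancel-in-progress: false` at the job level serialises the runs without aborting a push that has already started. This is a new file, so the whole workflow is within the hunk.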
From: Bat Battur <58952979+batbattur@users.noreply.github.com> Date: Tue, 5 Dec 2023 10:35:06 -0800 Subject: [PATCH 2/3] Use DEPLOY_IAM_ROLE as secret --- .github/workflows/build-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml index ebebdc2..5ca930e 100644 --- a/.github/workflows/build-image.yml +++ b/.github/workflows/build-image.yml @@ -21,7 +21,7 @@ jobs: - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: ${{ env.DEPLOY_IAM_ROLE }} + role-to-assume: ${{ secrets.DEPLOY_IAM_ROLE }} aws-region: us-east-1 - name: Login to Amazon ECR From acf505f76ae0affc5f4d7fbbd8d30273cdd68ee0 Mon Sep 17 00:00:00 2001 From: Bat Battur <58952979+batbattur@users.noreply.github.com> Date: Tue, 5 Dec 2023 10:42:36 -0800 Subject: [PATCH 3/3] Remove `workflow_dispatch` event from deployment We don't want to trigger the deployment workflow for security reasons. --- .github/workflows/build-image.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml index 5ca930e..179079a 100644 --- a/.github/workflows/build-image.yml +++ b/.github/workflows/build-image.yml @@ -3,8 +3,6 @@ on: push: branches: - main - # Allow running this workflow manually from the Actions tab - workflow_dispatch: jobs: build_image:
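Review bot: Reading the role ARN from `secrets.DEPLOY_IAM_ROLE` on the changed `role-to-assume` line masks it in run logs but does not by itself restrict who can assume the role; with OIDC that control is the role's trust policy in AWS, which should condition `token.actions.githubusercontent.com:sub` on `repo:<owner>/<repo>:ref:refs/heads/main` so only this workflow on `main` can assume it — that policy is not visible here, so please confirm it is that narrow. A role ARN is not a credential, so `${{ vars.DEPLOY_IAM_ROLE }}` (the repository variable the first commit message refers to) would keep it readable in the step output when debugging an AssumeRoleWithWebIdentity failure; if `secrets` is kept on purpose, a one-line comment above the step such as `# ARN kept in a secret so it is masked in logs; access is enforced by the role's trust policy` would tell the next reader why. The `steps` list continues on both sides of the hunk.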