skip to content
Profile picture Oscar Corner

Using github actions for Continuous deployment

/ 3 min read

Image deployment and ci using Github actions.

All the code can be find in the following repo in the infra cluster folder.

First we need to allow our Github org to push images to ECR.

To do this we can:

  • Use AWS keys (easier but less secure)
  • Use OpenID connect (harder but more secure) Info

I chose the later:

First we need to set up a GitHub org info.

Second we will need some hcl code to link both things together

First we need a ECR repository.

resource "aws_ecr_repository" "repository" {
  name =

Second we will need to give permissions to push to the repo:

data "aws_iam_policy_document" "github_actions" {
  statement {
    actions = [
    resources = [aws_ecr_repository.repository.arn]

  statement {
    actions = [
    resources = ["*"]

resource "aws_iam_policy" "github_actions" {
  name        = "github-actions-${}"
  description = "Grant Github Actions the ability to push to ${} from oscarsjlh/${}"
  policy      = data.aws_iam_policy_document.github_actions.json

resource "aws_iam_role_policy_attachment" "github_actions" {
  role       =
  policy_arn = aws_iam_policy.github_actions.arn

data "aws_iam_policy_document" "github_actions_assume_role" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.oidc_arn]
    condition {
      test     = "StringLike"
      variable = ""
      values   = ["repo:${var.organization}/${}:*"]

And once we have that the link with AWS:

resource "aws_iam_openid_connect_provider" "github" {
  url             = ""
  client_id_list  = [""]
  thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]

And then we can create a github action to build an push our code to the repo, and once is push we can commit that tag to our Gitops folder and it will update it automatically.

Kind of a long one but the flow would be:

  • 1st we checkout the code.

  • We authorize to AWS and get the credentials for docker.

  • Run docker build the image and tag it with the commit sha.

  • Do some regex to update the manifest.

  • Finally commit and push the changes.

name: ecr build

      - src/**
    branches: ["main"]

  AWS_REGION: "eu-west-2"
  TAGS: ""
    name: Push to ECR
    runs-on: ubuntu-latest

      id-token: write
      contents: write

      - name: checkout
          ssh-key: ${{ secrets.BOT_ACCESS_TOKEN }}
        uses: actions/checkout@v4
      - name: setup AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github-actions-oscar-todo-app-todo-app
          aws-region: ${{ env.AWS_REGION }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build and push Docker image
        id: build
        uses: docker/build-push-action@v5
          context: "{{defaultContext}}:src"
          cache-from: type=gha
          cache-to: type=gha,mode=max
          push: true
          platforms: linux/amd64
          tags: ${{ env.TAGS }}:${{ github.sha }}
          labels: ${{ steps.meta.outputs.labels }}
      - name: Update manifest
        working-directory: ./k8s/todo-template
        run: |
          echo 'Sha digest is: ${{ }}'
          sha="${{ github.sha }}"
          sed -i "s/\(imageTag: \).*/\1$sha/" Values.yaml
          git config --global 'Img updater'
          git config --global user.emal ''
          git commit -am "Update sha to $sha"
          git push