Model/.github/workflows/_build_image.yml
2026-02-03 14:23:20 +00:00


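name: Build Docker image

# Reusable workflow: builds an image from the caller-supplied Dockerfile,
# pushes it to ECR tagged with the commit SHA, and returns the repository URL
# and the digest of the pushed image.
on:
  workflow_call:
    inputs:
      ecr_repo:
        description: "ECR repository name"
        required: true
        type: string
      dockerfile_path:
        description: "Path to Dockerfile"
        required: true
        type: string
      build_context:
        description: "Docker build context directory"
        required: false
        default: "."
        type: string
    outputs:
      image_digest:
        description: "Pushed image digest (sha256:...)"
        value: ${{ jobs.build.outputs.image_digest }}
      # NOTE(review): this URL embeds AWS_REGION, which is passed as a secret.
      # Runners may withhold job outputs that contain a secret value, so
      # confirm that callers actually receive this output.
      ecr_repo_url:
        description: "ECR repository URL (no tag, no digest)"
        value: ${{ jobs.build.outputs.ecr_repo_url }}
    secrets:
      # NOTE(review): these are long-lived access keys.
      # configure-aws-credentials can instead assume a role via OIDC
      # (`role-to-assume`), which avoids storing static keys. Switching would
      # change this workflow's secrets interface, so it is only noted here.
      AWS_ACCESS_KEY_ID:
        required: true
      AWS_SECRET_ACCESS_KEY:
        required: true
      AWS_REGION:
        required: true

jobs:
  build:
    runs-on: ubuntu-latest
    # The job uses GITHUB_TOKEN only for checkout, so it is limited to
    # read access on repository contents.
    permissions:
      contents: read
    outputs:
      image_digest: ${{ steps.digest.outputs.image_digest }}
      ecr_repo_url: ${{ steps.repo.outputs.ecr_repo_url }}
    steps:
      # NOTE(review): the actions below are referenced by mutable tag.
      # Pinning each `uses:` to a full commit SHA keeps a retagged release
      # from changing what runs with the AWS credentials.
      - uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Login to ECR
        uses: aws-actions/amazon-ecr-login@v2

      # `${{ ... }}` expressions are substituted into the script text before
      # the shell parses it, so a caller-supplied value containing shell
      # metacharacters would run as code. Values are therefore passed through
      # `env:` and read as quoted shell variables in every `run:` step.
      - name: Resolve ECR repo URL
        id: repo
        env:
          AWS_REGION: ${{ secrets.AWS_REGION }}
          ECR_REPO: ${{ inputs.ecr_repo }}
        run: |
          set -euo pipefail
          AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
          ECR_REPO_URL="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}"
          echo "ecr_repo_url=${ECR_REPO_URL}" >> "$GITHUB_OUTPUT"

      - name: Build & push image
        env:
          ECR_REPO_URL: ${{ steps.repo.outputs.ecr_repo_url }}
          DOCKERFILE_PATH: ${{ inputs.dockerfile_path }}
          BUILD_CONTEXT: ${{ inputs.build_context }}
        run: |
          set -euo pipefail
          # The image is tagged with the commit SHA that triggered the run.
          IMAGE_URI="${ECR_REPO_URL}:${GITHUB_SHA}"
          docker build \
            -f "$DOCKERFILE_PATH" \
            -t "$IMAGE_URI" \
            "$BUILD_CONTEXT"
          docker push "$IMAGE_URI"

      # NOTE(review): the digest is looked up by tag after the push. If tags in
      # this repository are mutable, a concurrent push of the same tag could
      # make the lookup return a different image than the one built here.
      # ECR tag immutability, or taking the digest from the push itself,
      # closes that gap.
      - name: Resolve image digest
        id: digest
        env:
          ECR_REPO: ${{ inputs.ecr_repo }}
        run: |
          set -euo pipefail
          DIGEST=$(aws ecr describe-images \
            --repository-name "$ECR_REPO" \
            --image-ids "imageTag=${GITHUB_SHA}" \
            --query 'imageDetails[0].imageDigest' \
            --output text)
          # Fail the job rather than hand callers an empty or "None" digest.
          case "$DIGEST" in
            sha256:*) ;;
            *)
              echo "::error::Unexpected image digest: ${DIGEST}"
              exit 1
              ;;
          esac
          echo "image_digest=${DIGEST}" >> "$GITHUB_OUTPUT"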