From 8fe89e9763db88961d798cf5c335ee3ad0e40bc2 Mon Sep 17 00:00:00 2001
From: Jack Sullivan
Date: Sat, 23 Aug 2025 23:45:16 -0700
Subject: [PATCH 1/3] fix(release): align env vars

---
 Taskfile.yml | 12 +++++++-----
 scripts/build-image.sh | 19 ++++++++++--------
 scripts/release-ecr.sh | 37 ++++++++++++++++++-------------------
 3 files changed, 35 insertions(+), 33 deletions(-)

diff --git a/Taskfile.yml b/Taskfile.yml
index 029d313..68950b5 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -7,8 +7,10 @@ vars:
 DOCKER_IMAGE_TAG:
 sh: ./scripts/get-version.sh
 DOCKER_IMAGE: "{{.DOCKER_IMAGE_NAME}}:{{.DOCKER_IMAGE_TAG}}"
- ECR_REPOSITORY_URL:
- sh: echo $ECR_REPOSITORY_URL
+ AWS_ACCOUNT_ID:
+ sh: aws sts get-caller-identity --query "Account" --output text
+ AWS_REGION:
+ sh: aws configure get region
 
 tasks:
 default:
@@ -44,7 +46,7 @@ tasks:
 build:
 run: once
 cmds:
- - ./scripts/build-image.sh
+ - ./scripts/build-image.sh {{.DOCKER_IMAGE_NAME}}
 
 unit-test:
 run: once
@@ -85,10 +87,10 @@ tasks:
 deps:
 - build
 cmds:
- - ./scripts/release-ecr.sh {{.ECR_REPOSITORY_URL}}
+ - ./scripts/release-ecr.sh {{.DOCKER_IMAGE_NAME}} {{.AWS_ACCOUNT_ID}} {{.AWS_REGION}}
 
 release-ecr-no-build:
 desc: Release the Docker image to ECR without building it first
 run: once
 cmds:
- - ./scripts/release-ecr.sh {{.ECR_REPOSITORY_URL}}
+ - ./scripts/release-ecr.sh {{.DOCKER_IMAGE_NAME}} {{.AWS_ACCOUNT_ID}} {{.AWS_REGION}}
diff --git a/scripts/build-image.sh b/scripts/build-image.sh
index 718144c..c2c2f0f 100755
--- a/scripts/build-image.sh
+++ b/scripts/build-image.sh
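Review bot: The new `AWS_ACCOUNT_ID` var in the first Taskfile hunk derives the push destination from whatever credentials `aws sts get-caller-identity` happens to find, so a stray or wrong local profile silently makes a different account the release target instead of failing. Pin the intended account and let the STS lookup be only a fallback, e.g. `sh: echo "${AWS_ACCOUNT_ID:-$(aws sts get-caller-identity --query "Account" --output text)}"` with the expected ID supplied via the environment or a committed `.env`, or better, compare the STS result against a pinned value and abort on mismatch. As far as I know Task evaluates global `sh:` vars when the Taskfile is loaded, so this change also makes every task, including `build` and `unit-test`, perform an STS call and require credentials; patch 3 papers over the failure but does not remove the call.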
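Review bot: In the last hunk the three template values are passed to `release-ecr.sh` unquoted, so an empty `{{.AWS_ACCOUNT_ID}}` (which patch 3 turns into an expected outcome) disappears from the argument list and `{{.AWS_REGION}}` shifts into the account slot, producing a malformed registry host instead of tripping the script's `:?` guard. Quote them: `- ./scripts/release-ecr.sh "{{.DOCKER_IMAGE_NAME}}" "{{.AWS_ACCOUNT_ID}}" "{{.AWS_REGION}}"`; an empty quoted argument is treated as unset by the script's `${2:-${AWS_ACCOUNT_ID:-}}` fallback, so the environment-variable path still works. The same applies to the `release-ecr-no-build` command line below it.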
@@ -3,32 +3,33 @@
 set -euo pipefail
 
 # Arguments
-AWS_ACCOUNT_ID="${1:-}"
-AWS_REGION="${2:-}"
+IMAGE_NAME="${1:-${IMAGE_NAME:-}}"
+: "${IMAGE_NAME:?IMAGE_NAME is required. Pass as first arg or set IMAGE_NAME env var.}"
+
+AWS_ACCOUNT_ID="${2:-${AWS_ACCOUNT_ID:-}}"
+AWS_REGION="${3:-${AWS_REGION:-}}"
 
 # Derived variables
-APP_NAME="lambda-application"
-APP_VERSION=$(uv run ./scripts/get-version.sh)
+IMAGE_VERSION=$(uv run ./scripts/get-version.sh)
 SHA=$(git rev-parse --short HEAD)
 BRANCH=$(git rev-parse --abbrev-ref HEAD)
 DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-
 function build() {
 echo "Building Lambda deployment package..."
 docker build \
- --build-arg APP_NAME="$APP_NAME" \
- --build-arg APP_VERSION="$APP_VERSION" \
+ --build-arg IMAGE_NAME="$IMAGE_NAME" \
+ --build-arg IMAGE_VERSION="$IMAGE_VERSION" \
 --build-arg COMMIT_SHA="$SHA" \
 --build-arg BRANCH="$BRANCH" \
 --build-arg BUILD_DATE="$DATE" \
- -t "$APP_NAME:$APP_VERSION" .
+ -t "$IMAGE_NAME:$IMAGE_VERSION" .
 echo "Build completed successfully."
 }
 
 function tag_ecr() {
 echo "Tagging image..."
- docker tag "$APP_NAME:$APP_VERSION" "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/$APP_NAME:$APP_VERSION"
+ docker tag "$IMAGE_NAME:$IMAGE_VERSION" "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/$IMAGE_NAME:$IMAGE_VERSION"
 echo "Tagging completed successfully."
 }
diff --git a/scripts/release-ecr.sh b/scripts/release-ecr.sh
index 6cee999..a5ce1d8 100755
--- a/scripts/release-ecr.sh
+++ b/scripts/release-ecr.sh
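Review bot: `AWS_ACCOUNT_ID` and `AWS_REGION` become optional here (no `:?` guard, unlike `IMAGE_NAME`), yet `tag_ecr` still interpolates them unconditionally, so with either unset the target collapses to a reference like `.dkr.ecr..amazonaws.com/<name>:<ver>` and `docker tag` fails with an unhelpful error. Guard at the point of use with `: "${AWS_ACCOUNT_ID:?AWS_ACCOUNT_ID is required for tag_ecr}"` and `: "${AWS_REGION:?AWS_REGION is required for tag_ecr}"` as the first two lines of `tag_ecr`. Separately, the build args are renamed to `IMAGE_NAME`/`IMAGE_VERSION` but no Dockerfile change is in this series; if the Dockerfile still declares `ARG APP_NAME`/`ARG APP_VERSION`, `docker build` only warns about unconsumed build-args and the image silently loses those values. The script's `main`, which presumably decides whether `tag_ecr` runs, lies outside this hunk.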
@@ -2,37 +2,36 @@
 
 set -euo pipefail
 
-ECR_REPOSITORY_URL="$1"
-
-IMAGE_NAME="$(echo "$ECR_REPOSITORY_URL" | cut -d '/' -f 2)"
-IMAGE_TAG="$(./scripts/get-version.sh)"
-AWS_ACCOUNT_ID="$(echo "$ECR_REPOSITORY_URL" | cut -d '.' -f 1)"
-AWS_ECR_REGION="$(echo "$ECR_REPOSITORY_URL" | cut -d '.' -f 4)"
-
-function ensure_parameters() {
- if [ -z "$ECR_REPOSITORY_URL" ]; then
- echo "ECR_REPOSITORY_URL is not set"
- exit 1
- fi
-}
+# Arguments
+IMAGE_NAME="${1:-${IMAGE_NAME:-}}"
+: "${IMAGE_NAME:?IMAGE_NAME is required. Pass as first arg or set IMAGE_NAME env var.}"
+
+AWS_ACCOUNT_ID="${2:-${AWS_ACCOUNT_ID:-}}"
+: "${AWS_ACCOUNT_ID:?AWS_ACCOUNT_ID is required. Pass as second arg or set AWS_ACCOUNT_ID env var.}"
+
+AWS_REGION="${3:-${AWS_REGION:-}}"
+: "${AWS_REGION:?AWS_REGION is required. Pass as third arg or set AWS_REGION env var.}"
+
+# Derived variables
+IMAGE_VERSION=$(uv run ./scripts/get-version.sh)
+ECR_REPOSITORY_URL="$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$IMAGE_NAME"
 
 function ecr_login() {
- aws ecr get-login-password --region "$AWS_ECR_REGION" | \
+ aws ecr get-login-password --region "$AWS_REGION" | \
 docker login --username AWS --password-stdin "$ECR_REPOSITORY_URL"
 }
 
 function ecr_tag() {
- echo "Tagging image: $ECR_REPOSITORY_URL:$IMAGE_TAG"
- docker tag "$IMAGE_NAME:$IMAGE_TAG" "$ECR_REPOSITORY_URL:$IMAGE_TAG"
+ echo "Tagging image: $ECR_REPOSITORY_URL:$IMAGE_VERSION"
+ docker tag "$IMAGE_NAME:$IMAGE_VERSION" "$ECR_REPOSITORY_URL:$IMAGE_VERSION"
 }
 
 function ecr_push() {
- echo "Pushing image to ECR: $ECR_REPOSITORY_URL:$IMAGE_TAG"
- docker push "$ECR_REPOSITORY_URL:$IMAGE_TAG"
+ echo "Pushing image to ECR: $ECR_REPOSITORY_URL:$IMAGE_VERSION"
+ docker push "$ECR_REPOSITORY_URL:$IMAGE_VERSION"
 }
 
 function main() {
- ensure_parameters
 ecr_login
 ecr_tag
 ecr_push
From 22336d04f888d12e07432bccb54509828c11bc57 Mon Sep 17 00:00:00 2001
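Review bot: `AWS_ACCOUNT_ID` is only checked for non-emptiness before being spliced into the registry hostname, so a swapped or mistyped argument (for instance a region landing in the account slot) yields a bogus `*.dkr.ecr.*.amazonaws.com` host and a confusing login/push failure rather than a clear error. Add a shape check right after the existing guard: `[[ "$AWS_ACCOUNT_ID" =~ ^[0-9]{12}$ ]] || { echo "AWS_ACCOUNT_ID must be a 12-digit AWS account id" >&2; exit 1; }`. Worth noting for whatever consumes this pipeline: `ecr_push` publishes a mutable version tag and never surfaces the digest, so printing `docker inspect --format '{{index .RepoDigests 0}}' "$ECR_REPOSITORY_URL:$IMAGE_VERSION"` after the push would give deployments something immutable to pin. `main` starts inside this hunk and its closing line is outside it.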
From: Jack Sullivan
Date: Sun, 24 Aug 2025 00:30:40 -0700
Subject: [PATCH 2/3] feat(release): OIDC authentication to AWS

---
 .github/workflows/release.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ccbe158..9e4bf30 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,7 +26,7 @@ jobs:
 fetch-depth: 0
 fetch-tags: true
 
- - name: Set up Python
+ - name: Setup Python
 uses: actions/setup-python@v5
 
 - name: Install uv
@@ -38,5 +38,12 @@ jobs:
 - name: Build
 run: uv run task build
 
+ - name: Setup AWS
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: ${{ vars.AWS_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-actions-release-ecr
+
 - name: Release (ECR)
 run: uv run task release-ecr-no-build
From 29317775cec7a24eddca7c2826fbf757ba5f5622 Mon Sep 17 00:00:00 2001
From: Jack Sullivan
Date: Sun, 24 Aug 2025 00:33:22 -0700
Subject: [PATCH 3/3] Taskfile default AWS params to empty

---
 Taskfile.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Taskfile.yml b/Taskfile.yml
index 68950b5..cd8b893 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -8,9 +8,9 @@ vars:
 sh: ./scripts/get-version.sh
 DOCKER_IMAGE: "{{.DOCKER_IMAGE_NAME}}:{{.DOCKER_IMAGE_TAG}}"
 AWS_ACCOUNT_ID:
- sh: aws sts get-caller-identity --query "Account" --output text
+ sh: aws sts get-caller-identity --query "Account" --output text || echo ""
 AWS_REGION:
- sh: aws configure get region
+ sh: aws configure get region || echo ""
 
 tasks:
 default:
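Review bot: The new `Setup AWS` step needs the job to be able to request an OIDC token, but this hunk shows no `permissions:` block; unless the job or workflow already declares `id-token: write` (with `contents: read`) outside the visible lines, `configure-aws-credentials` cannot obtain a token and the step fails. Because this step mints cloud credentials, pin it to a commit SHA rather than a moving tag, `uses: aws-actions/configure-aws-credentials@<commit-sha> # v4`, and do the same for `actions/setup-python`, since a tag can be repointed upstream. Placing the credential step after `Build` keeps the build unprivileged, which is the right ordering; the IAM role's trust policy should correspondingly restrict the token's `sub` claim to this repository and the release ref, though that lives outside this diff.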
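Review bot: `|| echo ""` on both changed lines of the Taskfile hunk turns every failure of `aws sts get-caller-identity` or `aws configure get region` (expired session, missing CLI, wrong profile, network error) into an empty string, and that empty value is later passed as an unquoted positional argument to `release-ecr.sh`, where it shifts the next argument into the account slot instead of tripping the script's `:?` guard. If the goal is to let CI supply these via the environment, consult the environment first and keep the CLI as the fallback: `sh: echo "${AWS_ACCOUNT_ID:-$(aws sts get-caller-identity --query "Account" --output text)}"` and `sh: echo "${AWS_REGION:-${AWS_DEFAULT_REGION:-$(aws configure get region)}}"`. As far as I know `aws configure get region` reads only the CLI config file and does not honour `AWS_REGION`, which is exactly what `configure-aws-credentials` exports, so the region fallback as written is likely empty in CI.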