Add GH actions to publish images and deploy

.github/workflows/deploy-staging.yml

@@ -0,0 +1,64 @@
+name: Deploy to STAGING
+
+permissions:
+  id-token: write # Required for OIDC authentication
+  contents: read # Standard permission for GitHub Actions
+
+on:
+  push:
+    branches:
+      - develop
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  deploy-staging:
+    runs-on: ubuntu-latest
+    env:
+      ENVIRONMENT: staging
+      IMAGE_NAME: ${{ vars.PUBLICECR_URI }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.PUBLICECR_UPLOAD_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.PUBLICECR_UPLOAD_SECRET_ACCESS_KEY }}
+          aws-region: ${{ vars.PUBLICECR_REGION }}
+
+      - name: Authenticate with AWS ECR
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          registry-type: public
+
+      - name: Build a Docker image
+        run: |
+          docker build --build-arg DEPLOYMENT_ENV=staging -t ${{ vars.PUBLICECR_URI }}:staging .
+
+      - name: Publish To AWS ECR
+        run: |
+          docker push ${{ vars.PUBLICECR_URI }}:staging
+
+      - name: Authenticate with AWS ECS
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ vars.AWS_STAGING_ECS_REDEPLOY_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_STAGING_REGION }}
+
+      - name: Trigger new deployment
+        run: |
+          aws ecs update-service \
+            --cluster ${{ vars.AWS_STAGING_ECS_CLUSTER }} \
+            --service ${{ vars.AWS_STAGING_ECS_SERVICE }} \
+            --force-new-deployment
+
+      - name: Wait until the service is stable
+        run: |
+          aws ecs wait services-stable \
+            --cluster ${{ vars.AWS_STAGING_ECS_CLUSTER }} \
+            --service ${{ vars.AWS_STAGING_ECS_SERVICE }}

.github/workflows/publish-production-image.yml

@@ -0,0 +1,73 @@
+name: Publish PRODUCTION image
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  tag-and-publish-image:
+    runs-on: ubuntu-latest
+    env:
+      ENVIRONMENT: staging
+      IMAGE_NAME: ${{ vars.PUBLICECR_URI }}
+    steps:
+      - name: Fail if branch is not main
+        if: github.event_name == 'workflow_dispatch' && github.ref != 'refs/heads/main'
+        run: |
+          echo "This workflow should not be triggered with workflow_dispatch on a branch other than main"
+          exit 1
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Get full history to check existing tags
+
+      - name: Set up Git
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Determine new tag
+        id: tag
+        run: |
+          YEAR=$(date +'%Y')
+          MONTH=$(date +'%m')
+          DAY=$(date +'%d')
+          LATEST_TAG=$(git tag --sort=-v:refname | grep -E "^${YEAR}\.${MONTH}\.${DAY}\.[0-9]+$" | head -n 1 || echo "")
+
+          if [[ -z "$LATEST_TAG" ]]; then
+            COUNTER=1
+          else
+            COUNTER=$(( ${LATEST_TAG##*.} + 1 ))
+          fi
+
+          NEW_TAG="${YEAR}.${MONTH}.${DAY}.${COUNTER}"
+          echo "NEW_TAG=${NEW_TAG}" >> $GITHUB_ENV
+          echo "New tag: $NEW_TAG"
+
+      - name: Create Git Tag
+        run: |
+          git tag $NEW_TAG
+          git push origin $NEW_TAG
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.PUBLICECR_UPLOAD_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.PUBLICECR_UPLOAD_SECRET_ACCESS_KEY }}
+          aws-region: ${{ vars.PUBLICECR_REGION }}
+
+      - name: Authenticate with AWS Public ECR
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          registry-type: public
+
+      - name: Build a Docker image
+        run: |
+          docker build --build-arg DEPLOYMENT_ENV=production -t ${{ vars.PUBLICECR_URI }}:${{ env.NEW_TAG }} .
+
+      - name: Publish To AWS ECR
+        run: |
+          docker push ${{ vars.PUBLICECR_URI }}:${{ env.NEW_TAG }}