Skip to content
Latchkey

How to Build and Push a Docker Image to ECR in GitHub Actions

Log in to ECR with amazon-ecr-login, then build, tag, and push the image using the registry output.

After OIDC auth, aws-actions/amazon-ecr-login exchanges credentials for a Docker login and exposes the registry URL. Build and push using that registry plus your repository name and an immutable tag.

Steps

  • Authenticate to AWS over OIDC.
  • Run amazon-ecr-login and read its registry output.
  • Build and tag the image with <registry>/<repo>:<sha>.
  • Push the tag (and optionally latest).

Workflow

.github/workflows/deploy.yml
permissions:
  id-token: write
  contents: read
jobs:
  push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha-ecr-push
          aws-region: us-east-1
      - id: ecr
        uses: aws-actions/amazon-ecr-login@v2
      - env:
          IMAGE: ${{ steps.ecr.outputs.registry }}/web
        run: |
          docker build -t "$IMAGE:${{ github.sha }}" -t "$IMAGE:latest" .
          docker push "$IMAGE:${{ github.sha }}"
          docker push "$IMAGE:latest"

Gotchas

  • A missing repository fails the push; create it first or set the repository to be created by IaC.
  • Enable tag immutability on the repo so a SHA tag can never be silently overwritten.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →