How to Build and Push a Docker Image to ECR in GitHub Actions
Log in to ECR with amazon-ecr-login, then build, tag, and push the image using the registry output.
After OIDC auth, aws-actions/amazon-ecr-login exchanges credentials for a Docker login and exposes the registry URL. Build and push using that registry plus your repository name and an immutable tag.
Steps
- Authenticate to AWS over OIDC.
- Run
amazon-ecr-loginand read itsregistryoutput. - Build and tag the image with
<registry>/<repo>:<sha>. - Push the tag (and optionally
latest).
Workflow
.github/workflows/deploy.yml
permissions:
id-token: write
contents: read
jobs:
push:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/gha-ecr-push
aws-region: us-east-1
- id: ecr
uses: aws-actions/amazon-ecr-login@v2
- env:
IMAGE: ${{ steps.ecr.outputs.registry }}/web
run: |
docker build -t "$IMAGE:${{ github.sha }}" -t "$IMAGE:latest" .
docker push "$IMAGE:${{ github.sha }}"
docker push "$IMAGE:latest"Gotchas
- A missing repository fails the push; create it first or set the repository to be created by IaC.
- Enable tag immutability on the repo so a SHA tag can never be silently overwritten.
Related guides
How to Deploy a Container Image Lambda With GitHub ActionsBuild a Lambda container image, push it to Amazon ECR from GitHub Actions, and update the function to the new…
How to Deploy to ECS Fargate With a Task Definition in GitHub ActionsRoll out a new container to Amazon ECS Fargate from GitHub Actions by rendering a fresh image into your task…