Architecture - Designing a CI/CD using Github + Node.js + ECR + Sonarcloud (Part 1)
This architecture is for teams who want a slightly leaner design that does not depend on Jenkins.
When a developer pushes code to GitHub, a GitHub Actions runner builds the container image and pushes it to AWS ECR. For static analysis you have two options: configure SonarCloud to run automatically on each build, or use the workflow below, where a SonarQube Scan step runs and you view the results in SonarCloud. If you have GitHub Enterprise, you can also integrate the scan analysis into the Security tab.
name: Build (Main)
on:
  push:
    branches:
      - main
  workflow_dispatch:
# Only one build per branch at a time; a newer push cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # Least-privilege GITHUB_TOKEN: read-only except for uploading scan results.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          submodules: 'true'
          token: ${{ secrets.READ_GITHUB_REPOS_TOKEN }}
      - name: SonarQube Scan
        uses: sonarsource/sonarcloud-github-action@v3.0.0
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      - name: Set short sha
        id: vars
        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
      - name: Build docker image
        run: docker build -t nodejs-server ./app
      # docker/login-action recognises an ECR registry URL and exchanges the
      # AWS keys for a registry token itself.
      - name: Login to Amazon ECR
        uses: docker/login-action@v3
        with:
          registry: ${{ vars.ECR_NON_PROD_SHARED_URL }}
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      # Reuse the short SHA computed above so the tag and push agree.
      - name: Tag and publish container image
        run: |
          docker tag docker.io/library/nodejs-server ${{ vars.ECR_NON_PROD_SHARED_URL }}/nodejs-server:PROD-${{ steps.vars.outputs.sha_short }}
          docker push ${{ vars.ECR_NON_PROD_SHARED_URL }}/nodejs-server:PROD-${{ steps.vars.outputs.sha_short }}
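The workflow above gets most of its safety from three things: an explicit `permissions` block, secrets passed through `env:` rather than pasted into shell commands, and action references that can be pinned. The following script is an added example, not part of the original post or of any of the actions it uses. It is a small line-based lint that reads a workflow file and reports actions not pinned to a commit SHA, secrets interpolated directly into `run:` commands, and a missing `permissions` block. The embedded workflow is a constructed, trimmed copy of the one above; the function names and the finding messages are my own.

```python
import re

# Constructed sample input: a trimmed copy of the page's workflow so the check runs offline.
SAMPLE_WORKFLOW = """\
name: Build (Main)
on:
  push:
    branches:
      - main
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: SonarQube Scan
        uses: sonarsource/sonarcloud-github-action@v3.0.0
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      - name: Login to Amazon ECR
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - name: Tag and publish container image
        run: |
          docker tag nodejs-server ${{ vars.ECR_NON_PROD_SHARED_URL }}/nodejs-server:PROD-$(git rev-parse --short HEAD)
          docker push ${{ vars.ECR_NON_PROD_SHARED_URL }}/nodejs-server:PROD-$(git rev-parse --short HEAD)
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^(\s*)(?:-\s*)?run:\s*(.*)$")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")


def classify_ref(uses: str) -> str:
    """Classify how an `owner/action@ref` reference is pinned."""
    if "@" not in uses:
        return "unpinned"
    ref = uses.rsplit("@", 1)[1]
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha"                 # immutable: the only pin that cannot be moved
    if re.fullmatch(r"v?\d+\.\d+\.\d+", ref):
        return "full-version"        # a tag; the maintainer can still re-point it
    if re.fullmatch(r"v?\d+(\.\d+)?", ref):
        return "floating-major"      # moves with every release on that major line
    return "branch-or-tag"


def lint_workflow(text: str) -> list:
    """Return (line_number, message) findings for a workflow given as text."""
    findings = []
    has_permissions = False
    run_indent = None  # indentation of the current multi-line `run: |` block, if any
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        # A non-blank line at or left of the `run:` key ends the block.
        if run_indent is not None and line.strip() and indent <= run_indent:
            run_indent = None
        if run_indent is not None:
            if SECRET_RE.search(line):
                findings.append((n, "secret interpolated directly into a shell command"))
            continue
        if line.strip().startswith("permissions:"):
            has_permissions = True
        m = USES_RE.match(line)
        if m:
            kind = classify_ref(m.group(1))
            if kind != "sha":
                findings.append((n, f"{m.group(1)} is pinned by {kind}, not by commit SHA"))
            continue
        m = RUN_RE.match(line)
        if m:
            body = m.group(2).strip()
            if body in ("|", "|-", ">", ">-"):
                run_indent = len(m.group(1))
            elif SECRET_RE.search(body):
                findings.append((n, "secret interpolated directly into a shell command"))
    if not has_permissions:
        findings.append((0, "no explicit permissions block; GITHUB_TOKEN gets the repository default"))
    return findings


if __name__ == "__main__":
    for line_no, message in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {message}")
```

Run against the sample it reports only the three `uses:` references, because the page's workflow already declares `permissions` and hands secrets to actions through `env:` and `with:` instead of expanding them inside `run:` text. Expanding `${{ secrets.X }}` in a `run:` step is what the third check flags, since the value is substituted into the script before the shell sees it and can end up in logs or be abused by anything else injected into the same expression.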