SSE-2732: Allow dockerfile and docker path to be different

The dockerfile doesn't necessarily always reside in the docker path; use the docker build command args accordingly.

Allow the SAM template file to be different than the base build dir - the path from which SAM resources are resolved is not always the same as the template file, which is the default, therefore the --base-dir param must be used.

Set default working dirs in the script
The "." default value doesn't get carried to the script env vars. Handle default value of null in the script itself.

Author: CharlesIC

action.yaml

@@ -7,15 +7,13 @@ inputs:
   container-sign-kms-key-arn:
     description: "The secret with the ARN of the key to sign container images e.g. secrets.CONTAINER_SIGN_KMS_KEY"
     required: false
-    default: "none"
   template-file:
     description: "The name of the CF template for the application. This defaults to template.yaml"
     required: false
     default: template.yaml
-  working-directory:
-    description: "The working directory containing the app"
+  sam-base-directory:
+    description: "The base directory to use when building the SAM app; defaults to the template file's location"
     required: false
-    default: .
   artifact-bucket-name:
     description: "The secret with the name of the artifact S3 bucket (required) eg secrets.ARTIFACT_SOURCE_BUCKET_NAME"
     required: true
@@ -56,8 +54,11 @@ runs:
     - name: Login to Amazon ECR
       id: login-ecr
       uses: aws-actions/amazon-ecr-login@v1
+      with:
+        mask-password: true
 
     - name: Install Cosign
+      if: ${{ inputs.container-sign-kms-key-arn != null }}
       uses: sigstore/cosign-installer@main
       with:
         cosign-release: 'v1.9.0'
@@ -67,8 +68,8 @@ runs:
         ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
         CONTAINER_SIGN_KMS_KEY_ARN: ${{ inputs.container-sign-kms-key-arn }}
         GITHUB_SHA: ${{ github.sha }}
-        WORKING_DIRECTORY: ${{ inputs.working-directory }}
         TEMPLATE_FILE: ${{ inputs.template-file }}
+        SAM_BASE_DIR: ${{ inputs.sam-base-directory }}
         ECR_REPO_NAME: ${{ inputs.ecr-repo-name }}
         ARTIFACT_BUCKET_NAME: ${{ inputs.artifact-bucket-name }}
         DOCKERFILE: ${{ inputs.dockerfile }}

scripts/build-tag-push-ecr.sh

@@ -2,22 +2,19 @@
 
 set -eu
 
-if [ -z $DOCKER_BUILD_PATH ]; then
-    DOCKER_BUILD_PATH=$WORKING_DIRECTORY
-fi
+: "${DOCKER_BUILD_PATH:=.}"
 
 echo "Building image"
 
-docker build -t "$ECR_REGISTRY/$ECR_REPO_NAME:$GITHUB_SHA" -f "$DOCKER_BUILD_PATH"/"$DOCKERFILE" "$DOCKER_BUILD_PATH"
+docker build -t "$ECR_REGISTRY/$ECR_REPO_NAME:$GITHUB_SHA" -f "$DOCKERFILE" "$DOCKER_BUILD_PATH"
 docker push "$ECR_REGISTRY/$ECR_REPO_NAME:$GITHUB_SHA"
 
-if [ ${CONTAINER_SIGN_KMS_KEY_ARN} != "none" ]; then
+if [[ $CONTAINER_SIGN_KMS_KEY_ARN ]]; then
     cosign sign --key "awskms:///${CONTAINER_SIGN_KMS_KEY_ARN}" "$ECR_REGISTRY/$ECR_REPO_NAME:$GITHUB_SHA"
 fi
 
 echo "Running sam build on template file"
-cd $WORKING_DIRECTORY
-sam build --template-file="$TEMPLATE_FILE"
+sam build --template-file="$TEMPLATE_FILE" ${SAM_BASE_DIR:+--base-dir=$SAM_BASE_DIR}
 mv .aws-sam/build/template.yaml cf-template.yaml
 
 if grep -q "CONTAINER-IMAGE-PLACEHOLDER" cf-template.yaml; then