chore(deploy): add backend ECR deployment flow

.gitea/workflows/build-production-docker.yml

@@ -0,0 +1,94 @@
+name: Build production Docker image
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  build-backend-image:
+    runs-on: wsl2-docker-host
+    env:
+      IMAGE_NAME: eryao-backend
+      IMAGE_SIZE_LIMIT_BYTES: 500000000
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Validate ECR configuration
+        run: |
+          set -euo pipefail
+          test -n "${{ secrets.AWS_ACCESS_KEY_ID }}"
+          test -n "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+          test -n "${{ secrets.AWS_REGION }}"
+          test -n "${{ secrets.AWS_ACCOUNT_ID }}"
+          test -n "${{ secrets.ECR_REPOSITORY }}"
+
+      - name: Build backend production image
+        run: |
+          set -euo pipefail
+          docker buildx build \
+            --provenance=false \
+            --load \
+            --file backend/Dockerfile \
+            --tag ${IMAGE_NAME}:prod-${GITHUB_SHA} \
+            --tag ${IMAGE_NAME}:prod-latest \
+            .
+
+      - name: Check image size budget
+        run: |
+          set -euo pipefail
+          image_size_bytes="$(docker image inspect ${IMAGE_NAME}:prod-${GITHUB_SHA} --format '{{.Size}}')"
+          echo "Image size: ${image_size_bytes} bytes"
+          if [ "${image_size_bytes}" -gt "${IMAGE_SIZE_LIMIT_BYTES}" ]; then
+            echo "Image exceeds ${IMAGE_SIZE_LIMIT_BYTES} bytes" >&2
+            exit 1
+          fi
+
+      - name: Smoke test backend image
+        run: |
+          set -euo pipefail
+          docker run --rm \
+            -e ERYAO_RUNTIME__ENVIRONMENT=prod \
+            -e ERYAO_SUPABASE__PUBLIC_URL=http://localhost:8001 \
+            -e ERYAO_POINTS_POLICY__REGISTER_BONUS_HMAC_KEY=ci-smoke-test-key \
+            --entrypoint python \
+            ${IMAGE_NAME}:prod-${GITHUB_SHA} \
+            -c "import app; print(app.app.title)"
+
+      - name: Push backend image to ECR
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+          ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
+        run: |
+          set -euo pipefail
+          caller_account_id="$(aws sts get-caller-identity --query Account --output text)"
+          if [ "${caller_account_id}" != "${AWS_ACCOUNT_ID}" ]; then
+            echo "AWS_ACCOUNT_ID does not match caller identity" >&2
+            exit 1
+          fi
+
+          ecr_registry="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
+          ecr_image="${ecr_registry}/${ECR_REPOSITORY}"
+
+          aws ecr describe-repositories \
+            --region "${AWS_REGION}" \
+            --repository-names "${ECR_REPOSITORY}" >/dev/null 2>&1 \
+            || aws ecr create-repository \
+              --region "${AWS_REGION}" \
+              --repository-name "${ECR_REPOSITORY}" \
+              --image-scanning-configuration scanOnPush=true \
+              --encryption-configuration encryptionType=AES256 >/dev/null
+
+          aws ecr get-login-password --region "${AWS_REGION}" \
+            | docker login --username AWS --password-stdin "${ecr_registry}"
+
+          docker tag "${IMAGE_NAME}:prod-${GITHUB_SHA}" "${ecr_image}:${GITHUB_SHA}"
+          docker tag "${IMAGE_NAME}:prod-${GITHUB_SHA}" "${ecr_image}:latest"
+          docker push "${ecr_image}:${GITHUB_SHA}"
+          docker push "${ecr_image}:latest"