@jaypie/constructs 1.2.50 → 1.2.51

package/dist/cjs/JaypieGitHubDeployRole.d.ts

@@ -1,9 +1,11 @@
 import { Role } from "aws-cdk-lib/aws-iam";
 import { Construct } from "constructs";
 export interface JaypieGitHubDeployRoleProps {
+    ecr?: boolean;
     oidcProviderArn?: string;
     output?: boolean | string;
     repoRestriction?: string;
+    sponsor?: string;
 }
 export declare class JaypieGitHubDeployRole extends Construct {
     private readonly _role;

package/dist/cjs/__tests__/JaypieGitHubDeployRole.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/cjs/index.cjs

@@ -3299,23 +3299,33 @@ class JaypieExpressLambda extends JaypieLambda {
     }
 }
 
+const ECR_PUSH_ACTIONS = [
+    "ecr:BatchCheckLayerAvailability",
+    "ecr:BatchGetImage",
+    "ecr:CompleteLayerUpload",
+    "ecr:CreateRepository",
+    "ecr:DescribeRepositories",
+    "ecr:InitiateLayerUpload",
+    "ecr:PutImage",
+    "ecr:UploadLayerPart",
+];
 class JaypieGitHubDeployRole extends constructs.Construct {
     constructor(scope, id = "GitHubDeployRole", props = {}) {
         super(scope, id);
-        const { oidcProviderArn = cdk.Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), output = true, repoRestriction: propsRepoRestriction, } = props;
+        const { ecr = true, oidcProviderArn = cdk.Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), output = true, repoRestriction: propsRepoRestriction, sponsor: propsSponsor, } = props;
         // Extract account ID from the scope
         const accountId = cdk.Stack.of(this).account;
-        // Resolve repoRestriction from props or environment variables
+        // Resolve repoRestriction and sponsor from props or environment variables
+        const envRepo = process.env.CDK_ENV_REPO || process.env.PROJECT_REPO;
+        const envRepoOrganization = envRepo ? envRepo.split("/")[0] : undefined;
         let repoRestriction = propsRepoRestriction;
         if (!repoRestriction) {
-            const envRepo = process.env.CDK_ENV_REPO || process.env.PROJECT_REPO;
-            if (!envRepo) {
+            if (!envRepoOrganization) {
                 throw new errors.ConfigurationError("No repoRestriction provided. Set repoRestriction prop, CDK_ENV_REPO, or PROJECT_REPO environment variable");
             }
-            // Extract organization from owner/repo format and create org-wide restriction
-            const organization = envRepo.split("/")[0];
-            repoRestriction = `repo:${organization}/*:*`;
+            repoRestriction = `repo:${envRepoOrganization}/*:*`;
         }
+        const sponsor = propsSponsor || process.env.PROJECT_SPONSOR || envRepoOrganization;
         // Create the IAM role
         this._role = new awsIam.Role(this, "GitHubActionsRole", {
             assumedBy: new awsIam.FederatedPrincipal(oidcProviderArn, {
@@ -3363,6 +3373,22 @@ class JaypieGitHubDeployRole extends constructs.Construct {
                 "arn:aws:iam::*:role/cdk-readOnlyRole",
             ],
         }));
+        // Grant ECR auth + push scoped to <sponsor>-* repositories
+        if (ecr) {
+            if (!sponsor) {
+                throw new errors.ConfigurationError("Cannot grant default ECR permissions without a sponsor. Set sponsor prop, PROJECT_SPONSOR, CDK_ENV_REPO, or PROJECT_REPO, or pass `ecr: false`");
+            }
+            this._role.addToPolicy(new awsIam.PolicyStatement({
+                actions: ["ecr:GetAuthorizationToken"],
+                effect: awsIam.Effect.ALLOW,
+                resources: ["*"],
+            }));
+            this._role.addToPolicy(new awsIam.PolicyStatement({
+                actions: ECR_PUSH_ACTIONS,
+                effect: awsIam.Effect.ALLOW,
+                resources: [`arn:aws:ecr:*:${accountId}:repository/${sponsor}-*`],
+            }));
+        }
         // Export the ARN of the role
         if (output !== false) {
             const outputId = typeof output === "string" ? output : "GitHubActionsRoleArn";