From 1872a7d2dfc3bf8445cbda57f5d61488f89340bd Mon Sep 17 00:00:00 2001
From: philmcmahon
Date: Mon, 29 Jan 2024 15:12:35 +0000
Subject: [PATCH] fix

---
 .github/workflows/build-whisper-docker.yml | 2 +-
 packages/cdk/lib/repository.ts | 32 ++++++++++++++++++----
 2 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build-whisper-docker.yml b/.github/workflows/build-whisper-docker.yml
index 9eaf2ae5..aeb6e750 100644
--- a/.github/workflows/build-whisper-docker.yml
+++ b/.github/workflows/build-whisper-docker.yml
@@ -69,4 +69,4 @@ jobs:
 docker buildx imagetools create \
 --tag ${{ secrets.TRANSCRIPTION_SERVICE_ECR_URI }}:latest \
 --tag ${{ secrets.TRANSCRIPTION_SERVICE_ECR_URI }}:$GITHUB_RUN_NUMBER \
- transcription-service:latest
+ ghcr.io/guardian/transcription-service:whisper-docker
diff --git a/packages/cdk/lib/repository.ts b/packages/cdk/lib/repository.ts
index e82bc004..8d6c7450 100644
--- a/packages/cdk/lib/repository.ts
+++ b/packages/cdk/lib/repository.ts
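Review bot: The source image on the added last line is referenced by the mutable tag `whisper-docker`, so each run copies whatever ghcr.io currently serves under that tag into ECR as `:latest` and `:$GITHUB_RUN_NUMBER` without recording which build it was; pinning by digest (`ghcr.io/guardian/transcription-service@sha256:<digest-placeholder>`, or resolving the tag to a digest in the preceding step and passing that) would make the promoted image reproducible and auditable. Separately, the repository this pushes to is created in packages/cdk/lib/repository.ts with `imageTagMutability: TagMutability.IMMUTABLE`, and this step re-tags `:latest` on every run — ECR rejects re-tagging an immutable tag with a different manifest, so the first run that produces a new image is expected to fail on the `:latest` tag unless that tag is dropped or the repository is made mutable.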
@@ -1,20 +1,42 @@
-import type { GuStackProps} from "@guardian/cdk/lib/constructs/core";
-import {GuStack} from "@guardian/cdk/lib/constructs/core";
+import type {GuStackProps} from "@guardian/cdk/lib/constructs/core";
+import {GuStack, GuStringParameter} from "@guardian/cdk/lib/constructs/core";
 import type {App} from "aws-cdk-lib";
-import { RemovalPolicy} from "aws-cdk-lib";
+import {RemovalPolicy} from "aws-cdk-lib";
 import {Repository, TagMutability} from "aws-cdk-lib/aws-ecr";
+import {ArnPrincipal, Effect, PolicyStatement} from "aws-cdk-lib/aws-iam";
 export class TranscriptionServiceRepository extends GuStack {
 constructor(scope: App, id: string, props: GuStackProps) {
 super(scope, id, props);
-new Repository(this, "TranscriptionServiceRepository", {
+const githubActionsIAMRoleArn = new GuStringParameter(this, "GithubActionsIAMRoleArn", {
+description: "IAM role for role used by github actions workflows"
+})
+const repository = new Repository(this, "TranscriptionServiceRepository", {
 repositoryName: `transcription-service`,
 lifecycleRules: [{ maxImageCount: 5 }],
 imageTagMutability: TagMutability.IMMUTABLE,
 removalPolicy: RemovalPolicy.DESTROY,
-imageScanOnPush: true
+imageScanOnPush: true,
 })
+repository.addToResourcePolicy(new PolicyStatement({
+principals: [new ArnPrincipal(githubActionsIAMRoleArn.valueAsString)],
+actions: [
+"ecr:GetAuthorizationToken",
+"ecr:BatchCheckLayerAvailability",
+"ecr:GetDownloadUrlForLayer",
+"ecr:GetRepositoryPolicy",
+"ecr:DescribeRepositories",
+"ecr:ListImages",
+"ecr:DescribeImages",
+"ecr:BatchGetImage",
+"ecr:InitiateLayerUpload",
+"ecr:UploadLayerPart",
+"ecr:CompleteLayerUpload",
+"ecr:PutImage"
+],
+effect: Effect.ALLOW
+}))
 }
 }
\ No newline at end of file
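Review bot: `ecr:GetAuthorizationToken` in the new `addToResourcePolicy` statement has no effect — it is not a repository-scoped action and is authorised only by the caller's identity policy against resource `*`, so the GitHub Actions role still needs that grant on its own policy or `docker login` fails before any of the repository permissions here are consulted; dropping it from this list keeps the resource policy honest about what it grants. The `GithubActionsIAMRoleArn` parameter has no default and no validation, so a deploy that leaves it blank or pastes a non-ARN produces an invalid principal at stack update time rather than at parameter entry; if GuStringParameter passes CloudFormation parameter props through, `allowedPattern: "^arn:aws:iam::[0-9]{12}:role/.+$"` catches that early. As a point of style, the three new statement terminators (`})` after the parameter, `})` after `Repository`, and `}))`) omit the semicolons the rest of the file uses, and the description `IAM role for role used by github actions workflows` would read better as `ARN of the IAM role assumed by the GitHub Actions workflows`.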