add extra step to add permissions #2836

	name: Build and Push To ECR

	on:
	push:
	branches-ignore:
	- 'develop'
	- 'master'

	permissions:
	id-token: write
	contents: read

	jobs:
	build-push:
	runs-on: ubuntu-latest

	outputs:
	image: ${{ steps.build-push.outputs.imageid }}

	steps:
	- uses: actions/checkout@v4

	- name: Configure AWS Credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: ${{ secrets.AWS_OIDC_ROLE_TO_ASSUME }}
	aws-region: eu-west-1

	- name: Login to Amazon ECR
	id: login-ecr
	uses: aws-actions/amazon-ecr-login@v2

	- name: Cache Docker layers
	uses: actions/cache@v4
	id: cache
	with:
	path: /tmp/.buildx-cache
	key: ${{ runner.os }}-buildx-${{ github.sha }}
	restore-keys: \|
	${{ runner.os }}-buildx-

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- id: set-vars
	run: \|
	BRANCH=$(echo "${GITHUB_REF#refs//}" \| sed 's/.\///')
	echo "ECR_TAG_SHA=${{ steps.login-ecr.outputs.registry }}/${{ github.event.repository.name }}:${{ github.sha }}" >> "$GITHUB_OUTPUT"
	echo "ECR_TAG_BRANCH=${{ steps.login-ecr.outputs.registry }}/${{ github.event.repository.name }}:"${BRANCH} >> "$GITHUB_OUTPUT"

	- name: Build and push
	uses: docker/build-push-action@v6
	id: build-push
	with:
	context: .
	file: production/Dockerfile
	push: true
	tags: ${{ steps.set-vars.outputs.ECR_TAG_SHA }},${{ steps.set-vars.outputs.ECR_TAG_BRANCH }}
	cache-from: type=local,src=/tmp/.buildx-cache
	cache-to: type=local,dest=/tmp/.buildx-cache-new
	outputs: type=image,push=true

	- name: Reset cache
	id: reset-cache
	run: \|
	rm -rf /tmp/.buildx-cache
	mv /tmp/.buildx-cache-new /tmp/.buildx-cache

Provide feedback