From 235218f11c81a2da7bbb1cd3de07b9ccc05e2582 Mon Sep 17 00:00:00 2001
From: Daisuke
Date: Sun, 4 Jan 2026 14:08:07 +0900
Subject: [PATCH 1/2] build: add explicit arm64 cross-compilation flags to Dockerfile
---
docker/Dockerfile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index eaee8ea..b05e5a2 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -5,8 +5,8 @@ WORKDIR /app
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
-# Build with optional lambda.norpc tag
-RUN go build -tags lambda.norpc -o main ./cmd/lambda
+# Build with optional lambda.norpc tag for arm64 architecture
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -tags lambda.norpc -o main ./cmd/lambda
 # Copy artifacts to a clean image
 FROM public.ecr.aws/lambda/provided:al2023
 # Install git and zip using dnf (Amazon Linux 2023)
From 04237038fe66fa9cbbe967f693cd5a805cec5fb8 Mon Sep 17 00:00:00 2001
From: Daisuke
Date: Sun, 4 Jan 2026 14:08:45 +0900
Subject: [PATCH 2/2] feat: support ECR image digest for deterministic Lambda deployments
- Add ImageDigest parameter with conditional logic
- Enable AutoPublishAlias for function versioning
- Improve deployment reproducibility
---
infra/cfn/template-lambda-function.yaml | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/infra/cfn/template-lambda-function.yaml b/infra/cfn/template-lambda-function.yaml
index 4ba2527..280563a 100644
--- a/infra/cfn/template-lambda-function.yaml
+++ b/infra/cfn/template-lambda-function.yaml
@@ -22,6 +22,14 @@ Parameters:
 Default: main
 Description: Git repository branch
+ ImageDigest:
+ Type: String
+ Default: ""
+ Description: "ECR image digest (e.g., sha256:abc123...). If empty, uses 'latest' tag. Use digest for deterministic deployments."
+
+Conditions:
+ UseDigest: !Not [!Equals [!Ref ImageDigest, ""]]
+
 Resources:
 MyLambdaRole:
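Review bot: Setting `GOARCH=arm64` on the `go build` line cross-compiles only the Go binary; the runtime stage at `FROM public.ecr.aws/lambda/provided:al2023` still resolves to the build host's platform unless the build is invoked with a platform option, which is not visible here. On an amd64 builder that would pair an arm64 `main` with amd64 `git` and `zip` from the dnf step. Consider pinning the stage with `FROM --platform=linux/arm64 public.ecr.aws/lambda/provided:al2023`, or building with `--platform linux/arm64` and using `GOARCH=${TARGETARCH}` after an `ARG TARGETARCH`. The builder stage's own FROM line is outside the hunk, so its platform could not be checked.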
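Review bot: The new `ImageDigest` parameter accepts any string, so a typo, a pasted tag, or a value missing the `sha256:` prefix is caught only when the resulting ImageUri is rejected at deploy time. Constrain it at the parameter, for example `AllowedPattern: "^$|^sha256:[a-f0-9]{64}$"` with a matching `ConstraintDescription`, so a bad value fails stack validation before any resource is touched. The Description could also say that the empty default deploys a mutable tag, since that is the less safe of the two paths.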
@@ -71,15 +79,20 @@ Resources:
 Properties:
 FunctionName: blog-deployment-webhook-handler
 PackageType: Image
- ImageUri:
- !Join
- - ":"
- - - !ImportValue BlogDeployment-RepositoryUri
- - "latest"
+ ImageUri: !If
+ - UseDigest
+ - !Sub
+ - "${RepoUri}@${Digest}"
+ - RepoUri: !ImportValue BlogDeployment-RepositoryUri
+ Digest: !Ref ImageDigest
+ - !Sub
+ - "${RepoUri}:latest"
+ - RepoUri: !ImportValue BlogDeployment-RepositoryUri
 Timeout: 300
 MemorySize: 512
 Architectures:
 - arm64
+ AutoPublishAlias: live
 Environment:
 Variables:
 REPO_URL: !Ref RepoURL
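Review bot: The second branch of the `!If` keeps `${RepoUri}:latest` as the default path, so a stack update with `ImageDigest` left empty deploys whatever was last pushed to the repository and the template records no image identity. Because the ImageUri string is identical between such updates, CloudFormation will probably see no property change, in which case `AutoPublishAlias: live` would not publish a new version and the alias would stay on the old image. If the goal is deterministic deployments, drop the fallback and require the digest: `ImageUri: !Sub ["${RepoUri}@${Digest}", {RepoUri: !ImportValue BlogDeployment-RepositoryUri, Digest: !Ref ImageDigest}]`. `AutoPublishAlias` is a property of the SAM `AWS::Serverless::Function` type; the resource's `Type` line is outside the hunk, so confirm it is not a plain `AWS::Lambda::Function`.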