feat: support ECR image digest for deterministic Lambda deployments

- Add ImageDigest parameter with conditional logic
- Enable AutoPublishAlias for function versioning
- Improve deployment reproducibility

docker/Dockerfile

@@ -5,8 +5,8 @@ WORKDIR /app
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
-# Build with optional lambda.norpc tag
-RUN go build -tags lambda.norpc -o main ./cmd/lambda
+# Build with optional lambda.norpc tag for arm64 architecture
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -tags lambda.norpc -o main ./cmd/lambda
 # Copy artifacts to a clean image
 FROM public.ecr.aws/lambda/provided:al2023
 # Install git and zip using dnf (Amazon Linux 2023)

infra/cfn/template-lambda-function.yaml

@@ -22,6 +22,14 @@ Parameters:
     Default: main
     Description: Git repository branch
 
+  ImageDigest:
+    Type: String
+    Default: ""
+    Description: "ECR image digest (e.g., sha256:abc123...). If empty, uses 'latest' tag. Use digest for deterministic deployments."
+
+Conditions:
+  UseDigest: !Not [!Equals [!Ref ImageDigest, ""]]
+
 Resources:
 
   MyLambdaRole:
@@ -71,15 +79,20 @@ Resources:
     Properties:
       FunctionName: blog-deployment-webhook-handler
       PackageType: Image
-      ImageUri:
-        !Join
-          - ":"
-          - - !ImportValue BlogDeployment-RepositoryUri
-            - "latest"
+      ImageUri: !If
+        - UseDigest
+        - !Sub
+          - "${RepoUri}@${Digest}"
+          - RepoUri: !ImportValue BlogDeployment-RepositoryUri
+            Digest: !Ref ImageDigest
+        - !Sub
+          - "${RepoUri}:latest"
+          - RepoUri: !ImportValue BlogDeployment-RepositoryUri
       Timeout: 300
       MemorySize: 512
       Architectures:
         - arm64
+      AutoPublishAlias: live
       Environment:
         Variables:
           REPO_URL: !Ref RepoURL