fix(ci): login to both registries before build, push both tags in one step

Madan Shah · Madan Shah · commit 8346a2e9838f · 2026-04-20T13:03:33.000+05:45
imagetools create failed because AWS env vars were pointing at the public ECR
role when it tried to pull from private ECR. Fix by authenticating to both
registries upfront (docker login creds persist in config.json regardless of
AWS env var changes), then pass both --tag flags to the single buildx build
so private and public ECR are written in one push.
diff --git a/.github/workflows/docker-publish-ecr.yml b/.github/workflows/docker-publish-ecr.yml
@@ -124,26 +124,9 @@ jobs:
           role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
           aws-region: ${{ env.AWS_REGION }}
 
-      - name: Login to ECR
-        run: |
-          aws ecr get-login-password --region "${AWS_REGION}" \
-            | docker login --username AWS --password-stdin "${ECR_REGISTRY}"
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
-      - name: Build and push Mosaic image to private ECR
-        run: |
-          set -euo pipefail
-          docker buildx build \
-            --platform "${DOCKER_PLATFORMS}" \
-            --file docker/Dockerfile \
-            --cache-from "type=gha,scope=mosaic" \
-            --cache-to "type=gha,scope=mosaic,mode=max" \
-            --tag "${IMAGE_REF}" \
-            --push \
-            .
-
       - name: Configure public ECR credentials
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
@@ -155,12 +138,29 @@ jobs:
           aws ecr-public get-login-password --region "${PUBLIC_ECR_REGION}" \
             | docker login --username AWS --password-stdin "${PUBLIC_ECR_REGISTRY}"
 
-      - name: Push Mosaic image to public ECR
+      - name: Reconfigure private AWS credentials for build
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Login to private ECR for build
+        run: |
+          aws ecr get-login-password --region "${AWS_REGION}" \
+            | docker login --username AWS --password-stdin "${ECR_REGISTRY}"
+
+      - name: Build and push Mosaic image
         run: |
           set -euo pipefail
-          docker buildx imagetools create \
+          docker buildx build \
+            --platform "${DOCKER_PLATFORMS}" \
+            --file docker/Dockerfile \
+            --cache-from "type=gha,scope=mosaic" \
+            --cache-to "type=gha,scope=mosaic,mode=max" \
+            --tag "${IMAGE_REF}" \
             --tag "${PUBLIC_IMAGE_REF}" \
-            "${IMAGE_REF}"
+            --push \
+            .
 
       - name: Reconfigure private AWS credentials
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
