Draft
…rdering
- Switch DOCKER_PLATFORMS from linux/amd64,linux/arm64 to linux/amd64 only; mosaic node group uses c6id.2xlarge (Intel x86_64), ARM64 via QEMU was causing OOM/timeout after 73 minutes
- Add --cache-from/--cache-to type=gha to the buildx build step so Rust compile layers are reused across runs
- Split build into two steps: build+push to private ECR first (with private credentials active), then configure public ECR credentials and re-tag via imagetools create -- fixes credential overwrite bug
- Fix concurrency group key (was hardcoded SHA, now uses github.ref)
… step imagetools create failed because AWS env vars were pointing at the public ECR role when it tried to pull from private ECR. Fix by authenticating to both registries upfront (docker login creds persist in config.json regardless of AWS env var changes), then pass both --tag flags to the single buildx build so private and public ECR are written in one push.
buildx --push with two --tag flags fails with 403 on public ECR because the buildx container builder does not share the host docker config where public ECR login is stored. Fix: push to private ECR only during build, then use imagetools create to copy the manifest to public ECR after authenticating with the public ECR role.
PUBLIC_ECR_NAMESPACE was set to z5c7y9u9 (wrong); all public ECR repos in this account use r1l9t0r6. Also created the public.ecr.aws/r1l9t0r6/mosaic repository which did not exist, causing 403 on every push attempt.
r1l9t0r6 belongs to account 888577024788; the PUBLIC_AWS_ROLE_TO_ASSUME (github-actions-ecr-push) lives in account 496607027995 whose public ECR alias is z5c7y9u9 -- same as strata-bridge.
buildx --push does not load the image into the local Docker daemon. Trivy runs inside its own container and cannot access host docker login credentials to pull from private ECR. Pulling explicitly first puts the image in the local daemon so Trivy resolves it via the docker socket.
…pdated actions
- Remove push trigger on feature branch; workflow_dispatch only
- Remove hardcoded DEFAULT_BUILD_REF; fall back to github.sha
- Login to both private and public ECR upfront before build so credentials are stable throughout — eliminates mid-workflow credential swap
- Remove continue-on-error from public ECR steps; failures are now fatal
- Remove redundant Reconfigure + Login to ECR for follow-up steps
- Bump timeout from 180m to 30m
- Upgrade actions to Node.js 24 compatible versions: configure-aws-credentials v4.0.2 -> v6.1.0, setup-buildx-action v3.12.0 -> v4.0.0, upload-artifact v4.6.2 -> v7.0.1
…ctive imagetools create uses the ECR credential helper which re-authenticates using AWS env vars — it ignores cached docker login tokens. Moving the public ECR credential configure + login steps to immediately before the copy step, then restoring private credentials afterward for digest lookup, pull, and Trivy scan.
…ic ECR imagetools create uses BuildKit's credential helper which re-authenticates via AWS env vars and fails cross-account. strata-bridge uses docker tag + docker push which reads the stored docker login token from config.json and works reliably. Pull the image into the local daemon after the private ECR push, then tag and push to public ECR while public credentials are active. Image is already in daemon for Trivy so the separate pull step is removed.
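A workflow that follows the sequence the commits above converge on (private role, amd64-only buildx push with the gha cache, pull into the local daemon, swap to the public role for docker tag + docker push, non-blocking Trivy scan). This is an added example, not the PR's actual docker-publish-ecr.yml; the step layout, the variable names taken from the PR description, and the action versions the page does not list (checkout v4, amazon-ecr-login v2, build-push-action v6, trivy-action 0.28.0) are assumptions.

```yaml
name: docker-publish-ecr
on:
  workflow_dispatch:
    inputs:
      ref: { description: Git ref to build, required: false }
      image_tag: { description: Image tag, required: false }
concurrency:
  group: docker-publish-ecr-${{ github.ref }}
permissions:
  id-token: write   # OIDC token for configure-aws-credentials
  contents: read
env:
  PRIVATE_IMAGE: ${{ vars.ECR_REGISTRY }}/${{ vars.ECR_REPOSITORY }}:${{ inputs.image_tag || github.sha }}
  PUBLIC_IMAGE: public.ecr.aws/z5c7y9u9/mosaic:${{ inputs.image_tag || github.sha }}
jobs:
  build_and_publish:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4
        with: { ref: "${{ inputs.ref || github.sha }}" }
      - uses: docker/setup-buildx-action@v4.0.0
      # Private ECR first: private role, login, amd64-only build+push with the GHA layer cache.
      - uses: aws-actions/configure-aws-credentials@v6.1.0
        with:
          role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
          aws-region: ${{ vars.AWS_REGION }}
      - uses: aws-actions/amazon-ecr-login@v2
      - uses: docker/build-push-action@v6
        with:
          context: .
          file: docker/Dockerfile
          platforms: linux/amd64
          push: true
          tags: ${{ env.PRIVATE_IMAGE }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      # buildx --push does not load the image into the daemon; pull it so tag/push and Trivy can use it.
      - run: docker pull "$PRIVATE_IMAGE"
      # Public ECR: switch to the public role only now; docker push uses the stored config.json token.
      - uses: aws-actions/configure-aws-credentials@v6.1.0
        with:
          role-to-assume: ${{ vars.PUBLIC_AWS_ROLE_TO_ASSUME }}
          aws-region: us-east-1   # public ECR authenticates in us-east-1
      - uses: aws-actions/amazon-ecr-login@v2
        with: { registry-type: public }
      - run: docker tag "$PRIVATE_IMAGE" "$PUBLIC_IMAGE" && docker push "$PUBLIC_IMAGE"
      # Trivy scans the image already in the daemon; exit-code 0 reports findings without blocking.
      - uses: aquasecurity/trivy-action@0.28.0
        with: { image-ref: "${{ env.PRIVATE_IMAGE }}", exit-code: "0" }
```

The public-role swap happens after the private push and the local pull, so nothing later in the job needs private credentials again; if a digest lookup against private ECR were added after the public push, the private role would have to be reconfigured first.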
Description
Add a manual GitHub Actions workflow to build and publish the Mosaic Docker image to both private ECR and public ECR.
The workflow:
- Inputs: ref and image_tag
- Builds docker/Dockerfile for linux/amd64
- Pushes 888577024788.dkr.ecr.us-east-1.amazonaws.com/tn1/mosaic:${IMAGE_TAG}
- Pushes public.ecr.aws/z5c7y9u9/mosaic:${IMAGE_TAG}

Type of Change
Notes to Reviewers
- Workflow file: .github/workflows/docker-publish-ecr.yml
- Job: build_and_publish
- Role: arn:aws:iam::888577024788:role/github-actions-mosaic-ecr-publish
- Variables: AWS_REGION, AWS_ROLE_TO_ASSUME, ECR_REGISTRY, ECR_REPOSITORY, and PUBLIC_AWS_ROLE_TO_ASSUME
- The Trivy scan runs with --exit-code 0; it does not block publication.
- workflow_dispatch still requires the workflow file to be present on the default branch.

Validation
- actionlint .github/workflows/docker-publish-ecr.yml

Checklist
Related Issues