aws
diff --git a/‎.github/actions/build-and-push-container-image/action.yml‎
Lines changed: 128 additions & 0 deletions b/‎.github/actions/build-and-push-container-image/action.yml‎
Lines changed: 128 additions & 0 deletions
diff --git a/‎.github/workflows/ecr-publish-on-release.yml‎
Lines changed: 107 additions & 0 deletions b/‎.github/workflows/ecr-publish-on-release.yml‎
Lines changed: 107 additions & 0 deletions
diff --git a/‎.github/workflows/pypi-publish-on-release.yml‎
Lines changed: 8 additions & 0 deletions b/‎.github/workflows/pypi-publish-on-release.yml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 27 additions & 55 deletions b/‎Dockerfile‎
Lines changed: 27 additions & 55 deletions
@@ -0,0 +1,128 @@
+---
+# This local action builds an image and pushes it to registries
+name: "Build and push image"
+author: "MCP Proxy for AWS"
+description: "Builds an image and pushes it to registries"
+
+inputs:
+  image:
+    description: 'The image'
+    type: string
+    required: true
+  version:
+    default: ''
+    description: 'The version to associate to the image'
+    type: string
+    required: false
+  public-ecr-role-to-assume:
+    description: 'The public ECR role to use to push the image'
+    type: string
+    required: true
+  public-ecr-registry-alias:
+    description: 'The registry alias'
+    type: string
+    required: true
+  public-ecr-aws-region:
+    default: 'us-east-1'
+    description: 'The region to login'
+    type: string
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Docker meta
+      id: meta
+      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+      with:
+        images: |
+          public.ecr.aws/${{ inputs.public-ecr-registry-alias }}/${{ inputs.image }}
+        # Disable all but the raw and sha
+        tags: |
+          type=schedule,enable=false
+          type=semver,pattern={{raw}},enable=false
+          type=pep440,pattern={{raw}},enable=false
+          type=match,pattern=(.*),group=1,enable=false
+          type=edge,enable=false
+          type=ref,event=branch,enable=false
+          type=ref,event=tag,enable=false
+          type=ref,event=pr,enable=false
+          type=sha,format=long,enable=true
+          type=raw,value=latest,enable=true
+          type=raw,value=${{ inputs.version || github.sha }},enable=${{ (inputs.version && true) || 'false' }}
+        labels: |
+          maintainer=MCP Proxy for AWS
+          org.opencontainers.image.description=MCP Proxy for AWS
+          org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/${{ inputs.image }}
+          org.opencontainers.image.title=aws.${{ inputs.image }}
+          org.opencontainers.image.url=https://github.com/${{ github.repository_owner }}/${{ inputs.image }}
+          org.opencontainers.image.version=${{ inputs.version || github.sha }}
+          org.opencontainers.image.vendor=Amazon Web Services, Inc.
+
+    - name: Setup AWS Credentials
+      id: setup-aws-credentials
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        role-to-assume: ${{ inputs.public-ecr-role-to-assume }}
+        aws-region: ${{ inputs.public-ecr-aws-region }}
+        role-duration-seconds: 7200
+        role-session-name: GitHubActions${{ github.run_id }}
+        mask-aws-account-id: true
+
+    - name: Login to Public ECR
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      with:
+        registry: public.ecr.aws
+
+    - name: Set up QEMU
+      id: setup-qemu
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+    - name: Set up Docker Buildx
+      id: setup-buildx
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      with:
+        buildkitd-flags: --debug
+
+    - name: Build and push by digest
+      id: build
+      uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+      with:
+        platforms: 'linux/amd64,linux/arm64'
+        labels: ${{ steps.meta.outputs.labels }}
+        tags: public.ecr.aws/${{ inputs.public-ecr-registry-alias }}/${{ inputs.image }}
+        context: .
+        file: ./Dockerfile
+        push: true
+        outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+        sbom: true
+
+    - name: Export digest
+      run: |
+        mkdir -p ${{ runner.temp }}/digests/${{ inputs.image }}
+        digest="${{ steps.build.outputs.digest }}"
+        touch "${{ runner.temp }}/digests/${{ inputs.image }}/${digest#sha256:}"
+      shell: bash
+
+    - name: Create manifest list and push
+      working-directory: ${{ runner.temp }}/digests/${{ inputs.image }}
+      env:
+        IMAGE: ${{ inputs.image }}
+        ALIAS: ${{ inputs.public-ecr-registry-alias }}
+        DOCKER_METADATA_OUTPUT_JSON: ${{ steps.meta.outputs.json }}
+      run: |
+        echo "DOCKER_METADATA_OUTPUT_JSON=$DOCKER_METADATA_OUTPUT_JSON"
+        docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+          $(printf 'public.ecr.aws/'$ALIAS'/'$IMAGE'@sha256:%s ' *)
+      shell: bash
+
+    - name: Inspect image
+      env:
+        IMAGE: ${{ inputs.image }}
+        ALIAS: ${{ inputs.public-ecr-registry-alias }}
+        VERSION: ${{ steps.meta.outputs.version }}
+      run: |
+        docker buildx imagetools inspect public.ecr.aws/$ALIAS/$IMAGE:$VERSION
+      shell: bash
@@ -0,0 +1,107 @@
+name: Publish to ECR
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      version: ${{ steps.get-package-version.outputs.version }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v4
+
+      - name: Get version from package
+        id: get-package-version
+        run: |
+          set -euo pipefail
+
+          # Get version from uv
+          VERSION="$(uv tree 2>/dev/null | grep mcp-proxy-for-aws | sed -e 's/^.*[[:space:]]v\(.*\)/\1/g' | head -1)"
+
+          if [[ -z "$VERSION" ]]; then
+            echo "::error::Failed to extract version from package" >&2
+            exit 1
+          fi
+
+          # Validate version format
+          if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "::error::Invalid version format: $VERSION" >&2
+            exit 1
+          fi
+
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "::debug::Package version: $VERSION"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Build and export to Docker
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        with:
+          context: .
+          file: ./Dockerfile
+          load: true
+          tags: mcp-proxy-for-aws:${{ steps.get-package-version.outputs.version }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Generate CycloneDX SBOM with Syft
+        uses: anchore/sbom-action@v0
+        with:
+          image: mcp-proxy-for-aws:${{ steps.get-package-version.outputs.version }}
+          format: cyclonedx-json
+          output-file: sbom.cyclonedx.json
+
+      - name: Install CycloneDX CLI
+        run: |
+          wget -q https://github.com/CycloneDX/cyclonedx-cli/releases/latest/download/cyclonedx-linux-x64 -O cyclonedx
+          chmod +x cyclonedx
+          sudo mv cyclonedx /usr/local/bin/
+
+      - name: Convert SBOM to CSV
+        run: |
+          cyclonedx convert --input-file sbom.cyclonedx.json --input-format json --output-format csv --output-file SBOM-${{ steps.get-package-version.outputs.version }}.csv
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-${{ steps.get-package-version.outputs.version }}
+          path: SBOM-${{ steps.get-package-version.outputs.version }}.csv
+          retention-days: 90
+
+  deploy:
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: ecr
+      url: https://gallery.ecr.aws/mcp-proxy-for-aws/mcp-proxy-for-aws
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Build and Publish Container
+        id: build-and-publish
+        uses: ./.github/actions/build-and-push-container-image
+        with:
+          image: mcp-proxy-for-aws
+          version: ${{ needs.build.outputs.version }}
+          public-ecr-role-to-assume: ${{ secrets.PublishPublicECRArn }}
+          public-ecr-registry-alias: mcp-proxy-for-aws
+          public-ecr-aws-region: us-east-1
@@ -59,6 +59,7 @@ jobs:
       url: https://pypi.org/p/mcp-proxy-for-aws
     permissions:
       id-token: write
+      contents: read
     steps:
       - name: Download distribution packages
         uses: actions/download-artifact@v5
@@ -71,3 +72,10 @@ jobs:
 
       - name: Publish to PyPI
         run: uv publish
+
+  trigger-ecr-publish:
+    needs: [build, deploy]
+    permissions:
+      contents: read
+    uses: ./.github/workflows/ecr-publish-on-release.yml
+    secrets: inherit
@@ -12,66 +12,38 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# dependabot should continue to update this to the latest hash.
-FROM public.ecr.aws/docker/library/python:3.14.0-alpine3.22@sha256:8373231e1e906ddfb457748bfc032c4c06ada8c759b7b62d9c73ec2a3c56e710 AS uv
-
-# Install the project into `/app`
-WORKDIR /app
-
-# Enable bytecode compilation
-ENV UV_COMPILE_BYTECODE=1
-
-# Copy from the cache instead of linking since it's a mounted volume
-ENV UV_LINK_MODE=copy
-
-# Prefer the system python
-ENV UV_PYTHON_PREFERENCE=only-system
-
-# Run without updating the uv.lock file like running with `--frozen`
-ENV UV_FROZEN=true
-
-# Copy the required files first
-COPY pyproject.toml uv.lock ./
-
-# Install the project's dependencies using the lockfile and settings
-RUN --mount=type=cache,target=/root/.cache/uv \
-    pip install uv && \
-    uv sync --frozen --no-install-project --no-dev --no-editable
-
-# Then, add the rest of the project source code and install it
-# Installing separately from its dependencies allows optimal layer caching
-COPY . /app
-RUN --mount=type=cache,target=/root/.cache/uv \
-    uv sync --frozen --no-dev --no-editable
-
-# Make the directory just in case it doesn't exist
-RUN mkdir -p /root/.local
-
-# dependabot should continue to update this to the latest hash.
-FROM public.ecr.aws/docker/library/python:3.14.0-alpine3.22@sha256:8373231e1e906ddfb457748bfc032c4c06ada8c759b7b62d9c73ec2a3c56e710
-
-# Place executables in the environment at the front of the path and include other binaries
-ENV PATH="/app/.venv/bin:$PATH:/usr/sbin"
-
-# Install lsof for the healthcheck
-# Install other tools as needed for the MCP server
-# Add non-root user and ability to change directory into /root
-RUN apk update && \
-    apk --no-cache add lsof && \
-    addgroup -S app && \
-    adduser -S app -G app -h /app && \
-    chmod o+x /root
-
-# Get the project from the uv layer
-COPY --from=uv --chown=app:app /root/.local /root/.local
-COPY --from=uv --chown=app:app /app/.venv /app/.venv
+# Using Amazon Linux for consistency and compliance
+FROM public.ecr.aws/amazonlinux/amazonlinux:latest
+
+# Python optimization
+ENV PYTHONUNBUFFERED=1 \
+    PIP_NO_CACHE_DIR=1 \
+    PIP_DISABLE_PIP_VERSION_CHECK=1
+
+# Install runtime dependencies and create application user
+RUN yum update -y && \
+    yum install -y \
+        python3.13 \
+        python3.13-pip \
+        ca-certificates \
+        shadow-utils \
+        lsof && \
+    yum clean all && \
+    update-ca-trust && \
+    groupadd -r app && \
+    useradd -r -g app -d /app app
+
+# Install mcp-proxy-for-aws from PyPI
+RUN python3.13 -m pip install mcp-proxy-for-aws
 
 # Get healthcheck script
 COPY ./docker-healthcheck.sh /usr/local/bin/docker-healthcheck.sh
 
 # Run as non-root
 USER app
 
-# When running the container, add --db-path and a bind mount to the host's db file
-HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "docker-healthcheck.sh" ]
+# Health check to monitor container status
+HEALTHCHECK --interval=60s --timeout=10s --start-period=10s --retries=3 CMD ["docker-healthcheck.sh"]
+
+# Application entrypoint
 ENTRYPOINT ["mcp-proxy-for-aws"]