[codex] update publish-image workflow#48
Pull request overview
Updates the publish-image GitHub Actions workflow to authenticate to Artifactory using credentials fetched from AWS Secrets Manager (via OIDC-assumed AWS credentials), and adjusts triggers to support branch-scoped workflow testing.
Changes:
- Add AWS OIDC permissions + `configure-aws-credentials` to enable Secrets Manager access during publish.
- Replace static GitHub secrets usage for Artifactory login with a bash + `jq` Secrets Manager lookup step.
- Change push triggers to a test branch (and include the workflow file in `paths`), and update ECS render step to deploy the SHA-tagged image.
This reverts commit 3f7be2d.
Pull request overview
Updates the publish-image GitHub Actions workflow to fetch Artifactory credentials from AWS Secrets Manager (using jq in bash) and to support branch-scoped workflow testing via a dedicated test branch trigger.
Changes:
- Configure AWS OIDC credentials in the publish job and fetch Artifactory Docker credentials from AWS Secrets Manager in bash.
- Update workflow triggers to support branch-based testing and include workflow-file changes in the push path filter.
- Change ECS render step to deploy the SHA-tagged image instead of the `latest` tag.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Pull request overview
Updates the publish-image GitHub Actions workflow to source Artifactory credentials from AWS Secrets Manager (via AWS OIDC auth) and to make branch-scoped workflow testing easier before merging to the default branch.
Changes:
- Adjust `push` trigger to run from `codex/publish-image-workflow-test` and include the workflow file in the path filter; keep `workflow_dispatch` enabled for manual runs.
- Add AWS credential configuration (OIDC role assume) in the publish job and fetch Artifactory Docker credentials from Secrets Manager using `aws` + `jq`.
- Switch Artifactory `docker/login-action` to use the fetched credentials outputs instead of GitHub Secrets.
Pull request overview
Updates the Docker image publishing workflow to authenticate to Artifactory using credentials fetched from AWS Secrets Manager (via bash + jq), and adjusts triggers to support branch-scoped workflow testing before merging.
Changes:
- Configure AWS credentials (OIDC) in the publish job and fetch Artifactory credentials from Secrets Manager for Docker login.
- Allow workflow testing via manual dispatch and pushes from `codex/publish-image-workflow-test`, including workflow-file changes.
- Switch Docker base images to pull via the Artifactory Docker remote.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Dockerfile | Use Artifactory remote images for build/runtime stages; changes Alpine base version. |
| AGENTS.md | Adds explicit runner-label requirements when editing workflow files. |
| .github/workflows/publish-image.yml | Adds AWS credential configuration + Secrets Manager fetch for Artifactory login; adjusts triggers/paths. |
| .github/AGENTS.md | Adds .github/-scoped agent guidance for workflow runner selection. |
Pull request overview
Updates the Docker image publishing workflow to authenticate to Artifactory using credentials stored in AWS Secrets Manager (via OIDC-configured AWS credentials), and makes it easier to test workflow changes from a dedicated branch before merging.
Changes:
- Switch Artifactory Docker login to use username/password fetched from AWS Secrets Manager (parsed with `jq`) after configuring AWS credentials via OIDC.
- Adjust workflow triggers to support branch-scoped testing (`codex/publish-image-workflow-test`) and include workflow file changes in the path filter.
- Update Docker base images to pull from the Artifactory remote registry; add/extend agent guidance for workflow runner policy.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| Dockerfile | Pull base images (golang/alpine) from the Artifactory remote registry instead of Docker Hub. |
| AGENTS.md | Document/clarify the required CodeBuild runner label policy for workflow edits. |
| .github/workflows/publish-image.yml | Add AWS credential configuration + Secrets Manager fetch for Artifactory creds; adjust triggers for branch testing; deploy uses SHA-tagged image output. |
| .github/AGENTS.md | Add .github/-scoped agent guidance, including the runner label requirement. |
| use the exact label `codebuild-emmy-github-runner-emmy-api-${{ | ||
| github.run_id }}-${{ github.run_attempt }}` |
Pull request overview
Updates the image publishing workflow to source Artifactory credentials from AWS Secrets Manager (via OIDC) and makes it easier to test workflow changes from a dedicated branch, while also shifting Docker base images to be pulled via the Artifactory remote.
Changes:
- Configure AWS credentials in the publish/deploy jobs and fetch Artifactory Docker credentials from AWS Secrets Manager using `jq`.
- Update the publish workflow triggers for branch-scoped testing and include workflow-file path filtering.
- Switch Docker base images to Artifactory-hosted `docker-remote` images.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| Dockerfile | Switch base images from public registries to Artifactory remote images. |
| AGENTS.md | Document workflow runner-label policy for .github/workflows/*.yml. |
| .github/workflows/publish-image.yml | Add AWS OIDC auth + Secrets Manager credential fetch; adjust triggers; add Artifactory reachability check; update deploy image reference. |
| .github/AGENTS.md | Add scoped .github/ agent guidance, including runner-label requirements. |
| id: image-metadata | ||
| shell: bash | ||
| run: | | ||
| echo "image_tag=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT" | ||
| echo "image_uri=${IMAGE_REPOSITORY}:${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT" | ||
| echo "latest_image_uri=${IMAGE_REPOSITORY}:latest" >> "$GITHUB_OUTPUT" | ||
| { |
| echo "image_tag=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT" | ||
| echo "image_uri=${IMAGE_REPOSITORY}:${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT" | ||
| echo "latest_image_uri=${IMAGE_REPOSITORY}:latest" >> "$GITHUB_OUTPUT" | ||
| { |
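Review bot: if the `{` that now precedes the three `echo` lines is meant to group them into a single `} >> "$GITHUB_OUTPUT"` redirect, the per-line `>> "$GITHUB_OUTPUT"` suffixes on `image_tag`, `image_uri` and `latest_image_uri` are redundant and should be removed so each output is appended exactly once; either form works, but not both together.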
| FROM --platform=$BUILDPLATFORM artifactory.cloud.cms.gov/docker-remote/library/golang:1.25-alpine AS builder | ||
|
|
| - Any workflow job in `.github/workflows/*.yml` that declares `runs-on` must | ||
| use the exact label `codebuild-emmy-github-runner-emmy-api-${{ | ||
| github.run_id }}-${{ github.run_attempt }}` |
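Review bot: the required runner label is wrapped across two lines in the prose, splitting the `${{ github.run_id }}-${{ github.run_attempt }}` expression; an agent that copies the text verbatim into a `runs-on:` value would carry the line break into the expression, so keep the whole label on one line (or in a fenced block) in AGENTS.md.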
Pull request overview
Updates the container publish workflow to authenticate to Artifactory using credentials retrieved from AWS Secrets Manager (via OIDC + aws/jq), and adjusts the workflow triggers to support branch-scoped testing.
Changes:
- Update `publish-image` workflow to configure AWS credentials, fetch Artifactory credentials from Secrets Manager, and use them for Docker registry login.
- Add workflow trigger support for branch-based testing and include workflow-file changes in the trigger paths.
- Switch Docker base images to be pulled via the Artifactory remote registry.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Dockerfile | Pull Go/Alpine base images from Artifactory remote instead of public registries. |
| AGENTS.md | Documents workflow runner-label policy for agents editing workflows. |
| .github/workflows/publish-image.yml | Adds AWS OIDC auth + Secrets Manager credential fetch; updates Buildx setup and triggers; uses fetched creds for Artifactory login. |
| .github/AGENTS.md | Adds .github/-scoped agent guidance, including runner-label requirements. |
| run: | | ||
| docker buildx ls | ||
| docker buildx inspect --bootstrap | ||
| docker ps --filter name=buildx_buildkit | ||
| docker inspect $(docker ps -q --filter name=buildx_buildkit) \ | ||
| --format '{{.Name}} NetworkMode={{.HostConfig.NetworkMode}}' |
| curl -vk --connect-timeout 10 https://artifactory.cloud.cms.gov/v2/ | ||
| docker run --rm curlimages/curl:latest -vk --connect-timeout 10 https://artifactory.cloud.cms.gov/v2/ |
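Review bot: both reachability probes pass `-k`, which disables TLS certificate verification, so a passing check does not show that the runner trusts the certificate chain `docker buildx` will actually verify against Artifactory; drop `-k` (and install the CA bundle on the runner if that is what fails) so the debug step exercises the same trust path. The `docker inspect $(docker ps -q --filter name=buildx_buildkit)` line also fails with a usage error when no builder container is running, so guard it on a non-empty result. Finally, `curlimages/curl:latest` is a mutable public tag pulled outside the Artifactory mirror that the rest of this PR standardises on.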
Pull request overview
Updates the Docker image publishing workflow to authenticate to Artifactory using credentials fetched from AWS Secrets Manager (via OIDC-configured AWS credentials), and adjusts workflow triggers to support branch-scoped testing.
Changes:
- Configure AWS credentials in the publish job and fetch Artifactory Docker login credentials from AWS Secrets Manager using `jq`.
- Update the publish workflow triggers to enable branch-based workflow testing (including workflow-file changes).
- Switch Dockerfile base images to pull via the Artifactory `docker-remote` registry.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| Dockerfile | Moves golang/alpine base images to Artifactory docker-remote URLs. |
| AGENTS.md | Documents workflow runner label policy for .github/workflows/*.yml. |
| .github/workflows/publish-image.yml | Adds OIDC-based AWS credential setup and Secrets Manager-backed Artifactory login; updates triggers for branch testing. |
| .github/AGENTS.md | Adds .github/-scoped agent guidance emphasizing the workflow runner label policy. |
| @@ -1,4 +1,4 @@ | |||
| FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder | |||
| FROM --platform=$BUILDPLATFORM artifactory.cloud.cms.gov/docker-remote/library/golang:1.25-alpine AS builder | |||
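Review bot: the builder image is still referenced by the mutable tag `1.25-alpine`, now resolved through `docker-remote`; pin it by digest (`golang:1.25-alpine@sha256:<digest>`) so a retag upstream or in the mirror cannot change the build toolchain silently, and so the mirror's copy can be checked against upstream.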
Pull request overview
Updates the container publish pipeline to authenticate to Artifactory via AWS Secrets Manager (bash + jq) and makes it easier to test workflow changes on a dedicated branch before merging.
Changes:
- Switch Docker base images to be pulled via the Artifactory remote registry.
- Update `publish-image` workflow to assume an AWS role via OIDC, fetch Artifactory creds from Secrets Manager, and use them for Docker login/build/push.
- Document workflow runner label requirements in `AGENTS.md` and add scoped `.github/AGENTS.md` guidance.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| Dockerfile | Pulls Golang/Alpine base images from Artifactory remote instead of public registries. |
| AGENTS.md | Adds explicit workflow runner label policy guidance for agents. |
| .github/workflows/publish-image.yml | Adds AWS credential configuration, Secrets Manager Artifactory creds fetch, and buildx changes; adjusts triggers for branch testing. |
| .github/AGENTS.md | Adds .github/-scoped workflow runner policy documentation. |
| - Any workflow job in `.github/workflows/*.yml` that declares `runs-on` must | ||
| use the exact label `codebuild-emmy-github-runner-emmy-api-${{ | ||
| github.run_id }}-${{ github.run_attempt }}` |
| @@ -13,7 +13,7 @@ COPY . . | |||
| ENV CGO_ENABLED=0 | |||
| RUN GOOS="${TARGETOS:-linux}" GOARCH="$TARGETARCH" go build -ldflags="-s -w" -a -o apiserver . | |||
|
|
|||
| FROM alpine:3.23 | |||
| FROM artifactory.cloud.cms.gov/docker-remote/library/alpine:3.23 | |||
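Review bot: as with the builder stage, `alpine:3.23` is a floating tag resolved through the mirror, and this layer ships in the published runtime image; pin it by digest as well so the deployed base cannot change without a Dockerfile change.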
| docker run --rm --network host curlimages/curl:latest \ | ||
| --noproxy '*' -vk --connect-timeout 10 \ | ||
| --resolve "artifactory.cloud.cms.gov:443:$ip" \ | ||
| https://artifactory.cloud.cms.gov/v2/ | ||
| echo "::endgroup::" |
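Review bot: `--network host` together with `--resolve "artifactory.cloud.cms.gov:443:$ip"` bypasses both the builder network and DNS, and `-k` bypasses certificate verification, so this probe exercises a narrower path than the real build does; the commit history says the debug steps were removed before merge, so confirm this block is gone from the final workflow, and if any connectivity probe is kept, drop `-k` so a TLS failure is visible rather than masked.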
Pull request overview
Updates the container build/publish pipeline to pull Artifactory credentials from AWS Secrets Manager (using bash + jq) and use those credentials for Docker registry login during image publish, while also enabling workflow-file path triggering.
Changes:
- Switch Artifactory auth in `publish-image` workflow from GitHub secrets to AWS Secrets Manager (assume-role via OIDC + `jq` parsing).
- Adjust Docker Buildx setup and build/push invocation, including builder configuration and proxy settings.
- Move Docker base images to Artifactory's `docker-remote` registry and expand `publish-image` push path filters to include the workflow file itself.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| Dockerfile | Pull builder/runtime base images from Artifactory docker-remote instead of public registries. |
| AGENTS.md | Documents the runner-label requirement for workflow jobs that declare runs-on. |
| .github/workflows/publish-image.yml | Adds AWS credential configuration + Secrets Manager credential fetch; updates Buildx usage; adjusts triggers/paths and deploy image selection. |
| .github/AGENTS.md | Adds scoped .github/ workflow-runner policy guidance. |
| branches: | ||
| - main | ||
| paths: | ||
| - ".github/workflows/publish-image.yml" | ||
| - "**/*.go" |
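Review bot: the push trigger now lists only `main`, while earlier revisions ran from `codex/publish-image-workflow-test`; since this job publishes images and `workflow_dispatch` remains available for manual runs, confirm the test-branch entry was removed deliberately so a push to a non-default branch cannot trigger a publish, and note that including the workflow file in `paths` means edits to the workflow itself now publish on merge.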
| @@ -1,4 +1,4 @@ | |||
| FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder | |||
| FROM --platform=$BUILDPLATFORM artifactory.cloud.cms.gov/docker-remote/library/golang:1.25-alpine AS builder | |||
| use the exact label `codebuild-emmy-github-runner-emmy-api-${{ | ||
| github.run_id }}-${{ github.run_attempt }}` |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Pull request overview
Updates the container publishing pipeline to authenticate to Artifactory using credentials fetched from AWS Secrets Manager (via OIDC), and adjusts container builds to pull base images from the Artifactory remote mirror. Also tightens/clarifies workflow runner policy documentation for contributors/agents.
Changes:
- Add AWS OIDC credential configuration and Secrets Manager fetch logic (bash + `jq`) to supply Artifactory Docker login credentials.
- Update the publish workflow's Buildx setup and build/push step configuration (including proxy-related settings and metadata output formatting).
- Switch Dockerfile base images to Artifactory-hosted `docker-remote` mirrors and document workflow runner label policy in AGENTS files.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Dockerfile | Pull Go/Alpine base images from Artifactory remote registry instead of public registries. |
| AGENTS.md | Document the required CodeBuild runner label policy for workflow jobs. |
| .github/workflows/publish-image.yml | Fetch Artifactory creds from Secrets Manager, configure AWS credentials, and use fetched creds for Docker login/build+push. |
| .github/AGENTS.md | Add scoped guidance for .github/ pointing back to root runner policy source-of-truth. |
| push: | ||
| branches: | ||
| - main | ||
| paths: | ||
| - ".github/workflows/publish-image.yml" |
| @@ -1,4 +1,4 @@ | |||
| FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder | |||
| FROM --platform=$BUILDPLATFORM artifactory.cloud.cms.gov/docker-remote/library/golang:1.25-alpine AS builder | |||
* feat: update publish-image workflow
* Try docker login cli
* Revert "Try docker login cli"
  This reverts commit 3f7be2d.
* Potential fix for pull request finding
  Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Tell agents to use self-hosted runners
* Use artifactory for all images
* try a different alpine image
* try adding library to image path
* fix golang is also a library/ image
* Try giving buildx driver access to host network
* add debug step
* move debug step to a useful spot
* Try some more debugging
* fix syntax error
* Use host network
* remove debug step
* remove other debug step
* try disabling proxy
* fix duplicate
* ci: debug Artifactory build connectivity
* ci: fix publish image workflow env
* ci: fix Buildx no proxy option
* ci: clean publish image workflow
* Potential fix for pull request finding
  Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Summary
- Keep the Secrets Manager credentials step in bash, parsing the secret with `jq`
- Run from `codex/publish-image-workflow-test`, including changes to the workflow file itself
Why
The publish-image workflow was being updated to read Artifactory credentials from Secrets Manager, but the credentials step embedded Python inside a bash block. This keeps that logic in bash, makes branch-based workflow testing easier, and keeps the test run scoped to the current branch before merging.
Impact
The workflow can now be exercised from the test branch, and Artifactory authentication comes from the configured Secrets Manager secret instead of static GitHub secrets.
Validation
- `git diff --check -- .github/workflows/publish-image.yml`
- `actionlint .github/workflows/publish-image.yml`
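The bash + `jq` credentials step the PR describes, as an added example that is not the workflow's own code: parse an `aws secretsmanager get-secret-value` response, fail closed when a field is missing, and mask each value before writing it to `GITHUB_OUTPUT`. The secret ARN, name and credential values are constructed placeholders, and `secret_field`, `emit_masked_output` and `fetch_artifactory_credentials` are names chosen for this example.

```bash
#!/usr/bin/env bash
# Added example, not the PR's workflow code: the bash + jq credential step.
set -euo pipefail

# Constructed sample in the shape `aws secretsmanager get-secret-value` returns.
# ARN, name and credential values are placeholders, not the project's secret.
SAMPLE_RESPONSE='{
  "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:example/artifactory-AbCdEf",
  "Name": "example/artifactory",
  "SecretString": "{\"username\":\"svc-publish\",\"password\":\"p@ss:w0rd/with=symbols\"}",
  "VersionStages": ["AWSCURRENT"]
}'

# Extract one field from the JSON document stored inside SecretString.
# `fromjson` parses the nested string; `-e` turns a missing or null key into a
# non-zero exit so the step fails instead of logging in with an empty value;
# `-r` prints the bare string without JSON quoting.
secret_field() {
  local response="$1" key="$2"
  printf '%s' "$response" | jq -er --arg k "$key" '.SecretString | fromjson | .[$k]'
}

# Register a value with the runner's log masker before exposing it as a step
# output. Values fetched at runtime are not GitHub secrets, so without the
# ::add-mask:: command they would appear in clear in the job log.
emit_masked_output() {
  local name="$1" value="$2"
  echo "::add-mask::${value}"
  echo "${name}=${value}" >> "${GITHUB_OUTPUT:-/dev/null}"
}

# The step body: both fields must be present or the function (and step) fails.
fetch_artifactory_credentials() {
  local response="$1" user pass
  user="$(secret_field "$response" username)"
  pass="$(secret_field "$response" password)"
  emit_masked_output artifactory_username "$user"
  emit_masked_output artifactory_password "$pass"
}

fetch_artifactory_credentials "$SAMPLE_RESPONSE"
```

In the workflow the two outputs feed the `username` and `password` inputs of `docker/login-action`, as the PR does; the `::add-mask::` line is what keeps the runtime-fetched values out of the job log.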