aws · skmcgrail · Nov 14, 2025 · Nov 13, 2025
@@ -17,7 +17,7 @@
 from util.iam_policies import (
     code_build_publish_metrics_in_json,
 )
-from util.metadata import AMAZONLINUX_ECR_REPO, ANDROID_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO, LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, UBUNTU_ECR_REPO, VERIFICATION_ECR_REPO, WINDOWS_ECR_REPO, WINDOWS_X86_ECR_REPO
+from util.metadata import ECR_REPOS, IMAGE_STAGING_REPO, LINUX_AARCH_ECR_REPO, LINUX_X86_ECR_REPO, WINDOWS_X86_ECR_REPO
 
 class AwsLcGitHubActionsStack(AwsLcBaseCiStack):
     """Define a stack used to execute AWS-LC self-hosted GitHub Actions Runners."""
@@ -32,19 +32,19 @@ def __init__(
         super().__init__(scope, id, env=env, timeout=180, **kwargs)
 
         # TODO: First 3 indices ordering is important for now as they are referenced directly for now.
-        repo_names = [LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO, UBUNTU_ECR_REPO,
-                      AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO, FEDORA_ECR_REPO, WINDOWS_ECR_REPO, VERIFICATION_ECR_REPO,
-                      ANDROID_ECR_REPO]
+        repo_names = [LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO]
+        repo_names.extend(ECR_REPOS)
         ecr_repos = [ecr.Repository.from_repository_name(self, x.replace('/', '-'), repository_name=x)
                      for x in repo_names]
+
+        self.staging_repo = ecr.Repository(self, IMAGE_STAGING_REPO.replace('/', '-'),
+                                           repository_name=IMAGE_STAGING_REPO,
+                                           image_tag_mutability=ecr.TagMutability.IMMUTABLE,
+                                           lifecycle_rules=[ecr.LifecycleRule(
+                                               max_image_age=Duration.days(1),
+                                           )])
 
-        staging_repo = ecr.Repository(self, "aws-lc-ecr-staging",
-                              image_tag_mutability=ecr.TagMutability.IMMUTABLE,
-                              lifecycle_rules=[ecr.LifecycleRule(
-                                  max_image_age=Duration.days(1),
-                              )])
-
-        ecr_repos.append(staging_repo)
+        ecr_repos.append(self.staging_repo)
 
         pull_through_caches = [ecr.Repository.from_repository_name(self, "quay-io", "quay.io/*")]
 
@@ -145,7 +145,7 @@ def __init__(
                         value=ecr_repos[2].repository_uri
                     ),
                     "ECR_REGISTRY_URL": codebuild.BuildEnvironmentVariable(value=ecr_repos[0].registry_uri),
-                    "ECR_STAGING_REPO": codebuild.BuildEnvironmentVariable(value=staging_repo.repository_uri),
+                    "ECR_STAGING_REPO": codebuild.BuildEnvironmentVariable(value=self.staging_repo.repository_uri),
                 },
             ),
         )

@@ -12,7 +12,7 @@
 from constructs import Construct
 
 from util.metadata import (
-    ECR_REPOS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, AWS_LC_METRIC_NS)
+    ECR_REPOS, GITHUB_REPO_OWNER, GITHUB_REPO_NAME, AWS_LC_METRIC_NS, IMAGE_STAGING_REPO)
 from util.iam_policies import (
     device_farm_access_policy_in_json
 )
@@ -93,6 +93,9 @@ def create_docker_image_build_role(scope: Construct, id: str,
 
     pull_through_caches = [ecr.Repository.from_repository_name(
         scope, "quay-io", "quay.io/*")]
+
+    staging_repo = ecr.Repository.from_repository_name(
+        scope, IMAGE_STAGING_REPO.replace('/', '-'), IMAGE_STAGING_REPO)
 
     role = iam.Role(scope, id, role_name=id,
                     assumed_by=iam.SessionTagsPrincipal(principal),
@@ -132,7 +135,7 @@ def create_docker_image_build_role(scope: Construct, id: str,
                                     ],
                                     resources=[x for x in itertools.chain([
                                         x.repository_arn for x in repos
-                                    ], [x.repository_arn for x in pull_through_caches])],
+                                    ], [x.repository_arn for x in pull_through_caches], [staging_repo.repository_arn])],
                                 ),
                                 iam.PolicyStatement(
                                     effect=iam.Effect.ALLOW,
@@ -142,8 +145,8 @@ def create_docker_image_build_role(scope: Construct, id: str,
                                         "ecr:PutImage",
                                         "ecr:UploadLayerPart",
                                     ],
-                                    resources=[
-                                        x.repository_arn for x in repos],
+                                    resources=[x for x in itertools.chain([
+                                        x.repository_arn for x in repos], [staging_repo.repository_arn])],
                                 ),
                                 iam.PolicyStatement(
                                     effect=iam.Effect.ALLOW,

@@ -36,15 +36,15 @@ def __init__(
 
         self.odic_stack = AwsLcGitHubOidcStack(
             self, "aws-lc-github-oidc", env=deploy_environment, **kwargs)
-
+        
         self.actions_stack = AwsLcGitHubActionsStack(
             self,
             "aws-lc-ci-github-actions",
             env=deploy_environment,
             ignore_failure=False,
             stack_name="aws-lc-ci-github-actions",
         )
-
+        
     @property
     def stacks(self):
         return [child for child in self.node.children if isinstance(child, Stack)]

@@ -40,9 +40,11 @@
 WINDOWS_ECR_REPO = "aws-lc/windows"
 VERIFICATION_ECR_REPO = "aws-lc/verification"
 ANDROID_ECR_REPO = "aws-lc/android"
+IMAGE_STAGING_REPO = "aws-lc/staging"
 
 ECR_REPOS = [UBUNTU_ECR_REPO, AMAZONLINUX_ECR_REPO, CENTOS_ECR_REPO,
-             FEDORA_ECR_REPO, WINDOWS_ECR_REPO, VERIFICATION_ECR_REPO, ANDROID_ECR_REPO]
+             FEDORA_ECR_REPO, WINDOWS_ECR_REPO, VERIFICATION_ECR_REPO,
+             ANDROID_ECR_REPO]
 
 AWS_LC_METRIC_NS = "AWS-LC"
 AWS_LC_FUZZ_METRIC_NS = "AWS-LC-Fuzz"