This repository was archived by the owner on Jun 16, 2026. It is now read-only.
ci: adopt docker/actions/build-push-image-ecr#11
Merged
Conversation
Replace the hand-rolled Docker Hub login / Buildx / configure-aws-credentials / ECR login / build-push steps with the shared build-push-image-ecr action. The previous workflow assumed the IAM role CicdEnvoy-... in account 710015040892, but that role's Terraform was removed (infra-terraform envoyproxy#9725) in favor of the self-serve shared-ECR setup. The action derives the live release-envoy role and pushes to the shared ECR (676043725699/images/envoy/envoy), which is the onboarded path for this repo. This also fixes a latent bug: the old build-push step had push disabled (# push: true commented out), so the "release" never actually published. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Use the release version prefix with the short commit SHA for the image tag (e.g. 1.38.2-3ab6c79) instead of the bare full SHA. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The
Build and Releasepipeline was failing at Configure AWS Credentials withNot authorized to perform sts:AssumeRoleWithWebIdentity. Root cause: the workflow assumedarn:aws:iam::710015040892:role/CicdEnvoy-..., but that role's Terraform was removed (infra-terraform envoyproxy#9725 — "used the self-serve setup in order to use our docker/build-push-ecr action. Removing this unused role"). So the workflow was assuming a deleted role in the wrong account.This adopts the intended mechanism: the shared
docker/actions/build-push-image-ecrcomposite action.How the action grants ECR access
It derives everything from
github.repository:arn:aws:iam::676043725699:role/release-envoy(assumed via OIDC)images/envoy/envoy(auto-created)release-envoyis provisioned by the self-serve onboarding (ecr-shared-connect-githubindocker/platform-self-service), which this repo is already onboarded to. The action also handles ECR login, Docker Hub login for cloud build, Buildx (build cloud), provenance + SBOM, and tag-immutability checks.Changes
Replaces the hand-rolled Docker Hub login → Buildx → Configure AWS Credentials → ECR login → build-push-action steps with a single action call.
image_name: envoy,image_version: <git sha>target: envoy-distroless(final Dockerfile stage)platforms: linux/amd64(preserves current single-arch behavior)dockerpublicbot/DOCKERPUBLICBOT_READ_PAT(carried over from ci: use dockerpublicbot PAT for Docker Hub login (stopgap) #10)permissions: id-token: writeretained (from ci: grant id-token write permission for AWS OIDC #8) — required for the action's OIDCBehavioral notes
676043725699.dkr.ecr.us-east-1.amazonaws.com/images/envoy/envoy(the onboarded shared-ECR path) from the old710015040892/infra-routing/envoy.build-push-actionhad# push: truecommented out, so it built but never published. The action pushes onmain.Supersedes / folds in
This replaces the changed steps from #8 (OIDC permission — kept) and #10 (Docker Hub stopgap — carried into the action inputs). #9 (build-image pin) is independent and still applies.
🤖 Generated with Claude Code