Skip to content
This repository was archived by the owner on Jun 16, 2026. It is now read-only.

ci: adopt docker/actions/build-push-image-ecr#11

Merged
cybercyst merged 2 commits into
mainfrom
ci/adopt-build-push-image-ecr
Jun 15, 2026
Merged

ci: adopt docker/actions/build-push-image-ecr#11
cybercyst merged 2 commits into
mainfrom
ci/adopt-build-push-image-ecr

Conversation

@cybercyst

Copy link
Copy Markdown
Member

Why

The Build and Release pipeline was failing at Configure AWS Credentials with Not authorized to perform sts:AssumeRoleWithWebIdentity. Root cause: the workflow assumed arn:aws:iam::710015040892:role/CicdEnvoy-..., but that role's Terraform was removed (infra-terraform envoyproxy#9725"used the self-serve setup in order to use our docker/build-push-ecr action. Removing this unused role"). So the workflow was assuming a deleted role in the wrong account.

This adopts the intended mechanism: the shared docker/actions/build-push-image-ecr composite action.

How the action grants ECR access

It derives everything from github.repository:

  • IAM role → arn:aws:iam::676043725699:role/release-envoy (assumed via OIDC)
  • ECR repo → images/envoy/envoy (auto-created)

release-envoy is provisioned by the self-serve onboarding (ecr-shared-connect-github in docker/platform-self-service), which this repo is already onboarded to. The action also handles ECR login, Docker Hub login for cloud build, Buildx (build cloud), provenance + SBOM, and tag-immutability checks.

Changes

Replaces the hand-rolled Docker Hub login → Buildx → Configure AWS Credentials → ECR login → build-push-action steps with a single action call.

Behavioral notes

  • Registry moves to 676043725699.dkr.ecr.us-east-1.amazonaws.com/images/envoy/envoy (the onboarded shared-ECR path) from the old 710015040892/infra-routing/envoy.
  • Now actually pushes. The previous build-push-action had # push: true commented out, so it built but never published. The action pushes on main.

Supersedes / folds in

This replaces the changed steps from #8 (OIDC permission — kept) and #10 (Docker Hub stopgap — carried into the action inputs). #9 (build-image pin) is independent and still applies.

🤖 Generated with Claude Code

cybercyst and others added 2 commits June 15, 2026 14:05
Replace the hand-rolled Docker Hub login / Buildx / configure-aws-credentials
/ ECR login / build-push steps with the shared build-push-image-ecr action.

The previous workflow assumed the IAM role CicdEnvoy-... in account
710015040892, but that role's Terraform was removed (infra-terraform envoyproxy#9725)
in favor of the self-serve shared-ECR setup. The action derives the live
release-envoy role and pushes to the shared ECR
(676043725699/images/envoy/envoy), which is the onboarded path for this repo.

This also fixes a latent bug: the old build-push step had push disabled
(# push: true commented out), so the "release" never actually published.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Use the release version prefix with the short commit SHA for the image
tag (e.g. 1.38.2-3ab6c79) instead of the bare full SHA.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@cybercyst cybercyst merged commit e23a202 into main Jun 15, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant