feat(webapp): apply default repository policy on ECR repo creation

[ThullyoCunha]

Summary

Self-hosters that operate the webapp's ECR account separately from the account running the EKS workers (e.g., a shared platform account that hosts the registry plus per-team accounts that host clusters) currently hit a 403 Forbidden the first time any project is deployed:

Failed to pull image "<acct-A>.dkr.ecr.<region>.amazonaws.com/<namespace>/proj_…:…":
unexpected status from HEAD request to .../v2/.../manifests/sha256:…: 403 Forbidden

ensureEcrRepositoryExists in apps/webapp/app/v3/getDeploymentImageRef.server.ts calls CreateRepository and PutLifecyclePolicy, but never SetRepositoryPolicy — so the new repo inherits the AWS default (only the registry-owner account can read/pull). Workers in the cluster account get 403 every single deploy. The only workarounds today are running a one-off post-create script or pre-creating every repo by hand.

Proposed change

Add an optional env var:

DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY  (V4 mirror: V4_DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY)

Raw IAM policy JSON. When set, the webapp calls SetRepositoryPolicy immediately after CreateRepository so every new repo carries that policy from creation. Operators control the principal/actions; we don't bake in any opinions about cross-account boundaries.

Example value (for the typical self-host case — grant pull to the cluster account):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowClusterAccountPull",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::<cluster-account-id>:root"},
    "Action": [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability"
    ]
  }]
}

Why env var (not a chart-level field)

• Mirrors the shape of the sibling vars (DEPLOY_REGISTRY_ECR_TAGS, DEPLOY_REGISTRY_ECR_ASSUME_ROLE_ARN, etc.) which are already operator-supplied via webapp.extraEnvVars in self-host setups.
• Cloud is unaffected — the env var is optional, unset by default; existing behavior unchanged.
• Existing repos are unaffected — only newly-created repos get the policy.
• RepositoryCreationTemplate from the AWS provider isn't an alternative here: it only applies to repos created via pull-through-cache or replication, not to ecr:CreateRepository API calls.

Implementation

• apps/webapp/app/env.server.ts — declare DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY and the V4 fallback.
• apps/webapp/app/v3/registryConfig.server.ts — propagate ecrDefaultRepositoryPolicy to RegistryConfig.
• apps/webapp/app/v3/getDeploymentImageRef.server.ts — createEcrRepository accepts the policy; if set, calls SetRepositoryPolicy after PutLifecyclePolicy.
• docs/self-hosting/env/webapp.mdx — documentation row added under Deploy & Registry.

Verification

Verified end-to-end against a self-hosted Trigger.dev on EKS where the ECR account is separate from the cluster account:

• Without the env var (current main): the new project's first run pod stays in ImagePullBackOff with 403 Forbidden.
• With the env var set to a JSON granting ecr:BatchGetImage/GetDownloadUrlForLayer/BatchCheckLayerAvailability to the cluster account: a fresh trigger.dev deploy --env prod followed by a hello-world run completes in ~5s end-to-end on the first try.

Manually also confirmed that existing repos are untouched (the call only fires inside createEcrRepository, which only runs when DescribeRepositories returned RepositoryNotFoundException).

Out of scope

• Chart values surface for this — operators already pass the existing ECR vars via webapp.extraEnvVars, so this follows the same pattern. Happy to add a first-class chart field in a follow-up if that's the preferred direction.
• IAM-policy validation in the webapp — we forward the JSON verbatim to AWS and surface AWS's error messages on misuse, matching how DEPLOY_REGISTRY_ECR_TAGS is handled today.

This is a draft pending CI / CodeRabbit pass — happy to iterate on direction (e.g., split into per-action env vars, or extend the chart values schema) if any of the above choices feels off.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 2299221

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

Adds optional environment variables DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY and V4_DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY (v4 falls back to v3). Extends RegistryConfig with ecrDefaultRepositoryPolicy, threads that value from getRegistryConfig through getDeploymentImageRef into ensureEcrRepositoryExists/createEcrRepository, and applies the provided raw IAM policy to newly created ECR repositories using SetRepositoryPolicyCommand. For existing repositories, the code attempts idempotent policy reconciliation and catches/logs reconciliation failures instead of throwing.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding support for applying a default ECR repository policy on repository creation.
Description check	✅ Passed	The PR description is comprehensive and detailed, covering the problem, proposed change, implementation details, and verification; required template sections are addressed with substantive content.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.

[devin-ai-integration]

Devin Review found 0 new potential issues.

View 3 additional findings in Devin Review.