
chore(ci): disable inherited upstream workflows, add publish-flex-image #24

Merged
bdruth merged 2 commits into flex from chore/flex-ci-setup on May 19, 2026

Conversation

@bdruth bdruth commented May 19, 2026

Summary

PR A of the flex-CI-setup plan. Two coherent changes:

  1. Disable five inherited upstream workflows by renaming to `.disabled`. These came from `open-webui/open-webui` and don't trigger on `flex` — they were producing no artifacts.
  2. Add `publish-flex-image.yml` — manual workflow that builds the Flexion-customized image and pushes to `open-webui-{dev,prod}` ECR in us-east-2 under a caller-supplied version tag.

Why now

Today's container image promotion is a manual `docker push` from someone's laptop. This PR replaces that with auditable CI:

  • Single source of truth (the `flex` branch's HEAD commit at build time)
  • Tag overwrite guard prevents accidentally republishing the same version
  • OIDC-authenticated push (no static AWS credentials anywhere)

What's in `publish-flex-image.yml`

  • `workflow_dispatch` only — inputs: `version` (required, e.g. `v0.9.6`) and `environment` (`dev` or `prod`)
  • ARM-native build on `ubuntu-24.04-arm` → `linux/arm64` (matches Fargate ARM target)
  • Assumes `GitHubActionsOpenWebUIDev` or `GitHubActionsOpenWebUIProd` via OIDC (trust extended in flexion/flexion-open-webui-infra#461, merged 2026-05-19)
  • Refuses to overwrite an existing tag — caller must delete first
  • Emits a `::notice::` reminding the operator to bump the CDK pin in the infra repo

Required prerequisites (all complete)

  • ✅ OIDC trust extended to `repo:flexion/open-webui:*` (dev) and `repo:flexion/open-webui:ref:refs/heads/flex` (prod) — infra PR #461 merged
  • ✅ Repo secrets set: `AWS_ROLE_ARN_DEV`, `AWS_ROLE_ARN_PROD`, `AWS_REGION` (`us-east-2`)
  • ✅ Actions enabled on this repo

Test plan

After merge:

  • Smoke test 1 — refuse-overwrite guard:
    ```
    gh workflow run publish-flex-image.yml -f version=v0.9.5 -f environment=dev
    ```
    Expect: fails at "Refuse to overwrite an existing tag" (dev:v0.9.5 already exists).
  • Smoke test 2 — clean dev publish:
    ```
    gh workflow run publish-flex-image.yml -f version=flex-smoke-$(date +%s) -f environment=dev
    ```
    Expect: success. Then `aws ecr batch-delete-image --image-ids imageTag=`.
  • Prod backfill (inaugural real use): `version=v0.9.5 environment=prod` — closes the prod ECR gap that exists today (prod has no `v0.9.5` tag, only `v9.5`).

Follow-ups

  • PR B in this same series: add `upstream-sync.yml` and rewrite `README_FLEXION.md` Option A.
  • After this PR merges: switch the repo's default branch from `main` to `flex` and add branch protection on `flex`.

bdruth added 2 commits May 18, 2026 22:09
These five workflows were inherited from upstream open-webui/open-webui
and were not producing artifacts on flex (none of them triggered on the
flex branch). Renaming to .disabled mirrors the existing convention
(codespell.disabled, lint-*.disabled) and keeps the diff vs upstream
minimal while remaining reversible.

- build-release.yml — upstream release pipeline, not relevant
- docker-build.yaml — publishes to ghcr.io, replaced by publish-flex-image
- format-backend.yaml — autoformat, not part of flex CI
- format-build-frontend.yaml — autoformat, not part of flex CI
- release-pypi.yml — upstream PyPI release, not relevant

Manual workflow (workflow_dispatch only) that builds the Flexion-customized
Docker image for linux/arm64 and pushes it to AWS ECR under the chosen
environment's repository (open-webui-dev or open-webui-prod) with the
caller-supplied version tag.

Design notes:
- ARM-native runner (ubuntu-24.04-arm) matches the Fargate ARM deploy
  target — no QEMU overhead.
- Only linux/arm64 is built. Multi-arch would double build time for no
  current benefit; can be extended later if x86 deploys are needed.
- AWS auth via OIDC: assumes GitHubActionsOpenWebUIDev for environment=dev
  and GitHubActionsOpenWebUIProd for environment=prod. The prod role's
  trust policy was extended in flexion/flexion-open-webui-infra#461 to
  accept tokens from this repo's flex branch.
- Tag overwrite guard: refuses to push if the tag already exists in ECR.
  Prevents accidental republishes that would mask source-of-truth
  provenance. Operator must delete the existing tag manually to retag.
- ECR tag = upstream release tag verbatim (e.g. v0.9.5, not v9.5) — the
  0. prefix is preserved end-to-end through to the CDK pin in the infra
  repo.
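The workflow described in the PR summary and in the design notes of the second commit, written out as an added illustrative example; this is not the repository's actual `publish-flex-image.yml`. Action versions, the routing of inputs through `env`, and the error/notice wording are assumptions; the runner label, platform, role names, secret names and ECR repository names come from the PR.

```yaml
name: publish-flex-image (illustrative)
on:
  workflow_dispatch:
    inputs:
      version:
        description: "ECR tag, upstream release tag verbatim (e.g. v0.9.6)"
        required: true
      environment:
        description: "Target ECR repository suffix"
        required: true
        type: choice
        options: [dev, prod]
permissions:
  id-token: write   # lets the job mint an OIDC token; no static AWS keys anywhere
  contents: read
jobs:
  publish:
    runs-on: ubuntu-24.04-arm        # native arm64 build, no QEMU emulation
    env:
      # Inputs reach shell steps through env vars, never via ${{ }} inside run:, so a crafted input cannot inject commands
      VERSION: ${{ inputs.version }}
      ECR_REPO: open-webui-${{ inputs.environment }}
    steps:
      - uses: actions/checkout@v4
      - name: Assume the per-environment role via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ inputs.environment == 'prod' && secrets.AWS_ROLE_ARN_PROD || secrets.AWS_ROLE_ARN_DEV }}
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Refuse to overwrite an existing tag
        run: |
          # describe-images exits 0 only when the tag already exists; that is the case we reject
          if aws ecr describe-images --repository-name "$ECR_REPO" --image-ids imageTag="$VERSION" >/dev/null 2>&1; then
            echo "::error::$ECR_REPO:$VERSION already exists; delete it first if a republish is really intended"
            exit 1
          fi
      - id: ecr
        uses: aws-actions/amazon-ecr-login@v2
      - uses: docker/setup-buildx-action@v3
      - name: Build and push linux/arm64 only
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/arm64
          push: true
          tags: ${{ steps.ecr.outputs.registry }}/${{ env.ECR_REPO }}:${{ env.VERSION }}
      - name: Remind the operator to bump the CDK pin
        run: echo "::notice::Published $ECR_REPO:$VERSION; bump the image pin in the infra repo's CDK stack"
```

The prod branch restriction in the PR (`ref:refs/heads/flex`) is enforced by the role's trust policy, not by this file, so a run from another branch fails at the OIDC step rather than at the push.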

@bdruth bdruth left a comment


Reviewed.


bdruth commented May 19, 2026

@copilot review this PR


Copilot AI commented May 19, 2026

@copilot review this PR

Completed review on commit 9930240. No additional code changes are needed in this PR. I also checked Actions: current failures on flex are pre-existing formatting-check failures unrelated to these CI workflow changes.

@bdruth bdruth merged commit 83be98b into flex May 19, 2026
1 check failed
@bdruth bdruth deleted the chore/flex-ci-setup branch May 19, 2026 03:16
Copilot stopped work on behalf of bdruth due to an error May 19, 2026 03:16
