diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml.disabled
similarity index 100%
rename from .github/workflows/build-release.yml
rename to .github/workflows/build-release.yml.disabled
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml.disabled
similarity index 100%
rename from .github/workflows/docker-build.yaml
rename to .github/workflows/docker-build.yaml.disabled
diff --git a/.github/workflows/format-backend.yaml b/.github/workflows/format-backend.yaml.disabled
similarity index 100%
rename from .github/workflows/format-backend.yaml
rename to .github/workflows/format-backend.yaml.disabled
diff --git a/.github/workflows/format-build-frontend.yaml b/.github/workflows/format-build-frontend.yaml.disabled
similarity index 100%
rename from .github/workflows/format-build-frontend.yaml
rename to .github/workflows/format-build-frontend.yaml.disabled
diff --git a/.github/workflows/publish-flex-image.yml b/.github/workflows/publish-flex-image.yml
new file mode 100644
index 00000000000..b61d725cff5
--- /dev/null
+++ b/.github/workflows/publish-flex-image.yml
@@ -0,0 +1,83 @@
+name: Publish flex image to ECR
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: 'Version tag for ECR (e.g. v0.9.6). Use the upstream release tag verbatim — keep the 0. prefix.'
+ required: true
+ type: string
+ environment:
+ description: 'Target environment'
+ required: true
+ type: choice
+ options:
+ - dev
+ - prod
+ default: dev
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ publish:
+ name: Build flex@${{ github.sha }} → open-webui-${{ inputs.environment }}:${{ inputs.version }}
+ # ARM-native runner — matches Fargate ARM target, no QEMU emulation needed.
+ runs-on: ubuntu-24.04-arm
+ env:
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ REPOSITORY: open-webui-${{ inputs.environment }}
+ steps:
+ - uses: actions/checkout@v5
+
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ inputs.environment == 'prod' && secrets.AWS_ROLE_ARN_PROD || secrets.AWS_ROLE_ARN_DEV }}
+ aws-region: ${{ env.AWS_REGION }}
+
+ - uses: docker/setup-buildx-action@v3
+
+ - id: ecr
+ uses: aws-actions/amazon-ecr-login@v2
+
+ - name: Refuse to overwrite an existing tag
+ run: |
+ if aws ecr describe-images \
+ --repository-name "$REPOSITORY" \
+ --region "$AWS_REGION" \
+ --image-ids imageTag="${{ inputs.version }}" \
+ >/dev/null 2>&1; then
+ echo "::error title=Tag exists::${REPOSITORY}:${{ inputs.version }} already exists in ECR. Promotion is intentionally not idempotent — delete the existing tag manually or pick a different version."
+ exit 1
+ fi
+
+ - name: Build and push (linux/arm64)
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ platforms: linux/arm64
+ push: true
+ tags: ${{ steps.ecr.outputs.registry }}/${{ env.REPOSITORY }}:${{ inputs.version }}
+ build-args: |
+ BUILD_HASH=${{ github.sha }}
+ USE_PERMISSION_HARDENING=false
+
+ - name: Show pushed image
+ run: |
+ aws ecr describe-images \
+ --repository-name "$REPOSITORY" \
+ --region "$AWS_REGION" \
+ --image-ids imageTag="${{ inputs.version }}" \
+ --query 'imageDetails[0].{Digest:imageDigest,Tags:imageTags,Pushed:imagePushedAt,SizeBytes:imageSizeInBytes}' \
+ --output table
+
+ - name: Next-step reminder
+ run: |
+ cat <