From d9590cb7110b2971c0f9b2392aff3501938e1d36 Mon Sep 17 00:00:00 2001
From: Brice Ruth
Date: Mon, 18 May 2026 22:09:36 -0500
Subject: [PATCH 1/2] chore(ci): disable inherited upstream workflows on flex
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

These five workflows were inherited from upstream open-webui/open-webui and were not producing artifacts on flex (none of them triggered on the flex branch). Renaming to .disabled mirrors the existing convention (codespell.disabled, lint-*.disabled) and keeps the diff vs upstream minimal while remaining reversible.
- build-release.yml — upstream release pipeline, not relevant
- docker-build.yaml — publishes to ghcr.io, replaced by publish-flex-image
- format-backend.yaml — autoformat, not part of flex CI
- format-build-frontend.yaml — autoformat, not part of flex CI
- release-pypi.yml — upstream PyPI release, not relevant
---
 .../workflows/{build-release.yml => build-release.yml.disabled} | 0
 .../workflows/{docker-build.yaml => docker-build.yaml.disabled} | 0
 .../{format-backend.yaml => format-backend.yaml.disabled} | 0
 ...at-build-frontend.yaml => format-build-frontend.yaml.disabled} | 0
 .github/workflows/{release-pypi.yml => release-pypi.yml.disabled} | 0
 5 files changed, 0 insertions(+), 0 deletions(-)
 rename .github/workflows/{build-release.yml => build-release.yml.disabled} (100%)
 rename .github/workflows/{docker-build.yaml => docker-build.yaml.disabled} (100%)
 rename .github/workflows/{format-backend.yaml => format-backend.yaml.disabled} (100%)
 rename .github/workflows/{format-build-frontend.yaml => format-build-frontend.yaml.disabled} (100%)
 rename .github/workflows/{release-pypi.yml => release-pypi.yml.disabled} (100%)
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml.disabled
similarity index 100%
rename from .github/workflows/build-release.yml
rename to .github/workflows/build-release.yml.disabled
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml.disabled
similarity index 100%
rename from .github/workflows/docker-build.yaml
rename to .github/workflows/docker-build.yaml.disabled
diff --git a/.github/workflows/format-backend.yaml b/.github/workflows/format-backend.yaml.disabled
similarity index 100%
rename from .github/workflows/format-backend.yaml
rename to .github/workflows/format-backend.yaml.disabled
diff --git a/.github/workflows/format-build-frontend.yaml b/.github/workflows/format-build-frontend.yaml.disabled
similarity index 100%
rename from .github/workflows/format-build-frontend.yaml
rename to .github/workflows/format-build-frontend.yaml.disabled
diff --git a/.github/workflows/release-pypi.yml b/.github/workflows/release-pypi.yml.disabled
similarity index 100%
rename from .github/workflows/release-pypi.yml
rename to .github/workflows/release-pypi.yml.disabled
From 99302401376f4c76d287974668ddba8f8d6cc726 Mon Sep 17 00:00:00 2001
From: Brice Ruth
Date: Mon, 18 May 2026 22:09:37 -0500
Subject: [PATCH 2/2] feat(ci): add publish-flex-image workflow for ECR publishes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual workflow (workflow_dispatch only) that builds the Flexion-customized Docker image for linux/arm64 and pushes it to AWS ECR under the chosen environment's repository (open-webui-dev or open-webui-prod) with the caller-supplied version tag.
Design notes:
- ARM-native runner (ubuntu-24.04-arm) matches the Fargate ARM deploy target — no QEMU overhead.
- Only linux/arm64 is built. Multi-arch would double build time for no current benefit; can be extended later if x86 deploys are needed.
- AWS auth via OIDC: assumes GitHubActionsOpenWebUIDev for environment=dev and GitHubActionsOpenWebUIProd for environment=prod. The prod role's trust policy was extended in flexion/flexion-open-webui-infra#461 to accept tokens from this repo's flex branch.
- Tag overwrite guard: refuses to push if the tag already exists in ECR. Prevents accidental republishes that would mask source-of-truth provenance. Operator must delete the existing tag manually to retag.
- ECR tag = upstream release tag verbatim (e.g. v0.9.5, not v9.5) — the 0. prefix is preserved end-to-end through to the CDK pin in the infra repo.
---
 .github/workflows/publish-flex-image.yml | 83 ++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 .github/workflows/publish-flex-image.yml
diff --git a/.github/workflows/publish-flex-image.yml b/.github/workflows/publish-flex-image.yml
new file mode 100644
index 00000000000..b61d725cff5
--- /dev/null
+++ b/.github/workflows/publish-flex-image.yml
@@ -0,0 +1,83 @@
+name: Publish flex image to ECR
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: 'Version tag for ECR (e.g. v0.9.6). Use the upstream release tag verbatim — keep the 0. prefix.'
+ required: true
+ type: string
+ environment:
+ description: 'Target environment'
+ required: true
+ type: choice
+ options:
+ - dev
+ - prod
+ default: dev
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ publish:
+ name: Build flex@${{ github.sha }} → open-webui-${{ inputs.environment }}:${{ inputs.version }}
+ # ARM-native runner — matches Fargate ARM target, no QEMU emulation needed.
+ runs-on: ubuntu-24.04-arm
+ env:
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ REPOSITORY: open-webui-${{ inputs.environment }}
+ steps:
+ - uses: actions/checkout@v5
+
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ inputs.environment == 'prod' && secrets.AWS_ROLE_ARN_PROD || secrets.AWS_ROLE_ARN_DEV }}
+ aws-region: ${{ env.AWS_REGION }}
+
+ - uses: docker/setup-buildx-action@v3
+
+ - id: ecr
+ uses: aws-actions/amazon-ecr-login@v2
+
+ - name: Refuse to overwrite an existing tag
+ run: |
+ if aws ecr describe-images \
+ --repository-name "$REPOSITORY" \
+ --region "$AWS_REGION" \
+ --image-ids imageTag="${{ inputs.version }}" \
+ >/dev/null 2>&1; then
+ echo "::error title=Tag exists::${REPOSITORY}:${{ inputs.version }} already exists in ECR. Promotion is intentionally not idempotent — delete the existing tag manually or pick a different version."
+ exit 1
+ fi
+
+ - name: Build and push (linux/arm64)
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ platforms: linux/arm64
+ push: true
+ tags: ${{ steps.ecr.outputs.registry }}/${{ env.REPOSITORY }}:${{ inputs.version }}
+ build-args: |
+ BUILD_HASH=${{ github.sha }}
+ USE_PERMISSION_HARDENING=false
+
+ - name: Show pushed image
+ run: |
+ aws ecr describe-images \
+ --repository-name "$REPOSITORY" \
+ --region "$AWS_REGION" \
+ --image-ids imageTag="${{ inputs.version }}" \
+ --query 'imageDetails[0].{Digest:imageDigest,Tags:imageTags,Pushed:imagePushedAt,SizeBytes:imageSizeInBytes}' \
+ --output table
+
+ - name: Next-step reminder
+ run: |
+ cat <