chore(ci): disable inherited upstream workflows, add publish-flex-image

.github/workflows/publish-flex-image.yml

@@ -0,0 +1,83 @@
+name: Publish flex image to ECR
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version tag for ECR (e.g. v0.9.6). Use the upstream release tag verbatim — keep the 0. prefix.'
+        required: true
+        type: string
+      environment:
+        description: 'Target environment'
+        required: true
+        type: choice
+        options:
+          - dev
+          - prod
+        default: dev
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  publish:
+    name: Build flex@${{ github.sha }} → open-webui-${{ inputs.environment }}:${{ inputs.version }}
+    # ARM-native runner — matches Fargate ARM target, no QEMU emulation needed.
+    runs-on: ubuntu-24.04-arm
+    env:
+      AWS_REGION: ${{ secrets.AWS_REGION }}
+      REPOSITORY: open-webui-${{ inputs.environment }}
+    steps:
+      - uses: actions/checkout@v5
+
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ inputs.environment == 'prod' && secrets.AWS_ROLE_ARN_PROD || secrets.AWS_ROLE_ARN_DEV }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - uses: docker/setup-buildx-action@v3
+
+      - id: ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Refuse to overwrite an existing tag
+        run: |
+          if aws ecr describe-images \
+              --repository-name "$REPOSITORY" \
+              --region "$AWS_REGION" \
+              --image-ids imageTag="${{ inputs.version }}" \
+              >/dev/null 2>&1; then
+            echo "::error title=Tag exists::${REPOSITORY}:${{ inputs.version }} already exists in ECR. Promotion is intentionally not idempotent — delete the existing tag manually or pick a different version."
+            exit 1
+          fi
+
+      - name: Build and push (linux/arm64)
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/arm64
+          push: true
+          tags: ${{ steps.ecr.outputs.registry }}/${{ env.REPOSITORY }}:${{ inputs.version }}
+          build-args: |
+            BUILD_HASH=${{ github.sha }}
+            USE_PERMISSION_HARDENING=false
+
+      - name: Show pushed image
+        run: |
+          aws ecr describe-images \
+            --repository-name "$REPOSITORY" \
+            --region "$AWS_REGION" \
+            --image-ids imageTag="${{ inputs.version }}" \
+            --query 'imageDetails[0].{Digest:imageDigest,Tags:imageTags,Pushed:imagePushedAt,SizeBytes:imageSizeInBytes}' \
+            --output table
+
+      - name: Next-step reminder
+        run: |
+          cat <<EOF
+          ::notice title=Next step::Image is in ECR but not deployed yet. Open a PR
+          in flexion/flexion-open-webui-infra changing imageTag in
+          cdk-infra/lib/cdk-infra-stack.ts to '${{ inputs.version }}' (and update
+          the matching assertion in cdk-infra/test/cdk-infra.test.ts). Merge to deploy.
+          See docs/UPGRADING.md in the infra repo.
+          EOF