Skip to content

Github Action for ECR Auth/Login#135

Merged
ejfine merged 10 commits intomainfrom
better-agents
Mar 16, 2026
Merged

Github Action for ECR Auth/Login#135
ejfine merged 10 commits intomainfrom
better-agents

Conversation

@ejfine
Copy link
Contributor

@ejfine ejfine commented Mar 16, 2026
edited by coderabbitai bot
Loading

Why is this change necessary?

Needed to DRY up a bunch of code in workflows in this template and other ones created in child templates

How does this change address the issue?

Adds action

What side effects does this change have?

N/A

How is this change tested?

Downstream repo

Other

Bumped some versions of things

Summary by CodeRabbit

  • Chores

    • Bumped several tool and dependency versions for updated tooling and CI.
    • Streamlined Docker image build authentication in deployment workflows.

  • Documentation

    • Expanded testing guidance to recommend collecting and asserting batch violations alongside per-item checks.

@ejfine ejfine self-assigned this Mar 16, 2026
@coderabbitai
Copy link

coderabbitai bot commented Mar 16, 2026
edited
Loading

Warning

Rate limit exceeded

@ejfine has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 7 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 31763429-1861-47a5-bbc2-c10fcc76a89f

📥 Commits

Reviewing files that changed from the base of the PR and between d5681b6 and 69f8eeb.

📒 Files selected for processing (2)
  • AGENTS.md
  • template/template/.github/actions/ecr-auth/action.yml.jinja
📝 Walkthrough

Walkthrough

Bumps multiple tooling/dependency versions, adds guidance for batch collection assertions in AGENTS.md, and refactors GitHub Actions ECR authentication by introducing a reusable composite action and removing the separate ECR login step. (47 words)

Changes

Cohort / File(s) Summary
Devcontainer & installer
\.devcontainer/devcontainer.json, \.devcontainer/install-ci-tooling.py		 Updated devcontainer context hash and bumped UV/Copier version constants used by the devcontainer installer.
Context & project deps
extensions/context.py, pyproject.toml		 Bumped multiple context versions and copier dependency (e.g., copier 9.12.0→9.14.0, uvicorn >=0.41.0→>=0.42.0, kiota bundles, gha action versions).
Testing guidance
AGENTS.md		 Added recommendation to collect violations into a list and assert it is empty when verifying conditions across collections (complements per-item assertions).
GitHub Actions — ECR auth refactor
template/.github/reusable_workflows/build-docker-image.yaml.jinja-base, template/template/.github/actions/ecr-auth/action.yml.jinja		 Extracted ECR authentication into a new composite action (.github/actions/ecr-auth): workflow now calls the composite action (role-arn input) and the explicit separate ECR login step was removed. New composite action composes OIDC auth + ECR login steps.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Workflow as "Reusable Workflow"
participant EcrAuth as "ecr-auth composite action"
participant Configure as "aws-actions/configure-aws-credentials"
participant EcrLogin as "aws-actions/amazon-ecr-login"
participant ECR as "Amazon ECR"

Workflow->>EcrAuth: invoke (aws-region, role-arn)
EcrAuth->>Configure: OIDC auth (role-to-assume, aws-region)
Configure-->>EcrAuth: credentials
EcrAuth->>EcrLogin: login using credentials
EcrLogin-->>EcrAuth: auth result
EcrAuth->>Workflow: success / auth output

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • idonaldson
  • zendern
🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely describes the main change: a GitHub Action for ECR authentication/login, which aligns with the creation of the new ecr-auth action and modifications to build-docker-image.yaml to use it.
Description check ✅ Passed The PR description follows the provided template with all main sections completed (Why necessary, How addressed, Side effects, Testing, Other). While some sections are brief, they provide sufficient context for the changeset.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

📝 Coding Plan
  • Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Mar 16, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@template/template/.github/actions/ecr-auth/action.yml.jinja`:
- Line 6: Remove the unsupported `type` attribute from the composite action
inputs in the action metadata: locate the `inputs` blocks (the `inputs.*.type`
fields) in the composite action template and delete the `type: string` lines
(also remove the duplicate `type` at the other noted occurrence). Leave only the
supported keys (`description`, `required`, `default`, `deprecationMessage`) for
each input so the generated action.yml is valid for composite actions.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9669de0d-e1db-413c-ad15-b05ac2ae68e3

📥 Commits

Reviewing files that changed from the base of the PR and between 95e0e70 and 0c9552e.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (6)
  • .devcontainer/devcontainer.json
  • AGENTS.md
  • extensions/context.py
  • pyproject.toml
  • template/.github/reusable_workflows/build-docker-image.yaml.jinja-base
  • template/template/.github/actions/ecr-auth/action.yml.jinja

@ejfine ejfine requested a review from Copilot March 16, 2026 14:09
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a reusable GitHub composite action to centralize AWS ECR OIDC auth + login, and updates the Docker image build reusable workflow to consume it, alongside routine version bumps in template/tooling dependencies.

Changes:

  • Introduce an ecr-auth composite action intended to handle configure-aws-credentials + amazon-ecr-login.
  • Refactor the reusable Docker build workflow to use the local ecr-auth action and remove the standalone ECR login step.
  • Bump versions for copier/uv and multiple template-pinned GitHub Action versions; update related docs and devcontainer tooling pins.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
template/template/.github/actions/ecr-auth/action.yml.jinja Adds new composite action for ECR auth/login (currently has template path/suffix issues).
template/.github/reusable_workflows/build-docker-image.yaml.jinja-base Switches ECR auth/login steps to use the new local composite action.
extensions/context.py Bumps pinned tool and GitHub Action versions used across templates.
pyproject.toml Updates copier dependency pin.
uv.lock Updates locked copier version/artifacts.
.devcontainer/install-ci-tooling.py Updates pinned UV and copier versions for CI/devcontainer setup.
.devcontainer/devcontainer.json Updates generated devcontainer context hash comment.
AGENTS.md Expands testing guidance (minor markdown formatting issue introduced).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

template/template/.github/actions/ecr-auth/action.yml.jinja
Comment on lines +1 to +3
{% raw %}name: AWS ECR Auth
description: 'Use OIDC to Authenticate and login to an AWS ECR.'

template/.github/reusable_workflows/build-docker-image.yaml.jinja-base
- name: OIDC Auth for ECR
if: ${{ inputs.push-role-name != 'no-push' }}
uses: aws-actions/configure-aws-credentials@{% endraw %}{{ gha_configure_aws_credentials }}{% raw %}
uses: ./.github/actions/ecr-auth
template/.github/reusable_workflows/build-docker-image.yaml.jinja-base
Comment on lines 73 to 76
- name: OIDC Auth for ECR
if: ${{ inputs.push-role-name != 'no-push' }}
uses: aws-actions/configure-aws-credentials@{% endraw %}{{ gha_configure_aws_credentials }}{% raw %}
uses: ./.github/actions/ecr-auth
with:
template/template/.github/actions/ecr-auth/action.yml.jinja Outdated
runs:
using: composite
steps:
- name: OIDC Auth for ECR to pull Data Hub images
Copy link
Contributor Author

@ejfine ejfine Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

d92f57e

AGENTS.md Outdated
- Avoid magic values in comparisons in tests in all languages (like ruff rule PLR2004 specifies)
- Prefer using random values in tests rather than arbitrary ones (e.g. the faker library, uuids, random.randint) when possible.
- Avoid loops in tests — assert each item explicitly so failures pinpoint the exact element.
- Avoid loops in tests — assert each item explicitly so failures pinpoint the exact element. When verifying a condition across all items in a collection, collect the violations into a list and assert it's empty (e.g., assert [x for x in items if bad_condition(x)] == []).
Copy link
Contributor Author

@ejfine ejfine Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

69f8eeb

@ejfine ejfine marked this pull request as ready for review March 16, 2026 14:17
@ejfine ejfine requested a review from zendern March 16, 2026 14:17
@ejfine ejfine merged commit cc8f05b into main Mar 16, 2026
7 checks passed
@ejfine ejfine deleted the better-agents branch March 16, 2026 15:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Copilot code review Copilot Copilot left review comments

@zendern zendern zendern approved these changes

Assignees

@ejfine ejfine

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ejfine @zendern