Github Action for ECR Auth/Login

.devcontainer/devcontainer.json

@@ -71,5 +71,5 @@
   "initializeCommand": "sh .devcontainer/initialize-command.sh",
   "onCreateCommand": "sh .devcontainer/on-create-command.sh",
   "postStartCommand": "sh .devcontainer/post-start-command.sh"
-  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): eb7c79fa # spellchecker:disable-line
+  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): b93e7b48 # spellchecker:disable-line
 }

.devcontainer/install-ci-tooling.py

@@ -5,8 +5,8 @@
 import subprocess
 import sys
 
-UV_VERSION = "0.10.9"
-COPIER_VERSION = "9.12.0"
+UV_VERSION = "0.10.10"
+COPIER_VERSION = "9.14.0"
 COPIER_TEMPLATE_EXTENSIONS_VERSION = "0.3.3"
 PRE_COMMIT_VERSION = "4.5.1"
 GITHUB_WINDOWS_RUNNER_BIN_PATH = r"C:\Users\runneradmin\.local\bin"

AGENTS.md

@@ -12,7 +12,7 @@
 - Test coverage requirements are usually at 100%, so when running a subset of tests, always disable test coverage to avoid the test run failing for insufficient coverage.
 - Avoid magic values in comparisons in tests in all languages (like ruff rule PLR2004 specifies)
 - Prefer using random values in tests rather than arbitrary ones (e.g. the faker library, uuids, random.randint) when possible.
-- Avoid loops in tests — assert each item explicitly so failures pinpoint the exact element.
+- Avoid loops in tests — assert each item explicitly so failures pinpoint the exact element. When verifying a condition across all items in a collection, collect the violations into a list and assert it's empty (e.g., assert [x for x in items if bad_condition(x)] == []).
 - Key `data-testid` selectors off unique IDs (e.g. UUIDs), not human-readable names which may collide or change.
 
 ### Python Testing

extensions/context.py

@@ -11,10 +11,10 @@ class ContextUpdater(ContextHook):
     @override
     def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         # These are duplicated in the install-ci-tooling.py script in this repository
-        context["uv_version"] = "0.10.9"
+        context["uv_version"] = "0.10.10"
         context["pre_commit_version"] = "4.5.1"
         # These also in pyproject.toml
-        context["copier_version"] = "==9.12.0"
+        context["copier_version"] = "==9.14.0"
         context["copier_template_extensions_version"] = "==0.3.3"
         #######
         context["pnpm_version"] = "10.32.1"
@@ -40,15 +40,15 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         context["strawberry_graphql_version"] = ">=0.298.0"
         context["fastapi_version"] = ">=0.135.1"
         context["fastapi_offline_version"] = ">=1.7.4"
-        context["uvicorn_version"] = ">=0.41.0"
+        context["uvicorn_version"] = ">=0.42.0"
         context["lab_auto_pulumi_version"] = ">=0.1.18"
         context["ariadne_codegen_version"] = ">=0.17.0"
         context["pytest_mock_version"] = ">=3.15.1"
         context["uuid_utils_version"] = ">=0.14.0"
         context["syrupy_version"] = ">=5.1.0"
         context["structlog_version"] = ">=25.5.0"
         context["httpx_version"] = ">=0.28.1"
-        context["python_kiota_bundle_version"] = ">=1.9.8"
+        context["python_kiota_bundle_version"] = ">=1.9.10"
         context["vcrpy_version"] = ">=8.1.1"
         context["pytest_recording_version"] = ">=0.13.4"
         context["pytest_asyncio_version"] = ">=1.3.0"
@@ -85,7 +85,7 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         context["nuxt_test_utils_version"] = "3.19.1"
         context["vue_eslint_parser_version"] = "^10.4.0"
         context["happy_dom_version"] = "^20.8.3"
-        context["node_kiota_bundle_version"] = "1.0.0-preview.99"
+        context["node_kiota_bundle_version"] = "1.0.0-preview.100"
         #######
         # These are duplicated in the CI files for this repository
         context["gha_checkout"] = "v6.0.2"
@@ -99,9 +99,9 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         context["gha_setup_buildx"] = "v3.11.1"
         context["buildx_version"] = "v0.27.0"
         context["gha_docker_build_push"] = "v6.18.0"
-        context["gha_configure_aws_credentials"] = "v5.1.1"
-        context["gha_amazon_ecr_login"] = "v2.0.1"
-        context["gha_setup_node"] = "v6.2.0"
+        context["gha_configure_aws_credentials"] = "v6.0.0"
+        context["gha_amazon_ecr_login"] = "v2.0.2"
+        context["gha_setup_node"] = "v6.3.0"
         context["gha_action_gh_release"] = "v2.2.1"
         context["gha_mutex"] = "1ebad517141198e08d47cf72f3c0975316620a65 # v1.0.0-alpha.10"
         context["gha_pypi_publish"] = "v1.13.0"

pyproject.toml

@@ -10,6 +10,6 @@ dependencies = [
     "pytest-randomly>=4.0.1",
     "pyright[nodejs]>=1.1.408",
     "ty>=0.0.23",
-    "copier==9.12.0",
+    "copier==9.14.0",
     "copier-template-extensions==0.3.3"
 ]

template/.github/reusable_workflows/build-docker-image.yaml.jinja-base

@@ -72,9 +72,9 @@ jobs:
 
       - name: OIDC Auth for ECR
         if: ${{ inputs.push-role-name != 'no-push' }}
-        uses: aws-actions/configure-aws-credentials@{% endraw %}{{ gha_configure_aws_credentials }}{% raw %}
+        uses: ./.github/actions/ecr-auth
         with:
-          role-to-assume: arn:aws:iam::${{ steps.parse_ecr_url.outputs.aws_account_id }}:role/${{ inputs.push-role-name }}
+          role-arn: arn:aws:iam::${{ steps.parse_ecr_url.outputs.aws_account_id }}:role/${{ inputs.push-role-name }}
           aws-region: ${{ steps.parse_ecr_url.outputs.aws_region }}
 
       - name: Calculate hash of files in build context
@@ -111,11 +111,6 @@ jobs:
             echo "status=notfound" >> $GITHUB_OUTPUT
           fi
 
-      - name: Login to Amazon ECR
-        if: ${{ inputs.push-role-name != 'no-push' && (steps.check-if-exists.outputs.status == 'notfound' || inputs.save-as-artifact ) }}
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@{% endraw %}{{ gha_amazon_ecr_login }}{% raw %}
-
       - name: Pull existing image to package as artifact
         if: ${{ inputs.save-as-artifact && steps.check-if-exists.outputs.status == 'found' }}
         run: |

template/template/.github/actions/ecr-auth/action.yml.jinja

@@ -0,0 +1,23 @@
+{% raw %}name: AWS ECR Auth
+description: 'Use OIDC to Authenticate and login to an AWS ECR.'
+
+inputs:
+  aws-region:
+    description: AWS region to use for ECR authentication
+    required: false
+    default: '{% endraw %}{{ aws_org_home_region }}{% raw %}'
+  role-arn:
+    description: AWS IAM Role ARN to assume for ECR authentication
+    required: false
+    default: 'arn:aws:iam::{% endraw %}{{ aws_central_infrastructure_account_id }}{% raw %}:role/{% endraw %}{{ core_infra_base_access_profile_name }}{% raw %}'
+
+runs:
+  using: composite
+  steps:
+    - name: OIDC Auth for ECR
+      uses: aws-actions/configure-aws-credentials@{% endraw %}{{ gha_configure_aws_credentials }}{% raw %}
+      with:
+        role-to-assume: ${{ inputs.role-arn }}
+        aws-region: ${{ inputs.aws-region }}
+    - name: Login to Amazon ECR
+      uses: aws-actions/amazon-ecr-login@{% endraw %}{{ gha_amazon_ecr_login }}