From 3827a500134450ac8caefd65280d27fb0b12ec84 Mon Sep 17 00:00:00 2001
From: Harshith
Date: Fri, 6 Mar 2026 10:38:38 +0530
Subject: [PATCH 1/2] feat: add GitHub Actions build workflow for PR builds
Adds multi-arch Docker build (amd64/arm64) with push to ECR, GCR, and ACR for pull requests targeting main. Modeled after other e6data service repos.
Co-Authored-By: Claude Opus 4.6
---
.github/workflows/build.yml | 77 +++++++++++++++++++++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 .github/workflows/build.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000000..27a54397d7
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,77 @@
+name: Build
+
+on:
+ pull_request:
+ branches: ["main"]
+
+permissions:
+ id-token: write
+ contents: read
+
+env:
+ REVISION: gh-pr-3.0.${{github.run_number}}
+ IMAGE_TAG: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com/transpiler:gh-pr-3.0.${{github.run_number}}
+ GCR_IMAGE_TAG: us-docker.pkg.dev/${{ vars.GCR_PROJECT_ID }}/e6-engine/transpiler:gh-pr-3.0.${{github.run_number}}
+
+jobs:
+ build:
+ runs-on: runs-on=${{ github.run_id }}/runner=16cpu-linux-arm64
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: docker build for image scan
+ run: docker buildx build -t $IMAGE_TAG --network host --load .
+
+ - name: Authenticate to Docker
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.SCOUT_USER }}
+ password: ${{ secrets.SCOUT_TOKEN }}
+
+ - name: Docker Scout
+ id: docker-scout
+ uses: docker/scout-action@v1
+ with:
+ image: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com/transpiler:gh-pr-3.0.${{github.run_number}}
+ command: cves
+ to-env: production
+ ignore-unchanged: true
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ only-fixed: true
+
+ - name: Setup AWS Creds
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GHActionsCodeartifactReadonly
+ aws-region: us-east-1
+
+ - name: Login to ECR
+ run: |
+ aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com
+
+ - name: Authenticate to GCP
+ uses: google-github-actions/auth@v2
+ with:
+ credentials_json: ${{ secrets.GCR_PUSH_SA }}
+
+ - name: Login to GCR
+ run: |
+ echo '${{ secrets.GCR_PUSH_SA }}' | docker login -u _json_key --password-stdin us-docker.pkg.dev
+
+ - name: Build and push to ECR and GCR
+ run: |
+ docker buildx build --platform 
linux/amd64,linux/arm64 -t $IMAGE_TAG -t $GCR_IMAGE_TAG --network host --push .
+
+ - name: docker ACR login and push
+ run: |
+ echo ${{ secrets.ACR_TOKEN }} | docker login --username e6data-ci --password-stdin e6labs.azurecr.io
+ docker buildx build --no-cache --platform linux/amd64,linux/arm64 \
+ -t e6labs.azurecr.io/transpiler:gh-pr-3.0.${{github.run_number}} \
+ -t e6labs.azurecr.io/transpiler-dev:gh-pr-3.0.${{github.run_number}} \
+ --network host --push .
From dd79487d286da39e63b2cb1a577de02cd4a7a48e Mon Sep 17 00:00:00 2001
From: Harshith
Date: Fri, 6 Mar 2026 10:43:29 +0530
Subject: [PATCH 2/2] fix: make ECR/GCR steps conditional on secrets availability
AWS_ACCOUNT_ID and GCR_PUSH_SA secrets are not yet configured for this repo. Make those steps conditional so the workflow runs with just ACR push.
Co-Authored-By: Claude Opus 4.6
---
.github/workflows/build.yml | 46 ++++++++++++++-----------------------
1 file changed, 17 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 27a54397d7..252a1df6ea 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,8 +10,6 @@ permissions:
 env:
 REVISION: gh-pr-3.0.${{github.run_number}}
- IMAGE_TAG: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com/transpiler:gh-pr-3.0.${{github.run_number}}
- GCR_IMAGE_TAG: us-docker.pkg.dev/${{ vars.GCR_PROJECT_ID }}/e6-engine/transpiler:gh-pr-3.0.${{github.run_number}}
 jobs:
 build:
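Review bot: The `Build and push to ECR and GCR` and `docker ACR login and push` steps publish the output of a `pull_request`-triggered build of the PR's own Dockerfile to production registries (`e6labs.azurecr.io/transpiler:gh-pr-*` and the ECR/GCR `transpiler` repos), so anyone who can open a same-repo PR gets unreviewed `RUN` instructions executed on a runner holding push credentials for three registries, with a tag minted for the result (fork PRs receive no secrets, so for them these steps merely fail). `--network host` on every build widens that exposure: if the `runs-on=…/runner=16cpu-linux-arm64` runners are EC2 instances, build steps can reach the instance metadata endpoint, so drop host networking unless the Dockerfile genuinely needs it and gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository`. `echo ${{ secrets.ACR_TOKEN }} | docker login …` and `echo '${{ secrets.GCR_PUSH_SA }}' | docker login …` expand secrets directly into the shell script; pass them through the step's `env:` and write `echo "$ACR_TOKEN" | docker login …`, or use `docker/login-action@v3` for these registries as the Scout login already does. The Scout `cves` step sets no `exit-code: true`, so findings never block the pushes that follow; every action is referenced by a mutable major tag (`@v4`, `@v3`, `@v1`, `@v2`) rather than a full commit SHA; and a role named `GHActionsCodeartifactReadonly` being used for an ECR push suggests either broader permissions than the name implies or a push that will fail — worth confirming before this runs on real PRs.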
@@ -25,53 +23,43 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: docker build for image scan - run: docker buildx build -t $IMAGE_TAG --network host --load . - - - name: Authenticate to Docker - uses: docker/login-action@v3 - with: - username: ${{ secrets.SCOUT_USER }} - password: ${{ secrets.SCOUT_TOKEN }} - - - name: Docker Scout - id: docker-scout - uses: docker/scout-action@v1 - with: - image: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com/transpiler:gh-pr-3.0.${{github.run_number}} - command: cves - to-env: production - ignore-unchanged: true - github-token: ${{ secrets.GITHUB_TOKEN }} - only-fixed: true - - name: Setup AWS Creds + if: ${{ secrets.AWS_ACCOUNT_ID != '' }} uses: aws-actions/configure-aws-credentials@v2 with: role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GHActionsCodeartifactReadonly aws-region: us-east-1 - name: Login to ECR + if: ${{ secrets.AWS_ACCOUNT_ID != '' }} run: | aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com + - name: Build and push to ECR + if: ${{ secrets.AWS_ACCOUNT_ID != '' }} + run: | + docker buildx build --platform linux/amd64,linux/arm64 \ + -t ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com/transpiler:${{ env.REVISION }} \ + --network host --push . + - name: Authenticate to GCP + if: ${{ secrets.GCR_PUSH_SA != '' }} uses: google-github-actions/auth@v2 with: credentials_json: ${{ secrets.GCR_PUSH_SA }} - - name: Login to GCR + - name: Login to GCR and push + if: ${{ secrets.GCR_PUSH_SA != '' && vars.GCR_PROJECT_ID != '' }} run: | echo '${{ secrets.GCR_PUSH_SA }}' | docker login -u _json_key --password-stdin us-docker.pkg.dev - - - name: Build and push to ECR and GCR - run: | - docker buildx build --platform linux/amd64,linux/arm64 -t $IMAGE_TAG -t $GCR_IMAGE_TAG --network host --push . 
+ docker buildx build --platform linux/amd64,linux/arm64 \ + -t us-docker.pkg.dev/${{ vars.GCR_PROJECT_ID }}/e6-engine/transpiler:${{ env.REVISION }} \ + --network host --push . - name: docker ACR login and push run: | echo ${{ secrets.ACR_TOKEN }} | docker login --username e6data-ci --password-stdin e6labs.azurecr.io docker buildx build --no-cache --platform linux/amd64,linux/arm64 \ - -t e6labs.azurecr.io/transpiler:gh-pr-3.0.${{github.run_number}} \ - -t e6labs.azurecr.io/transpiler-dev:gh-pr-3.0.${{github.run_number}} \ + -t e6labs.azurecr.io/transpiler:${{ env.REVISION }} \ + -t e6labs.azurecr.io/transpiler-dev:${{ env.REVISION }} \ --network host --push .
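Review bot: Besides making the ECR/GCR steps conditional, this hunk deletes the `docker build for image scan`, `Authenticate to Docker` and `Docker Scout` steps, which the commit message does not mention, so the unconditional ACR push at the end of the hunk now publishes `e6labs.azurecr.io/transpiler:${{ env.REVISION }}` without any CVE scan; if the scan was dropped only because it targeted the ECR tag, keep it against a locally tagged `--load` build and set `exit-code: true` so findings fail the job before any push. The ECR, GCR and ACR steps each run their own `docker buildx build`, and the ACR one adds `--no-cache`, so a single `REVISION` can map to three different image digests across registries; build once with all `-t` tags in one `--push` invocation so every registry receives the same digest. The `if: ${{ secrets.AWS_ACCOUNT_ID != '' }}` conditions should be checked against the context-availability rules for `steps.if` — if the runner rejects the `secrets` context there, the usual pattern is a job-level `env: HAS_AWS: ${{ secrets.AWS_ACCOUNT_ID != '' }}` paired with `if: env.HAS_AWS == 'true'`. `echo ${{ secrets.ACR_TOKEN }} | docker login …` still interpolates the token unquoted into the shell line; pass it via `env:` and use `echo "$ACR_TOKEN" | docker login …`.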