
feat(bake-oci-manifests): add teleport-token + kustomization-path inputs #6

Status: Open. GureevLeonid wants to merge 1 commit into main from extend-bake-oci-manifests-inputs

Conversation

@GureevLeonid (Contributor) commented May 18, 2026

Summary

Two new optional inputs on the `bake-oci-manifests` composite action so monorepos can use it too:

  • `teleport-token` — override the derived `image-push-github-actions-<service>` default. Needed for `campaigns` (inside `maestra-io/Mindbox.MTA`) where the Teleport bot is `image-push-github-actions-mindbox-mta`.
  • `kustomization-path` — override the `./kustomization` default. Needed for the same monorepo case where each service's manifests live under `kustomization/<service>/`.

Both are backward-compatible: the 1 production caller (db-migrator) keeps working unchanged.

Test plan

  • Defaults unchanged for single-service repos.
  • After merge: campaigns migration (in maestra-io/Mindbox.MTA) uses both new inputs.

🤖 Generated with Claude Code

Changes

Added two optional inputs to the bake-oci-manifests composite action to support monorepo setups:

  • teleport-token: Allows overriding the derived default Teleport join token (defaults to image-push-github-actions-<service> if not provided). Useful in monorepos where the Teleport bot name differs from the service name (e.g., for campaigns service in a monorepo, the bot may be named image-push-github-actions-mindbox-mta).

  • kustomization-path: Allows overriding the default Kustomization manifest root path (defaults to ./kustomization). Useful in monorepos that store each service's manifests under subdirectories like kustomization/<service>/.

Updated components:

  • bake-oci-manifests/action.yml: Added input definitions and integrated them into the Teleport JWT minting and placeholder substitution steps.
  • README.md: Updated documentation with examples and clarifications for the new inputs.

Additional new action files added:

  • octopus-package-release/action.yml: New composite action for packaging releases.
  • push-to-aws-ecr-repository/action.yml: New composite action for ECR operations.
  • push-to-aws-ecr-repository/ecr-policy.json: IAM policy configuration for ECR access.

Backward compatibility: Both new inputs to bake-oci-manifests are optional with sensible defaults. Existing single-service repos and current production callers continue to work unchanged.

No breaking changes.

Review Change Stack

Two optional inputs to support monorepos where the canonical defaults
don't fit:

- `teleport-token` (default: `image-push-github-actions-<service>`) —
  override when one bot serves multiple services from a single repo,
  e.g. `image-push-github-actions-mindbox-mta` for `campaigns` (and
  eventually `mta`) inside maestra-io/Mindbox.MTA.

- `kustomization-path` (default: `./kustomization`) — override when a
  monorepo keeps each service's manifests under its own subdir, e.g.
  `kustomization/campaigns`. The action's substitute + flux-push steps
  both honour the path.

Backward compatible: existing callers (db-migrator already in
production) keep working unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
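As an added example (not code from the maestra-io/github-actions repository or from this PR), here is a shell sketch of how a composite-action step could resolve the two inputs described above: `teleport-token` is used verbatim when set and otherwise derived as `image-push-github-actions-<service>`, and `kustomization-path` defaults to `./kustomization`. It goes one step beyond the PR text by canonicalising the caller-supplied path and refusing anything that resolves outside the checkout or has no `kustomization.yaml`. The `INPUT_*` variable names, `GITHUB_WORKSPACE` usage, the `kustomization.yaml` check and all function names are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the action's own code. Assumed conventions: the runner
# exposes inputs as INPUT_SERVICE, INPUT_TELEPORT_TOKEN and
# INPUT_KUSTOMIZATION_PATH, and the checkout root is GITHUB_WORKSPACE.
# Function names are hypothetical.
set -eu

# Teleport bot join-token name: an explicit override is used verbatim; only an
# empty/unset input falls back to image-push-github-actions-<service>.
resolve_teleport_token() {
  local service="$1"
  local override="${2:-}"
  if [ -n "$override" ]; then
    printf '%s\n' "$override"
  else
    printf 'image-push-github-actions-%s\n' "$service"
  fi
}

# Kustomization root: defaults to ./kustomization relative to the workspace.
# The path is caller-supplied, so canonicalise it and reject anything that
# resolves outside the workspace or lacks a kustomization.yaml; a typo in a
# monorepo workflow then fails here instead of packaging the wrong directory.
resolve_kustomization_path() {
  local workspace="$1"
  local override="${2:-./kustomization}"
  local ws abs
  ws="$(cd "$workspace" && pwd -P)" || return 1
  abs="$(cd "$ws" && cd "$override" 2>/dev/null && pwd -P)" || return 1
  case "$abs" in
    "$ws"/*|"$ws") ;;   # inside the checkout: accepted
    *) return 1 ;;      # escaped the workspace: rejected
  esac
  [ -f "$abs/kustomization.yaml" ] || return 1
  printf '%s\n' "$abs"
}

# Constructed fixture: a throwaway layout with a single-service root and one
# monorepo service under kustomization/campaigns. Returns the canonical path.
make_demo_workspace() {
  local tmp
  tmp="$(mktemp -d)"
  mkdir -p "$tmp/kustomization/campaigns"
  : > "$tmp/kustomization/kustomization.yaml"
  : > "$tmp/kustomization/campaigns/kustomization.yaml"
  (cd "$tmp" && pwd -P)
}

# Demo: the default (db-migrator style) and the monorepo override (campaigns).
demo_ws="$(make_demo_workspace)"
echo "default token:  $(resolve_teleport_token db-migrator)"
echo "override token: $(resolve_teleport_token campaigns image-push-github-actions-mindbox-mta)"
echo "default path:   $(resolve_kustomization_path "$demo_ws")"
echo "override path:  $(resolve_kustomization_path "$demo_ws" ./kustomization/campaigns)"
if resolve_kustomization_path "$demo_ws" ../ >/dev/null 2>&1; then
  echo "unexpected: path outside the workspace was accepted"
else
  echo "rejected path:  ../ (outside the workspace)"
fi
```

In a real composite action the two resolver calls would sit at the top of the JWT-minting and substitution steps respectively, writing their results to `GITHUB_ENV` so the later packaging step sees the same `KUSTOMIZATION_PATH` that was substituted.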
@coderabbitai (Bot) commented May 18, 2026

📝 Walkthrough

Extended the bake-oci-manifests GitHub composite action to support configurable kustomization paths and dynamic Teleport token derivation. The action now accepts kustomization-path and teleport-token inputs, derives the token from the service name if not provided, and applies placeholder substitution and packaging to the specified kustomization directory. Documentation and monorepo examples were updated accordingly.

Changes

Bake OCI manifests enhancements

| Layer / File(s) | Summary |
| --- | --- |
| Action input interface updates (bake-oci-manifests/action.yml) | Added kustomization-path input (default ./kustomization), updated service description to clarify ECR repo derivation, and clarified teleport-token default behavior (derives from service if unset). |
| Teleport token resolution logic (bake-oci-manifests/action.yml) | Teleport JWT minting step now computes TELEPORT_TOKEN from inputs.teleport-token with a fallback to image-push-github-actions-<service>, then writes the resolved value into /tmp/tbot.yaml. |
| Kustomization path propagation (bake-oci-manifests/action.yml) | Placeholder substitution and OCI artifact packaging steps now use $KUSTOMIZATION_PATH instead of the hardcoded kustomization/ directory, ensuring the same substituted content is packaged. |
| Documentation and examples (README.md) | Updated input descriptions for service and teleport-token, and added a monorepo example workflow showing teleport-token and kustomization-path usage for the campaigns service. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • maestra-io/github-actions#5: Both PRs modify the bake-oci-manifests/action.yml composite action's Teleport JWT minting/token-default logic and its kustomization YAML substitution/push behavior (including deriving token from service and applying placeholder substitution under a specified kustomization path).

Poem

🐰 A path that bends, a token that flows,
From service names the default grows,
Kustomization bows to your will,
Manifests baked just how you like—chill! 🎂

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely describes the main change: adding two new inputs (teleport-token and kustomization-path) to the bake-oci-manifests action, which aligns with the file-level and PR objective summaries. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
README.md (1)

182-182: ⚡ Quick win

Consider clarifying that the bot name must match the teleport-token value.

The prerequisite describes the default bot naming convention but doesn't mention that monorepo users overriding teleport-token need a bot provisioned with the overridden name instead. While technically accurate for the default case, adding a brief note would help monorepo users understand they need teleport-token-matching bots.

📝 Optional clarification
-2. A Teleport bot named `image-push-github-actions-<service>` is provisioned on `teleport.maestra.io` with permission to mint workload-identity JWTs for the `image-push` selector against `sts.amazonaws.com`.
+2. A Teleport bot matching the `teleport-token` value (default: `image-push-github-actions-<service>`) is provisioned on `teleport.maestra.io` with permission to mint workload-identity JWTs for the `image-push` selector against `sts.amazonaws.com`.
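Review bot: the replacement line ties the bot name to `teleport-token` but still leaves the fallback rule implicit; since the walkthrough states the token is derived from `service` only when the input is unset, the prerequisite should say that an override is used verbatim (a mistyped `teleport-token` is not corrected to `image-push-github-actions-<service>`, the minting step simply runs with the wrong name), and that the bot behind the overridden name needs the same workload-identity permission for the `image-push` selector that the sentence already lists.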
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` at line 182, Update the README prerequisite to explicitly state
that the Teleport bot name must match the configured teleport-token value when
users override it; mention the default bot `image-push-github-actions-<service>`
is only correct for the default teleport-token, and if a monorepo user sets a
different `teleport-token` they must provision a bot with that exact name (the
bot must still have permission to mint workload-identity JWTs for the
`image-push` selector against `sts.amazonaws.com`).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 24983f48-7c53-481a-97e1-7e0a9021bbbc

📥 Commits

Reviewing files that changed from the base of the PR and between 63a5e00 and 301eedc.

📒 Files selected for processing (2)
  • README.md
  • bake-oci-manifests/action.yml

