diff --git a/.github/scripts/lint_secret_pattern_drift.py b/.github/scripts/lint_secret_pattern_drift.py index 076d2719..c630094f 100644 --- a/.github/scripts/lint_secret_pattern_drift.py +++ b/.github/scripts/lint_secret_pattern_drift.py @@ -37,7 +37,7 @@ CANONICAL_FILE = Path(".github/workflows/secret-scan.yml") CONSUMERS: list[tuple[str, str]] = [ ( "molecule-ai-workspace-runtime/molecule_runtime/scripts/pre-commit-checks.sh", - "https://raw.githubusercontent.com/Molecule-AI/molecule-ai-workspace-runtime/main/molecule_runtime/scripts/pre-commit-checks.sh", + "https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime/raw/branch/main/molecule_runtime/scripts/pre-commit-checks.sh", ), ] diff --git a/docker-compose.yml b/docker-compose.yml index 00a5a397..00e5804e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -212,8 +212,8 @@ services: # docker compose pull canvas && docker compose up -d canvas # First-time local setup or testing unreleased changes — build from source: # docker compose build canvas && docker compose up -d canvas - # Note: GHCR images are private — `docker login ghcr.io` required before pull. - image: ghcr.io/molecule-ai/canvas:latest + # Note: ECR images require AWS auth — `aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin 153263036946.dkr.ecr.us-east-2.amazonaws.com` before pull. + image: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/canvas:latest build: context: ./canvas dockerfile: Dockerfile diff --git a/scripts/demo-freeze.sh b/scripts/demo-freeze.sh index be7b176b..e8617223 100755 --- a/scripts/demo-freeze.sh +++ b/scripts/demo-freeze.sh 
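Review bot: The new entry in `CONSUMERS` points the secret-pattern drift check at the self-hosted forge, and nothing in this hunk shows what the linter does when that fetch fails or returns a login or 404 page instead of the script. If the fetch code (outside the hunk) treats an unreadable consumer as having nothing to compare, the drift check would pass without checking anything. It is worth confirming that it fails closed on non-200 responses and on bodies that contain none of the expected patterns. A comment above the tuple such as `# must be readable from CI without credentials; the lint must fail if this fetch does not return the script` would record the assumption.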
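Review bot: The `image:` line for the canvas service still pulls the mutable `:latest` tag and now hard-codes the AWS account id and region in the compose file, so a pull never identifies which build it got and every registry move needs another edit here. Making the reference overridable keeps today's default while allowing a digest-pinned value, for example `image: ${CANVAS_IMAGE:-153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/canvas:latest}` (`CANVAS_IMAGE` is a proposed name, not an existing variable). The login command in the `# Note:` comment is long enough that it would read better on its own comment line below the sentence. The service definition starts and continues outside this hunk.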
@@ -10,11 +10,11 @@ # → PyPI auto-bumps molecule-ai-workspace-runtime patch version # → repository_dispatch fans out to 8 workspace-template-* repos # → each template repo rebuilds and re-tags -# ghcr.io/molecule-ai/workspace-template-:latest +# 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/workspace-template-:latest # # PATH 2: any merge to a workspace-template-* repo's main branch # → that repo's publish-image.yml fires -# → ghcr.io/molecule-ai/workspace-template-:latest +# → 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/workspace-template-:latest # gets re-tagged # # provisioner.go:296 RuntimeImages[runtime] reads `:latest` at every diff --git a/scripts/refresh-workspace-images.sh b/scripts/refresh-workspace-images.sh index ec9ea0ba..82b18dc7 100755 --- a/scripts/refresh-workspace-images.sh +++ b/scripts/refresh-workspace-images.sh @@ -51,7 +51,7 @@ log "pulling latest images for: ${RUNTIMES[*]}" PULLED=() FAILED=() for rt in "${RUNTIMES[@]}"; do - IMG="ghcr.io/molecule-ai/workspace-template-$rt:latest" + IMG="153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/workspace-template-$rt:latest" if docker pull "$IMG" >/dev/null 2>&1; then log " ✓ $rt" PULLED+=("$rt") diff --git a/scripts/rollback-latest.sh b/scripts/rollback-latest.sh index 62c77377..64c117b9 100755 --- a/scripts/rollback-latest.sh +++ b/scripts/rollback-latest.sh 
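Review bot: In scripts/refresh-workspace-images.sh, `docker pull "$IMG" >/dev/null 2>&1` discards the error text, and with the registry now on ECR an expired or missing login is indistinguishable from a missing image: every runtime simply lands in `FAILED`. No ECR login is visible in this hunk, so either authenticate before the loop (the docker-compose.yml comment in this commit documents the `aws ecr get-login-password … | docker login …` command) or keep the pull output and report it on failure, e.g. `if out=$(docker pull "$IMG" 2>&1); then` with `log "  ✗ $rt: $out"` in the failure branch. The `for` loop continues outside the hunk, so the existing failure branch is not visible here and the log format is a guess.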
@@ -1,9 +1,10 @@ #!/bin/bash -# rollback-latest.sh — moves the :latest tag on ghcr.io/molecule-ai/platform -# (and the matching tenant image) back to a prior :staging- digest -# without rebuilding anything. Prod tenants auto-pull :latest every 5 -# min, so this is the fast path when a canary-verified image turns out -# to have a runtime regression that canary didn't catch. +# rollback-latest.sh — moves the :latest tag on the platform image +# (and the matching tenant image) on AWS ECR back to a prior +# :staging- digest without rebuilding anything. Prod tenants +# auto-pull :latest every 5 min, so this is the fast path when a +# canary-verified image turns out to have a runtime regression that +# canary didn't catch. # # Usage: # scripts/rollback-latest.sh @@ -12,12 +13,14 @@ # Prereqs: # - crane on $PATH (brew install crane OR download from # https://github.com/google/go-containerregistry/releases) -# - GHCR token exported as GITHUB_TOKEN with write:packages scope +# - aws CLI authenticated for region us-east-2 with ECR pull/push +# access to the molecule-ai/platform + platform-tenant repositories. +# `aws sts get-caller-identity` should succeed. # # What it does (per image — platform + tenant): -# crane digest ghcr.io/…: # verify the target sha exists -# crane tag ghcr.io/…: latest # retag remotely, single API call -# crane digest ghcr.io/…:latest # confirm the move +# crane digest : # verify the target sha exists +# crane tag : latest # retag remotely, single API call +# crane digest :latest # confirm the move # # Exit codes: 0 = both retagged, 1 = tag missing / crane error, 2 = bad args. 
@@ -30,21 +33,23 @@ if [ "${1:-}" = "" ]; then fi TARGET_SHA="$1" -PLATFORM=ghcr.io/molecule-ai/platform -TENANT=ghcr.io/molecule-ai/platform-tenant +ECR_HOST=153263036946.dkr.ecr.us-east-2.amazonaws.com +PLATFORM=$ECR_HOST/molecule-ai/platform +TENANT=$ECR_HOST/molecule-ai/platform-tenant if ! command -v crane >/dev/null; then echo "ERROR: crane not installed. brew install crane" >&2 exit 1 fi -if [ -z "${GITHUB_TOKEN:-}" ]; then - echo "ERROR: GITHUB_TOKEN unset. export it with write:packages scope." >&2 +if ! command -v aws >/dev/null; then + echo "ERROR: aws CLI not installed. brew install awscli" >&2 exit 1 fi -# Log in once. crane stores creds in a config file keyed by registry; -# re-running is cheap. -printf '%s\n' "$GITHUB_TOKEN" | crane auth login ghcr.io -u "${GITHUB_ACTOR:-$(whoami)}" --password-stdin >/dev/null +# Log in once. ECR auth is via short-lived password from `aws ecr +# get-login-password`. crane stores creds in a config file keyed by +# registry; re-running is cheap. +aws ecr get-login-password --region us-east-2 | crane auth login "$ECR_HOST" -u AWS --password-stdin >/dev/null roll() { local image="$1" diff --git a/tools/check-template-parity.sh b/tools/check-template-parity.sh index 0cfc497f..a164ba92 100755 --- a/tools/check-template-parity.sh +++ b/tools/check-template-parity.sh @@ -18,7 +18,7 @@ # # Or inline via curl: # -# bash <(curl -fsSL https://raw.githubusercontent.com/Molecule-AI/molecule-core/main/tools/check-template-parity.sh) \ +# bash <(curl -fsSL https://git.moleculesai.app/molecule-ai/molecule-core/raw/branch/main/tools/check-template-parity.sh) \ # install.sh start.sh # # Exit codes:
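Review bot: The old `GITHUB_TOKEN` guard is replaced by a check that the `aws` binary exists, so nothing verifies that usable credentials are present before the login pipeline runs. In `aws ecr get-login-password --region us-east-2 | crane auth login "$ECR_HOST" …` the pipeline's exit status is that of `crane`; unless `set -o pipefail` is enabled earlier in the script (not visible in this hunk), a failed `aws` call may hand `crane` an empty password and surface later as a confusing registry error. A preflight matching the prereq comment would fail fast: `aws sts get-caller-identity >/dev/null || { echo "ERROR: aws credentials missing or expired" >&2; exit 1; }`. The region is also written twice, inside `ECR_HOST` and in `--region us-east-2`; deriving both from one variable keeps them from drifting. `roll()` continues outside the hunk.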
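Review bot: The documented one-liner in tools/check-template-parity.sh, `bash <(curl -fsSL …/raw/branch/main/tools/check-template-parity.sh)`, executes whatever is on `main` at fetch time with no integrity check, and it now also depends on the self-hosted forge serving that path without credentials. For an example that gets copied into CI, an immutable ref (a `raw/commit/<sha>/…` or `raw/tag/<tag>/…` URL), or downloading to a file and verifying a checksum before running it, is the safer pattern. Suggested comment under the example: `# Pin the ref to a reviewed commit or tag; raw/branch/main runs changes as soon as they land.` The header comment continues outside the hunk.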