From 896afc5bd7290bd0c25691d91ffa21c8dca20293 Mon Sep 17 00:00:00 2001
From: core-devops
Date: Wed, 20 May 2026 05:27:54 -0700
Subject: [PATCH] =?UTF-8?q?ci:=20SSOT-Instance-10=20=E2=80=94=20ECR=20regi?=
 =?UTF-8?q?stry=20via=20vars.ECR=5FREGISTRY=20(#333)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The ECR registry triplet (account.dkr.ecr.region.amazonaws.com = 153263036946.dkr.ecr.us-east-2.amazonaws.com) is currently hardcoded in every publish/verify workflow across 4+ repos. Switching AWS accounts or regions means touching every workflow.

Refactor each affected workflow's env block to source the triplet from `vars.ECR_REGISTRY` with the current prod-account literal as a bootstrap fallback. Once the org-level variable is set, the fallback becomes dead code and an account/region migration is a one-line change at the org level instead of N PRs.

Pattern mirrors `vars.CP_URL || 'https://api.moleculesai.app'` already in use in molecule-core/staging-verify.yml + redeploy-tenants-on-main.yml — proven to work on Gitea 1.22.6.

Constraints honored:
- No cross-repo `uses:` (blocked on 1.22.6 per feedback_gitea_cross_repo_uses_blocked).
- No new admin-required setup (the org-level var can be set later by CTO without touching these workflows again).
- Zero functional change today (fallback literal == current hardcoded value), so the in-flight cascade (publish → ECR → redeploy-fleet) is unaffected.
---
 .gitea/workflows/publish-canvas-image.yml | 8 +++++++-
 .gitea/workflows/publish-workspace-server-image.yml | 10 ++++++++--
 .gitea/workflows/staging-verify.yml | 8 ++++++--
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/.gitea/workflows/publish-canvas-image.yml b/.gitea/workflows/publish-canvas-image.yml
index 818a4cad..627466aa 100644
--- a/.gitea/workflows/publish-canvas-image.yml
+++ b/.gitea/workflows/publish-canvas-image.yml
@@ -42,7 +42,13 @@ permissions:
   packages: write
 
 env:
-  IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/canvas
+  # SSOT-Instance-10 (#333): ECR registry triplet (account.dkr.ecr.region.amazonaws.com)
+  # sourced from org/repo var `ECR_REGISTRY` with the current prod-account literal as
+  # bootstrap fallback. When the org var is set, the fallback becomes dead code and
+  # switching accounts/regions is a one-line change at the org level (instead of
+  # touching every workflow). Pattern mirrors `vars.CP_URL || 'literal'` already in
+  # use below in this repo's staging-verify.yml.
+  IMAGE_NAME: ${{ vars.ECR_REGISTRY || '153263036946.dkr.ecr.us-east-2.amazonaws.com' }}/molecule-ai/canvas
   GITHUB_SERVER_URL: https://git.moleculesai.app
 
 jobs:
diff --git a/.gitea/workflows/publish-workspace-server-image.yml b/.gitea/workflows/publish-workspace-server-image.yml
index 3b5f0a60..4f182d5c 100644
--- a/.gitea/workflows/publish-workspace-server-image.yml
+++ b/.gitea/workflows/publish-workspace-server-image.yml
@@ -57,8 +57,14 @@ permissions:
   packages: write
 
 env:
-  IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform
-  TENANT_IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform-tenant
+  # SSOT-Instance-10 (#333): ECR registry triplet (account.dkr.ecr.region.amazonaws.com)
+  # sourced from org/repo var `ECR_REGISTRY` with the current prod-account literal as
+  # bootstrap fallback. When the org var is set, the fallback becomes dead code and
+  # switching accounts/regions is a one-line change at the org level (instead of
+  # touching every workflow). Pattern mirrors `vars.CP_URL || 'literal'` already in
+  # use below in this repo's staging-verify.yml.
+  IMAGE_NAME: ${{ vars.ECR_REGISTRY || '153263036946.dkr.ecr.us-east-2.amazonaws.com' }}/molecule-ai/platform
+  TENANT_IMAGE_NAME: ${{ vars.ECR_REGISTRY || '153263036946.dkr.ecr.us-east-2.amazonaws.com' }}/molecule-ai/platform-tenant
 
 jobs:
   build-and-push:
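Review bot: The push target for the canvas image is now taken from `vars.ECR_REGISTRY`, a plain forge variable whose value is never validated, so anyone who can set repo- or org-level variables (or a typo when the org var is first created) redirects the push, with this workflow's registry credentials, to whatever host the variable names. The `build-and-push` job is outside the hunk so I can't see the login step, but I'd add a guard ahead of any docker login/push that refuses anything not shaped like an ECR host, and if that login step still hardcodes `--region us-east-2` or the account, the variable is only half of the SSOT and a region change in the var would break the push rather than move it. The comment's "already in use below in this repo's staging-verify.yml" is a copy-paste from that file; here it should read `# use in this repo's staging-verify.yml.`.

```yaml
      - name: Validate ECR registry host
        # vars.ECR_REGISTRY is operator-controlled and unvalidated; refuse to push
        # anywhere but a 12-digit-account ECR host in a plausible region.
        run: |
          reg="${IMAGE_NAME%%/*}"
          [[ "$reg" =~ ^[0-9]{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$ ]] \
            || { echo "::error::unexpected ECR_REGISTRY '${reg}'"; exit 1; }
      # … unchanged: ECR login / build / push steps …
```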
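Review bot: `IMAGE_NAME` and `TENANT_IMAGE_NAME` each carry their own copy of the `vars.ECR_REGISTRY || '<literal>'` expression, so the fallback literal now lives in two places in this file (and a third in staging-verify.yml), and a future edit that updates one line but not the other would push the platform and platform-tenant images to different registries with no error. As far as I know workflow-level `env` cannot reference other env keys, so the duplication can't be factored out here; a cheap guard in the `build-and-push` job (outside the hunk) is a one-liner asserting both share a host: `[[ "${IMAGE_NAME%%/*}" == "${TENANT_IMAGE_NAME%%/*}" ]] || { echo "::error::registry host mismatch"; exit 1; }`. The six-line comment is repeated verbatim from publish-canvas-image.yml, including "already in use below in this repo's staging-verify.yml", which doesn't apply to this file; a single line such as `# Registry host from vars.ECR_REGISTRY (fallback: current prod account); see #333.` says the same.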
diff --git a/.gitea/workflows/staging-verify.yml b/.gitea/workflows/staging-verify.yml
index e0008f03..4c4af897 100644
--- a/.gitea/workflows/staging-verify.yml
+++ b/.gitea/workflows/staging-verify.yml
@@ -75,8 +75,12 @@ permissions:
 env:
   # ECR registry (post-2026-05-06 SSOT for tenant images).
   # publish-workspace-server-image.yml pushes here.
-  IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform
-  TENANT_IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform-tenant
+  # SSOT-Instance-10 (#333): triplet sourced from org/repo var `ECR_REGISTRY` with
+  # the current prod-account literal as bootstrap fallback. When the org var is set,
+  # the fallback becomes dead code and switching accounts/regions is a one-line
+  # change at the org level. Pattern mirrors `vars.CP_URL || 'literal'` below.
+  IMAGE_NAME: ${{ vars.ECR_REGISTRY || '153263036946.dkr.ecr.us-east-2.amazonaws.com' }}/molecule-ai/platform
+  TENANT_IMAGE_NAME: ${{ vars.ECR_REGISTRY || '153263036946.dkr.ecr.us-east-2.amazonaws.com' }}/molecule-ai/platform-tenant
   # CP endpoint for redeploy-fleet (used in promote step below).
   CP_URL: ${{ vars.CP_URL || 'https://staging-api.moleculesai.app' }}
   GITHUB_SERVER_URL: https://git.moleculesai.app
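Review bot: In this file the variable controls the consumer side — the registry the staging verify/promote step takes the platform and platform-tenant images from — so a repo-level `ECR_REGISTRY` (which I believe takes precedence over the org-level value in Gitea; confirm) set by a repo admin would have this workflow verify and promote images from a registry nobody else reviewed, and the fallback literal only covers the unset case. I'd add a guard in the promote job, outside this hunk, `[[ "${IMAGE_NAME%%/*}" =~ ^[0-9]{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$ ]] || { echo "::error::unexpected ECR_REGISTRY"; exit 1; }`, and if promotion resolves images by tag rather than digest, carry the digest from the publish run so a registry swap cannot substitute content under the same tag. The two comment blocks now stacked above `IMAGE_NAME` overlap; fold the new text into the existing `# ECR registry (post-2026-05-06 SSOT for tenant images).` header instead of keeping both.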