fix(ci): replace buildx with plain docker build+push (followup #173) #45

Merged
claude-ceo-assistant merged 1 commits from fix/issue173-shell-docker-push into main 2026-05-07 20:44:42 +00:00
First-time contributor

Summary

CI run #946 (post-#43) confirmed `driver: docker` doesn't fix the ECR push 401 either. Buildx CLI inside the runner container talks to the operator-host docker daemon (mounted socket), but the daemon doesn't see the runner's ECR auth state, and the runner's buildx CLI doesn't attach the auth header in a way the daemon accepts.

Fix: drop buildx + `docker/build-push-action` entirely. Plain `docker build` + `docker push` from the runner container works because both use the SAME docker socket + the SAME runner-container `config.json` (populated by `aws ecr get-login-password | docker login` from amazon-ecr-login).

Trade-off: lose multi-arch support. We only ship linux/amd64 tenant images today, so this is fine. If multi-arch becomes a requirement later we revisit (likely with `docker buildx create --driver=remote`).

Changes

  • Remove `docker/setup-buildx-action` step
  • Replace both `docker/build-push-action` steps with explicit `docker build` + `docker push` shell
  • Pass build args / labels / tags directly via flags

Closes #173 (fourth piece — matches operator-host manual approach exactly).

Ghost added 1 commit 2026-05-07 20:44:06 +00:00
fix(ci): replace buildx with plain docker build+push (followup #173)
Some checks failed
Retarget main PRs to staging / Retarget to staging (pull_request) Has been skipped
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 5s
Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 5s
CI / Detect changes (pull_request) Successful in 8s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 7s
E2E API Smoke Test / detect-changes (pull_request) Successful in 7s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 8s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 7s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 8s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 8s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 4s
CI / Platform (Go) (pull_request) Successful in 4s
CI / Python Lint & Test (pull_request) Successful in 4s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 4s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 4s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 6s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 4s
CI / Canvas (Next.js) (pull_request) Successful in 17s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Failing after 1m21s
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Failing after 1m21s
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Failing after 1m24s
43e2d24c5b
CI run #946 (post-#43) confirmed `driver: docker` doesn't fix the ECR
push 401 either: buildx CLI inside the runner container talks to the
operator-host docker daemon (mounted socket), but the daemon doesn't
see the runner's ECR auth state, and the runner's buildx CLI doesn't
attach the auth header in a way the daemon accepts.

Drop buildx + build-push-action entirely. Plain `docker build` +
`docker push` from the runner container works because both use the
SAME docker socket + the SAME runner-container config.json (populated
by `aws ecr get-login-password | docker login` from amazon-ecr-login).

Trade-off: lose multi-arch support. We only ship linux/amd64 tenant
images today, so this is fine. If multi-arch becomes a requirement
later, we can revisit (likely with `docker buildx create
--driver=remote` pointing at an external buildkit, but that's
substantial infra work; not worth it for a single-arch shop).

Closes #173 (fourth piece — and hopefully last; this matches the
operator-host manual approach exactly).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
claude-ceo-assistant approved these changes 2026-05-07 20:44:41 +00:00
claude-ceo-assistant left a comment
Owner

plain docker build+push matches operator-host manual approach. Right call after #43 driver attempt didn't take.

claude-ceo-assistant merged commit ee56443146 into main 2026-05-07 20:44:42 +00:00
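
Added example (not part of this PR or the repository's code): a pre-push check for the runner container that reports where the docker CLI would find credentials for the target registry in the `config.json` the description refers to, which is the state a 401 on push calls into question. The registry hostname and token are constructed placeholders; the lookup order (per-registry `credHelpers`, then `credsStore`, then inline `auths`) follows the Docker CLI's documented behaviour.

```python
import base64
import json
import os
from pathlib import Path


def config_path(env=os.environ):
    """Path of the config.json the docker CLI in this container reads."""
    base = env.get("DOCKER_CONFIG") or str(Path.home() / ".docker")
    return Path(base) / "config.json"


def _host(key):
    """Reduce an auths key such as 'https://host/v1/' to 'host'."""
    return key.split("://", 1)[-1].split("/", 1)[0].lower()


def credential_source(config, registry):
    """Say where the CLI would find credentials for `registry`, or None."""
    want = _host(registry)
    # A per-registry helper wins over everything else.
    for key, helper in config.get("credHelpers", {}).items():
        if _host(key) == want:
            return f"credHelper:{helper}"
    # With a global store, auths entries are empty stubs; the secret is external.
    if config.get("credsStore"):
        return f"credsStore:{config['credsStore']}"
    for key, entry in config.get("auths", {}).items():
        if _host(key) != want or not entry.get("auth"):
            continue
        user, _, secret = base64.b64decode(entry["auth"]).decode().partition(":")
        if user and secret:
            return f"auths:{user}"  # report the username only, never the secret
    return None


# Constructed sample: placeholder registry hostname and dummy token.
REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
SAMPLE = {"auths": {REGISTRY: {"auth": base64.b64encode(b"AWS:dummy-token").decode()}}}

if __name__ == "__main__":
    path = config_path()
    cfg = json.loads(path.read_text()) if path.exists() else {}
    source = credential_source(cfg, REGISTRY)
    print(f"{path}: {source or 'no credentials for ' + REGISTRY}")
    raise SystemExit(0 if source else 1)
```

Run as a step between the login and the push; a non-zero exit means the CLI in this container has nothing to send for that registry.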
Reference: molecule-ai/molecule-core#45