From 660e4f9d850194eb44e76220045b0c0338b4f652 Mon Sep 17 00:00:00 2001
From: Luke Short
Date: Wed, 17 Dec 2025 13:13:39 -0800
Subject: [PATCH 1/2] add safeguards to avoid using dev docker images in sandbox/prod
---
 .github/workflows/docker-build.yml | 1 +
 .github/workflows/ecs-deploy.yml | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index e057e4ab8..86f262be2 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -227,6 +227,7 @@ jobs:
 id: login-ecr-prod
 uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
 - name: Push image to registries for prod aws account
+ if: ${{ !startsWith(needs.generate_docker_tag.outputs.docker_tag, 'rls-r') }}
 env:
 IMAGE_TAG: ${{ needs.generate_docker_tag.outputs.docker_tag }}
 REGISTRY: ${{ steps.login-ecr-prod.outputs.registry }}
diff --git a/.github/workflows/ecs-deploy.yml b/.github/workflows/ecs-deploy.yml
index 81748fd00..ea1c0eb50 100644
--- a/.github/workflows/ecs-deploy.yml
+++ b/.github/workflows/ecs-deploy.yml
@@ -109,6 +109,13 @@ jobs:
 echo "image_tag=$EXPLICIT_TAG" >> "$GITHUB_OUTPUT"
 fi
 echo $image_tag
+
+ - name: Fail if non-release image tag used for upper environments
+ if: ${{ (inputs.env == 'sandbox' || inputs.env == 'prod') && !startsWith(steps.image-tag.outputs.image_tag, 'rls-r') }}
+ run: |
+ echo "Dev image detected '${{ steps.image-tag.outputs.image_tag }}'. Tag must start with 'rls-r'."
+ exit 1
+
 - uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0
 name: Slack Starting
 with:
From b57552dd4ebdd5d547da5f871ad427fcecae390c Mon Sep 17 00:00:00 2001
From: Luke Short
Date: Tue, 13 Jan 2026 15:52:32 -0800
Subject: [PATCH 2/2] address PR issues - rls-r images only for upper envs
---
 .github/workflows/docker-build.yml | 2 +-
 .github/workflows/ecs-deploy.yml | 13 +++++++------
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 86f262be2..34a5e8694 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -227,7 +227,7 @@ jobs:
 id: login-ecr-prod
 uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
 - name: Push image to registries for prod aws account
- if: ${{ !startsWith(needs.generate_docker_tag.outputs.docker_tag, 'rls-r') }}
+ if: ${{ startsWith(needs.generate_docker_tag.outputs.docker_tag, 'rls-r') }}
 env:
 IMAGE_TAG: ${{ needs.generate_docker_tag.outputs.docker_tag }}
 REGISTRY: ${{ steps.login-ecr-prod.outputs.registry }}
diff --git a/.github/workflows/ecs-deploy.yml b/.github/workflows/ecs-deploy.yml
index ea1c0eb50..2a87e55ab 100644
--- a/.github/workflows/ecs-deploy.yml
+++ b/.github/workflows/ecs-deploy.yml
@@ -95,6 +95,13 @@ jobs:
 with:
 aws-region: ${{ vars.AWS_REGION }}
 role-to-assume: arn:aws:iam::${{ secrets.PROD_ACCOUNT_ID }}:role/delegatedadmin/developer/dpc-${{ inputs.env }}-github-actions
+
+ - name: Fail if non-release image tag used for upper environments
+ if: ${{ (inputs.env == 'sandbox' || inputs.env == 'prod') && !startsWith(inputs.ecr_image_tag, 'rls-r') }}
+ run: |
+ echo "Release tag must be explicitly specified with format 'rls-rXYZ' for upper environments."
+ exit 1
+
 - name: Set Deployed Image Tag
 id: image-tag
 env:
@@ -110,12 +117,6 @@ jobs:
 fi
 echo $image_tag
 
- - name: Fail if non-release image tag used for upper environments
- if: ${{ (inputs.env == 'sandbox' || inputs.env == 'prod') && !startsWith(steps.image-tag.outputs.image_tag, 'rls-r') }}
- run: |
- echo "Dev image detected '${{ steps.image-tag.outputs.image_tag }}'. Tag must start with 'rls-r'."
- exit 1
-
 - uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0
 name: Slack Starting
 with:
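Review bot: The prod-push gate on the new `if:` line is only a prefix test, so any tag that merely begins with `rls-r` is pushed to the prod registry, while the commit message itself describes the format as `rls-rXYZ`. GitHub expressions have no regex support, so the stricter check belongs in a shell step of the `generate_docker_tag` job, e.g. `[[ "$TAG" =~ ^rls-r[0-9]+$ ]] || { echo "not a release tag: $TAG"; exit 1; }`, with this `if:` kept as a second layer. The `login-ecr-prod` step in the context above still runs for every build unless it carries a matching condition (not visible in this hunk), so prod ECR credentials are exchanged even when nothing will be pushed; giving it the same `if: ${{ startsWith(needs.generate_docker_tag.outputs.docker_tag, 'rls-r') }}` keeps prod-account access limited to release builds. How `docker_tag` is derived is outside this hunk; if it can come from a workflow_dispatch input or an arbitrary git ref, the prefix alone does not establish that the image was built from a reviewed release branch.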
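Review bot: The new guard step runs after the credential step directly above it (`role-to-assume: ...dpc-${{ inputs.env }}-github-actions`), so a non-release tag aimed at sandbox or prod still assumes the prod-account deploy role before the job fails; moving the step ahead of the credential step, or making it a job-level `if:` on a separate validation job, fails the run before any prod credentials are minted. As in docker-build.yml, `startsWith(inputs.ecr_image_tag, 'rls-r')` is a prefix test rather than the `rls-rXYZ` format the error message promises; the `run:` block can enforce it with `TAG: ${{ inputs.ecr_image_tag }}` under `env:` and `[[ "$TAG" =~ ^rls-r[0-9]+$ ]] || exit 1`, reading the input through the environment so it is never spliced into the shell script. The tag name is still the only thing checked: anyone who can push or retag an image as `rls-r*` in ECR satisfies it, so tag immutability on the prod repository, or resolving and pinning the image digest at deploy time, is the complementary control. The `Set Deployed Image Tag` step that follows starts inside this hunk but its body continues outside it.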