Move Docker image publishing to GHCR only and remove AWS ECR/OIDC dependency #1605

@TheSpaceGod

Description

Is your feature request related to a problem? Please describe.
Yes.

Describe the solution you'd like

  • Current CI attempts to push images to AWS ECR by assuming an IAM role via OIDC (aws-actions/configure-aws-credentials). Those steps are failing with "Not authorized to perform sts:AssumeRoleWithWebIdentity", blocking image builds from completing and preventing the public "gpt-researcher" image from being updated.
  • We do not need AWS ECR for public image distribution. GitHub Container Registry (GHCR) can host images for public repositories free of charge and GitHub Actions can push to GHCR using the built-in GITHUB token/minutes. Using GHCR avoids the AWS OIDC/role complexity and eliminates the external AWS dependency for image publishing.
  • Goal: update CI so Docker images are built and pushed only to GHCR (and optionally Docker Hub if secrets exist), stop using AWS credentials/role assumption in the image CI path, and ensure release/tag builds produce semver + latest tags.

Proposed change (high level):

  • Remove or disable any ECR-specific configure-aws-credentials / assume-role steps from the image build pipelines.
  • Consolidate Docker build/push to the existing docker-push.yml workflow that already targets GHCR, and ensure it runs on release/tag and default-branch pushes.
  • Ensure workflow permissions include packages: write so GHCR push uses the repo's GITHUB token (no AWS required).
  • Update build.yml / deploy.yml to either:
      • stop attempting to push to ECR, or
      • if AWS deployments are still required, move that logic to a separate deploy workflow which is run only by maintainers and receives an image tag as input (the deploy workflow can retain AWS steps and be executed by a controlled user/org with AWS access).
  • Add a short verification/test step in CI and a documentation update describing where the images are published and how to pull them.
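As an added illustration of the proposed GHCR-only path (example workflow, not the repository's own docker-push.yml), the following job pushes with the built-in GITHUB_TOKEN under least-privilege permissions and produces semver plus latest tags; the default-branch name, tag pattern and image name are assumptions.

```yaml
# Example GHCR-only publish workflow (added illustration, not the repo's own docker-push.yml).
# Assumes the default branch is "master" and the image is named after the repository.
name: docker-push

on:
  push:
    branches: [master]          # default-branch pushes -> "latest" tag (assumption)
    tags: ['v*.*.*']            # release tags -> semver tags (assumption)
  pull_request:                 # PR builds only build, never push

# Least privilege: the job needs only repository contents and the package registry.
# No AWS credentials, no id-token: write, no role assumption.
permissions:
  contents: read
  packages: write

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      # Authenticate to GHCR with the workflow's own GITHUB_TOKEN; skipped on PRs.
      - if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Derive tags: v1.2.3 -> 1.2.3, 1.2, 1; "latest" only on the default branch.
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=raw,value=latest,enable={{is_default_branch}}

      - uses: docker/build-push-action@v5
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
```

A matching verification step is simply `docker pull ghcr.io/<owner>/<repo>:latest` from an unauthenticated host, which only succeeds once the package visibility is set to public.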
