fix: use AWS ECR public Node.js image for reliable builds

- Switch to public.ecr.aws/lambda/nodejs:18-x86_64 (official AWS image)
- Use npm ci for dependency installation (no rate limits)
- Use npx tsx for TypeScript execution (standard tooling)
- Resolves Docker Hub rate limits and missing Bun image issues

Author: claudfuen

.github/workflows/deploy.yml

@@ -0,0 +1,154 @@
+name: Deploy Pathfinder
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:  # Allow manual triggers
+
+env:
+  AWS_REGION: us-east-1
+
+jobs:
+  deploy:
+    name: Deploy Infrastructure and Application
+    runs-on: ubuntu-latest
+    
+    permissions:
+      id-token: write  # Required for OIDC
+      contents: read
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
+          aws-region: ${{ env.AWS_REGION }}
+          
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: 'apps/infra/package-lock.json'
+      
+      - name: Install Pulumi CLI
+        uses: pulumi/actions@v4
+        
+      - name: Install infrastructure dependencies
+        run: |
+          cd apps/infra
+          npm ci
+          
+      - name: Update infrastructure
+        run: |
+          cd apps/infra
+          pulumi up --yes
+        env:
+          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+          NODE_ENV: development  # Set for buildspec
+          
+      - name: Wait for infrastructure stabilization
+        run: sleep 30
+        
+      - name: Build migration image
+        run: |
+          BUILD_ID=$(aws codebuild start-build \
+            --project-name pathfinder-migration-build \
+            --query 'build.id' --output text)
+          echo "Migration build started: $BUILD_ID"
+          
+          # Wait for migration build to complete
+          aws codebuild batch-get-builds --ids $BUILD_ID \
+            --query 'builds[0].buildStatus' --output text
+          
+          while [ "$(aws codebuild batch-get-builds --ids $BUILD_ID --query 'builds[0].buildStatus' --output text)" = "IN_PROGRESS" ]; do
+            echo "Waiting for migration build to complete..."
+            sleep 30
+          done
+          
+          STATUS=$(aws codebuild batch-get-builds --ids $BUILD_ID --query 'builds[0].buildStatus' --output text)
+          if [ "$STATUS" != "SUCCEEDED" ]; then
+            echo "Migration build failed with status: $STATUS"
+            exit 1
+          fi
+          echo "Migration build completed successfully"
+          
+      - name: Run database migrations
+        run: |
+          TASK_ARN=$(aws ecs run-task \
+            --cluster pathfinder \
+            --task-definition pathfinder-migration:latest \
+            --subnets $(aws ec2 describe-subnets --filters "Name=tag:Type,Values=private" --query 'Subnets[0].SubnetId' --output text) \
+            --security-groups $(aws ec2 describe-security-groups --filters "Name=tag:Name,Values=pathfinder-codebuild-sg" --query 'SecurityGroups[0].GroupId' --output text) \
+            --query 'tasks[0].taskArn' --output text)
+          
+          echo "Migration task started: $TASK_ARN"
+          
+          # Wait for migration task to complete
+          aws ecs wait tasks-stopped --cluster pathfinder --tasks $TASK_ARN
+          
+          # Check if migration succeeded
+          EXIT_CODE=$(aws ecs describe-tasks --cluster pathfinder --tasks $TASK_ARN \
+            --query 'tasks[0].containers[0].exitCode' --output text)
+          
+          if [ "$EXIT_CODE" != "0" ]; then
+            echo "Migration failed with exit code: $EXIT_CODE"
+            exit 1
+          fi
+          echo "Migrations completed successfully"
+          
+      - name: Build application image
+        run: |
+          BUILD_ID=$(aws codebuild start-build \
+            --project-name pathfinder-app-build \
+            --query 'build.id' --output text)
+          echo "App build started: $BUILD_ID"
+          
+          # Wait for app build to complete
+          while [ "$(aws codebuild batch-get-builds --ids $BUILD_ID --query 'builds[0].buildStatus' --output text)" = "IN_PROGRESS" ]; do
+            echo "Waiting for app build to complete..."
+            sleep 30
+          done
+          
+          STATUS=$(aws codebuild batch-get-builds --ids $BUILD_ID --query 'builds[0].buildStatus' --output text)
+          if [ "$STATUS" != "SUCCEEDED" ]; then
+            echo "App build failed with status: $STATUS"
+            exit 1
+          fi
+          echo "App build completed successfully"
+          
+      - name: Deploy application
+        run: |
+          # Update ECS service to use new image
+          aws ecs update-service \
+            --cluster pathfinder \
+            --service pathfinder-app \
+            --force-new-deployment
+          
+          echo "Application deployment started"
+          
+          # Wait for deployment to stabilize
+          aws ecs wait services-stable \
+            --cluster pathfinder \
+            --services pathfinder-app
+          
+          echo "Application deployed successfully"
+          
+      - name: Verify deployment
+        run: |
+          # Get ALB DNS name
+          ALB_DNS=$(aws elbv2 describe-load-balancers \
+            --names pathfinder-lb \
+            --query 'LoadBalancers[0].DNSName' --output text)
+          
+          # Health check
+          curl -f "http://$ALB_DNS/health" || {
+            echo "Health check failed"
+            exit 1
+          }
+          
+          echo "Deployment verification successful"
+          echo "Application URL: http://$ALB_DNS" 

apps/infra/types.ts

@@ -155,14 +155,34 @@ export interface GithubOidcOutputs {
   readOnlyRoleArn: pulumi.Output<string>;
 }
 
-export interface CodeBuildOutputs {
-  migrationProjectName: pulumi.Output<string>;
-  migrationProjectArn: pulumi.Output<string>;
+export interface BuildSystemOutputs {
   appProjectName: pulumi.Output<string>;
   appProjectArn: pulumi.Output<string>;
+  migrationProjectName: pulumi.Output<string>;
+  migrationProjectArn: pulumi.Output<string>;
   codebuildRoleArn: pulumi.Output<string>;
   buildInstanceType: string;
   buildTimeout: number;
+  createApplicationDeployment: (
+    app: ApplicationConfig,
+    database: DatabaseOutputs,
+    container: ContainerOutputs
+  ) => ApplicationDeployment;
+}
+
+
+
+export interface ApplicationDeployment {
+  appName: string;
+  contextPath: string;
+  buildCommands: {
+    deployWithMigrations: string;
+  };
+  containerImage: pulumi.Output<string>;
+  healthCheckPath: string;
+  resourceRequirements: { cpu: number; memory: number };
+  scaling: { minInstances: number; maxInstances: number; targetCpuPercent: number };
+  buildProject: pulumi.Output<string>;
 }
 
 export interface TailscaleOutputs {

apps/web/Dockerfile.migration

@@ -1,13 +1,13 @@
 # Lightweight migration-only Docker image
-FROM public.ecr.aws/w0g4q7i6/bun:1.2.18-alpine
+FROM public.ecr.aws/lambda/nodejs:18-x86_64
 
 WORKDIR /app
 
 # Copy package files first for better caching
-COPY package.json bun.lock* ./
+COPY package.json ./
 
-# Install all dependencies (including dev deps like tsx if needed)
-RUN bun install --frozen-lockfile
+# Install dependencies using npm (reliable and available everywhere)
+RUN npm ci --production=false
 
 # Copy the entire src directory to avoid import path issues
 COPY src/ ./src/
@@ -25,5 +25,5 @@ RUN echo "=== Directory structure ===" && \
 # Set environment for better error reporting
 ENV NODE_ENV=production
 
-# Default command runs migrations with verbose output
-CMD ["sh", "-c", "echo 'Starting migration container...' && bun run scripts/run-migrations.ts"] 
+# Default command runs migrations with verbose output using npx tsx
+CMD ["sh", "-c", "echo 'Starting migration container...' && npx tsx scripts/run-migrations.ts"] 

scripts/deploy.sh

@@ -0,0 +1,149 @@
+#!/bin/bash
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Configuration
+AWS_REGION=${AWS_REGION:-us-east-1}
+CLUSTER_NAME="pathfinder"
+MIGRATION_PROJECT="pathfinder-migration-build"
+APP_PROJECT="pathfinder-app-build"
+
+echo -e "${GREEN}🚀 Starting Pathfinder deployment...${NC}"
+
+# Function to wait for CodeBuild
+wait_for_build() {
+    local build_id=$1
+    local project_name=$2
+    
+    echo -e "${YELLOW}⏳ Waiting for $project_name build to complete...${NC}"
+    
+    while true; do
+        status=$(aws codebuild batch-get-builds --ids "$build_id" --query 'builds[0].buildStatus' --output text)
+        
+        case $status in
+            "SUCCEEDED")
+                echo -e "${GREEN}✅ $project_name build completed successfully${NC}"
+                return 0
+                ;;
+            "FAILED"|"FAULT"|"STOPPED"|"TIMED_OUT")
+                echo -e "${RED}❌ $project_name build failed with status: $status${NC}"
+                return 1
+                ;;
+            "IN_PROGRESS")
+                echo "  Still building..."
+                sleep 30
+                ;;
+            *)
+                echo "  Status: $status"
+                sleep 30
+                ;;
+        esac
+    done
+}
+
+# Step 1: Update Infrastructure
+echo -e "${YELLOW}📋 Step 1: Updating infrastructure...${NC}"
+cd apps/infra
+export NODE_ENV=development  # Required for buildspec
+pulumi up --yes
+cd ../..
+echo -e "${GREEN}✅ Infrastructure updated${NC}"
+
+# Wait for infrastructure to stabilize
+echo -e "${YELLOW}⏳ Waiting for infrastructure to stabilize...${NC}"
+sleep 30
+
+# Step 2: Build Migration Image
+echo -e "${YELLOW}🔨 Step 2: Building migration image...${NC}"
+migration_build_id=$(aws codebuild start-build \
+    --project-name "$MIGRATION_PROJECT" \
+    --query 'build.id' --output text)
+
+echo "Migration build ID: $migration_build_id"
+wait_for_build "$migration_build_id" "Migration"
+
+# Step 3: Run Database Migrations
+echo -e "${YELLOW}🗃️  Step 3: Running database migrations...${NC}"
+
+# Get subnet and security group for migration task
+private_subnet=$(aws ec2 describe-subnets \
+    --filters "Name=tag:Type,Values=private" \
+    --query 'Subnets[0].SubnetId' --output text)
+
+codebuild_sg=$(aws ec2 describe-security-groups \
+    --filters "Name=tag:Name,Values=pathfinder-codebuild-sg" \
+    --query 'SecurityGroups[0].GroupId' --output text)
+
+# Run migration task
+migration_task_arn=$(aws ecs run-task \
+    --cluster "$CLUSTER_NAME" \
+    --task-definition pathfinder-migration:latest \
+    --subnets "$private_subnet" \
+    --security-groups "$codebuild_sg" \
+    --query 'tasks[0].taskArn' --output text)
+
+echo "Migration task ARN: $migration_task_arn"
+
+# Wait for migration to complete
+echo -e "${YELLOW}⏳ Waiting for migrations to complete...${NC}"
+aws ecs wait tasks-stopped --cluster "$CLUSTER_NAME" --tasks "$migration_task_arn"
+
+# Check migration exit code
+exit_code=$(aws ecs describe-tasks \
+    --cluster "$CLUSTER_NAME" \
+    --tasks "$migration_task_arn" \
+    --query 'tasks[0].containers[0].exitCode' --output text)
+
+if [ "$exit_code" != "0" ]; then
+    echo -e "${RED}❌ Migration failed with exit code: $exit_code${NC}"
+    exit 1
+fi
+echo -e "${GREEN}✅ Migrations completed successfully${NC}"
+
+# Step 4: Build Application Image
+echo -e "${YELLOW}🔨 Step 4: Building application image...${NC}"
+app_build_id=$(aws codebuild start-build \
+    --project-name "$APP_PROJECT" \
+    --query 'build.id' --output text)
+
+echo "App build ID: $app_build_id"
+wait_for_build "$app_build_id" "Application"
+
+# Step 5: Deploy Application
+echo -e "${YELLOW}🚢 Step 5: Deploying application...${NC}"
+
+# Update ECS service
+aws ecs update-service \
+    --cluster "$CLUSTER_NAME" \
+    --service pathfinder-app \
+    --force-new-deployment > /dev/null
+
+echo -e "${YELLOW}⏳ Waiting for deployment to stabilize...${NC}"
+aws ecs wait services-stable \
+    --cluster "$CLUSTER_NAME" \
+    --services pathfinder-app
+
+echo -e "${GREEN}✅ Application deployed successfully${NC}"
+
+# Step 6: Verify Deployment
+echo -e "${YELLOW}🔍 Step 6: Verifying deployment...${NC}"
+
+# Get ALB DNS name
+alb_dns=$(aws elbv2 describe-load-balancers \
+    --names pathfinder-lb \
+    --query 'LoadBalancers[0].DNSName' --output text)
+
+# Health check
+if curl -sf "http://$alb_dns/health" > /dev/null; then
+    echo -e "${GREEN}✅ Health check passed${NC}"
+    echo -e "${GREEN}🎉 Deployment completed successfully!${NC}"
+    echo -e "${GREEN}🌐 Application URL: http://$alb_dns${NC}"
+else
+    echo -e "${RED}❌ Health check failed${NC}"
+    exit 1
+fi