fix: modified CI to push docker images to AWS ECR (#501)

Author: Hamm1

.github/workflows/docker-build.yml

@@ -4,7 +4,7 @@ on:
   workflow_call:
     inputs:
       image:
-        description: "Docker image (e.g. docker.io/<org>/<repo>)"
+        description: "Docker image (e.g. public.ecr.aws/supabase/<repo>)"
         type: string
         required: true
       checkout_ref:
@@ -35,10 +35,15 @@ on:
         description: "Build experimental image (main branch excluded)"
         type: boolean
         default: false
+    secrets:
+      PROD_AWS_ROLE:
+        description: "AWS IAM role ARN for ECR push access"
+        required: true
 
 permissions:
   contents: read
   actions: write
+  id-token: write
 
 jobs:
   # Build each platform natively on its own runner
@@ -79,12 +84,18 @@ jobs:
       - name: Set up Docker Buildx
         uses: useblacksmith/setup-docker-builder@v1
 
-      - name: Log in to Docker Hub
+      - name: Configure AWS credentials
+        if: inputs.push == true
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
+          aws-region: us-east-1
+
+      - name: Log in to Amazon ECR Public
         if: inputs.push == true
         uses: docker/login-action@v3
         with:
-          username: ${{ vars.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          registry: public.ecr.aws
 
       - name: Build and Push Single-Platform Image
         id: build
@@ -139,11 +150,16 @@ jobs:
       - name: Set up Docker Buildx
         uses: useblacksmith/setup-docker-builder@v1
 
-      - name: Log in to Docker Hub
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
+          aws-region: us-east-1
+
+      - name: Log in to Amazon ECR Public
         uses: docker/login-action@v3
         with:
-          username: ${{ vars.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          registry: public.ecr.aws
 
       - name: Checkout (specific ref)
         if: inputs.checkout_ref != ''
@@ -196,8 +212,7 @@ jobs:
               TAGS="${TAGS}, v${{ inputs.version }}"
             fi
           fi
-          HUB_PATH=$(echo "${IMAGE}" | sed -E 's@^docker\.io/@@')
           echo "✅ Successfully built and pushed ${NAME} multi-arch image (${MODE} mode)"
           echo "🏷️ Tags: ${TAGS}"
           echo "🏗️ Platforms: linux/amd64, linux/arm64"
-          echo "🔗 View at: https://hub.docker.com/r/${HUB_PATH}"
+          echo "🔗 View at: https://gallery.ecr.aws/supabase/${NAME}"

.github/workflows/docker-ci.yml

@@ -18,7 +18,7 @@ on:
 permissions:
   contents: read
   actions: write
-
+  id-token: write
 jobs:
   resolve-ref:
     name: Resolve Checkout Ref
@@ -101,9 +101,10 @@ jobs:
       matrix:
         image: [etl-api, etl-replicator]
     uses: ./.github/workflows/docker-build.yml
-    secrets: inherit
+    secrets:
+      PROD_AWS_ROLE: ${{ secrets.PROD_AWS_ROLE }}
     with:
-      image: docker.io/${{ vars.DOCKERHUB_USERNAME }}/${{ matrix.image }}
+      image: public.ecr.aws/supabase/${{ matrix.image }}
       context: .
       file: ./${{ matrix.image }}/Dockerfile
       push: true

.github/workflows/release.yml

@@ -18,6 +18,7 @@ on:
 permissions:
   contents: write
   actions: write
+  id-token: write
 
 jobs:
   version:
@@ -107,14 +108,15 @@ jobs:
         image: [etl-api, etl-replicator]
     uses: ./.github/workflows/docker-build.yml
     with:
-      image: docker.io/${{ vars.DOCKERHUB_USERNAME }}/${{ matrix.image }}
+      image: public.ecr.aws/supabase/${{ matrix.image }}
       context: .
       file: ./${{ matrix.image }}/Dockerfile
       push: true
       tag_with_version: true
       version: ${{ needs.version.outputs.version }}
       checkout_ref: refs/tags/${{ needs.version.outputs.tag }}
-    secrets: inherit
+    secrets:
+      PROD_AWS_ROLE: ${{ secrets.PROD_AWS_ROLE }}
 
   github-release:
     name: Create GitHub Release
@@ -126,21 +128,20 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
-          USER="${{ vars.DOCKERHUB_USERNAME }}"
           TAG="${{ needs.version.outputs.tag }}"
           {
             echo "body<<MARKER"
             echo "Release ${TAG}"
             echo
             echo "Docker images published:"
-            echo "- docker.io/${USER}/etl-api:latest"
-            echo "- docker.io/${USER}/etl-api:${TAG}"
-            echo "- docker.io/${USER}/etl-replicator:latest"
-            echo "- docker.io/${USER}/etl-replicator:${TAG}"
+            echo "- public.ecr.aws/supabase/etl-api:latest"
+            echo "- public.ecr.aws/supabase/etl-api:${TAG}"
+            echo "- public.ecr.aws/supabase/etl-replicator:latest"
+            echo "- public.ecr.aws/supabase/etl-replicator:${TAG}"
             echo
-            echo "View on Docker Hub:"
-            echo "- https://hub.docker.com/r/${USER}/etl-api"
-            echo "- https://hub.docker.com/r/${USER}/etl-replicator"
+            echo "View on ECR Public Gallery:"
+            echo "- https://gallery.ecr.aws/supabase/etl-api"
+            echo "- https://gallery.ecr.aws/supabase/etl-replicator"
             echo "MARKER"
           } >> "$GITHUB_OUTPUT"