chore(thermos): add toolkit registry SSM build runbook
apps/thermos/onprem/registry.Dockerfile, and pushes to ECR
Composio-BuildThermosToolkitRegistryImage
us-east-1
Active
7
GitRef=master
ImageTag means use the checked-out commit SHA, matching .github/workflows/self_hosted_image.yml
allowedPattern / allowedValues before shell execution.
prod/github-deploy-key/hermes-thermos-toolkit-registry-builder
prod-rdsproxy-thermos-writer-credentials
i-058876a42109955ca
ThermosToolkitRegistryBuilderRole / ThermosToolkitRegistryBuilderProfile
7d1a475d-7e59-4cf8-81c8-d8970eac52f9
Success
composio-self-host/thermos-toolkit-registry
ssm-test-7761532eae9b-20260610085750
sha256:19e617cfd932a43a9433b1f2c420f830a7b7cd11d99c26d055cc8f5d7c083674
latest remains on digest sha256:9794cc0142a9e7603c970903d09a7001409ce55eb71e1c49961d8637ae567b2e with tag r20260610_00
--build-arg SOURCE_DB=... with BuildKit --secret usage for the SSM build script and the GitHub self-hosted image workflow.
apps/thermos/onprem/registry.Dockerfile to read SOURCE_DB from a required BuildKit secret mount and export it only for registry-dump.
GitRef=master intentionally per operator request for this EC2/SSM path.
HOME under SSM, force-pushed branch reset handling, and file-backed BuildKit secret passing.
Yes, but only if the SSM execution overrides GitRef to this PR branch:
GitRef=add-thermos-toolkit-registry-ssm-runbook
With the default GitRef=master, the AWS document will clone the repo and look for ops/ssm/thermos-toolkit-registry/build_thermos_toolkit_registry_image.sh. That file is not on master until this PR is merged, so the default execution path requires this GitHub change to land first.
No GitHub Actions runner is required. The build runs on the target EC2 builder through SSM.
bash -n ops/ssm/thermos-toolkit-registry/build_thermos_toolkit_registry_image.sh
ops/ssm/thermos-toolkit-registry/ssm-document.yaml
7