
feat: add AMI build step to release workflow#706

Open
3alpha wants to merge 4 commits into master from feat/ami-build-on-release

Conversation

@3alpha (Member) commented May 28, 2026

Summary

Adds a build-ami job at the end of the release workflow that automatically builds a fresh DAppNode AMI on each release.

How it works

  1. Authenticates to AWS via OIDC (role gha-imagebuilder, no long-lived credentials)
  2. Reads the current pipeline recipe version and patch bumps it
  3. Creates a new recipe pointing to the same component (scripts download latest at build time)
  4. Updates the pipeline and triggers the build

Setup done

  • ✅ IAM role gha-imagebuilder created with minimal Image Builder permissions
  • ✅ Reuses existing GitHub OIDC provider (trust: repo:dappnode/*)
  • ✅ All ARNs stored as repo secrets
  • ✅ Base image upgraded to Ubuntu 24 LTS
  • ✅ Image tests disabled (were causing SSM failures)

Secrets added

Secret                        Purpose
IMAGE_BUILDER_ROLE_ARN        OIDC role to assume
IMAGE_BUILDER_PIPELINE_ARN    Pipeline to trigger
IMAGE_BUILDER_INFRA_ARN       Infrastructure config
IMAGE_BUILDER_DIST_ARN        Distribution config
IMAGE_BUILDER_COMPONENT_ARN   Build component (v1.3.0)
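
The four steps under "How it works", as an added example that is not the PR's own workflow code: a POSIX shell fragment a workflow step could run once aws-actions/configure-aws-credentials has assumed the OIDC role. It assumes the IMAGE_BUILDER_PIPELINE_ARN, IMAGE_BUILDER_INFRA_ARN and IMAGE_BUILDER_DIST_ARN secrets are exported as environment variables and that aws and jq are on PATH; the version bump validates its input so a malformed value from the API fails the job instead of creating a recipe with a bogus version.

```shell
#!/bin/sh
# Added example, not the PR's own workflow: the recipe bump-and-trigger step
# described under "How it works". Assumes aws-actions/configure-aws-credentials
# has already assumed the OIDC role (gha-imagebuilder) and that the
# IMAGE_BUILDER_*_ARN secrets are exported as environment variables.
set -eu

# Patch-bump "MAJOR.MINOR.PATCH" -> "MAJOR.MINOR.PATCH+1", e.g. 1.2.3 -> 1.2.4.
# Anything that is not exactly three numeric fields is rejected, so an empty or
# malformed value returned by the API cannot become a bogus recipe version.
bump_patch() {
  v=$1
  case "$v" in
    ''|*[!0-9.]*|*..*|.*|*.) echo "bump_patch: not MAJOR.MINOR.PATCH: '$v'" >&2; return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
  [ "$#" -eq 3 ] || { echo "bump_patch: expected 3 fields in '$v'" >&2; return 1; }
  printf '%s.%s.%s\n' "$1" "$2" "$(($3 + 1))"
}

# Steps 2-4: read the pipeline's current recipe, create a patch-bumped copy that
# points at the same component and parent image, repoint the pipeline at it and
# start a build. Defined only; a workflow step would call build_ami after step 1.
build_ami() {
  recipe_arn=$(aws imagebuilder get-image-pipeline \
    --image-pipeline-arn "$IMAGE_BUILDER_PIPELINE_ARN" \
    --query 'imagePipeline.imageRecipeArn' --output text)
  recipe=$(aws imagebuilder get-image-recipe --image-recipe-arn "$recipe_arn")
  name=$(printf '%s' "$recipe" | jq -r '.imageRecipe.name')
  version=$(printf '%s' "$recipe" | jq -r '.imageRecipe.version')
  parent=$(printf '%s' "$recipe" | jq -r '.imageRecipe.parentImage')
  component=$(printf '%s' "$recipe" | jq -r '.imageRecipe.components[0].componentArn')
  new_version=$(bump_patch "$version")
  new_recipe_arn=$(aws imagebuilder create-image-recipe \
    --name "$name" --semantic-version "$new_version" --parent-image "$parent" \
    --components "componentArn=$component" \
    --query 'imageRecipeArn' --output text)
  # update-image-pipeline is a full update, not a merge, so the infrastructure
  # and distribution ARNs are passed explicitly rather than left to default.
  aws imagebuilder update-image-pipeline \
    --image-pipeline-arn "$IMAGE_BUILDER_PIPELINE_ARN" \
    --image-recipe-arn "$new_recipe_arn" \
    --infrastructure-configuration-arn "$IMAGE_BUILDER_INFRA_ARN" \
    --distribution-configuration-arn "$IMAGE_BUILDER_DIST_ARN" >/dev/null
  aws imagebuilder start-image-pipeline-execution \
    --image-pipeline-arn "$IMAGE_BUILDER_PIPELINE_ARN" \
    --query 'imageBuildVersionArn' --output text
}
```

Because the role is assumed via OIDC, the only long-lived values the job needs are the ARNs themselves, which are not credentials.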

3alpha requested a review from a team as a code owner on May 28, 2026 10:04
3alpha force-pushed the feat/ami-build-on-release branch 2 times, most recently from 9a63712 to b7820f1 on May 28, 2026 13:44
3alpha added 3 commits on May 28, 2026 16:22
Appends a build-ami job that runs after the release job:
- Authenticates via OIDC (gha-imagebuilder role, no stored credentials)
- Patch-bumps the Image Builder recipe version
- Triggers EC2 Image Builder pipeline on Ubuntu 24 LTS

All ARNs stored as repo secrets.

Replaces fragile 'head -n -12' line-stripping of the prerequisites
script with a self-contained build script that:
- Installs Docker, wireguard, lsof, iptables
- Sets up /etc/rc.local for first-boot DAppNode installation
- Skips network connectivity checks (not needed during AMI build)
- Handles Ubuntu 24 LTS properly

- Create standalone .github/workflows/build-ami.yml triggered on
  Pre-release workflow completion
- Remove build-ami job and OIDC permissions from release.yml
- Update scripts/dappnode_ami_build.sh to require PROFILE_URL env var
- Workflow creates thin per-release component that downloads and runs
  the repo script with pinned PROFILE_URL for that specific release tag
- Remove IMAGE_BUILDER_COMPONENT_ARN secret (no longer needed)
3alpha force-pushed the feat/ami-build-on-release branch from c241447 to 529782a on May 28, 2026 14:22
- Add .github/workflows/build-ami.yml (triggers after Release completes)
- Add scripts/dappnode_ami_build.sh (prerequisites + pre-download + rc.local)
- release.yml: rename to Release, mark as full release (not prerelease)
- Workflow reuses existing AWS component, just bumps recipe and triggers
- IAM role updated: added GetImageRecipe, removed unused CreateComponent