From b0bce66f530c3764c8c55c297836493b56cb34e1 Mon Sep 17 00:00:00 2001 From: Joshua Shapiro Date: Thu, 23 Oct 2025 14:46:30 -0400 Subject: [PATCH 1/2] Add AWS ECR to github pushes --- .github/workflows/build-docker.yaml | 67 +++++++++++++++++++++++------ 1 file changed, 54 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build-docker.yaml b/.github/workflows/build-docker.yaml index 4ca68e1..b58333f 100644 --- a/.github/workflows/build-docker.yaml +++ b/.github/workflows/build-docker.yaml @@ -11,15 +11,19 @@ on: - main env: - REGISTRY: ghcr.io - REGISTRY_USER: alexslemonade + GH_REGISTRY: ghcr.io + GH_REGISTRY_USER: alexslemonade + AWS_REGISTRY: 997241705947.dkr.ecr.us-east-1.amazonaws.com + AWS_PREFIX: ghcr_io jobs: build_push_full: runs-on: ubuntu-22.04 + environment: ${{ github.event_name == 'push' && 'prod' || '' }} permissions: contents: read packages: write + id-token: write steps: - name: Clear space run: | @@ -41,13 +45,26 @@ jobs: echo "Disk space after cleanup:" df -h + - name: Configure AWS credentials + if: ${{ github.event_name == 'push' }} + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::997241705947:role/gha-ecr-access-role + role-session-name: githubActionSession + aws-region: us-east-1 + + - name: Log in to Amazon ECR + if: ${{ github.event_name == 'push' }} + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Docker login + - name: Docker login GHCR uses: docker/login-action@v3 with: - registry: ${{ env.REGISTRY }} + registry: ${{ env.GH_REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} 
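Review bot: `id-token: write` is granted to `build_push_full` on every trigger, while the `prod` environment is attached only when `github.event_name == 'push'`, so a non-push run (pull requests, going by the `type=ref,event=pr` tag rule) can still request an OIDC token for this repository. Whether such a token can assume `gha-ecr-access-role` depends on the role's trust policy, which is not visible here. That policy should match the `sub` claim on the environment, e.g. `repo:<org>/<repo>:environment:prod`, rather than a repository-wide pattern. The same permission and environment expression are added to `build_push_matrix` in the `@@ -83,16 +105,20 @@` hunk. A comment above `environment:` such as `# prod (and its OIDC subject) only on push; other events run without an environment` would make the `&& 'prod' || ''` expression easier to read.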
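Review bot: The two new steps reference `aws-actions/configure-aws-credentials@v4` and `aws-actions/amazon-ecr-login@v2` by mutable tag, and these are the steps that obtain and hold the assumed-role credentials for ECR. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4`, means a moved tag cannot change what runs with push rights to the registry. The same applies to the identical steps added to `build_push_matrix` in the `@@ -110,13 +136,26 @@` hunk. The `steps:` list starts and continues outside this hunk, so the other `uses:` lines in the job are only partly visible.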
@@ -55,26 +72,31 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/scpcatools + images: | + ${{ env.GH_REGISTRY }}/${{ env.GH_REGISTRY_USER }}/scpcatools + ${{ env.AWS_REGISTRY }}/${{ env.AWS_PREFIX }}/scpcatools tags: | type=semver,pattern={{raw}} type=edge,branch=main type=ref,event=pr - name: Build full image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: tags: ${{ steps.meta.outputs.tags }} push: ${{ github.event_name == 'push' }} - cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/scpcatools:buildcache - cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/scpcatools:buildcache,mode=max + cache-from: type=registry,ref=${{ env.GH_REGISTRY }}/${{ env.GH_REGISTRY_USER }}/scpcatools:buildcache + cache-to: type=registry,ref=${{ env.GH_REGISTRY }}/${{ env.GH_REGISTRY_USER }}/scpcatools:buildcache,mode=max build_push_matrix: runs-on: ubuntu-22.04 + environment: ${{ github.event_name == 'push' && 'prod' || '' }} needs: build_push_full permissions: contents: read packages: write + id-token: write + strategy: fail-fast: false matrix: @@ -83,16 +105,20 @@ jobs: image_name: scpcatools-slim - target: anndata image_name: scpcatools-anndata + - target: reports + image_name: scpcatools-reports - target: scvi image_name: scpcatools-scvi - - target: scimilarity - image_name: scpcatools-scimilarity - target: reports image_name: scpcatools-reports - target: seurat image_name: scpcatools-seurat + - target: scvi + image_name: scpcatools-scvi - target: infercnv image_name: scpcatools-infercnv + - target: scimilarity + image_name: scpcatools-scimilarity steps: - name: Clear space 
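Review bot: `cache-to` in the "Build full image" step is not gated on the event, so runs that do not push images still write to the shared `scpcatools:buildcache` ref. With this change, push builds that import that ref through `cache-from` also publish to ECR under the `prod` environment, so the cache is now an input to production images; the matrix job imports the same ref in the `@@ -136,4 +177,4 @@` hunk. Consider exporting the cache only on push, or giving non-push builds a separate cache ref, for example `cache-to: ${{ github.event_name == 'push' && format('type=registry,ref={0}/{1}/scpcatools:buildcache,mode=max', env.GH_REGISTRY, env.GH_REGISTRY_USER) || '' }}`. The workflow's `on:` block is outside the visible lines, so the exact set of non-push triggers should be confirmed.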
@@ -110,13 +136,26 @@ jobs: /usr/local/share/powershell \ /opt/hostedtoolcache + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + if: ${{ github.event_name == 'push' }} + with: + role-to-assume: arn:aws:iam::997241705947:role/gha-ecr-access-role + role-session-name: githubActionSession-${{ matrix.image_name }} + aws-region: us-east-1 + + - name: Log in to Amazon ECR + if: ${{ github.event_name == 'push' }} + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Docker login uses: docker/login-action@v3 with: - registry: ${{ env.REGISTRY }} + registry: ${{ env.GH_REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} @@ -124,7 +163,9 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/${{ matrix.image_name }} + images: | + ${{ env.GH_REGISTRY }}/${{ env.GH_REGISTRY_USER }}/${{ matrix.image_name }} + ${{ env.AWS_REGISTRY }}/${{ env.AWS_PREFIX }}/${{ matrix.image_name }} tags: | type=semver,pattern={{raw}} type=edge,branch=main @@ -136,4 +177,4 @@ jobs: push: ${{ github.event_name == 'push' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.REGISTRY_USER }}/scpcatools:buildcache + cache-from: type=registry,ref=${{ env.GH_REGISTRY }}/${{ env.GH_REGISTRY_USER }}/scpcatools:buildcache From acf71ba37a184bc59f50df35c9f1c9eabec7706c Mon Sep 17 00:00:00 2001 From: Joshua Shapiro Date: Thu, 23 Oct 2025 15:18:45 -0400 Subject: [PATCH 2/2] make matrix alphabetical --- .github/workflows/build-docker.yaml | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build-docker.yaml b/.github/workflows/build-docker.yaml index b58333f..0090152 100644 --- a/.github/workflows/build-docker.yaml +++ b/.github/workflows/build-docker.yaml 
@@ -101,24 +101,20 @@ jobs: fail-fast: false matrix: include: - - target: slim - image_name: scpcatools-slim - target: anndata image_name: scpcatools-anndata + - target: infercnv + image_name: scpcatools-infercnv - target: reports image_name: scpcatools-reports + - target: scimilarity + image_name: scpcatools-scimilarity - target: scvi image_name: scpcatools-scvi - - target: reports - image_name: scpcatools-reports - target: seurat image_name: scpcatools-seurat - - target: scvi - image_name: scpcatools-scvi - - target: infercnv - image_name: scpcatools-infercnv - - target: scimilarity - image_name: scpcatools-scimilarity + - target: slim + image_name: scpcatools-slim steps: - name: Clear space @@ -152,7 +148,7 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Docker login + - name: Docker login GHCR uses: docker/login-action@v3 with: registry: ${{ env.GH_REGISTRY }}