ci: use deploy-ecr for production image publish

[drernie]

Summary

Migrates .github/workflows/prod.yml to the unified deploy-ecr action on quiltdata/gh-actions/deploy-ecr@deploy-ecr.

Behavior preserved:

• image name remains quiltdata/benchling
• push target remains Prod only
• the workflow still pushes both the checked-out HEAD SHA tag and latest
• Docker build remains linux/amd64
• VERSION=<git sha> is still passed as a Docker build arg
• validation still checks the SHA image and the latest tag

Notes

This follows the migration plan in 07-unify-deploy-ecr.md. _VERSIONS keys were not found in this repo; image name was preserved from the existing workflow ECR URI.

The previous workflow only built, pushed, and validated the image; it did not run aws ecs update-service, so this PR does not add cluster_name / service_name deployment inputs.

Validation

• Parsed workflow YAML with Ruby YAML.load_file
• git diff --check HEAD~1..HEAD

Greptile Summary

This PR replaces the manual build/push steps in prod.yml with the unified quiltdata/gh-actions/deploy-ecr@deploy-ecr composite action, preserving the image name, platform, build args, and tags.

• The explicit aws-actions/configure-aws-credentials step was removed from build-and-push with no role_to_assume or equivalent input passed to the deploy-ecr action — if the action does not handle OIDC auth internally, the ECR push will fail.

Confidence Score: 3/5

Hold for confirmation that deploy-ecr handles OIDC authentication internally before merging.

A P1 finding exists: the explicit AWS credential step was removed from the build job and no role ARN is passed to the deploy-ecr action. If the action requires pre-configured credentials, the workflow will fail on every push to main.

.github/workflows/prod.yml — specifically the build-and-push job and its credential setup

Important Files Changed

Filename	Overview
.github/workflows/prod.yml	Migrates build/push to the unified deploy-ecr action; removes explicit AWS credential configuration from the build job without passing equivalent inputs to the action, which may cause ECR auth failure

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant DE as deploy-ecr action
    participant ECR as AWS ECR (Prod)
    participant V as validate job

    GH->>GH: Checkout & Extract git SHA
    GH->>GH: Set up Python / uv
    GH->>GH: Set up Docker Buildx
    GH->>DE: uses: deploy-ecr (image_name, build_args, push_targets=prod)
    Note over DE,ECR: AWS auth handled internally?
    DE->>ECR: docker build & push (SHA tag + latest)
    DE-->>GH: outputs.image_uri_prod
    GH->>GH: Record IMAGE_URI_LATEST (hardcoded account ID)
    GH->>V: needs: build-and-push (image_uri_sha, git_sha)
    V->>ECR: Pull & validate image (architecture + startup)

Loading

_{Reviews (1): Last reviewed commit: "Use deploy-ecr for production image publ..." | Re-trigger Greptile}

Greptile also left 2 inline comments on this PR.

[greptile-apps]

AWS credentials missing in build-and-push job

The aws-actions/configure-aws-credentials step (with role-to-assume: arn:aws:iam::730278974607:role/github/GitHub-benchling-webhook) was removed from this job, and no equivalent credential inputs (e.g. role_to_assume, aws_region) are passed to the deploy-ecr action. If the action doesn't configure OIDC authentication internally, the ECR push will fail with an auth error. The id-token: write permission is still declared, but the workflow no longer wires any role ARN into the build-and-push job context.

[greptile-apps]

Action pinned to mutable branch, not a commit SHA

quiltdata/gh-actions/deploy-ecr@deploy-ecr references a branch name rather than an immutable commit SHA. If the branch is force-pushed or compromised, this workflow will silently run the new (potentially malicious) action code. Pin to a specific commit SHA, e.g.:

uses: quiltdata/gh-actions/deploy-ecr@<commit-sha>

[drernie]

Closing — branch is a workspace shim used to repin against quiltdata/gh-actions/docker-build-publish; not intended to merge. Branch retained for ad-hoc dispatches.