From 58496f33cb3ed30206c741b651e68d6f54220174 Mon Sep 17 00:00:00 2001
From: "Dr. Ernie Prabhakar"
Date: Tue, 28 Apr 2026 23:13:03 -0700
Subject: [PATCH 1/2] Use deploy-ecr for production image publish
---
 .github/workflows/prod.yml | 41 ++++++++++++++++----------------------
 1 file changed, 17 insertions(+), 24 deletions(-)
diff --git a/.github/workflows/prod.yml b/.github/workflows/prod.yml
index 1b2019dd..eaae91ab 100644
--- a/.github/workflows/prod.yml
+++ b/.github/workflows/prod.yml
@@ -19,7 +19,7 @@ jobs:
 runs-on: ubuntu-latest
 outputs:
- image_uri_sha: ${{ steps.image.outputs.IMAGE_URI_SHA }}
+ image_uri_sha: ${{ steps.deploy.outputs.image_uri_prod }}
 image_uri_latest: ${{ steps.image.outputs.IMAGE_URI_LATEST }}
 git_sha: ${{ steps.git.outputs.GIT_SHA }}
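Review bot: The job output keeps the name `image_uri_sha` but now carries `steps.deploy.outputs.image_uri_prod`, and nothing in this patch shows that this value is a per-commit reference: in the later hunk `VERSION` is passed only as a build arg and the only tag input is `additional_tags: '["latest"]'`. If the validate job treats this output as the immutable image for the commit, that assumption should be confirmed against the action and written down above the line, for example `# image_uri_prod: per-commit URI from the publish action (SHA tag or digest), never :latest`. The `outputs` mapping and the rest of the job continue outside the hunk.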
@@ -50,38 +50,31 @@ jobs: working-directory: docker run: uv sync --all-extras - - name: Configure AWS credentials (OIDC) - uses: aws-actions/configure-aws-credentials@v6 - with: - role-to-assume: arn:aws:iam::730278974607:role/github/GitHub-benchling-webhook - aws-region: us-east-1 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v4 with: platforms: linux/amd64 - name: Build and push Docker image - working-directory: docker - run: make push-ci VERSION=${{ steps.git.outputs.GIT_SHA }} - env: - DOCKER_DEFAULT_PLATFORM: linux/amd64 - AWS_REGION: us-east-1 - - - name: Get Docker image URIs + id: deploy + uses: quiltdata/gh-actions/deploy-ecr@deploy-ecr + with: + dockerfile_path: docker/Dockerfile + docker_context_path: docker + docker_platform: linux/amd64 + build_args: | + VERSION=${{ steps.git.outputs.GIT_SHA }} + image_name: quiltdata/benchling + additional_tags: '["latest"]' + push_targets: '["prod"]' + + - name: Record Docker image URIs id: image run: | - AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) - GIT_SHA="${{ steps.git.outputs.GIT_SHA }}" - IMAGE_URI_SHA="${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/quiltdata/benchling:${GIT_SHA}" - IMAGE_URI_LATEST="${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/quiltdata/benchling:latest" - - echo "IMAGE_URI_SHA=$IMAGE_URI_SHA" >> $GITHUB_OUTPUT - echo "IMAGE_URI_LATEST=$IMAGE_URI_LATEST" >> $GITHUB_OUTPUT - + echo "IMAGE_URI_LATEST=730278974607.dkr.ecr.us-east-1.amazonaws.com/quiltdata/benchling:latest" >> "$GITHUB_OUTPUT" echo "Docker Images:" - echo " SHA: $IMAGE_URI_SHA" - echo " Latest: $IMAGE_URI_LATEST" + echo " SHA: ${{ steps.deploy.outputs.image_uri_prod }}" + echo " Latest: 730278974607.dkr.ecr.us-east-1.amazonaws.com/quiltdata/benchling:latest" validate: name: Validate Production Image From ddbaa0344fe46b9421fcfffce1c3589ddf4846e5 Mon Sep 17 00:00:00 2001 
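Review bot: The new `uses: quiltdata/gh-actions/deploy-ecr@deploy-ecr` step is pinned to a named ref rather than a commit SHA, and PATCH 2/2 keeps the same pattern with `docker-build-publish@docker-build-publish`. Because this hunk also removes the explicit `configure-aws-credentials` step, the action presumably assumes the AWS role itself and pushes the production image, so any later change to that ref runs with production registry access without a change to this workflow. Pin it to a full commit SHA and keep the name as a trailing comment, for example `uses: quiltdata/gh-actions/docker-build-publish@<full-commit-sha>  # docker-build-publish`. Whether the job still grants `id-token: write` is not visible here; it is worth confirming that the permission is scoped to this job only.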
From: "Dr. Ernie Prabhakar"
Date: Wed, 29 Apr 2026 09:01:02 -0700
Subject: [PATCH 2/2] ci: repin gh-actions reference to docker-build-publish
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/prod.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/prod.yml b/.github/workflows/prod.yml
index eaae91ab..93312743 100644
--- a/.github/workflows/prod.yml
+++ b/.github/workflows/prod.yml
@@ -57,7 +57,7 @@ jobs:
 - name: Build and push Docker image
 id: deploy
- uses: quiltdata/gh-actions/deploy-ecr@deploy-ecr
+ uses: quiltdata/gh-actions/docker-build-publish@docker-build-publish
 with:
 dockerfile_path: docker/Dockerfile
 docker_context_path: docker