fix: KEEP-293 tolerate missing ECR credentials for Dependabot PR builds #906

Merged
suisuss merged 1 commit into staging from fix/KEEP-293-dependabot-pr-build-ecr
Apr 21, 2026

Conversation


@suisuss suisuss commented Apr 21, 2026

Summary

The build job in pr-checks.yml has failed on every Dependabot-authored PR since KEEP-266 + KEEP-267 landed (2026-04-17) because the job requires AWS/ECR credentials that Dependabot workflow runs cannot access.

Fix:

  • .github/workflows/pr-checks.yml: skip Configure AWS credentials and Login to AWS ECR steps when github.actor == 'dependabot[bot]'. ECR_REGISTRY env var then arrives empty at the bake step.
  • docker-bake.hcl: guard tags, cache-from, cache-to on the app target with ECR_REGISTRY != "". Empty registry -> no tags, no cache, pure Dockerfile validation build.

Only the app target is modified because the PR CI build job only builds the app target. Deploy/release workflows that build the other targets (migrator, workflow-runner, etc.) always have ECR credentials, so those targets are untouched.

Root cause

Before KEEP-267, PR CI ran pnpm build (no AWS needed) and Dependabot PRs worked. KEEP-267 replaced it with docker buildx bake + ECR cache, which requires secrets.TO_AWS_ACCESS_KEY_ID / TO_AWS_SECRET_ACCESS_KEY — both scoped to the staging environment. GitHub deliberately does not expose Actions secrets or environment secrets to Dependabot workflow runs, so both references resolve to empty strings, aws-actions/configure-aws-credentials@v6 exhausts its provider chain, and the job fails with Could not load credentials from any providers.

Regular (human-authored) PRs are unaffected — they have normal environment access and the build job passes (e.g., #905).

First visible failure: #889 (dompurify bump in docs-site). Ticket: KEEP-293.

Tradeoff

Dependabot validation runs without registry build cache -- full cold build, ~5-10 min. Acceptable for correctness.

Test plan

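The bake-file guard the description refers to, written out as an added illustration rather than the repository's own docker-bake.hcl. The image repository name `app`, the `buildcache` ref suffix, the `IMAGE_TAG` variable and the Dockerfile path are assumptions; the workflow side is the `if: github.actor != 'dependabot[bot]'` condition on the credential and login steps, which leaves `ECR_REGISTRY` empty for Dependabot runs.

```hcl
# Illustrative docker-bake.hcl fragment (not the project's file).
# ECR_REGISTRY is exported by the workflow after the ECR login step.
# On Dependabot-authored PRs that step is skipped, so the variable
# arrives as "" and every registry-dependent attribute collapses to [].
variable "ECR_REGISTRY" {
  default = ""
}

# Assumed: tag to apply when a registry is present.
variable "IMAGE_TAG" {
  default = "dev"
}

target "app" {
  context    = "."
  dockerfile = "Dockerfile"   # assumed path

  # No registry -> no tags: the result is a pure Dockerfile validation build.
  tags = ECR_REGISTRY != "" ? ["${ECR_REGISTRY}/app:${IMAGE_TAG}"] : []

  # No registry -> no cache import, so the build never tries to pull
  # from ECR with credentials it does not have.
  cache-from = ECR_REGISTRY != "" ? [
    "type=registry,ref=${ECR_REGISTRY}/app:buildcache"
  ] : []

  # No registry -> no cache export either; unauthenticated runs cannot
  # and should not write to the shared cache.
  cache-to = ECR_REGISTRY != "" ? [
    "type=registry,ref=${ECR_REGISTRY}/app:buildcache,mode=max"
  ] : []
}
```

Running `docker buildx bake --print app` with `ECR_REGISTRY` unset shows the resolved target with empty `tags`, `cache-from` and `cache-to` lists, which is a cheap way to confirm the guard locally before relying on it in CI.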
@suisuss suisuss merged commit e3ea437 into staging Apr 21, 2026
24 checks passed
@suisuss suisuss deleted the fix/KEEP-293-dependabot-pr-build-ecr branch April 21, 2026 04:56
@github-actions

🧹 PR Environment Cleaned Up

The PR environment has been successfully deleted.

Deleted Resources:

  • Namespace: pr-906
  • All Helm releases (Keeperhub, Scheduler, Event services)
  • PostgreSQL Database (including data)
  • LocalStack, Redis
  • All associated secrets and configs

All resources have been cleaned up and will no longer incur costs.

@github-actions

ℹ️ No PR Environment to Clean Up

No PR environment was found for this PR. This is expected if:

  • The PR never had the deploy-pr-environment label
  • The environment was already cleaned up
  • The deployment never completed successfully
