Skip to main content

Choose Your Method

For manual builds, see Deploy - AWS Setup. ECR tokens expire after 12 hours.

PR Validation

Every PR runs automatic validation. The workflow is in .github/workflows/validate.yml:
This checks formatting, tests, and types before merging. PR validation workflow

DockerHub with GitHub

Build and push images on GitHub release. Workflow: .github/workflows/docker-images.yml
1

Create Docker Access Token

Go to Docker Hub Settings → Security and create an access token.Docker Hub access token
2

Add GitHub Secrets

In your GitHub repo, go to Settings → Secrets and variables → Actions.Add these secrets:Add this variable:GitHub Actions secrets configuration
3

Trigger a Release

The workflow builds and pushes your-namespace/agentos-template:dev and :prd tags.GitHub Actions Docker build workflow

ECR with GitHub OIDC

Build and push to ECR using OpenID Connect. No IAM access keys stored in GitHub. Workflow: .github/workflows/ecr-images.yml

Set Up OIDC Provider

1

Add OIDC Identity Provider

  1. Open IAM Console → Identity providersAdd provider
  2. Provider type: OpenID Connect
  3. Provider URL: https://token.actions.githubusercontent.com
  4. Click Get thumbprint
  5. Audience: sts.amazonaws.com
AWS IAM OIDC Provider configuration
2

Create IAM Role

  1. After adding the provider, click Assign roleCreate a new role
Assign role to OIDC provider
  1. Select Create a new role
Create new IAM role
  1. Confirm Web identity is selected as trusted entity, Identity provider shows GitHub, and Audience is sts.amazonaws.com
Configure trusted entity
  1. Add permission: AmazonEC2ContainerRegistryPowerUser
  2. Role name: GithubActionsRole
  3. Copy the Role ARN (format: arn:aws:iam::[ACCOUNT_ID]:role/GithubActionsRole)
GitHub Actions IAM Role
3

Update Workflow File

Edit .github/workflows/ecr-images.yml:
4

Change Trigger to Release

The workflow defaults to workflow_dispatch (manual trigger). To trigger on release:
If using ECR, disable the DockerHub workflow by changing its trigger:
5

Trigger Build

Or trigger manually:
GitHub Actions ECR build workflow
Why OIDC? GitHub Actions requests a temporary token from AWS instead of using stored credentials. More secure, no credential rotation needed.

After CI/CD Builds

After a new image is pushed, update your ECS deployment:
This triggers a new deployment with the latest image.