Choose Your Method
For manual builds, see Deploy - AWS
Setup. ECR
tokens expire after 12 hours.
PR Validation
Every PR runs automatic validation. The workflow is in.github/workflows/validate.yml:

DockerHub with GitHub
Build and push images on GitHub release. Workflow:.github/workflows/docker-images.yml
1
Create Docker Access Token
Go to Docker Hub Settings → Security and create an access token.

2
Add GitHub Secrets
In your GitHub repo, go to Settings → Secrets and variables → Actions.Add these secrets:
Add this variable:

3
Trigger a Release
your-namespace/agentos-template:dev and :prd tags.
ECR with GitHub OIDC
Build and push to ECR using OpenID Connect. No IAM access keys stored in GitHub. Workflow:.github/workflows/ecr-images.yml
Set Up OIDC Provider
1
Add OIDC Identity Provider
- Open IAM Console → Identity providers → Add provider
- Provider type: OpenID Connect
- Provider URL:
https://token.actions.githubusercontent.com - Click Get thumbprint
- Audience:
sts.amazonaws.com

2
Create IAM Role
- After adding the provider, click Assign role → Create a new role

- Select Create a new role

- Confirm Web identity is selected as trusted entity, Identity provider shows GitHub, and Audience is
sts.amazonaws.com

- Add permission:
AmazonEC2ContainerRegistryPowerUser - Role name:
GithubActionsRole - Copy the Role ARN (format:
arn:aws:iam::[ACCOUNT_ID]:role/GithubActionsRole)

3
Update Workflow File
Edit
.github/workflows/ecr-images.yml:4
Change Trigger to Release
The workflow defaults to If using ECR, disable the DockerHub workflow by changing its trigger:
workflow_dispatch (manual trigger). To trigger on release:5
Trigger Build

Why OIDC? GitHub Actions requests a temporary token from AWS instead of
using stored credentials. More secure, no credential rotation needed.