@ossy/deployment-tools 0.0.107 → 1.0.1

package/CHANGELOG.md

@@ -3,7 +3,7 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
-## 0.0.107 (2026-03-29)
+## 1.0.1 (2026-04-05)
 
 **Note:** Version bump only for package @ossy/deployment-tools
 
@@ -11,7 +11,15 @@ See [Conventional Commits](https://conventionalcommits.org) for commit guideline
 
 
 
-## 0.0.106 (2026-03-29)
+## 0.0.107 (2026-04-05)
+
+**Note:** Version bump only for package @ossy/deployment-tools
+
+
+
+
+
+## 0.0.106 (2026-04-05)
 
 **Note:** Version bump only for package @ossy/deployment-tools
 

package/README.md

@@ -1,7 +1,7 @@
 # @ossy/deployment-tools
 
 Collection of scripts and tools to aid deployment of
-containers and static files to Amazon Web Services through GitHub Actions.
+containers and static files to Amazon Web Services (typically from CI).
 
 ## Server
 
@@ -30,12 +30,12 @@ The first argument after the package name is the **handler** (`deployment`). Com
 
 Deployments are read from a **glob** of JSON files (e.g. `deployments.json`), and platform definitions from a **platforms** JSON file. Domain and platform for a given site are **not** taken from `ossy.json`; they live in those deployment records (and, in app workflows, mirror **`domain` / `platform` in `src/config.js`** when you use **`@ossy/cli publish`**).
 
+**Container images must live in Amazon ECR.** Each `CONTAINER` row needs a **`registry`** field with your ECR API endpoint (for example `123456789012.dkr.ecr.eu-north-1.amazonaws.com`). Both the **CLI** (`deployment deploy`) and the **worker** (`server start`) require this. The worker **always** runs **`aws ecr get-login-password | docker login`** before **`docker pull`**, using the host IAM role (or environment AWS credentials). Do not put registry passwords on the queue.
+
 ### deploy (single domain)
 
 ```bash
 npx --yes @ossy/deployment-tools deployment deploy \
-  --username "${{ github.actor }}" \
-  --authentication "${{ secrets.GITHUB_TOKEN }}" \
   --domain example.com \
   --platform my-platform \
   --platforms-path packages/infrastructure/bin/deployment-platforms.json \
@@ -44,8 +44,6 @@ npx --yes @ossy/deployment-tools deployment deploy \
 
 | Flag | Alias | Description |
 |------|--------|-------------|
-| `--username` | `-u` | User recorded on the deployment request |
-| `--authentication` | `-a` | Token used to authorize the request |
 | `--domain` | `-d` | Target site domain (must match an entry under that platform in the deployments glob) |
 | `--platform` | `-p` | Target deployment platform name |
 | `--platforms-path` | `-pp` | Path to platforms JSON (AWS / queue config) |
@@ -55,8 +53,6 @@ npx --yes @ossy/deployment-tools deployment deploy \
 
 ```bash
 npx --yes @ossy/deployment-tools deployment deploy-all \
-  --username "${{ github.actor }}" \
-  --authentication "${{ secrets.GITHUB_TOKEN }}" \
   --platform my-platform \
   --platforms-path packages/infrastructure/bin/deployment-platforms.json \
   --deployments-path "packages/infrastructure/deployments/**/*.json"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ossy/deployment-tools",
-  "version": "0.0.107",
+  "version": "1.0.1",
   "description": "Collection of scripts and tools to aid deployment of containers and static files to Amazon Web Services through GitHub Actions",
   "source": "./src/index.js",
   "main": "./src/index.js",
@@ -31,5 +31,5 @@
     "jest": "^27.5.1",
     "jsdoc": "^4.0.2"
   },
-  "gitHead": "280ce1f62d7daf721909ac5eabe4181991e00456"
+  "gitHead": "e5276fdb5dedf68b966d851077461b188c613241"
 }

package/src/deploy/cli.js

@@ -7,12 +7,6 @@ const deploy = options => {
   logInfo({ message: '[CLI] Running deploy command' })
 
   const parsedArgs = arg({
-    '--username': String,
-    '-u': '--username',
-
-    '--authentication': String,
-    '-a': '--authentication',
-
     '--domain': String,
     '-d': '--domain',
 
@@ -25,12 +19,9 @@ const deploy = options => {
     '--deployments-path': String,
     '-dp': '--deployments-path',
 
-
   }, { argv: options })
 
   PlatformDeploymentService.deploy({
-    username: parsedArgs['--username'],
-    authentication: parsedArgs['--authentication'],
     targetDomain: parsedArgs['--domain'],
     targetPlatform: parsedArgs['--platform'],
     pathToPlatformTemplates: parsedArgs['--platforms-path'],
@@ -42,12 +33,6 @@ const deployAll = options => {
   logInfo({ message: '[CLI] Running deploy-all command' })
 
   const parsedArgs = arg({
-    '--username': String,
-    '-u': '--username',
-
-    '--authentication': String,
-    '-a': '--authentication',
-
     '--platform': String,
     '-p': '--platform',
 
@@ -57,12 +42,9 @@ const deployAll = options => {
     '--deployments-path': String,
     '-dp': '--deployments-path',
 
-
   }, { argv: options })
 
   PlatformDeploymentService.deployAll({
-    username: parsedArgs['--username'],
-    authentication: parsedArgs['--authentication'],
     targetPlatform: parsedArgs['--platform'],
     pathToPlatformTemplates: parsedArgs['--platforms-path'],
     pathToDeploymentTemplates: parsedArgs['--deployments-path']

package/src/deploy/platform-deployment.js

@@ -1,16 +1,28 @@
 const { PlatformTemplateService, DeploymentTemplateService } = require('../template')
 const { PlatformConfigService, SupportedDeploymentTypes } = require('../config')
 const { DeploymentQueueService } = require('../deployment-queue')
+const { DockerService } = require('../docker/docker-service')
 const { logError } = require('../log')
 
+function assertEcrContainer(deploymentTemplate) {
+  const r = deploymentTemplate.registry
+  if (!r || !DockerService.isEcrRegistry(r)) {
+    logError({
+      message:
+        `[PlatformDeploymentService] ${deploymentTemplate.domain}: container deployments only support Amazon ECR. ` +
+        'Set `registry` in deployments JSON to your ECR hostname (e.g. 123456789012.dkr.ecr.eu-north-1.amazonaws.com).'
+    })
+    return false
+  }
+  return true
+}
+
 /**
   * @class
 */
 class PlatformDeploymentService {
 
   static deploy({
-    username,
-    authentication,
     targetDomain,
     targetPlatform,
     pathToPlatformTemplates,
@@ -41,13 +53,12 @@ class PlatformDeploymentService {
         process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
 
         if (deploymentTemplate.type === SupportedDeploymentTypes.Container) {
-
-          const deploymentRequest = {
-            ...deploymentTemplate,
-            username: username,
-            authentication: authentication,
+          if (!assertEcrContainer(deploymentTemplate)) {
+            return Promise.reject()
           }
 
+          const deploymentRequest = { ...deploymentTemplate }
+
           return DeploymentQueueService.sendDeploymentRequest(platformConfig, deploymentRequest)
         }
 
@@ -58,9 +69,6 @@ class PlatformDeploymentService {
   }
 
   static deployAll({
-    username,
-    authentication,
-    targetDomain,
     targetPlatform,
     pathToPlatformTemplates,
     pathToDeploymentTemplates
@@ -82,7 +90,7 @@ class PlatformDeploymentService {
         }
 
         if (deploymentTemplatesForTargetPlatform.length === 0) {
-          logError({ message: `[PlatformDeploymentService] Could not find a deployment template for ${targetDomain} in ${targetPlatform}` })
+          logError({ message: `[PlatformDeploymentService] Could not find any deployment templates for platform ${targetPlatform}` })
           return Promise.reject()
         }
 
@@ -90,13 +98,12 @@ class PlatformDeploymentService {
 
         return deploymentTemplatesForTargetPlatform.map(deploymentTemplate => {
           if (deploymentTemplate.type === SupportedDeploymentTypes.Container) {
-
-            const deploymentRequest = {
-              ...deploymentTemplate,
-              username: username,
-              authentication: authentication,
+            if (!assertEcrContainer(deploymentTemplate)) {
+              return Promise.reject()
             }
 
+            const deploymentRequest = { ...deploymentTemplate }
+
             return DeploymentQueueService.sendDeploymentRequest(platformConfig, deploymentRequest)
           }
 

package/src/docker/docker-service.js

@@ -15,6 +15,29 @@ const exec = command => new Promise((resolve, reject) => {
 */
 class DockerService {
 
+  static isEcrRegistry(registry) {
+    return (
+      typeof registry === 'string' &&
+      registry.includes('.dkr.ecr.') &&
+      registry.includes('amazonaws.com')
+    )
+  }
+
+  /**
+   * Log in to ECR using the host credentials (EC2 instance profile, env keys, etc.).
+   * Requires AWS CLI v2 on the worker (`aws ecr get-login-password`).
+   */
+  static ecrLoginViaAwsCli(registry) {
+    const m =
+      typeof registry === 'string' &&
+      registry.match(/\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com/)
+    const region = (m && m[1]) || process.env.AWS_DEFAULT_REGION || 'eu-north-1'
+    logInfo({ message: `[DockerService] ECR login via IAM for ${registry} (region ${region})` })
+    return exec(
+      `bash -c 'aws ecr get-login-password --region ${region} | docker login --username AWS --password-stdin ${registry}'`
+    ).catch(logErrorAndReject(`[DockerService] Could not IAM-login to ECR ${registry}`))
+  }
+
   static startDefaultContainers(platformConfig) {
     logInfo({ message: '[DockerService] Starting default containers' })
     return exec(`docker run -d --name=mongodb --network=${platformConfig.ciDockerNetworkName} --network-alias=mongodb --rm mongo`)
@@ -72,17 +95,15 @@ class DockerService {
       
   }
 
-  static resolveCredentials({ registry, username, authentication }) {
-    const shouldAuthenticate = username || authentication
-
-    shouldAuthenticate
-      ? logInfo({ message: '[DockerService] Docker credentials provided, logging in to private repository' })
-      : logInfo({ message: '[DockerService] No docker credentials provided, assuming image is publicly hosted' })
-
-    return !shouldAuthenticate
-      ? Promise.resolve()
-      : exec(`docker login ${registry} -u ${username} -p ${authentication}`)
-        .catch(logErrorAndReject(`[DockerService] Could not authenticate with ${registry}`))
+  static resolveCredentials({ registry }) {
+    if (!DockerService.isEcrRegistry(registry)) {
+      return Promise.reject(
+        new Error(
+          `[DockerService] Only Amazon ECR is supported; registry was: ${registry ?? '(missing)'}`
+        )
+      )
+    }
+    return DockerService.ecrLoginViaAwsCli(registry)
   }
 
   static deploy(platformConfig, deploymentRequest) {

package/src/infrastructure/cli.js

@@ -5,6 +5,7 @@ const { TrustCiStack } = require('./trust-ci-stack')
 const { DeploymentTargetStack } = require('./deployment-target-stack')
 const { DnsStack } = require('./dns-stack')
 const { SesStack } = require('./ses-stack')
+const { EcrStack } = require('./ecr-stack')
 const { PlatformTemplateService, DeploymentTemplateService } = require('../template')
 const { PlatformConfigService } = require('../config')
 
@@ -28,6 +29,10 @@ Promise.all([
       }
 
       new TrustCiStack(app, `${config.platformName}-trust-ci`, stackProps)
+      new EcrStack(app, `${config.platformName}-ecr`, {
+        ...stackProps,
+        deployments: deploymentMap[config.platformName] || []
+      })
 
       const deploymentTarget = new DeploymentTargetStack(app, `${config.platformName}-deployment-target`, stackProps)
 

package/src/infrastructure/container-deployment-target/container-deployment-target.js

@@ -106,6 +106,16 @@ class ContainerDeploymentTarget extends Construct {
             'route53:ListHostedZones'
           ],
           resources: ['*']
+        }),
+        new PolicyStatement({
+          effect: Effect.ALLOW,
+          actions: [
+            'ecr:GetAuthorizationToken',
+            'ecr:BatchGetImage',
+            'ecr:GetDownloadUrlForLayer',
+            'ecr:BatchCheckLayerAvailability'
+          ],
+          resources: ['*']
         })
       ]
     }))

package/src/infrastructure/ecr-stack.js

@@ -0,0 +1,53 @@
+const { Stack, RemovalPolicy } = require('aws-cdk-lib')
+const { Repository, TagStatus } = require('aws-cdk-lib/aws-ecr')
+const { SupportedDeploymentTypes } = require('../config')
+
+/**
+ * EcrStackProps
+ * @typedef {Object} EcrStackProps
+ * @property {PlatformConfig} config - platform config
+ * @property {DeploymentTemplate[]} deployments - deployment templates
+ */
+
+/**
+ * Creates one ECR repository per unique container image name.
+ * @class
+ */
+class EcrStack extends Stack {
+
+  /**
+   * @param {object} scope
+   * @param {string} id
+   * @param {EcrStackProps} props
+   */
+  constructor(scope, id, props) {
+    super(scope, id, props)
+
+    const deployments = props.deployments || []
+    const repositoryNames = [...new Set(
+      deployments
+        .filter(deployment => deployment.type === SupportedDeploymentTypes.Container)
+        .map(deployment => deployment.image)
+        .filter(Boolean)
+    )]
+
+    repositoryNames.forEach(repositoryName => {
+      new Repository(this, `${repositoryName.replace(/[^A-Za-z0-9]/g, '-')}-repository`, {
+        repositoryName,
+        removalPolicy: RemovalPolicy.RETAIN,
+        imageScanOnPush: true,
+        lifecycleRules: [
+          {
+            description: 'Keep latest 5 tagged images',
+            maxImageCount: 5,
+            tagStatus: TagStatus.TAGGED
+          }
+        ]
+      })
+    })
+  }
+}
+
+module.exports = {
+  EcrStack
+}

package/src/template/deployment-template.js

@@ -33,7 +33,6 @@ class DeploymentTemplateService {
            .flatMap(json => JSON.parse(json))
            .map(deploymentTemplate => ({
              containerPort: '3000',
-             registry: 'ghcr.io',
              ...deploymentTemplate
            }))
            .reduce((deploymentsMap, deployment) => {