
Choose Your Method

| Method | When to Use | Setup Effort |
| --- | --- | --- |
| Manual builds | Small teams, infrequent deploys | Low |
| DockerHub + GitHub | Using DockerHub, simpler setup | Medium |
| ECR + GitHub OIDC | Using ECR, no stored credentials | Higher |
For manual builds, see Getting Started - AWS Setup. ECR tokens expire after 12 hours.

PR Validation

Every PR runs automatic validation. The workflow is in .github/workflows/validate.yml:

```yaml
# Runs on every PR
on:
  pull_request:
```

This checks formatting, tests, and types before merging.

[Screenshot: PR validation workflow]

DockerHub with GitHub

Build and push images on GitHub release. Workflow: .github/workflows/docker-images.yml
Step 1: Create Docker Access Token

Go to Docker Hub Settings → Security and create an access token.

[Screenshot: Docker Hub access token]
Step 2: Add GitHub Secrets

In your GitHub repo, go to Settings → Secrets and variables → Actions. Add these secrets:

| Name | Value |
| --- | --- |
| DOCKERHUB_USERNAME | Your Docker Hub username |
| DOCKERHUB_TOKEN | The access token from Step 1 |

Add this variable:

| Name | Value |
| --- | --- |
| DOCKERHUB_NAMESPACE | Your Docker Hub namespace (usually your username) |

[Screenshot: GitHub Actions secrets configuration]
Step 3: Trigger a Release

```shell
gh release create v0.1.0 --title "v0.1.0" -n ""
```

The workflow builds and pushes your-namespace/agentos-template:dev and :prd tags.

[Screenshot: GitHub Actions Docker build workflow]

ECR with GitHub OIDC

Build and push to ECR using OpenID Connect. No IAM access keys stored in GitHub. Workflow: .github/workflows/ecr-images.yml

Set Up OIDC Provider

Step 1: Add OIDC Identity Provider

  1. Open IAM Console → Identity providers → Add provider
  2. Provider type: OpenID Connect
  3. Provider URL: https://token.actions.githubusercontent.com
  4. Click Get thumbprint
  5. Audience: sts.amazonaws.com

[Screenshot: AWS IAM OIDC Provider configuration]
Step 2: Create IAM Role

  1. After adding the provider, click Assign role
  2. Select Create a new role
  3. Confirm Web identity is selected as trusted entity, Identity provider shows GitHub, and Audience is sts.amazonaws.com
  4. Add permission: AmazonEC2ContainerRegistryPowerUser
  5. Role name: GithubActionsRole
  6. Copy the Role ARN (format: arn:aws:iam::[ACCOUNT_ID]:role/GithubActionsRole)

[Screenshots: Assign role to OIDC provider; Create new IAM role; Configure trusted entity; GitHub Actions IAM Role]
Step 3: Update Workflow File

Edit .github/workflows/ecr-images.yml:

```yaml
env:
  ECR_REPO: [ACCOUNT_ID].dkr.ecr.us-east-1.amazonaws.com
  AWS_ROLE: arn:aws:iam::[ACCOUNT_ID]:role/GithubActionsRole
  AWS_REGION: us-east-1
```
Step 4: Change Trigger to Release

The workflow defaults to workflow_dispatch (manual trigger). To trigger on release:

```yaml
on:
  release:
    types: [published]
```

If using ECR, disable the DockerHub workflow by changing its trigger:

```yaml
# In docker-images.yml
on: workflow_dispatch
```
Step 5: Trigger Build

```shell
gh release create v0.1.0 --title "v0.1.0" -n ""
```

Or trigger manually:

```shell
gh workflow run ecr-images.yml
```

[Screenshot: GitHub Actions ECR build workflow]

Why OIDC? GitHub Actions requests a temporary token from AWS for each run instead of using stored credentials. This is more secure, and there are no long-lived access keys to rotate.
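As an added example, not part of this page or the agentos-template project: a trust policy for GithubActionsRole that limits which GitHub repository and ref may assume it. The console flow in Step 2 may produce a policy that only checks the audience; the sub condition is what stops any other GitHub repository from presenting a valid token to this role. [ACCOUNT_ID], [GITHUB_ORG] and [GITHUB_REPO] are placeholders, and the refs/tags/* pattern assumes the release trigger configured in Step 4.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::[ACCOUNT_ID]:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:[GITHUB_ORG]/[GITHUB_REPO]:ref:refs/tags/*"
        }
      }
    }
  ]
}
```

A manual workflow_dispatch run from the main branch presents sub as repo:[GITHUB_ORG]/[GITHUB_REPO]:ref:refs/heads/main, so add that value to the StringLike list (the condition accepts an array) if you keep the manual trigger.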

After CI/CD Builds

After a new image is pushed, update your ECS deployment:
```shell
ag infra patch prd:aws:::service
```
This triggers a new deployment with the latest image.