From 0b7bb6b0990f8e3a2ce0fcf9410efecd85b833b4 Mon Sep 17 00:00:00 2001
From: bdchatham <bdchatham@gmail.com>
Date: Tue, 19 May 2026 12:34:45 -0700
Subject: [PATCH] ci(ecr): publish seitask-runner image on push to main (PR 8)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Extends the existing publish job with a second build/push step for the
seitask-runner image. The runner is the orchestration container the
Chaos Mesh Workflows in scenarios/ use to apply SeiNodeTask CRs.

Same job, same OIDC role, same ECR login, same buildx setup, same
shared build cache — only an additional build-push step pointing at
runner/Dockerfile with the seitask-runner repo tag.

Both images get the same tag on each push (`<short-sha>` or the manual
`tag` workflow_dispatch input) so the controller + runner pair is
addressable as one logical release.

Prerequisite: the ECR repository `sei/seitask-runner` must exist in
account 189176372795 before this workflow runs (manual one-time setup;
the action does not auto-create repos). Filing as a separate runbook
note in the platform docs.

After this lands, scenarios/README.md's "runner image not yet
auto-published" prerequisite (item 4) can be flipped to:
  registry/sei/seitask-runner:<sha-of-controller-release>
---
 .github/workflows/ecr.yml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ecr.yml b/.github/workflows/ecr.yml
index 27c0c832..21f8f7ee 100644
--- a/.github/workflows/ecr.yml
+++ b/.github/workflows/ecr.yml
@@ -30,7 +30,8 @@ jobs:
 
       - uses: docker/setup-buildx-action@v3
 
-      - uses: docker/build-push-action@v6
+      - name: Build and push controller image
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true
@@ -38,3 +39,19 @@ jobs:
           tags: ${{ steps.ecr-login.outputs.registry }}/sei/sei-k8s-controller:${{ inputs.tag || github.sha }}
           cache-from: type=registry,ref=${{ steps.ecr-login.outputs.registry }}/sei/build-cache:shared
           cache-to: type=registry,ref=${{ steps.ecr-login.outputs.registry }}/sei/build-cache:shared,mode=max
+
+      # The runner image is the orchestration container used by Chaos Mesh
+      # Workflows in scenarios/ — it ships its own per-kind Go text templates
+      # and applies SeiNodeTask CRs via the dynamic client. Built from the
+      # same repo context as the controller; the only difference is the
+      # Dockerfile path.
+      - name: Build and push seitask-runner image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: runner/Dockerfile
+          push: true
+          platforms: linux/amd64
+          tags: ${{ steps.ecr-login.outputs.registry }}/sei/seitask-runner:${{ inputs.tag || github.sha }}
+          cache-from: type=registry,ref=${{ steps.ecr-login.outputs.registry }}/sei/build-cache:shared
+          cache-to: type=registry,ref=${{ steps.ecr-login.outputs.registry }}/sei/build-cache:shared,mode=max