fix(webapp): reconcile ECR default policy on existing repos

ThullyoCunha · ThullyoCunha · commit 18f7bef92fc2 · 2026-04-29T09:41:41.000-03:00
Mirrors how the existing-repo branch already reconciles cache settings.
SetRepositoryPolicy is idempotent, so applying it on every deploy is
safe and covers two recovery cases that the previous version didn't:

1. A previous repo creation succeeded but SetRepositoryPolicy failed
   mid-flight, leaving the repo without a policy. Without
   reconciliation, the existing-repo branch would just return the repo
   and runners would keep getting 403 Forbidden forever — manual
   intervention required.
2. The operator updates DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY
   to grant pull to additional accounts/principals. Existing repos
   need to pick up the new value, not just freshly created ones.

The factored `applyEcrRepositoryPolicy` helper is shared between the
create and reconcile call sites, keeping behavior identical.
diff --git a/apps/webapp/app/v3/getDeploymentImageRef.server.ts b/apps/webapp/app/v3/getDeploymentImageRef.server.ts
@@ -270,19 +270,46 @@ async function createEcrRepository({
   // self-hosters whose ECR account is separate from the account running the
   // EKS workers — without this the workers get 403 Forbidden when pulling the
   // task image (default ECR policy only grants access to the registry owner).
+  // The existing-repo branch of `ensureEcrRepositoryExists` reconciles this
+  // same policy on every call, so a partial-create that fails here is
+  // self-healing on the next deploy.
   if (defaultRepositoryPolicy) {
-    await ecr.send(
-      new SetRepositoryPolicyCommand({
-        repositoryName: result.repository.repositoryName,
-        registryId: result.repository.registryId,
-        policyText: defaultRepositoryPolicy,
-      })
-    );
+    await applyEcrRepositoryPolicy({
+      repositoryName: result.repository.repositoryName!,
+      region,
+      accountId: result.repository.registryId ?? accountId,
+      assumeRole,
+      defaultRepositoryPolicy,
+    });
   }
 
   return result.repository;
 }
 
+async function applyEcrRepositoryPolicy({
+  repositoryName,
+  region,
+  accountId,
+  assumeRole,
+  defaultRepositoryPolicy,
+}: {
+  repositoryName: string;
+  region: string;
+  accountId?: string;
+  assumeRole?: AssumeRoleConfig;
+  defaultRepositoryPolicy: string;
+}): Promise<void> {
+  const ecr = await createEcrClient({ region, assumeRole });
+
+  await ecr.send(
+    new SetRepositoryPolicyCommand({
+      repositoryName,
+      registryId: accountId,
+      policyText: defaultRepositoryPolicy,
+    })
+  );
+}
+
 async function updateEcrRepositoryCacheSettings({
   repositoryName,
   region,
@@ -441,6 +468,31 @@ async function ensureEcrRepositoryExists({
       }
     }
 
+    // Reconcile the default repository policy on every call. Idempotent, and
+    // covers two recovery cases: (1) a previous create succeeded but the
+    // SetRepositoryPolicy call failed mid-flight, leaving the repo without a
+    // policy; (2) the operator updated DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY
+    // and existing repos need to pick up the new value.
+    if (defaultRepositoryPolicy) {
+      const [policyError] = await tryCatch(
+        applyEcrRepositoryPolicy({
+          repositoryName,
+          region,
+          accountId,
+          assumeRole,
+          defaultRepositoryPolicy,
+        })
+      );
+
+      if (policyError) {
+        logger.error("Failed to reconcile ECR repository policy on existing repo", {
+          repositoryName,
+          region,
+          policyError,
+        });
+      }
+    }
+
     return {
       repo: existingRepo,
       repoCreated: false,
