Skip to content

feat(ci): add SHA tagging for automatic ECR cache invalidation#142

Merged
jakebromberg merged 2 commits intomainfrom
feature/ci-test-parallelization
Jan 31, 2026
Merged

feat(ci): add SHA tagging for automatic ECR cache invalidation#142
jakebromberg merged 2 commits intomainfrom
feature/ci-test-parallelization

Conversation

@jakebromberg
Copy link
Member

@jakebromberg jakebromberg commented Jan 31, 2026

Summary

  • Add SHA-based image tagging to automatically detect when ECR cached images are stale
  • Prevents issues where CI uses outdated images that don't include recently merged code (like the /requests endpoint issue)
  • Images are now tagged with sha-{commit_sha} in addition to semver and :latest tags

How it works

  1. On push to main: After tests pass, images are pushed to ECR with both sha-{commit_sha} and :latest tags
  2. On PR: CI calculates the merge-base SHA and tries to pull sha-{merge_base_sha} image first
  3. Fallback: If SHA-tagged image doesn't exist, falls back to :latest (with a warning)
  4. Deploy workflow: Also pushes SHA tags alongside semver tags

Files changed

  • .github/workflows/test.yml - Add merge-base SHA detection, SHA-tagged pulls, ECR push on main
  • .github/workflows/deploy-base.yml - Add SHA tag when pushing to ECR

Test plan

  • Verify merge-base SHA is correctly calculated in PRs
  • Verify images are pushed to ECR with SHA tags on main merge
  • Verify SHA-tagged images are pulled when available
  • Verify fallback to :latest when SHA tag doesn't exist
  • Verify semver tagging still works in deploy workflow

feat(ci): add SHA tagging for automatic ECR cache invalidation
f50c3ee 
Add SHA-based image tagging to automatically detect when ECR cached
images are stale, preventing issues where CI uses outdated images
that don't include recently merged code.

Changes:
- Add merge-base SHA detection in detect-changes job
- Pull images try SHA-tagged version first, fall back to :latest
- Push images to ECR with SHA tags when tests pass on main
- Deploy workflow also pushes SHA tags alongside semver tags

This ensures PRs always use images that contain all code from their
merge-base with main, eliminating the need for manual cache
invalidation via code comments.
@jakebromberg jakebromberg force-pushed the feature/ci-test-parallelization branch from d2f4878 to f50c3ee Compare January 31, 2026 12:54
@jakebromberg jakebromberg merged commit dfa6894 into main Jan 31, 2026
4 checks passed
@jakebromberg jakebromberg deleted the feature/ci-test-parallelization branch January 31, 2026 12:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jakebromberg