Update CI/CD docs - no secrets needed with gha-runner

pbasgod7 · pbasgod7 · commit c2cf8c11a7e0 · 2026-05-12T11:12:21.000-07:00
diff --git a/CI-CD-SETUP.md b/CI-CD-SETUP.md
@@ -2,125 +2,130 @@
 
 This repository includes a GitHub Actions workflow that automatically builds and pushes a Grafana Docker image with the patched Quickwit datasource plugin to ECR.
 
-## Required GitHub Secrets
-
-The workflow requires the following secret to be configured in the repository:
-
-### `AWS_ROLE_ARN`
-AWS IAM Role ARN with permissions to push to ECR.
-
-**Example format**: `arn:aws:iam::337909757619:role/github-actions-ecr-push`
-
-**Required Permissions**:
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "ecr:GetAuthorizationToken",
-        "ecr:BatchCheckLayerAvailability",
-        "ecr:GetDownloadUrlForLayer",
-        "ecr:BatchGetImage",
-        "ecr:PutImage",
-        "ecr:InitiateLayerUpload",
-        "ecr:UploadLayerPart",
-        "ecr:CompleteLayerUpload"
-      ],
-      "Resource": [
-        "arn:aws:ecr:us-east-1:337909757619:repository/grafana-quickwit"
-      ]
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "ecr:GetAuthorizationToken"
-      ],
-      "Resource": "*"
-    }
-  ]
-}
-```
+## Overview
 
-## Setting up the Secret
-
-1. Go to the repository on GitHub: https://github.com/Iterable/quickwit-datasource
-2. Navigate to **Settings** → **Secrets and variables** → **Actions**
-3. Click **New repository secret**
-4. Name: `AWS_ROLE_ARN`
-5. Value: The ARN of your IAM role (e.g., `arn:aws:iam::337909757619:role/github-actions-ecr-push`)
-6. Click **Add secret**
-
-## IAM Role Trust Policy
-
-The IAM role must trust GitHub Actions from the Iterable organization:
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Federated": "arn:aws:iam::337909757619:oidc-provider/token.actions.githubusercontent.com"
-      },
-      "Action": "sts:AssumeRoleWithWebIdentity",
-      "Condition": {
-        "StringEquals": {
-          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
-        },
-        "StringLike": {
-          "token.actions.githubusercontent.com:sub": "repo:Iterable/quickwit-datasource:*"
-        }
-      }
-    }
-  ]
-}
-```
+The workflow uses the **`gha-runner-ecr-publish`** self-hosted runner which already has AWS credentials configured. **No additional secrets are required.**
 
 ## Workflow Triggers
 
-The workflow runs on:
-- **Push** to `disable-field-caps-all-fields` branch
-- **Push** to `main` branch
-- **Tags** matching `v*` pattern
-- **Manual** trigger via workflow_dispatch
-
-## Image Tags
-
-Images are tagged as:
-- `<grafana-version>-quickwit-<plugin-version>-<short-sha>` for branch builds
-- `<grafana-version>-quickwit-<version>` for tag builds
-- `latest` for main branch or tag builds
+The workflow runs and **publishes to ECR** on:
+- **Push** to `disable-field-caps-all-fields` or `main` branches
+- **PR merge** to these branches  
+- **Manual** workflow dispatch with `force_publish` option
 
-**Example**: `12.4.0-quickwit-0.6.0-patched-a1b2c3d`
+The workflow **builds but does not publish** on:
+- Pull request events (for testing)
+- Other branch pushes
 
-## Target ECR Repository
+## Image Details
 
+### Target ECR Repository
 - **Repository**: `grafana-quickwit`
 - **Region**: `us-east-1`
 - **Registry**: `337909757619.dkr.ecr.us-east-1.amazonaws.com`
 
-## Verifying the Workflow
+### Image Tags
+Images are tagged as:
+- `<grafana-version>-quickwit-<plugin-version>-<short-sha>`
+  - Example: `12.4.0-quickwit-0.6.0-patched-a1b2c3d`
+- `latest` (always points to the most recent build)
+
+### Image Contents
+- **Base**: Grafana 12.4.0
+- **Plugin**: Quickwit datasource v0.6.0 (patched to disable field_caps)
+- **Platform**: linux/amd64
+
+## What the Workflow Does
+
+1. **Build Plugin**
+   - Installs Node.js and Go dependencies
+   - Builds frontend (TypeScript → JavaScript)
+   - Builds backend (Go binaries for Linux)
+   - Removes signature files (since plugin is patched)
+   - Packages as ZIP
+
+2. **Build Docker Image**
+   - Creates Dockerfile dynamically
+   - Copies patched plugin into Grafana base image
+   - Configures unsigned plugin loading
+   - Adds metadata labels
+
+3. **Publish to ECR** (conditional)
+   - Authenticates to ECR using runner's AWS credentials
+   - Tags image with git hash and `latest`
+   - Pushes both tags to ECR
+   - Generates build summary
+
+## Running the Workflow
+
+### Automatic (Recommended)
+Just push commits to `disable-field-caps-all-fields` branch:
+```bash
+git push origin disable-field-caps-all-fields
+```
 
-After setting up the secret, the workflow will run automatically on the next push. You can also trigger it manually:
+The workflow will automatically build and push to ECR.
 
-1. Go to **Actions** tab
+### Manual Trigger
+1. Go to the **Actions** tab in GitHub
 2. Select **Build and Push Grafana with Quickwit Plugin**
 3. Click **Run workflow**
-4. Select the branch and click **Run workflow**
+4. Select branch: `disable-field-caps-all-fields`
+5. Check **force_publish** if you want to publish to ECR
+6. Click **Run workflow**
+
+## Verifying the Build
+
+After the workflow completes:
+
+1. **Check GitHub Actions**: The workflow summary will show the published image tags
+2. **Check ECR**: 
+   ```bash
+   aws ecr describe-images \
+     --repository-name grafana-quickwit \
+     --region us-east-1 \
+     --query 'sort_by(imageDetails,& imagePushedAt)[-5:]' \
+     --output table
+   ```
+
+## Using the Image
+
+Once published, reference the image in your deployments:
+
+```yaml
+# Using specific version
+image: 337909757619.dkr.ecr.us-east-1.amazonaws.com/grafana-quickwit:12.4.0-quickwit-0.6.0-patched-a1b2c3d
+
+# Or using latest
+image: 337909757619.dkr.ecr.us-east-1.amazonaws.com/grafana-quickwit:latest
+```
 
 ## Troubleshooting
 
-**Error: Unable to locate credentials**
-- Verify the `AWS_ROLE_ARN` secret is set correctly
-- Check that the IAM role exists and the ARN is correct
+### Build Fails on Plugin Build
+- Check Node.js and Go versions in the workflow match requirements
+- Review build logs for npm or go errors
+
+### Docker Build Fails
+- Verify the Grafana base image version exists
+- Check that plugin ZIP was created successfully
+
+### ECR Push Fails
+- Verify the `gha-runner-ecr-publish` runner has ECR write permissions
+- Check that the ECR repository `grafana-quickwit` exists
+- Verify AWS credentials on the runner are valid
+
+### Workflow Doesn't Trigger
+- Ensure you're pushing to the correct branch
+- Check workflow file syntax in `.github/workflows/build-and-push.yml`
+- Verify GitHub Actions are enabled for the repository
+
+## Comparing with Backstage Setup
 
-**Error: AccessDenied**
-- Verify the IAM role has the correct permissions policy
-- Verify the IAM role's trust policy allows GitHub Actions from this repository
+This workflow follows the same pattern as `Iterable/backstage`:
+- Uses `gha-runner-ecr-publish` runner
+- Authenticates with `aws ecr get-login-password`
+- Conditionally publishes based on event type
+- Generates summary with published tags
 
-**Error: Repository does not exist**
-- Verify the ECR repository `grafana-quickwit` exists in `us-east-1`
-- Check the repository name in the workflow matches exactly
+No IAM roles or GitHub secrets are required because the self-hosted runner already has the necessary AWS permissions.
