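# Manually triggered workflow (workflow_dispatch only): lints the code under
# agents/, builds a linux/arm64 container image, pushes it to Amazon ECR,
# passes the image URI to scripts/deploy_agent.py, then runs
# scripts/cleanup_ecr.py against the same repository.
#
# AWS access goes through GitHub OIDC: configure-aws-credentials assumes the
# role in secrets.AWS_ROLE_ARN; this workflow references no static AWS keys.
# NOTE(review): workflow_dispatch runs the workflow file from whichever ref is
# selected, so the role's trust policy should pin the OIDC `sub` claim to this
# repository and to the ref or environment allowed to deploy - confirm in IAM.
name: Deploy Strand Agent to Bedrock AgentCore Runtime

on:
  workflow_dispatch:

env:
  AWS_REGION: us-east-1

# Default token scope for every job. id-token: write is granted per job below,
# only where an AWS role is assumed, so the lint job (which installs and runs
# packages from PyPI) cannot request an OIDC token.
permissions:
  contents: read

jobs:
  validate:
    name: Validate Agent Code
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
        with:
          # No later step in this job uses git, so do not leave the token in
          # the checked-out repository's git config.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
        with:
          python-version: '3.12'

      # NOTE(review): pip and the lint tools are installed without version
      # pins, unlike the SHA-pinned actions above; pin them (ideally with
      # hashes) so a compromised release cannot run in CI. pytest is installed
      # but no step in this job invokes it.
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r agents/requirements.txt
          pip install pytest black isort flake8

      - name: Format and lint check
        run: |
          black --check agents/
          isort --check-only agents/
          flake8 agents/ --max-line-length=88 --extend-ignore=E203,W503

  build-and-deploy:
    name: Build and Deploy Agent
    runs-on: ubuntu-latest
    needs: validate
    # Job-level permissions replace the workflow default, so contents: read is
    # repeated here next to the OIDC grant.
    permissions:
      id-token: write
      contents: read
    outputs:
      ecr-repository: ${{ steps.set-vars.outputs.ecr-repository }}
    steps:
      - name: Checkout code
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
        with:
          # The Docker build below uses `.` as its context; keeping the token
          # out of the working tree keeps it out of that context too.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
        with:
          python-version: '3.12'

      # NOTE(review): these packages are imported by scripts that run after
      # AWS credentials are configured, so whatever pip resolves here executes
      # with the deploy role. boto3 is unpinned; the contents of
      # agents/requirements.txt are not visible from this file - confirm both
      # are pinned.
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r agents/requirements.txt
          pip install boto3

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@d0834ad3a60a024346910e522a81b0002bd37fea
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          role-session-name: GitHubActions-AgentCore-Deploy
          aws-region: ${{ env.AWS_REGION }}

      # NOTE(review): ubuntu-latest is an x86_64 runner and no QEMU setup step
      # is visible; confirm the arm64 build works through emulation or
      # cross-compilation in the Dockerfile.
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@18ce135bb5112fa8ce4ed6c17ab05699d7f3a5e0
        with:
          platforms: linux/arm64

      # Publishes AGENT_NAME and ECR_REPOSITORY to later steps via GITHUB_ENV
      # and exposes the repository name as a job output for the cleanup job.
      - name: Set environment variables
        id: set-vars
        run: |
          AGENT_NAME="strands_agent"
          ECR_REPOSITORY="${AGENT_NAME}"
          echo "AGENT_NAME=${AGENT_NAME}" >> "$GITHUB_ENV"
          echo "ECR_REPOSITORY=${ECR_REPOSITORY}" >> "$GITHUB_ENV"
          echo "ecr-repository=${ECR_REPOSITORY}" >> "$GITHUB_OUTPUT"

      # The run blocks below read values as quoted shell variables instead of
      # splicing ${{ ... }} expressions into the script text, so a value can
      # never be re-parsed as shell syntax.
      # NOTE(review): this step implies the assumed role can create IAM roles;
      # confirm that permission is bounded (for example by a permissions
      # boundary or a resource-name prefix).
      - name: Create IAM role
        run: |
          python scripts/create_iam_role.py \
            --agent-name "$AGENT_NAME" \
            --region "$AWS_REGION"

      - name: Create Bedrock guardrail
        run: |
          python scripts/create_guardrail.py \
            --region "$AWS_REGION"

      # Creates the repository with scan-on-push if it does not exist. Any
      # describe-repositories failure (not only "not found") takes the create
      # path. The enhanced-scanning call runs only on that path and stays
      # best-effort, but its error output is no longer discarded and a failure
      # is raised as a workflow warning.
      # NOTE(review): put-registry-scanning-configuration is registry-wide
      # (filter "*"), so this per-agent deploy changes scanning for every
      # repository in the account and region - confirm that is intended.
      - name: Setup ECR repository and scanning
        run: |
          # Check if repository exists, create if not
          if aws ecr describe-repositories --repository-names "$ECR_REPOSITORY" --region "$AWS_REGION" >/dev/null 2>&1; then
            echo "Repository already exists"
          else
            echo "Creating repository..."
            aws ecr create-repository --repository-name "$ECR_REPOSITORY" --region "$AWS_REGION" \
              --image-scanning-configuration scanOnPush=true
            echo "Repository created successfully"
            # Enable enhanced scanning (one-time registry setup)
            if aws ecr put-registry-scanning-configuration \
              --scan-type ENHANCED \
              --rules 'scanFrequency=SCAN_ON_PUSH,repositoryFilters=[{filter="*",filterType="WILDCARD"}]' \
              --region "$AWS_REGION"; then
              echo "Enhanced scanning enabled"
            else
              echo "::warning::Enhanced scanning setup failed; see the AWS CLI error above"
            fi
          fi

      - name: Login to ECR
        uses: aws-actions/amazon-ecr-login@33f92af657bba1882ab79d8621debd2f6769a0c9

      # Pushes two tags: the first 8 characters of the commit SHA, and latest.
      # Only the SHA-tagged URI is exported for the deploy step.
      # NOTE(review): both tags are mutable unless the repository enforces tag
      # immutability; deploying by image digest would pin the exact image -
      # confirm whether deploy_agent.py accepts a digest reference.
      - name: Build and push Docker image
        run: |
          ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
          IMAGE_TAG="${GITHUB_SHA:0:8}"
          ECR_URI="${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}"
          ECR_LATEST="${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:latest"
          docker buildx build --platform linux/arm64 -t "$ECR_URI" -t "$ECR_LATEST" --push .
          echo "CONTAINER_URI=$ECR_URI" >> "$GITHUB_ENV"

      # NOTE(review): no step waits for or inspects ECR scan findings before
      # this deploy runs, so scan-on-push reports problems but does not gate
      # the release.
      - name: Deploy to AgentCore Runtime
        run: |
          python scripts/deploy_agent.py \
            --agent-name "$AGENT_NAME" \
            --region "$AWS_REGION" \
            --container-uri "$CONTAINER_URI"

  cleanup:
    name: Cleanup Old Images
    runs-on: ubuntu-latest
    needs: build-and-deploy
    if: success()
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
        with:
          persist-credentials: false

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@d0834ad3a60a024346910e522a81b0002bd37fea
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          role-session-name: GitHubActions-AgentCore-Cleanup
          aws-region: ${{ env.AWS_REGION }}

      # The repository name comes from the build job's output; it is handed to
      # the script through the step environment rather than expanded into the
      # script text.
      - name: Cleanup old ECR images
        env:
          ECR_REPOSITORY: ${{ needs.build-and-deploy.outputs.ecr-repository }}
        run: |
          python scripts/cleanup_ecr.py \
            --region "$AWS_REGION" \
            --repository-name "$ECR_REPOSITORY"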