added aws ecr upload to rag ingestion workflow #293
📝 Walkthrough
The workflow re-enables AWS ECR integration by activating environment variables for AWS region and ECR registry/repository, and by uncommenting AWS credential configuration, Amazon ECR login, and Docker image tag/push steps in the build job.
Changes: AWS ECR Integration
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/build-rag-ingestion-develop.yaml:
- Around line 72-73: Replace the deprecated action reference "uses:
aws-actions/configure-aws-credentials@v1" with the current major release "uses:
aws-actions/configure-aws-credentials@v6" in this workflow (and any other
workflows containing the same string); update any input names if the v6 action
requires different parameters and run the workflow lint to ensure no actionlint
deprecations remain.
- Line 73: Replace floating action tags with immutable commit SHAs: update the
two workflow lines that currently read "uses:
aws-actions/configure-aws-credentials@v1" and "uses:
aws-actions/amazon-ecr-login@v1" to reference their full commit SHAs (e.g.,
"aws-actions/configure-aws-credentials@<commit-sha>" and
"aws-actions/amazon-ecr-login@<commit-sha>"); obtain the desired commit SHAs
from the respective repositories' secure releases, commit the updated workflow
file, and ensure both occurrences are pinned to fixed SHAs rather than version
tags.
📒 Files selected for processing (1)
.github/workflows/build-rag-ingestion-develop.yaml
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v1 |
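Review bot: the `uses: aws-actions/configure-aws-credentials@v1` line points the step that handles the AWS credentials at a tag the action's maintainers can move, so the code that runs here can change without any change to this file. Reference a full commit SHA instead and keep the release it corresponds to in a trailing comment, so later upgrades show up as a reviewable diff.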
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
ls -la .github/workflows || true
rg -n "aws-actions/configure-aws-credentials@" .github/workflows -S || true
sed -n '60,90p' .github/workflows/build-rag-ingestion-develop.yaml || true
Repository: rootflo/wavefront
Length of output: 2598
🌐 Web query:
aws-actions/configure-aws-credentials current major version supported v1 v2 v3 v4 actionlint too old
💡 Result:
As of June 12, 2026, the current major version of the aws-actions/configure-aws-credentials action is v6 [1][2][3]. The action maintains a release policy where major versions (such as v6) receive active updates, while older major versions may no longer be supported or updated [4][5][6]. Using floating tags like @v6 is supported and recommended for convenience, as they automatically point to the latest minor/patch release within that major version [4][6].
Regarding the "actionlint too old" error, this typically occurs because actionlint checks the version of the action used in your workflow file against its own internal database of known, supported, or "modern" actions [7]. If actionlint reports that an action is "too old," it often means:
1. You are referencing an outdated major version (e.g., using v1, v2, or v3 when v6 is available) [5].
2. Your local version of actionlint itself is outdated and does not recognize newer releases of the action (e.g., it may not be aware that v6 is a valid, current release) [7].
To resolve this:
- Update your workflow to use the latest major version, currently @v6 [4][6].
- Ensure your actionlint tool is updated to the latest version to recognize the newest releases [7].
- If you are already using the latest version and still receive the error, check if your actionlint configuration requires an explicit update to its internal rules or if you are using an older, pinned commit SHA that the linter flags as deprecated [8][7].
Citations:
- 1: https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md
- 2: https://github.com/aws-actions/configure-aws-credentials/releases/tag/v6.2.0
- 3: https://github.com/aws-actions/configure-aws-credentials/releases
- 4: https://github.com/aws-actions/configure-aws-credentials/blob/main/README.md
- 5: https://github.com/aws-actions/configure-aws-credentials/blob/master/README.md
- 6: https://github.com/aws-actions/configure-aws-credentials/tree/refs/heads/main
- 7: Static Analysis Report - 2026-02-25 github/gh-aw#18283
- 8: Invalid URL error after updating to 4.3.0 aws-actions/configure-aws-credentials#1423
Update deprecated AWS credentials action version before merge
aws-actions/configure-aws-credentials@v1 is an outdated major release; update it to the current supported major (@v6) to avoid actionlint deprecation (“too old”) and potential workflow breakage. (This same @v1 reference appears in other workflows as well.)
🧰 Tools
🪛 actionlint (1.7.12)
[error] 73-73: the runner of "aws-actions/configure-aws-credentials@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
🪛 zizmor (1.25.2)
[error] 73-73: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
| # docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }} | ||
| # docker push ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }} | ||
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v1 |
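Review bot: the two commented-out `docker tag` and `docker push` lines directly above `- name: Configure AWS credentials` look like leftovers of the disabled version of this job. If they are still in the file after this change, delete them so the only tag and push commands in the workflow are the ones that actually run.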
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/build-rag-ingestion-develop.yaml"
echo "== File exists? =="
ls -l "$FILE" || true
echo "== Relevant lines (73-90) =="
nl -ba "$FILE" | sed -n '60,95p'
Repository: rootflo/wavefront
Length of output: 270
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/build-rag-ingestion-develop.yaml"
echo "== Relevant lines (70-90) with numbers (cat -n) =="
cat -n "$FILE" | sed -n '65,90p'
echo "== Lines containing configure-aws-credentials in this file =="
rg -n "aws-actions/configure-aws-credentials@" "$FILE" || true
echo "== Lines containing aws-actions/ in this file =="
rg -n "uses: aws-actions/" "$FILE" || true
Repository: rootflo/wavefront
Length of output: 1681
Pin AWS GitHub Action references to immutable commit SHAs (avoid floating tags).
.github/workflows/build-rag-ingestion-develop.yaml uses aws-actions/configure-aws-credentials@v1 (line 73) and aws-actions/amazon-ecr-login@v1 (line 81); pin both to full commit SHAs to prevent supply-chain drift.
🧰 Tools
🪛 actionlint (1.7.12)
[error] 73-73: the runner of "aws-actions/configure-aws-credentials@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
🪛 zizmor (1.25.2)
[error] 73-73: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
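An added example, not part of the PR or of CodeRabbit's output: a minimal check in the spirit of the zizmor `unpinned-uses` finding above, flagging every `uses:` reference that is not a full 40-character commit SHA. The sample workflow and the SHA on its checkout step are constructed for illustration.

```python
import re

# A `uses:` key at step or job level, with an optional list dash and quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify(ref):
    """Return 'local', 'pinned' or 'floating' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"  # action in this repository, versioned with the workflow
    if ref.startswith("docker://"):
        # Container images are immutable only when referenced by digest.
        return "pinned" if "@sha256:" in ref else "floating"
    _, sep, version = ref.partition("@")
    if sep and FULL_SHA_RE.fullmatch(version):
        return "pinned"
    return "floating"  # tag, branch, abbreviated SHA, or no ref at all


def find_unpinned(workflow_text):
    """Return (line_number, reference) for every floating `uses:` reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out steps never run
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "floating":
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
      # - uses: aws-actions/amazon-ecr-login@v1
      - name: Login to Amazon ECR
        uses: aws-actions/amazon-ecr-login@v1
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE):
        print(f"line {lineno}: unpinned action reference: {ref}")
```

A 40-hex value only shows that the reference is immutable; confirming that the commit actually belongs to the upstream action repository is a separate check.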