scripts: allow public ECR image selection

2026-01-02 13:23:13 +00:00 · 2025-12-16 11:43:06 +01:00 · 2025-12-16 11:43:06 +01:00 · e1689f59f6
commit e1689f59f6
parent a3aa416de5
4 changed files with 60 additions and 25 deletions
--- a/scripts/push-ecr-test.sh
+++ b/scripts/push-ecr-test.sh
@ -3,25 +3,44 @@ set -euo pipefail

 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"

-AWS_REGION="ap-southeast-2"
-AWS_ACCOUNT_ID="968061875204"
-ECR_REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
-ECR_REPO="logos-blockchain-testing"
-TAG="test"
+# Publishes the testnet image to ECR Public by default.
+#
+# Env overrides:
+#   TAG            - image tag (default: test)
+#   ECR_IMAGE_REPO - full repo path without tag (default: public.ecr.aws/r4s5t9y4/logos/logos-blockchain)
+#   AWS_REGION     - AWS region for ecr-public login (default: us-east-1)
+#
+# Legacy (private ECR) overrides:
+#   AWS_ACCOUNT_ID - if set, uses private ECR login/push unless ECR_IMAGE_REPO points at public.ecr.aws

-LOCAL_IMAGE="${ECR_REPO}:${TAG}"
-REMOTE_IMAGE="${ECR_REGISTRY}/${ECR_REPO}:${TAG}"
+TAG="${TAG:-test}"
+ECR_IMAGE_REPO="${ECR_IMAGE_REPO:-public.ecr.aws/r4s5t9y4/logos/logos-blockchain}"
+AWS_REGION="${AWS_REGION:-us-east-1}"
+
+LOCAL_IMAGE="${LOCAL_IMAGE:-logos-blockchain-testing:${TAG}}"
+REMOTE_IMAGE="${ECR_IMAGE_REPO}:${TAG}"

 export DOCKER_DEFAULT_PLATFORM="linux/amd64"
 export CIRCUITS_PLATFORM="${CIRCUITS_PLATFORM:-linux-x86_64}"
-export IMAGE_TAG="${LOCAL_IMAGE}"
+export IMAGE_TAG="${REMOTE_IMAGE}"

 "${ROOT_DIR}/testing-framework/assets/stack/scripts/build_test_image.sh"

-aws ecr get-login-password --region "${AWS_REGION}" \
-  | docker login --username AWS --password-stdin "${ECR_REGISTRY}"
+if [[ "${ECR_IMAGE_REPO}" == public.ecr.aws/* ]]; then
+  aws ecr-public get-login-password --region "${AWS_REGION}" \
+    | docker login --username AWS --password-stdin "public.ecr.aws"
+else
+  if [ -z "${AWS_ACCOUNT_ID:-}" ]; then
+    echo "ERROR: AWS_ACCOUNT_ID must be set for private ECR pushes (or set ECR_IMAGE_REPO=public.ecr.aws/...)" >&2
+    exit 1
+  fi
+  ECR_REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
+  aws ecr get-login-password --region "${AWS_REGION}" \
+    | docker login --username AWS --password-stdin "${ECR_REGISTRY}"
+  docker tag "${REMOTE_IMAGE}" "${ECR_REGISTRY}/${REMOTE_IMAGE#*/}"
+  REMOTE_IMAGE="${ECR_REGISTRY}/${REMOTE_IMAGE#*/}"
+fi

-docker tag "${LOCAL_IMAGE}" "${REMOTE_IMAGE}"
 docker push "${REMOTE_IMAGE}"

 echo "${REMOTE_IMAGE}"
--- a/scripts/run-examples.sh
+++ b/scripts/run-examples.sh
@ -13,10 +13,12 @@ set -euo pipefail
 # Env overrides:
 #   VERSION                       - circuits version (default v0.3.1)
 #   NOMOS_TESTNET_IMAGE           - image reference (overridden by --ecr/--local selection)
-#   AWS_REGION                    - ECR region (default ap-southeast-2)
-#   AWS_ACCOUNT_ID                - ECR account id (default 968061875204)
-#   ECR_REPO                      - ECR repository (default logos-blockchain-testing)
-#   TAG                           - ECR tag (default test)
+#   ECR_IMAGE                     - full image reference to use for --ecr (overrides ECR_REGISTRY/ECR_REPO/TAG)
+#   ECR_REGISTRY                  - registry hostname for --ecr (default public.ecr.aws/r4s5t9y4)
+#   ECR_REPO                      - repository path for --ecr (default logos/logos-blockchain)
+#   TAG                           - tag for --ecr (default test)
+#   AWS_REGION                    - (legacy) private ECR region; used only if AWS_ACCOUNT_ID is set and ECR_REGISTRY is unset
+#   AWS_ACCOUNT_ID                - (legacy) private ECR account id; used only if ECR_REGISTRY is unset
 #   NOMOS_TESTNET_IMAGE_PULL_POLICY - k8s imagePullPolicy (default IfNotPresent; set to Always for --ecr)
 #   NOMOS_CIRCUITS_PLATFORM       - override host platform detection
 #   NOMOS_CIRCUITS_REBUILD_RAPIDSNARK - set to 1 to force rapidsnark rebuild
@ -42,10 +44,12 @@ Options:
 Environment:
  VERSION                        Circuits version (default v0.3.1)
  NOMOS_TESTNET_IMAGE            Image reference (overridden by --local/--ecr selection)
-  AWS_REGION                      ECR region (default ap-southeast-2)
-  AWS_ACCOUNT_ID                  ECR account id (default 968061875204)
-  ECR_REPO                        ECR repository (default logos-blockchain-testing)
-  TAG                             ECR tag (default test)
+  ECR_IMAGE                       Full image reference for --ecr (overrides ECR_REGISTRY/ECR_REPO/TAG)
+  ECR_REGISTRY                    Registry hostname for --ecr (default public.ecr.aws/r4s5t9y4)
+  ECR_REPO                        Repository path for --ecr (default logos/logos-blockchain)
+  TAG                             Tag for --ecr (default test)
+  AWS_REGION                      (legacy) Private ECR region (used only if AWS_ACCOUNT_ID is set and ECR_REGISTRY is unset)
+  AWS_ACCOUNT_ID                  (legacy) Private ECR account id (used only if ECR_REGISTRY is unset)
  NOMOS_TESTNET_IMAGE_PULL_POLICY K8s imagePullPolicy (default IfNotPresent; set to Always for --ecr)
  NOMOS_CIRCUITS_PLATFORM        Override host platform detection
  NOMOS_CIRCUITS_REBUILD_RAPIDSNARK  Force rapidsnark rebuild
@ -177,11 +181,23 @@ select_image() {
    IMAGE="${NOMOS_TESTNET_IMAGE:-logos-blockchain-testing:local}"
    export NOMOS_TESTNET_IMAGE_PULL_POLICY="${NOMOS_TESTNET_IMAGE_PULL_POLICY:-IfNotPresent}"
  elif [ "${selection}" = "ecr" ]; then
-    local aws_region="${AWS_REGION:-ap-southeast-2}"
-    local aws_account_id="${AWS_ACCOUNT_ID:-968061875204}"
-    local ecr_repo="${ECR_REPO:-logos-blockchain-testing}"
    local tag="${TAG:-test}"
-    IMAGE="${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com/${ecr_repo}:${tag}"
+    if [ -n "${ECR_IMAGE:-}" ]; then
+      IMAGE="${ECR_IMAGE}"
+    elif [ -n "${ECR_REGISTRY:-}" ]; then
+      local registry="${ECR_REGISTRY}"
+      local repo="${ECR_REPO:-logos/logos-blockchain}"
+      IMAGE="${registry}/${repo}:${tag}"
+    elif [ -n "${AWS_ACCOUNT_ID:-}" ]; then
+      local aws_region="${AWS_REGION:-ap-southeast-2}"
+      local aws_account_id="${AWS_ACCOUNT_ID}"
+      local repo="${ECR_REPO:-logos-blockchain-testing}"
+      IMAGE="${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com/${repo}:${tag}"
+    else
+      local registry="public.ecr.aws/r4s5t9y4"
+      local repo="${ECR_REPO:-logos/logos-blockchain}"
+      IMAGE="${registry}/${repo}:${tag}"
+    fi
    export NOMOS_TESTNET_IMAGE_PULL_POLICY="${NOMOS_TESTNET_IMAGE_PULL_POLICY:-Always}"
  else
    fail_with_usage "Unknown image selection mode: ${selection}"
--- a/testing-framework/runners/k8s/helm/nomos-runner/values.yaml
+++ b/testing-framework/runners/k8s/helm/nomos-runner/values.yaml
@ -1,4 +1,4 @@
-image: "logos-blockchain-testing:test"
+image: "public.ecr.aws/r4s5t9y4/logos/logos-blockchain:test"
 imagePullPolicy: IfNotPresent

 cfgsync:
--- a/testing-framework/runners/k8s/src/infrastructure/assets.rs
+++ b/testing-framework/runners/k8s/src/infrastructure/assets.rs
@ -112,7 +112,7 @@ pub fn prepare_assets(topology: &GeneratedTopology) -> Result<RunnerAssets, Asse
    let values_yaml = render_values_yaml(topology)?;
    let values_file = write_temp_file(tempdir.path(), "values.yaml", values_yaml)?;
    let image = env::var("NOMOS_TESTNET_IMAGE")
-        .unwrap_or_else(|_| String::from("logos-blockchain-testing:test"));
+        .unwrap_or_else(|_| String::from("public.ecr.aws/r4s5t9y4/logos/logos-blockchain:test"));

    let kzg_display = kzg_path
        .as_ref()