From 807c1ba4dc482489cbef5952acb64e06ceb04e81 Mon Sep 17 00:00:00 2001
From: andrew
Date: Sat, 18 Apr 2026 16:29:43 +0300
Subject: [PATCH] Add manual-dispatch Package workflow for CodeBuild image builds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Invokes the shared omnigraph-package reusable workflow twice per run — once with default features, once with --features aws — producing two ECR tags per source commit: (default features) -aws (--features aws → SecretsManagerTokenSource) Manual-dispatch only for now. Neither release.yml nor release-edge.yml currently invokes the CodeBuild-backed packaging path; this gives operators a way to produce on-demand image variants without wiring packaging into the tag/push cadence. Prerequisites: - Repo vars AWS_REGION, AWS_ROLE_TO_ASSUME, AWS_CODEBUILD_PACKAGE_PROJECT, AWS_ARTIFACT_BUCKET must be set. - Shared workflow must support the `features` and `image_tag_suffix` inputs. Uses @main as the shared-workflow ref until a versioned tag is cut.
---
.github/workflows/package.yml | 57 +++++++++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)
create mode 100644 .github/workflows/package.yml
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
new file mode 100644
index 0000000..7324e23
--- /dev/null
+++ b/.github/workflows/package.yml
@@ -0,0 +1,57 @@
+name: Package
+
+# Builds both the default and aws-feature omnigraph-server images and pushes
+# them to ECR. Invoked manually via workflow_dispatch — not wired to tags or
+# main pushes today.
+#
+# Prerequisites:
+# - Repo vars AWS_REGION, AWS_ROLE_TO_ASSUME, AWS_CODEBUILD_PACKAGE_PROJECT,
+# AWS_ARTIFACT_BUCKET are set.
+# - The shared workflow at ModernRelay/.github supports the `features` and
+# `image_tag_suffix` inputs (ModernRelay/.github PR #2 or later).
+#
+# Each invocation produces two ECR tags per source commit:
+# - (default features)
+# - -aws (--features aws)
+
+on:
+ workflow_dispatch:
+ inputs:
+ source_ref:
+ description: Git ref to package (branch, tag, or SHA). Defaults to the workflow's own ref.
+ required: false
+ type: string
+ default: ""
+
+jobs:
+ package_default:
+ name: Package default build
+ uses: ModernRelay/.github/.github/workflows/omnigraph-package.yml@main
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
+ with:
+ repository: ${{ github.repository }}
+ source_ref: ${{ inputs.source_ref != '' && inputs.source_ref || github.sha }}
+ aws_region: ${{ vars.AWS_REGION }}
+ aws_role_to_assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
+ aws_codebuild_package_project: ${{ vars.AWS_CODEBUILD_PACKAGE_PROJECT }}
+ aws_artifact_bucket: ${{ vars.AWS_ARTIFACT_BUCKET }}
+
+ package_aws:
+ name: Package aws-feature build
+ uses: ModernRelay/.github/.github/workflows/omnigraph-package.yml@main
+ permissions:
+ id-token: write
+ contents: read
+ attestations: write
+ with:
+ repository: ${{ github.repository }}
+ source_ref: ${{ inputs.source_ref != '' && inputs.source_ref || github.sha }}
+ aws_region: ${{ vars.AWS_REGION }}
+ aws_role_to_assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
+ aws_codebuild_package_project: ${{ vars.AWS_CODEBUILD_PACKAGE_PROJECT }}
+ aws_artifact_bucket: ${{ vars.AWS_ARTIFACT_BUCKET }}
+ features: aws
+ image_tag_suffix: "-aws"
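Review bot: Both `uses:` lines (in `package_default` and `package_aws`) call the shared workflow at the mutable ref `@main` while granting it `id-token: write` and `attestations: write`, so any later push to ModernRelay/.github main changes the code that can assume `AWS_ROLE_TO_ASSUME` and sign attestations for these images. Pin both to a full commit SHA rather than waiting for a versioned tag, since a tag can be moved as well: `uses: ModernRelay/.github/.github/workflows/omnigraph-package.yml@<full-commit-sha>  # main as of <date>`. The role's trust policy is not visible here; if it does not already do so, it should restrict the OIDC `sub` and `job_workflow_ref` claims to this repository and that shared workflow. Separately, `source_ref` accepts any branch, tag or SHA, so an attested image can be built from an unreviewed ref; whether that is acceptable depends on who is allowed to dispatch this workflow.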