omnigraph/.github/workflows/package.yml

name: Package

# Builds both the default and aws-feature omnigraph-server images and pushes
# them to ECR. Invoked manually via workflow_dispatch — not wired to tags or
# main pushes today.
#
# Prerequisites:
#   - Repo secrets AWS_REGION, AWS_ROLE_TO_ASSUME, AWS_CODEBUILD_PACKAGE_PROJECT,
#     AWS_ARTIFACT_BUCKET are set. Stored as secrets (not variables) so the
#     AWS account ID embedded in the role ARN and bucket name stays masked in
#     public workflow logs.
#   - The shared workflow at ModernRelay/.github declares these as
#     on.workflow_call.secrets (see fix/omnigraph-package-use-secrets).
#
# Each invocation produces two ECR tags per source commit:
#   - <source_sha>         (default features)
#   - <source_sha>-aws     (--features aws)

on:
  workflow_dispatch:
    inputs:
      source_ref:
        description: Git ref to package (branch, tag, or SHA). Defaults to the workflow's own ref.
        required: false
        type: string
        default: ""

jobs:
  package_default:
    name: Package default build
    uses: ModernRelay/.github/.github/workflows/omnigraph-package.yml@main
    permissions:
      id-token: write
      contents: read
      attestations: write
    with:
      repository: ${{ github.repository }}
      source_ref: ${{ inputs.source_ref != '' && inputs.source_ref || github.sha }}
    secrets: inherit

  package_aws:
    name: Package aws-feature build
    uses: ModernRelay/.github/.github/workflows/omnigraph-package.yml@main
    permissions:
      id-token: write
      contents: read
      attestations: write
    with:
      repository: ${{ github.repository }}
      source_ref: ${{ inputs.source_ref != '' && inputs.source_ref || github.sha }}
      features: aws
      image_tag_suffix: "-aws"
    secrets: inherit