From 7599e4ea262b06cb719daffec75eb6fcf8e801e4 Mon Sep 17 00:00:00 2001
From: Universe Ops
Date: Thu, 21 May 2026 01:12:50 +0300
Subject: [PATCH 1/2] fix(github-actions-image): install aws-cli so static-site sync works
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
`pkg/clouds/pulumi/aws/static_website.go` shells out to `aws s3 sync` via Pulumi `local.NewCommand`, but neither the prod nor staging Dockerfile installed the AWS CLI — every static-site stack run under the simplecontainer/github-actions image failed with `/bin/sh: aws: not found`. Adding the alpine `aws-cli` package (community repo, python-based) to the runtime layer of both images + extending the build-time smoke test to cover `aws --version`.
Co-Authored-By: Claude Opus 4.7
---
 github-actions-staging.Dockerfile | 5 ++++-
 github-actions.Dockerfile | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/github-actions-staging.Dockerfile b/github-actions-staging.Dockerfile
index 7d907026..49d11746 100644
--- a/github-actions-staging.Dockerfile
+++ b/github-actions-staging.Dockerfile
@@ -75,8 +75,10 @@ RUN rm -rf \
 # ── runtime ─────────────────────────────────────────────────────────────────
 FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
+# aws-cli needed by Pulumi local.Command shell-outs (e.g. `aws s3 sync` in the
+# static-website template at pkg/clouds/pulumi/aws/static_website.go).
 RUN apk update && apk upgrade --no-cache \
- && apk add --no-cache ca-certificates git openssh-client curl jq bash python3 \
+ && apk add --no-cache ca-certificates git openssh-client curl jq bash python3 aws-cli \
 && rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
 COPY --from=builder /opt/pulumi /opt/pulumi
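Review bot: The `aws-cli` added to the runtime `apk add` line is unversioned, so although the base image is pinned by digest, the CLI that will run with AWS credentials in CI is whatever the Alpine community repo serves on the day of the build (the `apk update && apk upgrade` on the line above already lets this layer float). Consider pinning it, `aws-cli=<pinned-version>` (placeholder; take the value from the 3.23 community index), or at minimum recording the resolved version in the build output or an SBOM so two builds of the same Dockerfile can be compared. The two added comment lines explain why the package is needed but not that it brings its Python dependency tree into the runtime image; one more line such as `# NOTE: unpinned; pulls aws-cli's Python deps into the runtime layer.` would make that trade-off visible. The same applies to the identical `apk add` change in github-actions.Dockerfile.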
@@ -93,6 +95,7 @@ RUN chmod +x ./github-actions \
 RUN pulumi version > /dev/null \
 && gcloud version > /dev/null \
 && gcloud components list --filter="name:gke-gcloud-auth-plugin" --format="value(name)" | grep -q gke-gcloud-auth-plugin \
+ && aws --version > /dev/null \
 && test -L /usr/local/bin/sc && test -x /usr/local/bin/sc
 LABEL org.opencontainers.image.source="https://github.com/simple-container-com/api" \
diff --git a/github-actions.Dockerfile b/github-actions.Dockerfile
index e279aae6..2863e9b6 100644
--- a/github-actions.Dockerfile
+++ b/github-actions.Dockerfile
@@ -87,8 +87,10 @@ RUN rm -rf \
 FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
 # python3 stays — gcloud invokes it. py3-pip / binutils / upx confined to builder.
+# aws-cli needed by Pulumi local.Command shell-outs (e.g. `aws s3 sync` in the
+# static-website template at pkg/clouds/pulumi/aws/static_website.go).
 RUN apk update && apk upgrade --no-cache \
- && apk add --no-cache ca-certificates git openssh-client curl jq bash python3 \
+ && apk add --no-cache ca-certificates git openssh-client curl jq bash python3 aws-cli \
 && rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
 COPY --from=builder /opt/pulumi /opt/pulumi
@@ -107,6 +109,7 @@ RUN chmod +x ./github-actions \
 RUN pulumi version > /dev/null \
 && gcloud version > /dev/null \
 && gcloud components list --filter="name:gke-gcloud-auth-plugin" --format="value(name)" | grep -q gke-gcloud-auth-plugin \
+ && aws --version > /dev/null \
 && test -L /usr/local/bin/sc && test -x /usr/local/bin/sc
 LABEL org.opencontainers.image.source="https://github.com/simple-container-com/api" \
From a62b1c41a8d7110e1535c29c07ed307cac90c190 Mon Sep 17 00:00:00 2001
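Review bot: `aws --version > /dev/null` in the smoke-test RUN of github-actions-staging.Dockerfile discards the only record of which aws-cli build ended up in the image. Because the package is installed without a version pin, letting the line print, `&& aws --version \`, keeps the resolved version in the build log, where it can be compared across rebuilds. The check proves only that the entry point starts, not that the `s3` subcommand the static-site template shells out to is usable; that is probably acceptable for a smoke test but worth a short comment. The same line is added to the smoke test in github-actions.Dockerfile.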
From: Universe Ops
Date: Thu, 21 May 2026 01:20:33 +0300
Subject: [PATCH 2/2] fix(aws/static-site): implement DnsConfigAware so baseDnsZone is honoured
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
aws.StaticSiteInput embeds api.StackConfigStatic (which carries Site. BaseDnsZone) but never exposed an OverriddenBaseZone() method, so the type assertion in pulumi/deploy.go fell through and the Cloudflare registrar fell back to the parent stack's default zone. Records intended for e.g. simple-forge.com landed in the simple-container.com zone and Cloudflare appended the suffix → simple-forge.com.simple- container.com. GCP, Lambda and ECS Fargate inputs already implement the interface; this just restores parity.
Co-Authored-By: Claude Opus 4.7
---
 pkg/clouds/aws/static_website.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/pkg/clouds/aws/static_website.go b/pkg/clouds/aws/static_website.go
index de48a39e..20ced930 100644
--- a/pkg/clouds/aws/static_website.go
+++ b/pkg/clouds/aws/static_website.go
@@ -15,6 +15,14 @@ type StaticSiteInput struct {
 StackName string `json:"stackName" yaml:"stackName"`
 }
+// OverriddenBaseZone implements api.DnsConfigAware so the Cloudflare registrar
+// uses the stack's baseDnsZone instead of the parent stack's default zone —
+// otherwise records get created with the parent zone suffixed (e.g.
+// simple-forge.com → simple-forge.com.simple-container.com).
+func (i *StaticSiteInput) OverriddenBaseZone() string {
+ return i.Site.BaseDnsZone
+}
+
 func ToStaticSiteConfig(tpl any, stackDir, stackName string, stackCfg *api.StackConfigStatic) (any, error) {
 templateCfg, ok := tpl.(*TemplateConfig)
 if !ok {
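Review bot: Nothing in this hunk ties `StaticSiteInput` to the interface at compile time, so the silent fall-through this commit fixes can return unnoticed if the method or the interface signature drifts. A line next to the method, `var _ api.DnsConfigAware = (*StaticSiteInput)(nil)`, would turn that into a build failure. The method has a pointer receiver, so the type assertion in pulumi/deploy.go matches only when the value in flight is a `*StaticSiteInput`; ToStaticSiteConfig's body continues outside the hunk, so whether it returns a pointer cannot be confirmed from here. Since the failure mode was DNS records created in a zone the stack did not intend, a unit test asserting that an AWS static-site input reports its `baseDnsZone` through `OverriddenBaseZone()` would be worth adding with this change.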