Phidata templates come pre-configured with Github Actions for CI/CD. We can
  1. Test and Validate on every PR
  2. Build Docker Images with Github Releases
  3. Build ECR Images with Github Releases

Test and Validate on every PR

Whenever a PR is opened against the main branch, a validate script runs that ensures
  1. The changes are formatted using ruff
  2. All unit-tests pass
  3. The changes don’t have any typing or linting errors.
Checkout the .github/workflows/validate.yml file for more information. validate-cicd

Build Docker Images with Github Releases

If you’re using Dockerhub for images, you can buld and push the images throug a Github Release. This action is defined in the .github/workflows/docker-images.yml file.
  1. Create a Docker Access Token for Github Actions
docker-access-token
  1. Create secret variables DOCKERHUB_REPO, DOCKERHUB_TOKEN and DOCKERHUB_USERNAME in your github repo. These variables are used by the action in .github/workflows/docker-images.yml
github-actions-docker-secrets
  1. Run workflow using a Github Release
This workflow is configured to run when a release is created. Create a new release using:
Confirm the image name in the .github/workflows/docker-images.yml file before running
gh release create v0.1.0 --title "v0.1.0" -n ""
github-actions-build-docker
You can also run the workflow using gh workflow run

Build ECR Images with Github Releases

If you’re using ECR for images, you can buld and push the images through a Github Release. This action is defined in the .github/workflows/ecr-images.yml file and uses the new OpenID Connect (OIDC) approach to request the access token, without using IAM access keys. We will follow this guide to create an IAM role which will be used by the github action.
  1. Open the IAM console.
  2. In the left navigation menu, choose Identity providers.
  3. In the Identity providers pane, choose Add provider.
  4. For Provider type, choose OpenID Connect.
  5. For Provider URL, enter the URL of the GitHub OIDC IdP: https://token.actions.githubusercontent.com
  6. Get thumbprint to verify the server certificate
  7. For Audience, enter sts.amazonaws.com.
Verify the information matches the screenshot below and Add provider github-oidc-provider
  1. Assign a Role to the provider.
github-oidc-provider-assign-role
  1. Create a new role.
github-oidc-provider-create-new-role
  1. Confirm that Web identity is already selected as the trusted entity and the Identity provider field is populated with the IdP. In the Audience list, select sts.amazonaws.com, and then select Next.
github-oidc-provider-trusted-entity
  1. Add the AmazonEC2ContainerRegistryPowerUser permission to this role.
  2. Create the role with the name GithubActionsRole.
  3. Find the role GithubActionsRole and copy the ARN.
github-oidc-role
  1. Create the ECR Repositories: llm and jupyter-llm which are built by the workflow.
create-ecr-image
  1. Update the workflow with the GithubActionsRole ARN and ECR Repository.
.github/workflows/ecr-images.yml
name: Build ECR Images

on:
  release:
    types: [published]

permissions:
  # For AWS OIDC Token access as per https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow
  id-token: write # This is required for requesting the JWT
  contents: read # This is required for actions/checkout

env:
  ECR_REPO: [YOUR_ECR_REPO]
  # Create role using https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
  AWS_ROLE: [GITHUB_ACTIONS_ROLE_ARN]
  AWS_REGION: us-east-1
  1. Update the docker-images workflow to NOT run on a release
.github/workflows/docker-images.yml
name: Build Docker Images

on: workflow_dispatch
  1. Run workflow using a Github Release
gh release create v0.2.0 --title "v0.2.0" -n ""
github-actions-build-ecr
You can also run the workflow using gh workflow run