From 363969469ac359a3f5e9d2b2ff15ee839ede9d84 Mon Sep 17 00:00:00 2001
From: Vamsi Bedapudi
Date: Thu, 2 Apr 2026 18:28:15 -0700
Subject: [PATCH 1/2] Add CI workflow to build and push controller image to ECR
Adds a GitHub Actions workflow that builds the agent-sandbox-controller-fork image and pushes it to ECR on push to main or manual dispatch. Uses self-hosted runners and immutable SHA-based tags.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/build-push-controller.yml | 65 +++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 .github/workflows/build-push-controller.yml
diff --git a/.github/workflows/build-push-controller.yml b/.github/workflows/build-push-controller.yml
new file mode 100644
index 000000000..8f0551a3a
--- /dev/null
+++ b/.github/workflows/build-push-controller.yml
@@ -0,0 +1,65 @@
+name: Build and Push Controller Image
+
+permissions:
+ contents: read
+
+on:
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: "Image tag override (defaults to git SHA)"
+ required: false
+ type: string
+ push:
+ branches: [main]
+ paths:
+ - "Dockerfile"
+ - "cmd/**"
+ - "controllers/**"
+ - "internal/**"
+ - "api/**"
+ - "extensions/**"
+ - "go.mod"
+ - "go.sum"
+ - ".github/workflows/build-push-controller.yml"
+
+jobs:
+ build-and-push:
+ name: Build and Push Controller
+ runs-on: arc-runner-scale-set-dev0
+ timeout-minutes: 30
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+ with:
+ registries: ${{ secrets.TOOLS_AWS_ACCOUNT_ID }}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ driver-opts: |
+ image=public.ecr.aws/vend/moby/buildkit:buildx-stable-1
+
+ - name: Determine image tag
+ id: tag
+ run: |
+ if [ -n "${{ inputs.tag }}" ]; then
+ echo "tag=${{ inputs.tag }}" >> "$GITHUB_OUTPUT"
+ else
+ echo "tag=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Build and push
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: true
+ platforms: linux/amd64,linux/arm64
+ tags: |
+ ${{ steps.login-ecr.outputs.registry }}/agent-sandbox-controller-fork:${{ steps.tag.outputs.tag }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
From 28728741d68f0409f6080a23e932e8a976879042 Mon Sep 17 00:00:00 2001
From: Vamsi Bedapudi
Date: Thu, 2 Apr 2026 18:28:27 -0700
Subject: [PATCH 2/2] Make Dockerfile path explicit in build-push workflow
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/build-push-controller.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/build-push-controller.yml b/.github/workflows/build-push-controller.yml
index 8f0551a3a..957850eae 100644
--- a/.github/workflows/build-push-controller.yml
+++ b/.github/workflows/build-push-controller.yml
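Review bot: In the workflow added by patch 1/2, the `Determine image tag` step expands `${{ inputs.tag }}` directly inside the `run:` script, so the dispatch input becomes part of the shell source before bash parses it, and the step runs on the self-hosted runner after the ECR login. Pass the input through `env:` and read it as a quoted shell variable, and reject anything outside the Docker tag grammar before it is written to `$GITHUB_OUTPUT`; the rewritten step is sketched below. The override also lets a dispatcher choose any tag, so the "immutable SHA-based tags" in the commit message hold only if the ECR repository itself enforces tag immutability, which these patches do not show.

```yaml
      - name: Determine image tag
        id: tag
        env:
          # The expression is evaluated into the environment, never into script text.
          TAG_OVERRIDE: ${{ inputs.tag }}
        run: |
          tag="${TAG_OVERRIDE:-$GITHUB_SHA}"
          # Allow only the Docker tag grammar; this also keeps newlines out of GITHUB_OUTPUT.
          if [[ ! "$tag" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$ ]]; then
            echo "invalid image tag" >&2
            exit 1
          fi
          echo "tag=$tag" >> "$GITHUB_OUTPUT"
```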
@@ -57,6 +57,7 @@ jobs:
 uses: docker/build-push-action@v6
 with:
 context: .
+ file: Dockerfile
 push: true
 platforms: linux/amd64,linux/arm64
 tags: |