Local dev (make dev) fails after Chainguard migration due to private ECR base image #163
Description
After the recent change in
b413297 sec: migrate standard Dockerfiles to Chainguard golden base images (#159)
local development using the documented workflow no longer works for external users.
Following the README:
git clone https://github.com/scaleapi/scale-agentex
cd scale-agentex/agentex
uv venv && source .venv/bin/activate && uv sync
make dev
fails during Docker build with:
failed to solve: 022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/python:3.12-dev:
401 Unauthorized
no basic auth credentials
This appears to be because the Dockerfile now uses a private ECR-hosted base image:
FROM 022465994601.dkr.ecr.us-west-2.amazonaws.com/golden/chainguard/python:3.12-dev AS base
From the PR description, CI logs into ECR before building:
Added AWS OIDC credentials + artifacts prod ECR login so integration tests can pull golden base images
However, the local dev flow (make dev / docker compose up --build) does not include any login step, and the README does not mention that AWS/ECR access is required.
Because of this, the public onboarding flow currently fails for users who do not have access to account 022465994601.
Questions
- Is local dev expected to require access to the artifacts-prod ECR?
- If so, should the README include login instructions?
- If not, should the Dockerfile use a public base image for the dev stage?
Possible fixes (suggestions)
- Use a public Chainguard image (e.g.
cgr.dev/chainguard/python) for dev builds - Document required ECR login for local development
- Provide a public dev-only Dockerfile / compose override