
fix(ci): free us-east-1 public-AMI slot before distribute (closes #86)#87

Merged
kaio6fellipe merged 1 commit into main from fix/ami-us-east-1-quota-guard
Jun 8, 2026

@kaio6fellipe kaio6fellipe commented Jun 8, 2026

Problem (#86)

On the v1.0.0-rc.5 release, the Distribute source AMI to us-east-1 step failed to publish with ResourceLimitExceeded (5-public-AMI quota) because us-east-1 still held 5 AMIs from the former 9-region era. The pre-build --ensure-free guard only frees us-east-2, and the us-east-1 prune runs in the post-build prune job — i.e. after the publish. The copy was left private until I published it manually.

Fix

Add a Pre-distribute free-slot guard (us-east-1) step immediately before the copy/publish step, mirroring the us-east-2 guard:

./infra/scripts/ami-prune.sh --regions us-east-1 --keep-latest 2 --ensure-free 1 --apply
  • No-op in steady state (us-east-1 sits at ≤2 public AMIs after each prune; --ensure-free 1 only acts at/near the quota ceiling).
  • Never deregisters the 2 newest public AMIs.
  • Runs from repo root (no working-directory), using the same OIDC role; the role already has the required perms in us-east-1 (AmiPrune inline policy, Resource:*).

Validation

actionlint clean (no new findings). Step order confirmed: us-east-2 guard → us-east-1 guard → distribute → post-build prune. The underlying ami-prune.sh --ensure-free path is already covered by the script's unit tests.

Closes #86. Related: #83, #84.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Improved build and distribution workflow to better manage resource allocation during AMI deployment, optimizing slot management before distribution steps.

The pre-build --ensure-free guard only freed us-east-2, so the us-east-1
publish could hit the 5-public-AMI quota (observed on the v1.0.0-rc.5 build,
where the copy was left private until manually published). Add a matching
ensure-free guard for us-east-1 immediately before the copy/publish step.
No-op in steady state; never deregisters the 2 newest.

Signed-off-by: Kaio Fellipe <kaio6fellipe@gmail.com>
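
The selection the guard's flags describe, as an added sketch that is not part of the PR and is not the project's ami-prune.sh (whose source does not appear in this thread). It assumes `--ensure-free N` deregisters only as many of the oldest public AMIs as are needed to leave N slots under the 5-AMI quota, and that `--keep-latest K` protects the K newest; the function name, the variable names and the AMI ids are hypothetical or constructed.

```shell
#!/bin/sh
# Added illustration only; NOT the project's infra/scripts/ami-prune.sh.
# Assumed semantics: --ensure-free N deregisters the oldest public AMIs until
# N slots are free under the quota; --keep-latest K protects the K newest.

PUBLIC_AMI_QUOTA=5   # per-region public-AMI quota quoted in the PR

# select_for_deregister KEEP_LATEST ENSURE_FREE   (hypothetical helper)
#   stdin : one "<ISO-8601 creation date> <ami-id>" line per public AMI
#   stdout: AMI ids to deregister, oldest first (empty when nothing to do)
select_for_deregister() {
  sfd_keep=$1
  sfd_free=$2
  sfd_sorted=$(awk 'NF == 2' | sort)      # ISO-8601 dates sort chronologically
  sfd_count=$(printf '%s\n' "$sfd_sorted" | awk 'NF { n++ } END { print n + 0 }')
  sfd_need=$(( sfd_count + sfd_free - PUBLIC_AMI_QUOTA ))
  sfd_spare=$(( sfd_count - sfd_keep ))   # AMIs outside the protected newest K
  if [ "$sfd_need" -le 0 ] || [ "$sfd_spare" -le 0 ]; then
    return 0                              # below the ceiling: no-op
  fi
  if [ "$sfd_need" -gt "$sfd_spare" ]; then
    sfd_need=$sfd_spare                   # never cut into the newest K
  fi
  printf '%s\n' "$sfd_sorted" | head -n "$sfd_need" | awk '{ print $2 }'
}

# Constructed sample (placeholder ids, deliberately unsorted): five public AMIs
# still registered in us-east-1, i.e. the region is at the quota ceiling.
LEGACY_FIVE='2026-03-02T10:00:00Z ami-00000000000000003
2026-01-05T10:00:00Z ami-00000000000000001
2026-05-20T10:00:00Z ami-00000000000000005
2026-02-09T10:00:00Z ami-00000000000000002
2026-04-14T10:00:00Z ami-00000000000000004'

# Constructed sample: steady state after a post-build prune (two public AMIs).
STEADY_TWO='2026-04-14T10:00:00Z ami-00000000000000004
2026-05-20T10:00:00Z ami-00000000000000005'

echo "at ceiling, would deregister:"
printf '%s\n' "$LEGACY_FIVE" | select_for_deregister 2 1
echo "steady state, would deregister:"
printf '%s\n' "$STEADY_TWO" | select_for_deregister 2 1
```
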
@github-actions github-actions Bot added bug Something isn't working jit-runners github-actions labels Jun 8, 2026

coderabbitai Bot commented Jun 8, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b9bc9114-6a8a-469d-bdf2-fb9794086441

📥 Commits

Reviewing files that changed from the base of the PR and between 99f5e16 and f3e1d37.

📒 Files selected for processing (1)
  • .github/workflows/ami-build.yml

Walkthrough

Added a pre-distribution workflow step to .github/workflows/ami-build.yml that runs ami-prune.sh against us-east-1 before the source AMI distribution step, for non-PR builds when distribution is enabled. This ensures a free public AMI slot in the target region.

Changes

AMI Distribution Guard

| Layer / File(s) | Summary |
| --- | --- |
| Pre-distribute free-slot guard step (.github/workflows/ami-build.yml) | New workflow step runs ami-prune.sh with region and retention parameters against us-east-1 before the "Distribute source AMI to us-east-1" step executes on non-PR distributable builds, preventing public-AMI quota exhaustion in the target region. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

  • #86: Directly addresses the root cause — us-east-1 publish failing due to public-AMI quota; pre-build guard extends the existing ami-prune.sh mechanism to the target region (us-east-1) instead of only the source region (us-east-2).
  • #83: Related architectural change that introduced the two-region distribution model and the pre-build --ensure-free guard mechanism that this PR extends.
  • #49: Shares the same quota-mitigation pattern of running AMI prune scripts before distribution to free slots in the target region.

Poem

🐰 A rabbit hops through workflow logs,
Clearing slots before the fog,
us-east-1 now breathes free space,
AMIs find their rightful place!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and concisely describes the main change: adding a pre-distribute guard to free a public-AMI slot in us-east-1 before the distribute step, and it directly references the linked issue #86. |
| Description check | ✅ Passed | The PR description is comprehensive, detailing the problem, fix, validation steps, and acceptance criteria. It directly mirrors the structure of the template with clear problem statement, solution, and implementation notes. |
| Linked Issues check | ✅ Passed | The PR directly addresses all requirements from issue #86: adds pre-distribute guard to free us-east-1 slots [#86], preserves the 2 newest AMIs [#86], maintains soft-fail behavior [#86], and passes validation [#86]. |
| Out of Scope Changes check | ✅ Passed | The change is narrowly scoped to the CI workflow: adding a single pre-distribute step to .github/workflows/ami-build.yml that directly addresses the issue without introducing unrelated modifications. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

github-actions Bot commented Jun 8, 2026

OpenSSF Scorecard — 8.3/10 ✅

| Check | Score | Details |
| --- | --- | --- |
| Binary-Artifacts | 10/10 | no binaries found in the repo |
| CI-Tests | 10/10 | 24 out of 24 merged PRs checked by a CI test -- score normalized to 10 |
| Code-Review | 0/10 | Found 0/30 approved changesets -- score normalized to 0 |
| Dangerous-Workflow | 10/10 | no dangerous workflow patterns detected |
| License | 10/10 | license file detected |
| Pinned-Dependencies | 6/10 | dependency not pinned by hash detected -- score normalized to 6 |
| Security-Policy | 10/10 | security policy file detected |
| Token-Permissions | 10/10 | GitHub workflow tokens follow principle of least privilege |
| Vulnerabilities | 10/10 | 0 existing vulnerabilities detected |

Threshold: 7 | Full report

@kaio6fellipe kaio6fellipe merged commit 55076a7 into main Jun 8, 2026
10 checks passed
@kaio6fellipe kaio6fellipe deleted the fix/ami-us-east-1-quota-guard branch June 8, 2026 01:43

Successfully merging this pull request may close these issues.

fix(ci): us-east-1 AMI publish can hit public-AMI quota — pre-build guard only frees us-east-2
