From ae8a523db23601a6bf79758a4a91fbf1dccaff4c Mon Sep 17 00:00:00 2001
From: Zakhar Kleyman <zakhar.kleyman@mongodb.com>
Date: Tue, 9 Sep 2025 13:34:00 -0400
Subject: [PATCH] SERVER-104014 migrate to DevProd ECR (#40640)

GitOrigin-RevId: 39e0eb2822e257335476db33f95098081ded8046
---
 etc/evergreen_yml_components/definitions.yml | 32 +++++++++-----------
 evergreen/container_registry_login.sh        | 14 +++++++++
 evergreen/garasign_gpg_crypt_sign.sh         |  2 +-
 evergreen/garasign_gpg_sign.sh               |  2 +-
 evergreen/garasign_jsign_sign.sh             |  2 +-
 5 files changed, 32 insertions(+), 20 deletions(-)
 create mode 100644 evergreen/container_registry_login.sh

diff --git a/etc/evergreen_yml_components/definitions.yml b/etc/evergreen_yml_components/definitions.yml
index 33350a82ade..89961617e13 100644
--- a/etc/evergreen_yml_components/definitions.yml
+++ b/etc/evergreen_yml_components/definitions.yml
@@ -2283,6 +2283,19 @@ functions:
       args:
         - "./src/evergreen/sasl_windows_cyrussasl_teardown.sh"
 
+  "log into devprod container registry":
+  - command: ec2.assume_role
+    params:
+      role_arn: ${ecr_role_evergreen_arn}
+  - *f_expansions_write
+  - command: subprocess.exec
+    params:
+      binary: bash
+      include_expansions_in_env:
+        [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
+      args:
+        - "./src/evergreen/container_registry_login.sh"
+
 # Pre task steps
 pre:
 - func: "set task expansion macros"
@@ -7127,15 +7140,7 @@ tasks:
       aws_key_remote: ${repo_aws_key}
       aws_secret_remote: ${repo_aws_secret}
   - func: "f_expansions_write"
-
-  # login to container registry
-  - command: shell.exec
-    params:
-      shell: bash
-      silent: true
-      script: |
-        set -oe
-        echo "${release_tools_container_registry_password}" | podman login --password-stdin --username ${release_tools_container_registry_username} ${release_tools_container_registry}
+  - func: "log into devprod container registry"
 
   # signing windows artifacts
   - command: subprocess.exec
@@ -7466,14 +7471,7 @@ tasks:
       aws_key_remote: ${repo_aws_key}
       aws_secret_remote: ${repo_aws_secret}
   - func: "f_expansions_write"
-  # login to container registry
-  - command: shell.exec
-    params:
-      shell: bash
-      silent: true
-      script: |
-        set -oe
-        echo "${release_tools_container_registry_password}" | podman login --password-stdin --username ${release_tools_container_registry_username} ${release_tools_container_registry}
+  - func: "log into devprod container registry"
   - command: subprocess.exec
     params:
       binary: bash
diff --git a/evergreen/container_registry_login.sh b/evergreen/container_registry_login.sh
new file mode 100644
index 00000000000..5b3a32d9348
--- /dev/null
+++ b/evergreen/container_registry_login.sh
@@ -0,0 +1,14 @@
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
+. "$DIR/prelude.sh"
+
+cd src
+
+set -oe
+attempts=0
+max_attempts=4
+
+while ! aws ecr get-login-password --region us-east-1 | podman login --password-stdin --username ${release_tools_container_registry_username_ecr} ${release_tools_container_registry_ecr}; do
+  [ "$attempts" -ge "$max_attempts" ] && exit 1
+  ((attempts++))
+  sleep 10
+done
diff --git a/evergreen/garasign_gpg_crypt_sign.sh b/evergreen/garasign_gpg_crypt_sign.sh
index 9ae7d568ac9..2d25d01c308 100644
--- a/evergreen/garasign_gpg_crypt_sign.sh
+++ b/evergreen/garasign_gpg_crypt_sign.sh
@@ -29,5 +29,5 @@ podman run \
   --env-file=signing-envfile \
   --rm \
   -v $(pwd):$(pwd) -w $(pwd) \
-  ${garasign_gpg_image} \
+  ${garasign_gpg_image_ecr} \
   /bin/bash -c "$(cat ./gpg_signing_commands.sh)"
diff --git a/evergreen/garasign_gpg_sign.sh b/evergreen/garasign_gpg_sign.sh
index ea83f39d04b..2d2524ed27e 100644
--- a/evergreen/garasign_gpg_sign.sh
+++ b/evergreen/garasign_gpg_sign.sh
@@ -61,5 +61,5 @@ podman run \
   --env-file=signing-envfile \
   --rm \
   -v $(pwd):$(pwd) -w $(pwd) \
-  ${garasign_gpg_image} \
+  ${garasign_gpg_image_ecr} \
   /bin/bash -c "$(cat ./gpg_signing_commands.sh)"
diff --git a/evergreen/garasign_jsign_sign.sh b/evergreen/garasign_jsign_sign.sh
index f150d398883..12e7a80e278 100644
--- a/evergreen/garasign_jsign_sign.sh
+++ b/evergreen/garasign_jsign_sign.sh
@@ -31,7 +31,7 @@ podman run \
   --env-file=signing-envfile \
   --rm \
   -v $(pwd):$(pwd) -w $(pwd) \
-  ${garasign_jsign_image} \
+  ${garasign_jsign_image_ecr} \
   /bin/bash -c "$(cat ./jsign_signing_commands.sh)"
 
 # generating checksums