[plugin] Support deploying Lambda functions as OCI container images #687
Merged
sebsto added a commit that referenced this pull request Jul 1, 2026
Fixes #683

## Description of changes

`lambda-build` and `lambda-deploy` could independently choose the target architecture, so a user could build an `arm64` binary and deploy a function declaring `x64` (or the reverse). The deploy "succeeded" but the function was broken at invoke time, with no error at build or deploy.

The OCI PR (#687) introduced the `build-manifest.json` hand-off but only wired the architecture into the image deploy path. This PR closes the underlying latent bug for the ZIP path and makes a mismatch impossible to deploy silently.

### `lambda-build`

- Adds `--architecture <x64|arm64>` (default: host).
- The flag actually drives the build: the container is run/pulled/built for that platform (`docker --platform linux/<arch>`, Apple `container --arch <arch>`), so the produced binary matches what the manifest records. The CLI-specific spelling lives in each `ContainerCLI` implementation.
- Both ZIP and OCI backends record the real architecture in `build-manifest.json` (ZIP previously hardcoded `.host`).
- A native (Amazon Linux host) build rejects an explicit cross-architecture request, since it can only target the host and would otherwise record a mismatched architecture.

### `lambda-deploy`

- When `--architecture` is omitted, deploy adopts the architecture recorded in the manifest instead of independently re-defaulting to the host.
- When `--architecture` is passed and disagrees with the built artifact, deploy fails fast with a descriptive error rather than creating a broken function.
- No manifest (legacy `archive` output, or `--input-directory`) falls back to the previous behavior; `--architecture` remains the way to declare the arch there.

### Docs & tests

- Documents the flag and the build→deploy hand-off in the DocC articles.
- Adds unit tests for arg parsing, backend threading, the updated CLI argv, and the deploy-side reconciliation (match / mismatch / omitted / no-manifest).

## New/existing dependencies impact assessment, if applicable

No new dependencies.

## Conventional Commits

fix: enforce architecture consistency between lambda-build and lambda-deploy

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Closes #193

Adds OCI container image support to the `lambda-build` and `lambda-deploy` plugins, alongside the existing ZIP path. Functions can now be larger than the ZIP limits and bundle extra binaries or system libraries.

- `lambda-build --archive-format oci` builds an OCI image (minimal Amazon Linux 2023 base, your binary as the `bootstrap` entrypoint), using docker or Apple's `container`. `--base-oci-image` overrides the base.
- `lambda-deploy` pushes the image to Amazon ECR and creates an `Image`-packaged function: ensure repo, login, tag, push, unwrap the multi-arch index to the single-arch child digest (Lambda rejects indexes), then create/update. Guards against changing the package type of an existing function.

### Plumbing

`scripts/generate-aws-clients.sh`. The script was rewritten to run on stock macOS bash and to use the soto-codegenerator plugins (`download-aws-models` + build) instead of driving the binary directly.

`Deployer+{Zip,ECR,S3,IAM,LambdaFunction,FunctionUrl,Configuration,Error}.swift`.

### Testing

container, push to ECR, create the function, and invoke it successfully.

`Examples/OCIImage` example and a `deploying-with-oci` DocC article.

Note: the OCI build and deploy commands use `--disable-sandbox` because the container CLI talks to its daemon over a socket the plugin sandbox does not allow.
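
The "unwrap the multi-arch index to the single-arch child digest" step from the description, sketched as an added example (not code from this pull request, and in Python rather than the plugin's Swift). The function name `resolve_child_digest` is hypothetical, the mapping of the plugin's `x64`/`arm64` to OCI platform names is an assumption, and the index and digests are constructed sample data.

```python
import json

# Assumption: the plugin's x64/arm64 values map to these OCI platform names.
OCI_ARCH = {"x64": "amd64", "arm64": "arm64"}
INDEX_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}

def resolve_child_digest(manifest_json, pushed_digest, architecture):
    """Return the digest of the single-arch image manifest to hand to Lambda."""
    wanted = OCI_ARCH[architecture]  # KeyError on an unknown architecture
    doc = json.loads(manifest_json)
    if doc.get("mediaType") not in INDEX_TYPES and "manifests" not in doc:
        return pushed_digest  # already a single-arch manifest, nothing to unwrap
    matches = []
    for entry in doc.get("manifests", []):
        # BuildKit attaches provenance as an extra index entry; it is not an image.
        annotations = entry.get("annotations") or {}
        if annotations.get("vnd.docker.reference.type") == "attestation-manifest":
            continue
        platform = entry.get("platform") or {}
        if (platform.get("os"), platform.get("architecture")) == ("linux", wanted):
            matches.append(entry["digest"])
    # Fail closed: zero matches means the wrong architecture was built,
    # several mean the choice would be arbitrary.
    if len(matches) != 1:
        raise LookupError(f"expected one linux/{wanted} image, found {len(matches)}")
    return matches[0]

# Constructed sample: a one-platform build pushed with a provenance attestation.
IMAGE = "sha256:" + "a" * 64
ATTESTATION = "sha256:" + "b" * 64
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": IMAGE,
         "size": 1234, "platform": {"architecture": "arm64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": ATTESTATION,
         "size": 566, "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest"}},
    ],
})

if __name__ == "__main__":
    print(resolve_child_digest(SAMPLE_INDEX, "sha256:" + "c" * 64, "arm64"))
```

Referencing the function by the returned child digest rather than a tag also pins the deployment to the exact image that was built.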