chore: update quickstart image

[bzp2010]

Summary by CodeRabbit

• Chores
  • Added GitHub Actions workflow for automated publishing of quickstart resources, supporting both scheduled pushes to the main branch and manual dispatch triggers, including cloud storage uploads and content delivery network cache invalidation.
  • Updated default Docker image repository source for quickstart deployments to enhance availability and ensure consistent image resolution.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces automated publishing of quickstart artifacts to S3 via a new GitHub Actions workflow triggered on main branch pushes to quickstart/** and manual dispatch. The workflow assumes an AWS IAM role, uploads three quickstart files with proper content types, and invalidates CloudFront cache. The default Docker image reference in the quickstart configuration is also updated.

Changes

Quickstart Publishing Automation

Layer / File(s)	Summary
Quickstart Configuration quickstart/docker-compose.yaml	AISIX service image default changes from ghcr.io/api7/aisix:latest to api7/aisix:latest via AISIX_IMAGE fallback.
Workflow Triggers and Permissions .github/workflows/quickstart.yaml	New "Publish quickstart script" workflow triggers on main pushes within quickstart/** or manual dispatch with repository read permissions.
AWS Credential Configuration .github/workflows/quickstart.yaml	Job configures AWS credentials by assuming AWS_QUICKSTART_ROLE in us-west-2 region.
Artifact Publishing to S3 .github/workflows/quickstart.yaml	Uploads quickstart.sh, docker-compose.yaml, and config.yaml to S3 with explicit MIME content types.
CloudFront Cache Invalidation .github/workflows/quickstart.yaml	Invalidates CloudFront distribution paths for /aisix/* resources using CLOUDFRONT_DISTRIBUTION_ID.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• api7/aisix#5: Modifies the quickstart publishing CI job to use OIDC/role assumption for AWS credentials, directly related to the same publishing workflow pattern.
• api7/aisix#105: Directly modifies the quickstart configuration and Docker image defaults in the same quickstart artifacts being published by this workflow.

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
Security Check	❌ Error	Critical security issue found: Default admin key ("key: admin") in quickstart/config.yaml (line 9) is uploaded to public S3 bucket, exposing a known default credential.	Remove hardcoded admin_key from template or document that it must be regenerated before production use. Either omit the key entirely from config.yaml or use a placeholder like key: "CHANGE_ME_BEFORE_PRODUCTION".

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title refers to updating a quickstart image, which aligns with the main change in docker-compose.yaml that updates the AISIX_IMAGE default. However, the PR also adds a significant new GitHub Actions workflow file that is not mentioned in the title.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
E2e Test Quality Review	✅ Passed	PR does not contain E2E tests or test code. It only modifies CI/CD workflow configuration and Docker Compose settings. The E2E Test Quality check is not applicable.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch bzp/chore-quickstart-publish

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/quickstart.yaml (1)

30-38: ⚡ Quick win

Consider adding cache-control headers for S3 objects.

The S3 uploads don't specify Cache-Control headers, which means CloudFront will use default caching behavior. For quickstart files that may be updated frequently, consider adding appropriate cache-control directives.

💡 Suggested improvement with cache-control headers

       - name: Upload quickstart files to S3
         run: |
           aws s3 cp quickstart/quickstart.sh \
             s3://api7ai-docs-resources/aisix/quickstart \
-            --content-type "text/x-shellscript"
+            --content-type "text/x-shellscript" \
+            --cache-control "public, max-age=300"
           aws s3 cp quickstart/docker-compose.yaml \
             s3://api7ai-docs-resources/aisix/docker-compose.yaml \
-            --content-type "text/yaml"
+            --content-type "text/yaml" \
+            --cache-control "public, max-age=300"
           aws s3 cp quickstart/config.yaml \
             s3://api7ai-docs-resources/aisix/config.yaml \
-            --content-type "text/yaml"
+            --content-type "text/yaml" \
+            --cache-control "public, max-age=300"

This sets a 5-minute cache TTL, balancing between performance and freshness.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/quickstart.yaml around lines 30 - 38, Add appropriate
Cache-Control headers to the S3 upload commands so CloudFront won't rely on
default caching; update each aws s3 cp invocation that uploads
quickstart/quickstart.sh, quickstart/docker-compose.yaml, and
quickstart/config.yaml to include a --cache-control flag (for example "public,
max-age=300" or another TTL you choose) so the files have a short CDN TTL and
can be refreshed when updated.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/quickstart.yaml:
- Around line 22-26: The workflow references repository secrets that may not
exist; ensure the two required secrets AWS_QUICKSTART_ROLE and
CLOUDFRONT_DISTRIBUTION_ID are created in the repo settings before merging so
the Configure AWS credentials step (uses: aws-actions/configure-aws-credentials)
and the CloudFront invalidation step can access them; add those secrets in
GitHub > Settings > Secrets (or update CI docs to instruct maintainers) so ${{
secrets.AWS_QUICKSTART_ROLE }} and ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }} are
available at runtime.

---

Nitpick comments:
In @.github/workflows/quickstart.yaml:
- Around line 30-38: Add appropriate Cache-Control headers to the S3 upload
commands so CloudFront won't rely on default caching; update each aws s3 cp
invocation that uploads quickstart/quickstart.sh,
quickstart/docker-compose.yaml, and quickstart/config.yaml to include a
--cache-control flag (for example "public, max-age=300" or another TTL you
choose) so the files have a short CDN TTL and can be refreshed when updated.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c13db995-921d-4cdb-b67e-5d1d63cd4ad0

📥 Commits

Reviewing files that changed from the base of the PR and between ee56b20 and a1695fd.

📒 Files selected for processing (2)

• .github/workflows/quickstart.yaml
• quickstart/docker-compose.yaml