add: github action to publish docker image#784
Conversation
WalkthroughA new GitHub Actions workflow file is added to automate building and pushing Docker images. This workflow is manually triggered on the Changes
Sequence Diagram(s)sequenceDiagram
participant User
participant GitHub Actions
participant Docker Hub
User->>GitHub Actions: Manually triggers workflow with tag_version
GitHub Actions->>GitHub Actions: Checkout code
GitHub Actions->>GitHub Actions: Setup Buildx
GitHub Actions->>Docker Hub: Login with secrets
GitHub Actions->>Docker Hub: Check if tag exists
alt Tag exists
GitHub Actions-->>User: Abort workflow
else Tag does not exist
GitHub Actions->>GitHub Actions: Extract metadata
GitHub Actions->>Docker Hub: Build & push multi-arch image
GitHub Actions->>User: Output image digest and tags
end
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Poem
Note ⚡️ Unit Test Generation is now available in beta!Learn more here, or try it out under "Finishing Touches" below. ✨ Finishing Touches🧪 Generate unit tests
🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (3)
.github/workflows/docker-image.yml (3)
33-46: Shell test style is brittleUsing
[ ! -z "$VAR" ]can break when$VARcontains spaces or is unset withset -u.
Prefer the more idiomatic-ntest and always quote the variable:-if [ ! -z "${{ github.event.inputs.tag_version }}" ]; then +if [ -n "${{ github.event.inputs.tag_version }}" ]; then ... -elif [ ! -z "${TAG_VERSION}" ]; then +elif [ -n "${TAG_VERSION}" ]; thenThis small change improves robustness without altering behaviour.
68-79: Consider enabling provenance/SBOM generation
docker/build-push-action@v5supportsprovenance=trueandsbom=trueflags, producing SLSA provenance and CycloneDX SBOM without extra effort—valuable for supply-chain transparency.platforms: linux/amd64,linux/arm64 + provenance: true + sbom: true cache-from: type=gha
87-87: Add a trailing newlineYAMLlint flags the missing newline at EOF.
Appending one keeps tooling quiet and adheres to POSIX text-file conventions.- echo "${{ steps.meta.outputs.tags }}" | tr ',' '\n' + echo "${{ steps.meta.outputs.tags }}" | tr ',' '\n' +
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/docker-image.yml(1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/docker-image.yml
[error] 87-87: no new line character at the end of file
(new-line-at-end-of-file)
| if: github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/docker-image' | ||
| runs-on: ubuntu-latest |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Job-level if: clause is redundant and over-restrictive
The workflow is already limited to workflow_dispatch via the on: section.
Adding an extra if: gate that hard-codes refs/heads/docker-image prevents maintainers from manually triggering the build from forks or feature branches—even though workflow_dispatch supports a branches: filter.
Consider removing the if: or moving the branch filter into the on.workflow_dispatch block:
-on:
- workflow_dispatch:
- inputs:
+on:
+ workflow_dispatch:
+ branches: [docker-image]
+ inputs:
...
- if: github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/docker-image'🤖 Prompt for AI Agents
In .github/workflows/docker-image.yml around lines 17 to 18, remove the
job-level if: condition that checks for github.event_name and github.ref because
it is redundant and restricts manual triggers from forks or feature branches.
Instead, move the branch filtering to the on.workflow_dispatch section by
specifying branches there, allowing more flexible manual triggering while
keeping the workflow limited to workflow_dispatch events.
| - name: Check if version exists on Docker Hub | ||
| id: check-version | ||
| run: | | ||
| VERSION=${{ steps.get-version.outputs.version }} | ||
| RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" "https://hub.docker.com/v2/namespaces/${{ env.DOCKER_NAMESPACE }}/repositories/${{ env.DOCKER_IMAGE_NAME }}/tags/$VERSION") | ||
| if [ "$RESPONSE" -eq 200 ]; then | ||
| echo "Error: Tag $VERSION already exists on Docker Hub" | ||
| exit 1 | ||
| else | ||
| echo "Tag $VERSION does not exist, proceeding with build" | ||
| fi |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Unauthenticated tag-existence check is fragile
The curl probe is unauthenticated, so:
• Private repositories will return 401, not 404.
• Public repositories are subject to Docker Hub’s low anonymous-rate limits.
Inject the Docker Hub token to avoid both issues and broaden the status-code check:
-RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" "https://hub.docker.com/v2/namespaces/${{ env.DOCKER_NAMESPACE }}/repositories/${{ env.DOCKER_IMAGE_NAME }}/tags/$VERSION")
+RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
+ -H "Authorization: Bearer ${{ secrets.DOCKERHUB_TOKEN }}" \
+ "https://hub.docker.com/v2/namespaces/${{ env.DOCKER_NAMESPACE }}/repositories/${{ env.DOCKER_IMAGE_NAME }}/tags/$VERSION")
+# Treat 200 (exists) vs 404 (missing); fail on 401/429 to surface auth or rate-limit problems.Committable suggestion skipped: line range outside the PR's diff.
🤖 Prompt for AI Agents
In .github/workflows/docker-image.yml around lines 48 to 58, the curl command
checking if a Docker tag exists is unauthenticated, causing 401 errors for
private repos and rate limiting for public ones. Modify the curl command to
include authentication by injecting the Docker Hub token via an Authorization
header. Also, update the status code check to handle a broader range of success
codes appropriately, ensuring reliable detection of existing tags.
Summary by CodeRabbit