Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
87 changes: 87 additions & 0 deletions .github/workflows/docker-image.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
name: Build and Push Docker Image

on:
workflow_dispatch:
inputs:
tag_version:
description: 'Docker image tag version (e.g., 3.3.11)'
required: true

env:
DOCKER_IMAGE_NAME: elevate-user # Configure your image name here
DOCKER_REGISTRY: docker.io
DOCKER_NAMESPACE: shikshalokamqa

jobs:
docker-image-build-and-push:
if: github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/docker-image'
runs-on: ubuntu-latest
Comment on lines +17 to +18

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Job-level if: clause is redundant and over-restrictive

The workflow is already limited to workflow_dispatch via the on: section.
Adding an extra if: gate that hard-codes refs/heads/docker-image prevents maintainers from manually triggering the build from forks or feature branches—even though workflow_dispatch supports a branches: filter.

Consider removing the if: or moving the branch filter into the on.workflow_dispatch block:

-on:
-  workflow_dispatch:
-    inputs:
+on:
+  workflow_dispatch:
+    branches: [docker-image]
+    inputs:
...
-    if: github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/docker-image'
🤖 Prompt for AI Agents
In .github/workflows/docker-image.yml around lines 17 to 18, remove the
job-level if: condition that checks for github.event_name and github.ref because
it is redundant and restricts manual triggers from forks or feature branches.
Instead, move the branch filtering to the on.workflow_dispatch section by
specifying branches there, allowing more flexible manual triggering while
keeping the workflow limited to workflow_dispatch events.


steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Get Docker tag version (fail if not provided)
id: get-version
run: |
# Use workflow_dispatch input if provided
if [ ! -z "${{ github.event.inputs.tag_version }}" ]; then
VERSION="${{ github.event.inputs.tag_version }}"
# Or use TAG_VERSION env if set (for push/PR)
elif [ ! -z "${TAG_VERSION}" ]; then
VERSION="${TAG_VERSION}"
else
echo "Error: Docker image version must be provided as workflow_dispatch input or TAG_VERSION env."
exit 1
fi
echo "version=$VERSION" >> $GITHUB_OUTPUT

- name: Check if version exists on Docker Hub
id: check-version
run: |
VERSION=${{ steps.get-version.outputs.version }}
RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" "https://hub.docker.com/v2/namespaces/${{ env.DOCKER_NAMESPACE }}/repositories/${{ env.DOCKER_IMAGE_NAME }}/tags/$VERSION")
if [ "$RESPONSE" -eq 200 ]; then
echo "Error: Tag $VERSION already exists on Docker Hub"
exit 1
else
echo "Tag $VERSION does not exist, proceeding with build"
fi
Comment on lines +48 to +58

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Unauthenticated tag-existence check is fragile

The curl probe is unauthenticated, so:

• Private repositories will return 401, not 404.
• Public repositories are subject to Docker Hub’s low anonymous-rate limits.

Inject the Docker Hub token to avoid both issues and broaden the status-code check:

-RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" "https://hub.docker.com/v2/namespaces/${{ env.DOCKER_NAMESPACE }}/repositories/${{ env.DOCKER_IMAGE_NAME }}/tags/$VERSION")
+RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
+  -H "Authorization: Bearer ${{ secrets.DOCKERHUB_TOKEN }}" \
+  "https://hub.docker.com/v2/namespaces/${{ env.DOCKER_NAMESPACE }}/repositories/${{ env.DOCKER_IMAGE_NAME }}/tags/$VERSION")
+# Treat 200 (exists) vs 404 (missing); fail on 401/429 to surface auth or rate-limit problems.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In .github/workflows/docker-image.yml around lines 48 to 58, the curl command
checking if a Docker tag exists is unauthenticated, causing 401 errors for
private repos and rate limiting for public ones. Modify the curl command to
include authentication by injecting the Docker Hub token via an Authorization
header. Also, update the status code check to handle a broader range of success
codes appropriately, ensuring reliable detection of existing tags.


- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}
tags: |
type=raw,value=${{ steps.get-version.outputs.version }}

- name: Build and push Docker image
id: build
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Image digest
run: echo "Image pushed with digest ${{ steps.build.outputs.digest }}"

- name: Print pushed tags
run: |
echo "Pushed tags:"
echo "${{ steps.meta.outputs.tags }}" | tr ',' '\n'