Skip to content

update: github actions#878

Merged
nevil-mathew merged 2 commits into
masterfrom
github-ac
Mar 5, 2026
Merged

update: github actions#878
nevil-mathew merged 2 commits into
masterfrom
github-ac

Conversation

@nevil-mathew

@nevil-mathew nevil-mathew commented Mar 5, 2026

Copy link
Copy Markdown
Collaborator

Summary by CodeRabbit

  • Chores
    • Renamed workflow and added workflow-level write permissions.
    • Removed an execution guard to allow broader triggers.
    • Enforced stricter version-tag formats (x.y.z or x.y.z-rc.N), still tolerating a leading "v".
    • Checks for existing Git tags and fails if a tag exists; creates and pushes an annotated tag when valid.
    • Uses authenticated Docker Registry checks (handles exists/not-found/failure) and writes a concise Docker publish job summary.

@coderabbitai

coderabbitai Bot commented Mar 5, 2026

Copy link
Copy Markdown

Walkthrough

Updates the Docker image GitHub Actions workflow: adds workflow-level permissions, enforces stricter tag validation, checks for and creates annotated Git tags, switches Docker Hub tag checks to authenticated requests, and writes a Docker publish summary to the job summary.

Changes

Cohort / File(s) Summary
GitHub Actions Workflow
.github/workflows/docker-image.yml
Renamed workflow; added contents: write permission; removed workflow_dispatch guard; tightened tag_version regex (accepts x.y.z or x.y.z-rc.N, strips leading v); added pre-build Git tag existence check and a step to create & push an annotated Git tag; changed Docker Hub tag verification to authenticated Bearer-token checks via Docker Hub login; replaced the final "Print pushed tags" step with a job summary that records Docker tag and digest.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant User
  participant GH_Actions as "GitHub Actions (runner)"
  participant Git as "Git (repo)"
  participant DockerHub as "Docker Hub API"

  User->>GH_Actions: trigger workflow (push/PR/etc.)
  GH_Actions->>GH_Actions: validate input tag (strip "v", regex check)
  GH_Actions->>Git: check if Git tag exists
  Git-->>GH_Actions: tag exists / not found
  alt tag not found
    GH_Actions->>Git: create annotated git tag
    GH_Actions->>Git: push annotated tag
  end
  GH_Actions->>DockerHub: login (username + token)
  DockerHub-->>GH_Actions: Bearer token
  GH_Actions->>DockerHub: check image tag existence (authenticated)
  DockerHub-->>GH_Actions: 200 / 404 / other
  alt safe to push
    GH_Actions->>GH_Actions: build Docker image
    GH_Actions->>DockerHub: push image (with tag)
    DockerHub-->>GH_Actions: digest / confirmation
  end
  GH_Actions->>GH_Actions: write job summary (tag & digest)
  GH_Actions-->>User: workflow completes
Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

Poem

🐰 I nibbled through tags with a careful hop,
I stamped an annotated note—then stopped to pop,
I logged into Hub, checked the shiny name,
Pushed the image gently, no two builds the same.
A summary tucked under the workflow's tree—hip hop! 🎉

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The title 'update: github actions' is vague and overly generic; it does not clearly convey the specific changes made to the Docker workflow. Use a more descriptive title that highlights the main change, such as 'Enhance Docker image workflow with tag validation and authenticated Hub checks' or 'Add Git tag validation and Docker Hub authentication to build workflow'.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch github-ac

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Nitpick comments (1)
.github/workflows/docker-image.yml (1)

56-63: Use an explicit tag-ref check instead of generic rev parsing.

Line 60 uses git rev-parse "$VERSION", which resolves any revision name, not only tags. Prefer checking refs/tags/... directly.

Suggested change
-        if git rev-parse "$VERSION" >/dev/null 2>&1; then
+        if git show-ref --tags --verify --quiet "refs/tags/$VERSION"; then
           echo "Error: Git tag $VERSION already exists"
           exit 1
         fi
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docker-image.yml around lines 56 - 63, The step that
checks for an existing tag uses git rev-parse "$VERSION", which can match any
ref; update the check to verify the tag ref explicitly by using the VERSION
variable with refs/tags (e.g. replace the rev-parse call with a verification
against "refs/tags/$VERSION" such as git rev-parse --verify "refs/tags/$VERSION"
or git show-ref --verify "refs/tags/$VERSION") so the script only detects
existing tags; keep the surrounding git fetch --tags and the same error/exit
behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/docker-image.yml:
- Around line 19-22: The permissions block currently grants "packages: write"
which is unnecessary for Docker Hub pushes; edit the "permissions" block to
remove the "packages: write" entry and keep only the minimal scopes required
(e.g., retain or change "contents" as appropriate), i.e. update the permissions
mapping where "permissions", "contents", and "packages" are defined by deleting
the "packages" key so the workflow token has least privilege.
- Around line 49-52: The VERSION validation currently allows any suffix after
the hyphen; update the regex that tests VERSION to only permit either plain
x.y.z or x.y.z-rc.N where N is one or more digits by changing the pattern to
something like ^[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$ and use that with the
existing if ! [[ "$VERSION" =~ ... ]]; then check so tags like 1.2.3-beta are
rejected while 1.2.3 and 1.2.3-rc.1 pass.
- Around line 79-86: The "Create and push Git tag" step currently runs before
the build/push and can create a release tag even if the image build fails; move
the entire step that uses VERSION="${{ steps.get-version.outputs.version }}" and
runs git tag/push so it executes only after the "Build and push Docker image"
step completes successfully. Ensure the job ordering/needs or step sequence
places the "Create and push Git tag" step after the Docker build/push step so
git tag/push runs only on successful image publish.
- Around line 67-73: The Docker Hub token and tag-check logic must fail-safe:
after obtaining TOKEN (from the curl + jq call that assigns TOKEN) validate it
is non-empty and not "null" and ensure the login call returned HTTP 200 before
proceeding; then call the tag-check endpoint and inspect the HTTP status in
RESPONSE (the curl that sets RESPONSE) and treat 404 as "tag not found" (safe to
push), 200 as "tag exists" (fail the job), and any other status
(401/429/5xx/etc.) as an error that should fail the job rather than assume the
tag is absent; update the workflow to check exit codes and token value, log
clear errors, and exit non-zero when token validation or unexpected HTTP
responses occur.

---

Nitpick comments:
In @.github/workflows/docker-image.yml:
- Around line 56-63: The step that checks for an existing tag uses git rev-parse
"$VERSION", which can match any ref; update the check to verify the tag ref
explicitly by using the VERSION variable with refs/tags (e.g. replace the
rev-parse call with a verification against "refs/tags/$VERSION" such as git
rev-parse --verify "refs/tags/$VERSION" or git show-ref --verify
"refs/tags/$VERSION") so the script only detects existing tags; keep the
surrounding git fetch --tags and the same error/exit behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f1974794-f8e4-4647-89b8-aba5eb11d466

📥 Commits

Reviewing files that changed from the base of the PR and between 3c9ed3d and d9066aa.

📒 Files selected for processing (1)
  • .github/workflows/docker-image.yml

Comment thread .github/workflows/docker-image.yml
Comment thread .github/workflows/docker-image.yml
Comment thread .github/workflows/docker-image.yml
Comment thread .github/workflows/docker-image.yml Outdated
@nevil-mathew nevil-mathew changed the title udpated: github actions update: github actions Mar 5, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/docker-image.yml (1)

55-62: Consider checking explicitly for tags only.

git rev-parse "$VERSION" resolves any ref (branches, tags, or commit prefixes). If a branch happens to share the version name, this would incorrectly report the tag as existing. Using refs/tags/$VERSION limits the check to tags only.

♻️ Suggested refinement
     - name: Check if Git tag already exists
       run: |
         VERSION="${{ steps.get-version.outputs.version }}"
         git fetch --tags
-        if git rev-parse "$VERSION" >/dev/null 2>&1; then
+        if git rev-parse "refs/tags/$VERSION" >/dev/null 2>&1; then
           echo "Error: Git tag $VERSION already exists"
           exit 1
         fi
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docker-image.yml around lines 55 - 62, The current
tag-existence check uses git rev-parse "$VERSION" which can match branches or
commits; update the check to verify the tag ref only by using the tag namespace
(refs/tags/$VERSION) and the --verify/--quiet option so it only detects tags;
locate the step that sets VERSION and the "Check if Git tag already exists"
block and replace the rev-parse call with a verification of refs/tags/$VERSION
(keeping the same error message and exit behavior).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/docker-image.yml:
- Around line 55-62: The current tag-existence check uses git rev-parse
"$VERSION" which can match branches or commits; update the check to verify the
tag ref only by using the tag namespace (refs/tags/$VERSION) and the
--verify/--quiet option so it only detects tags; locate the step that sets
VERSION and the "Check if Git tag already exists" block and replace the
rev-parse call with a verification of refs/tags/$VERSION (keeping the same error
message and exit behavior).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f3fc84fc-9d7e-4091-847c-952c1b7df3be

📥 Commits

Reviewing files that changed from the base of the PR and between d9066aa and 68fcbfa.

📒 Files selected for processing (1)
  • .github/workflows/docker-image.yml

@nevil-mathew
nevil-mathew merged commit cdb3284 into master Mar 5, 2026
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant