update: github actions#878
Conversation
WalkthroughUpdates the Docker image GitHub Actions workflow: adds workflow-level permissions, enforces stricter tag validation, checks for and creates annotated Git tags, switches Docker Hub tag checks to authenticated requests, and writes a Docker publish summary to the job summary. Changes
Sequence Diagram(s)sequenceDiagram
autonumber
participant User
participant GH_Actions as "GitHub Actions (runner)"
participant Git as "Git (repo)"
participant DockerHub as "Docker Hub API"
User->>GH_Actions: trigger workflow (push/PR/etc.)
GH_Actions->>GH_Actions: validate input tag (strip "v", regex check)
GH_Actions->>Git: check if Git tag exists
Git-->>GH_Actions: tag exists / not found
alt tag not found
GH_Actions->>Git: create annotated git tag
GH_Actions->>Git: push annotated tag
end
GH_Actions->>DockerHub: login (username + token)
DockerHub-->>GH_Actions: Bearer token
GH_Actions->>DockerHub: check image tag existence (authenticated)
DockerHub-->>GH_Actions: 200 / 404 / other
alt safe to push
GH_Actions->>GH_Actions: build Docker image
GH_Actions->>DockerHub: push image (with tag)
DockerHub-->>GH_Actions: digest / confirmation
end
GH_Actions->>GH_Actions: write job summary (tag & digest)
GH_Actions-->>User: workflow completes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 4
🧹 Nitpick comments (1)
.github/workflows/docker-image.yml (1)
56-63: Use an explicit tag-ref check instead of generic rev parsing.Line 60 uses
git rev-parse "$VERSION", which resolves any revision name, not only tags. Prefer checkingrefs/tags/...directly.Suggested change
- if git rev-parse "$VERSION" >/dev/null 2>&1; then + if git show-ref --tags --verify --quiet "refs/tags/$VERSION"; then echo "Error: Git tag $VERSION already exists" exit 1 fi🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/docker-image.yml around lines 56 - 63, The step that checks for an existing tag uses git rev-parse "$VERSION", which can match any ref; update the check to verify the tag ref explicitly by using the VERSION variable with refs/tags (e.g. replace the rev-parse call with a verification against "refs/tags/$VERSION" such as git rev-parse --verify "refs/tags/$VERSION" or git show-ref --verify "refs/tags/$VERSION") so the script only detects existing tags; keep the surrounding git fetch --tags and the same error/exit behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/docker-image.yml:
- Around line 19-22: The permissions block currently grants "packages: write"
which is unnecessary for Docker Hub pushes; edit the "permissions" block to
remove the "packages: write" entry and keep only the minimal scopes required
(e.g., retain or change "contents" as appropriate), i.e. update the permissions
mapping where "permissions", "contents", and "packages" are defined by deleting
the "packages" key so the workflow token has least privilege.
- Around line 49-52: The VERSION validation currently allows any suffix after
the hyphen; update the regex that tests VERSION to only permit either plain
x.y.z or x.y.z-rc.N where N is one or more digits by changing the pattern to
something like ^[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$ and use that with the
existing if ! [[ "$VERSION" =~ ... ]]; then check so tags like 1.2.3-beta are
rejected while 1.2.3 and 1.2.3-rc.1 pass.
- Around line 79-86: The "Create and push Git tag" step currently runs before
the build/push and can create a release tag even if the image build fails; move
the entire step that uses VERSION="${{ steps.get-version.outputs.version }}" and
runs git tag/push so it executes only after the "Build and push Docker image"
step completes successfully. Ensure the job ordering/needs or step sequence
places the "Create and push Git tag" step after the Docker build/push step so
git tag/push runs only on successful image publish.
- Around line 67-73: The Docker Hub token and tag-check logic must fail-safe:
after obtaining TOKEN (from the curl + jq call that assigns TOKEN) validate it
is non-empty and not "null" and ensure the login call returned HTTP 200 before
proceeding; then call the tag-check endpoint and inspect the HTTP status in
RESPONSE (the curl that sets RESPONSE) and treat 404 as "tag not found" (safe to
push), 200 as "tag exists" (fail the job), and any other status
(401/429/5xx/etc.) as an error that should fail the job rather than assume the
tag is absent; update the workflow to check exit codes and token value, log
clear errors, and exit non-zero when token validation or unexpected HTTP
responses occur.
---
Nitpick comments:
In @.github/workflows/docker-image.yml:
- Around line 56-63: The step that checks for an existing tag uses git rev-parse
"$VERSION", which can match any ref; update the check to verify the tag ref
explicitly by using the VERSION variable with refs/tags (e.g. replace the
rev-parse call with a verification against "refs/tags/$VERSION" such as git
rev-parse --verify "refs/tags/$VERSION" or git show-ref --verify
"refs/tags/$VERSION") so the script only detects existing tags; keep the
surrounding git fetch --tags and the same error/exit behavior.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: f1974794-f8e4-4647-89b8-aba5eb11d466
📒 Files selected for processing (1)
.github/workflows/docker-image.yml
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/docker-image.yml (1)
55-62: Consider checking explicitly for tags only.
git rev-parse "$VERSION"resolves any ref (branches, tags, or commit prefixes). If a branch happens to share the version name, this would incorrectly report the tag as existing. Usingrefs/tags/$VERSIONlimits the check to tags only.♻️ Suggested refinement
- name: Check if Git tag already exists run: | VERSION="${{ steps.get-version.outputs.version }}" git fetch --tags - if git rev-parse "$VERSION" >/dev/null 2>&1; then + if git rev-parse "refs/tags/$VERSION" >/dev/null 2>&1; then echo "Error: Git tag $VERSION already exists" exit 1 fi🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/docker-image.yml around lines 55 - 62, The current tag-existence check uses git rev-parse "$VERSION" which can match branches or commits; update the check to verify the tag ref only by using the tag namespace (refs/tags/$VERSION) and the --verify/--quiet option so it only detects tags; locate the step that sets VERSION and the "Check if Git tag already exists" block and replace the rev-parse call with a verification of refs/tags/$VERSION (keeping the same error message and exit behavior).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In @.github/workflows/docker-image.yml:
- Around line 55-62: The current tag-existence check uses git rev-parse
"$VERSION" which can match branches or commits; update the check to verify the
tag ref only by using the tag namespace (refs/tags/$VERSION) and the
--verify/--quiet option so it only detects tags; locate the step that sets
VERSION and the "Check if Git tag already exists" block and replace the
rev-parse call with a verification of refs/tags/$VERSION (keeping the same error
message and exit behavior).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: f3fc84fc-9d7e-4091-847c-952c1b7df3be
📒 Files selected for processing (1)
.github/workflows/docker-image.yml
Summary by CodeRabbit