…of tests and simplify Docker image push conditions
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## main #37 +/- ##
=======================================
Coverage 90.79% 90.79%
=======================================
Files 26 26
Lines 1412 1412
Branches 131 131
=======================================
Hits 1282 1282
Misses 94 94
Partials 36 36
Pull request overview
Adds a new GitHub Actions workflow to build and publish a Docker image to GitHub Container Registry (GHCR), with publishing gated on successful completion of the existing “Build and Test” workflow for main and direct publishing for version tags / manual dispatch.
Changes:
- Introduces .github/workflows/publish_docker.yml to build and push a Docker image to ghcr.io.
- Uses workflow_run to gate publishing on successful test workflow completion for main.
- Adds Docker metadata-based tagging and GitHub Actions cache configuration for faster rebuilds.
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 |
For workflow_run events, actions/checkout defaults to the repository’s default branch HEAD at run time, not the SHA that was actually tested. This can result in publishing an image for a different commit than the one that triggered the successful “Build and Test” run. Consider checking out github.event.workflow_run.head_sha when github.event_name == 'workflow_run' (and falling back to github.sha for other triggers).
| uses: actions/checkout@v4 | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }} |
| tags: | | ||
| type=raw,value=latest,enable={{is_default_branch}} | ||
| type=ref,event=branch | ||
| type=semver,pattern={{version}} | ||
| type=semver,pattern={{major}}.{{minor}} | ||
| type=sha |
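Review bot: type=sha in this tag list needs to resolve to the commit that is actually built. For a workflow_run event GITHUB_SHA is the last commit on the default branch, so once the checkout uses github.event.workflow_run.head_sha the sha tag can name a different commit than the image contains. Confirm which SHA the metadata step picks up and, if it is GITHUB_SHA, build this tag from the same expression as the checkout ref.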
Because this workflow is triggered via workflow_run, runs can complete out of order (an older main commit’s tests may finish after a newer one). With latest enabled on the default branch, a late publish from an older SHA can overwrite the latest tag with an older image. To avoid this, add a guard that only publishes latest (or publishes at all) when the workflow_run.head_sha matches the current HEAD of main (e.g., compare against refs/heads/main via git ls-remote/GitHub API), or otherwise skip/cancel stale runs.
I will add concurrency with cancel-in-progress set to true
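The stale-run guard suggested in the review comment above (publish latest only when workflow_run.head_sha is still the tip of main), as an added example that is not part of this pull request. The TESTED_SHA variable, the decision output name and the function names are assumptions; malformed input or a missing ref fails closed.

```shell
#!/bin/sh
# Added example (not from the pull request). Stale-run guard for a publish job
# triggered by workflow_run: move `latest` only if the commit that was tested
# is still the tip of the branch. TESTED_SHA and the function names are
# assumptions made for this sketch.

# True only for a full 40-character lowercase hex commit id.
is_full_sha() {
  case $1 in
    ''|*[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Read `git ls-remote` output on stdin and print the commit that
# refs/heads/<branch> points to. Exact match on the ref column, so
# refs/heads/main-old never satisfies a lookup for main.
branch_head() {
  awk -v ref="refs/heads/$1" \
    '$2 == ref { print $1; found = 1; exit } END { if (!found) exit 1 }'
}

# Print "publish" when tested_sha is the branch tip, "skip" when the branch
# has moved on. Malformed input or a missing ref fails closed: "skip", status 2.
publish_decision() {
  pd_tested=$1 pd_listing=$2 pd_branch=${3:-main}
  if ! is_full_sha "$pd_tested"; then echo skip; return 2; fi
  pd_head=$(printf '%s\n' "$pd_listing" | branch_head "$pd_branch") || {
    echo skip; return 2
  }
  if [ "$pd_head" = "$pd_tested" ]; then echo publish; else echo skip; fi
}

# Inside a workflow step: TESTED_SHA would carry
# github.event.workflow_run.head_sha, and later steps read the `decision` output.
if [ -n "${TESTED_SHA:-}" ] && [ -n "${GITHUB_OUTPUT:-}" ]; then
  decision=$(publish_decision "$TESTED_SHA" "$(git ls-remote origin)") || true
  echo "decision=$decision" >> "$GITHUB_OUTPUT"
fi
```

A failed git ls-remote yields an empty listing, which the guard treats as "skip" rather than publishing.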
…ts and skip image push for PRs
…mproved comments for clarity
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
| # For workflow_run events, checkout the SHA that was actually tested, | ||
| # not the current HEAD (which may have moved). For other events, use github.sha. | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 |
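Review bot: uses: actions/checkout@v4 references a movable major-version tag. For a job that pushes images to ghcr.io, pin this and the other third-party actions to a full commit SHA with the version in a trailing comment, so a version bump is an explicit, reviewable change.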
We may want to bump the version we use to the latest?
|
|
||
| # Buildx enables advanced features like caching and multi-platform builds. | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 |
Same here, v4 looks to be newest?
mardoum left a comment
Not sure but Allen repo auth step might not be necessary, either way probably doesn't hurt anything. Looks good.
| concurrency: | ||
| group: docker-publish-${{ github.event.workflow_run.head_branch || github.ref_name }} | ||
| cancel-in-progress: true |
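Review bot: cancel-in-progress: true cancels whichever run in the group is already in progress when a new one is queued, so the surviving run is the one triggered last, not the one for the newest commit. If the Build and Test run for an older main commit finishes last, its publish run still goes ahead and can move latest back. Keep the concurrency group, and add a check that workflow_run.head_sha is still the tip of main before pushing latest.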
I didn't know about this mechanism -- cool
| - name: Set up AllenInstitute Repo Authorization | ||
| uses: ./.github/actions/configure-org-repo-authorization | ||
| with: | ||
| token: ${{ secrets.AI_PACKAGES_TOKEN }} | ||
| ssh_private_key: ${{ secrets.AIBSGITHUB_PRIVATE_KEY }} |
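Review bot: this step passes secrets.AI_PACKAGES_TOKEN and secrets.AIBSGITHUB_PRIVATE_KEY to ./.github/actions/configure-org-repo-authorization, an action that is loaded from the checked-out tree rather than from a pinned ref. If the image build does not fetch private organization repositories, remove the step so the publish job holds no credentials beyond what the push needs. If it is needed, say why in a comment and make sure neither value can end up in an image layer or the build cache.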
I didn't seem to need this when I wrote a similar workflow.
What's in this Change?
Adds a new GitHub Actions workflow to build and publish a Docker image to GitHub Container Registry (GHCR), with publishing gated on successful completion of the existing “Build and Test” workflow for main and direct publishing for version tags / manual dispatch.
This will help simplify consuming the docker image directly instead of having to rebuild
Changes:
- .github/workflows/publish_docker.yml to build and push a Docker image to ghcr.io.
- workflow_run to gate publishing on successful test workflow completion for main.
Testing