From 8da1977b40d72880bbce1e34cbe9e9e1c7b34b0e Mon Sep 17 00:00:00 2001
From: Ryan McGinty
Date: Wed, 1 Apr 2026 11:25:25 -0700
Subject: [PATCH 1/7] Add GitHub Action to build and publish Docker image to registry
---
 .github/workflows/docker-publish.yml | 69 ++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 .github/workflows/docker-publish.yml
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 0000000..100df11
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
@@ -0,0 +1,69 @@
+name: Build and Publish Docker Image
+
+on:
+  push:
+    branches: [main]
+    tags:
+      - 'v*'
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    name: Build and Push Docker Image
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up AllenInstitute Repo Authorization
+        uses: ./.github/actions/configure-org-repo-authorization
+        with:
+          token: ${{ secrets.AI_PACKAGES_TOKEN }}
+          ssh_private_key: ${{ secrets.AIBSGITHUB_PRIVATE_KEY }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./docker/Dockerfile
+          platforms: linux/amd64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          ssh: default=${{ env.SSH_AUTH_SOCK }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
From 0ee6191979d5d44bca25f2e1f81f98154f514109 Mon Sep 17 00:00:00 2001
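Review bot: Every third-party action in this hunk (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/metadata-action@v5`, `docker/build-push-action@v6`) is referenced by a mutable major tag, so a moved or compromised tag upstream changes what executes in a job that holds `packages: write` and the organisation SSH key; patch 7 in this series bumps the versions but still uses tag references. Pinning each to its full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, and letting Dependabot's `github-actions` ecosystem move the pins, closes that gap. The local `./.github/actions/configure-org-repo-authorization` reference is fine as written, since it is taken from the checked-out tree.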
From: Ryan McGinty Date: Wed, 1 Apr 2026 11:27:45 -0700 Subject: [PATCH 2/7] Refactor GitHub Actions workflow to trigger on successful completion of tests and simplify Docker image push conditions --- .github/workflows/docker-publish.yml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 100df11..e5c1d0c 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -1,12 +1,13 @@ name: Build and Publish Docker Image on: - push: + workflow_run: + workflows: ["Build and Test"] + types: [completed] branches: [main] + push: tags: - 'v*' - pull_request: - branches: [main] workflow_dispatch: env: @@ -18,6 +19,10 @@ jobs: name: Build and Push Docker Image runs-on: ubuntu-latest timeout-minutes: 30 + # Only run if triggered manually, by tag, or if the test workflow succeeded + if: > + github.event_name != 'workflow_run' || + github.event.workflow_run.conclusion == 'success' permissions: contents: read packages: write @@ -36,7 +41,6 @@ jobs: uses: docker/setup-buildx-action@v3 - name: Log in to GitHub Container Registry - if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} @@ -49,8 +53,8 @@ jobs: with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | + type=raw,value=latest,enable={{is_default_branch}} type=ref,event=branch - type=ref,event=pr type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=sha @@ -61,7 +65,7 @@ jobs: context: . file: ./docker/Dockerfile platforms: linux/amd64 - push: ${{ github.event_name != 'pull_request' }} + push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} ssh: default=${{ env.SSH_AUTH_SOCK }} From 9a8c7c821da0ade237ba39e5c8080a1d79e0bcd0 Mon Sep 17 00:00:00 2001 
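Review bot: The new job-level `if:` in the second hunk checks only `github.event.workflow_run.conclusion == 'success'`, not which event produced the triggering run; the `branches: [main]` filter on `workflow_run` matches the triggering run's head branch, so if "Build and Test" also runs on `pull_request`, a run for a fork PR whose source branch is named `main` would pass the filter and this job would proceed with `packages: write`. I cannot see the "Build and Test" triggers from this diff, so treat this as conditional on them. A tighter gate is `github.event_name != 'workflow_run' || (github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push' && github.event.workflow_run.head_repository.full_name == github.repository)`. The checkout in this revision also builds default-branch HEAD rather than the tested commit, but patch 6 addresses that, so nothing further is needed there.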
From: Ryan McGinty Date: Wed, 1 Apr 2026 11:30:58 -0700 Subject: [PATCH 3/7] Renamed GH action and added comments for improved readability --- ...{docker-publish.yml => publish_docker.yml} | 38 +++++++++++++++++-- 1 file changed, 35 insertions(+), 3 deletions(-) rename .github/workflows/{docker-publish.yml => publish_docker.yml} (52%) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/publish_docker.yml similarity index 52% rename from .github/workflows/docker-publish.yml rename to .github/workflows/publish_docker.yml index e5c1d0c..c605235 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/publish_docker.yml @@ -1,13 +1,30 @@ +# Builds and publishes Docker image to GitHub Container Registry (ghcr.io) +# +# This workflow is gated on successful tests: +# - For pushes to main: waits for "Build and Test" workflow to complete successfully +# - For version tags (v*): runs directly (assumes tag is cut from tested code) +# - For manual dispatch: runs directly (operator takes responsibility) +# +# Published images are available at: ghcr.io//aibs-informatics-aws-lambda + name: Build and Publish Docker Image on: + # Trigger after the test workflow completes on main branch. + # Note: workflow_run triggers on completion (success OR failure), so we check + # the conclusion in the job's `if` condition below. workflow_run: workflows: ["Build and Test"] types: [completed] branches: [main] + + # Version tags trigger directly (no test gate) - assumes tags are cut from + # tested commits on main. push: tags: - 'v*' + + # Allow manual trigger for debugging or re-running failed builds. workflow_dispatch: env: 
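Review bot: The header comment `# Published images are available at: ghcr.io//aibs-informatics-aws-lambda` has an empty path segment where the owner belongs, which reads like the namespace was lost while editing; since the image name is derived from `${{ github.repository }}`, `# Published images are available at: ghcr.io/<owner>/aibs-informatics-aws-lambda` (or simply `ghcr.io/${{ github.repository }}`) keeps the comment accurate. The same block states that `v*` tags "assume tag is cut from tested code"; that only holds if tag creation on `v*` is restricted by a ruleset, and the comment should name that precondition rather than leave it implied, e.g. `# - For version tags (v*): runs directly with no test gate; relies on tag protection limiting who can create v* tags`.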
@@ -19,24 +36,31 @@ jobs: name: Build and Push Docker Image runs-on: ubuntu-latest timeout-minutes: 30 - # Only run if triggered manually, by tag, or if the test workflow succeeded + + # Gate logic: + # - workflow_run events: only proceed if the triggering workflow succeeded + # - tag pushes / manual dispatch: always proceed (no workflow_run event) if: > github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' + permissions: - contents: read - packages: write + contents: read # Required to checkout the repository + packages: write # Required to push to GitHub Container Registry steps: - name: Checkout repository uses: actions/checkout@v4 + # Configure SSH agent and git credentials for accessing private + # AllenInstitute repositories during the Docker build. - name: Set up AllenInstitute Repo Authorization uses: ./.github/actions/configure-org-repo-authorization with: token: ${{ secrets.AI_PACKAGES_TOKEN }} ssh_private_key: ${{ secrets.AIBSGITHUB_PRIVATE_KEY }} + # Buildx enables advanced features like caching and multi-platform builds. - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -47,6 +71,11 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + # Generate Docker tags based on git context: + # - "latest" for default branch (main) + # - branch name (e.g., "main") + # - semver tags (e.g., "1.2.3", "1.2") + # - short SHA (e.g., "sha-abc1234") - name: Extract metadata (tags, labels) id: meta uses: docker/metadata-action@v5 @@ -68,6 +97,9 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + # Forward SSH agent to builder for private repo access during build + # (used by `RUN --mount=type=ssh` in Dockerfile) ssh: default=${{ env.SSH_AUTH_SOCK }} + # Use GitHub Actions cache for Docker layers to speed up rebuilds cache-from: type=gha cache-to: type=gha,mode=max From adeb2da142360a4a767c9c281c9b2ef58ab0a022 Mon Sep 17 00:00:00 2001 
From: Ryan McGinty Date: Wed, 1 Apr 2026 11:34:52 -0700 Subject: [PATCH 4/7] Enhance GitHub Actions workflow to validate Dockerfile on pull requests and skip image push for PRs --- .github/workflows/publish_docker.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish_docker.yml b/.github/workflows/publish_docker.yml index c605235..36b68b3 100644 --- a/.github/workflows/publish_docker.yml +++ b/.github/workflows/publish_docker.yml @@ -3,6 +3,7 @@ # This workflow is gated on successful tests: # - For pushes to main: waits for "Build and Test" workflow to complete successfully # - For version tags (v*): runs directly (assumes tag is cut from tested code) +# - For pull requests: builds only (no push) to validate Dockerfile before merge # - For manual dispatch: runs directly (operator takes responsibility) # # Published images are available at: ghcr.io//aibs-informatics-aws-lambda @@ -24,6 +25,10 @@ on: tags: - 'v*' + # Build (but don't push) on pull requests to validate the Dockerfile. + pull_request: + branches: [main] + # Allow manual trigger for debugging or re-running failed builds. workflow_dispatch: @@ -64,7 +69,9 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + # Skip login for PRs since we won't push the image. - name: Log in to GitHub Container Registry + if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} @@ -74,6 +81,7 @@ jobs: # Generate Docker tags based on git context: # - "latest" for default branch (main) # - branch name (e.g., "main") + # - PR number (e.g., "pr-123") - used for build validation only # - semver tags (e.g., "1.2.3", "1.2") # - short SHA (e.g., "sha-abc1234") - name: Extract metadata (tags, labels) 
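Review bot: Re-adding the `pull_request` trigger in the second hunk means the `Set up AllenInstitute Repo Authorization` step, with `secrets.AI_PACKAGES_TOKEN` and `secrets.AIBSGITHUB_PRIVATE_KEY`, and the forwarded SSH agent now run for PR builds of a `docker/Dockerfile` the PR itself may have modified; fork PRs receive no secrets, but same-repository PRs do, so the set of people whose changes execute with those credentials grows from "merged to main" to "any collaborator who opens a PR". If the image can be built without private dependencies for validation, gating that step the same way the login step already is, `if: github.event_name != 'pull_request'`, removes the exposure; otherwise the trade-off belongs in the header comment. The job also keeps `permissions: packages: write` on PR runs where nothing is pushed; moving the PR build into its own job with `packages: read` would keep the token scoped to what each event needs.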
@@ -84,17 +92,19 @@ jobs: tags: | type=raw,value=latest,enable={{is_default_branch}} type=ref,event=branch + type=ref,event=pr type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=sha + # Build the image; only push for non-PR events. - name: Build and push Docker image uses: docker/build-push-action@v6 with: context: . file: ./docker/Dockerfile platforms: linux/amd64 - push: true + push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} # Forward SSH agent to builder for private repo access during build From 130249866c497c01fa7ea111d1d9235c2912a7f2 Mon Sep 17 00:00:00 2001 From: Ryan McGinty Date: Wed, 1 Apr 2026 12:06:17 -0700 Subject: [PATCH 5/7] Refining Docker build workflow with optional SSH agent handling and improved comments for clarity --- .github/workflows/publish_docker.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish_docker.yml b/.github/workflows/publish_docker.yml index 36b68b3..3a9b00c 100644 --- a/.github/workflows/publish_docker.yml +++ b/.github/workflows/publish_docker.yml @@ -59,6 +59,7 @@ jobs: # Configure SSH agent and git credentials for accessing private # AllenInstitute repositories during the Docker build. + # This step is optional - the composite action handles missing secrets gracefully. - name: Set up AllenInstitute Repo Authorization uses: ./.github/actions/configure-org-repo-authorization with: 
@@ -108,8 +109,8 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} # Forward SSH agent to builder for private repo access during build - # (used by `RUN --mount=type=ssh` in Dockerfile) - ssh: default=${{ env.SSH_AUTH_SOCK }} + # (used by `RUN --mount=type=ssh` in Dockerfile). Only set if SSH agent is available. + ssh: ${{ env.SSH_AUTH_SOCK && format('default={0}', env.SSH_AUTH_SOCK) || '' }} # Use GitHub Actions cache for Docker layers to speed up rebuilds cache-from: type=gha cache-to: type=gha,mode=max From 9d269bc1a6db6db9748f7ecccbdc5bc048501011 Mon Sep 17 00:00:00 2001 From: Ryan McGinty Date: Wed, 1 Apr 2026 12:08:05 -0700 Subject: [PATCH 6/7] Add concurrency control and improve checkout step in Docker publish workflow --- .github/workflows/publish_docker.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/publish_docker.yml b/.github/workflows/publish_docker.yml index 3a9b00c..cb5f3c2 100644 --- a/.github/workflows/publish_docker.yml +++ b/.github/workflows/publish_docker.yml @@ -32,6 +32,12 @@ on: # Allow manual trigger for debugging or re-running failed builds. workflow_dispatch: +# Prevent out-of-order publishing when multiple workflow_run events complete. +# If a newer run starts while an older one is in progress, cancel the older one. +concurrency: + group: docker-publish-${{ github.event.workflow_run.head_branch || github.ref_name }} + cancel-in-progress: true + env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} 
@@ -54,8 +60,12 @@ jobs: packages: write # Required to push to GitHub Container Registry steps: + # For workflow_run events, checkout the SHA that was actually tested, + # not the current HEAD (which may have moved). For other events, use github.sha. - name: Checkout repository uses: actions/checkout@v4 + with: + ref: ${{ github.event.workflow_run.head_sha || github.sha }} # Configure SSH agent and git credentials for accessing private # AllenInstitute repositories during the Docker build. From ca4172e7cf34b4b0c81a42b89f9399a9bd820d67 Mon Sep 17 00:00:00 2001 From: Ryan McGinty Date: Wed, 1 Apr 2026 12:24:43 -0700 Subject: [PATCH 7/7] upgrade gh actions --- .github/workflows/publish_docker.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish_docker.yml b/.github/workflows/publish_docker.yml index cb5f3c2..4e292fa 100644 --- a/.github/workflows/publish_docker.yml +++ b/.github/workflows/publish_docker.yml @@ -63,7 +63,7 @@ jobs: # For workflow_run events, checkout the SHA that was actually tested, # not the current HEAD (which may have moved). For other events, use github.sha. - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: ref: ${{ github.event.workflow_run.head_sha || github.sha }} @@ -78,7 +78,7 @@ jobs: # Buildx enables advanced features like caching and multi-platform builds. - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 # Skip login for PRs since we won't push the image. - name: Log in to GitHub Container Registry