GitHub actions

[borkarsaish65]

Summary by CodeRabbit

Chores

• Enhanced Docker release workflow with optional manual or automatic semantic versioning and explicit release-candidate support.
• Conditional image build/push gated behind a push toggle; Docker checks and push steps run only when publishing.
• Added a separate workflow to promote RC images to production with validation and production tagging.
• Added concurrency controls and clearer job summaries that always report the Git tag and optionally include image digest.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 30524a41-6937-4a4c-8f81-8ab32e48de7a

📥 Commits

Reviewing files that changed from the base of the PR and between c7deb54 and 656547b.

📒 Files selected for processing (2)

• .github/workflows/docker-image.yml
• .github/workflows/prod-release.yml

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/docker-image.yml
• .github/workflows/prod-release.yml

---

📝 Walkthrough

Walkthrough

Two GitHub Actions workflows were added/updated: docker-image.yml resolves semantic or RC versions (manual or auto-bumped), conditionally publishes multi-arch Docker images, and always creates a Git tag; prod-release.yml promotes an RC tag to production by validating tags, retagging/pushing the image, and creating a production Git tag.

Changes

Docker Image Build with Semantic Versioning

Layer / File(s)	Summary
Workflow Inputs and Execution Configuration .github/workflows/docker-image.yml	Adds workflow_dispatch inputs (tag_version, version_bump, is_rc, branch, push_image), global env/permissions, concurrency, and full-history checkout.
Semantic Version Computation .github/workflows/docker-image.yml	Bash step validates manual semver/RC or computes next RC/release from Git tags and outputs resolved version.
Git Tag Conflict Detection .github/workflows/docker-image.yml	Fails early if computed Git tag already exists.
Docker Hub Authentication and Tag Verification .github/workflows/docker-image.yml	When push_image == 'true': log into Docker Hub and verify tag existence via HTTP API; QEMU/Buildx and metadata extraction are conditional.
Multi-Architecture Build Setup & Guard .github/workflows/docker-image.yml	QEMU/Buildx setup and docker/build-push-action invocation are guarded by push_image so builds/pushes only run when enabled.
Git Tag Creation and Push .github/workflows/docker-image.yml	Creates and pushes an annotated Git tag for the resolved version unconditionally.
Job Summary and Output .github/workflows/docker-image.yml	Writes a job summary that always includes the Git tag and branch and conditionally includes Docker image reference and digest if an image was pushed.

RC-to-Production Promotion Workflow

Layer / File(s)	Summary
Production Release Trigger and Inputs .github/workflows/prod-release.yml	Adds workflow_dispatch trigger requiring rc_tag, plus env, permissions, and concurrency.
RC Validation and Production Version Derivation .github/workflows/prod-release.yml	Validates x.y.z-rc.N format, derives prod_version by stripping the RC suffix, and emits outputs.
Checkout Repository at RC Tag .github/workflows/prod-release.yml	Checks out the repo at the provided RC Git tag with full history (fetch-depth: 0).
Git Tag Presence Checks .github/workflows/prod-release.yml	Fails if the RC Git tag is missing locally or if the derived production Git tag already exists.
Docker Hub Authentication and Image Verification .github/workflows/prod-release.yml	Logs into Docker Hub and uses HTTP API to confirm the RC image exists and production tag does not; aborts on unexpected responses.
Build/Push Production Image .github/workflows/prod-release.yml	Sets up QEMU/Buildx and runs docker/build-push-action to push multi-arch image tagged with production version using RC tag as cache-from.
Create and Push Production Git Tag .github/workflows/prod-release.yml	Creates and pushes an annotated production Git tag to origin.
Promotion Summary Output .github/workflows/prod-release.yml	Writes a job summary including RC tag, production tag, Docker image reference, and pushed image digest.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I nibbled tags and hopped the fence,

Resolved the numbers, made sense,
RCs leapt up to wear production's crown,
Docker layers stacked, then pushed on down,
A little hop — releases go out with a bounce!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'GitHub actions' is vague and generic, using a broad organizational term without specifying the actual changes (semantic versioning, RC management, or promotion workflows).	Consider a more descriptive title such as 'Add semantic versioning and RC-to-prod promotion GitHub Actions workflows' to clearly convey the main purpose of the changes.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[borkarsaish65]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/docker-image.yml:
- Around line 82-113: The current RC branch always increments the latest RC
(LATEST_RC -> BASE/RC_NUM -> VERSION) ignoring the requested BUMP; instead
compute the desired base version from the latest stable tag (LATEST) using the
BUMP logic (major/minor/patch or defaults), then if an LATEST_RC exists extract
its BASE and RC_NUM and compare BASE to the desired base: if they match
increment RC_NUM, otherwise start a new RC series (RC_NUM=1 and
BASE=desired_base). Update the block that sets BASE, RC_NUM and VERSION
(variables LATEST_RC, LATEST, BASE, RC_NUM, VERSION, BUMP) to implement this
comparison and fallback to the existing default base logic when there is no
stable LATEST.

In @.github/workflows/prod-release.yml:
- Around line 102-111: The Docker Hub tag existence check currently only aborts
on HTTP 200; change the logic around PROD_RESPONSE (the result of the curl call)
so that only a 404 is treated as "not found" and any other response (including
empty/non-numeric values from curl, 401, 429, 5xx, etc.) causes the workflow to
echo an error and exit 1; specifically, after assigning PROD_RESPONSE from the
curl command, validate it's the numeric 404 to proceed, otherwise print a clear
error including PROD_RESPONSE and abort to fail closed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b0486e51-a0e5-4b82-9426-563066a49eda

📥 Commits

Reviewing files that changed from the base of the PR and between 9ff4e73 and c7deb54.

📒 Files selected for processing (2)

• .github/workflows/docker-image.yml
• .github/workflows/prod-release.yml

[borkarsaish65]

@coderabbitai I have addressed the PR comments, verify the changes now.

[coderabbitai]

@borkarsaish65 Sure! I'll re-review the changes to verify that the PR comments have been addressed.

✅ Actions performed

Full review triggered.

[borkarsaish65]

@coderabbitai review the PR and see if any changes are required to be done , if not approve the PR from your side.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

Let me review the workflow files and existing comments before deciding.

---

🏁 Script executed:

#!/bin/bash
# Read both workflow files
cat .github/workflows/docker-image.yml
echo "=== SEPARATOR ==="
cat .github/workflows/prod-release.yml

Length of output: 16102

---

🏁 Script executed:

#!/bin/bash
# Get PR review comments
gh pr view 1641 --repo ELEVATE-Project/mentoring --json reviews,comments
echo "=== REVIEW COMMENTS ==="
gh api repos/ELEVATE-Project/mentoring/pulls/1641/reviews
echo "=== INLINE COMMENTS ==="
gh api repos/ELEVATE-Project/mentoring/pulls/1641/comments

Length of output: 48583

---

@borkarsaish65 I've reviewed the current code in both workflow files. Here's the status:

---

✅ Previously Raised Comments — Both Addressed

1. docker-image.yml — RC version_bump logic: The fix is correctly implemented. The code now computes DESIRED_BASE from the latest stable tag + BUMP, compares it with EXISTING_BASE from the latest RC, and either increments the RC counter (same base) or starts a new RC series (different base).

2. prod-release.yml — Fail-closed on unexpected Docker Hub responses: The PROD_RESPONSE check now correctly handles 200 (abort), 404 (safe), and all other codes (abort with error).

---

🔴 Remaining Issue — prod-release.yml: Retag step rebuilds from wrong commit

The "Retag RC image as production release" step uses docker/build-push-action@v5 and relies on cache-from pointing to the RC image. However, the Checkout repository step does not pin to the RC tag:

# Current — checks out default branch (master/HEAD)
- name: Checkout repository
  uses: actions/checkout@v4
  with:
    fetch-depth: 0

This means the build will use the Dockerfile from master, not the Dockerfile at the RC commit. If anything has changed between the RC commit and the current HEAD, the resulting "production" image will differ from the RC image you validated — defeating the purpose of the promotion workflow.

Fix: Check out at the RC tag commit:

- name: Checkout repository
  uses: actions/checkout@v4
  with:
    ref: ${{ steps.validate.outputs.rc_tag }}
    fetch-depth: 0

This ensures the production image is built from exactly the same source as the RC image.

---

ℹ️ Minor Note

The pre-merge check flagged the PR title "GitHub actions" as too vague. Consider a more descriptive title like "Add semantic versioning and RC-to-prod promotion GitHub Actions workflows" before merging.

---

I cannot approve until the checkout ref issue in prod-release.yml is fixed, as it would cause the production release to potentially differ from the RC being promoted.

[borkarsaish65]

@coderabbitai I have made the changes, verify.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
cat .github/workflows/prod-release.yml

Length of output: 5861

---

@borkarsaish65 The fix is verified ✅

The Checkout repository step in prod-release.yml now correctly pins to the RC tag:

- name: Checkout repository
  uses: actions/checkout@v4
  with:
    ref: ${{ steps.validate.outputs.rc_tag }}
    fetch-depth: 0

This ensures the production image is built from exactly the same source commit as the RC image being promoted — the original concern is fully resolved.

All previously raised issues are now addressed:

1. ✅ RC version bump logic in docker-image.yml
2. ✅ Fail-closed on unexpected Docker Hub responses in prod-release.yml
3. ✅ Checkout pinned to RC tag in prod-release.yml

I'll go ahead and approve the PR.

[approve]

---

If you found this review helpful, would you consider giving us a shout-out on X?

Thank you for using CodeRabbit!