Introduce GitHub Actions and Workflows #20
olivia-banks wants to merge 2 commits into EpiForeSITE:main from
Conversation
This should be workable.
Pull request overview
Adds GitHub Actions workflows to support CI on pull requests and to build/publish the project’s GHCR container image used as a dev/agent environment.
Changes:
- Adds a PR-triggered workflow intended to run dependency sync + tests via uv.
- Adds a manually triggered "Copilot Dev Environment" workflow that provisions dependencies in the container image.
- Adds a main-branch workflow to build and push the ghcr.io/<owner>/<repo> container image from Containerfile.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/on_pr.yml | New PR CI workflow that runs uv sync and pytest inside the GHCR container image. |
| .github/workflows/copilot.yml | New manual workflow intended to prepare a container-based dev environment for an agent. |
| .github/workflows/containerfile.yml | New workflow to build and publish the GHCR image (latest + sha tags) from Containerfile. |
```yaml
container:
  image: ghcr.io/${{ github.repository }}:latest
  credentials:
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}
```
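Review bot: `image: ghcr.io/${{ github.repository }}:latest` pins the PR test environment to a mutable tag, so a given PR run's result depends on whichever image was pushed from main most recently rather than on anything in the PR, and two runs of the same PR can see different images. The containerfile.yml workflow in this PR already publishes sha tags, so prefer an immutable reference (a sha tag or an `@sha256:` digest) wherever the published image must be used, and declare the `packages: read` permission the pull relies on. Using `secrets.GITHUB_TOKEN` as the registry password is the right choice here (short-lived, scoped to the run); just note that on `pull_request` runs from a fork that token is read-only, so nothing in this job can depend on it having more than pull access.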
This workflow runs tests inside ghcr.io/${{ github.repository }}:latest, which is built only after pushes to main. That means PRs can run against a stale image (or fail if no latest image exists yet), and dependency changes in the PR won’t be represented. Consider running CI directly on the runner with setup-uv/setup-python, or build the image as part of this PR workflow (without pushing) and run tests against that image.
```yaml
container:
  image: ghcr.io/${{ github.repository }}:latest
  credentials:
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}
```
Are you sure this is an okay tradeoff, @gvegayon? Do you have experience in how long it usually takes to build similar images on GHA?
Generally, it should be fast. But I think, overall, having a production environment makes things more robust. Sure, the CI will fail the first time, but it will only be once. Having an image to run on becomes more important as the project starts increasing in complexity (which I've seen in the past).
Great, thanks. I'll resolve this conversation.
```yaml
test:
  runs-on: ubuntu-latest
  container:
    image: ghcr.io/${{ github.repository }}:latest
    credentials:
      username: ${{ github.actor }}
      password: ${{ secrets.GITHUB_TOKEN }}
```
Pulling from GHCR in a PR workflow often requires explicit token permissions (packages: read) and can fail for PRs from forks/private packages where the token cannot access the registry. To make this workflow reliable, add explicit permissions for packages: read (and contents: read) and/or avoid GHCR pulls for PR CI.
@copilot open a new pull request to apply changes based on this feedback
```yaml
- name: Sync dependencies
  run: uv sync --frozen

- name: Setup Copilot environment
  run: |
    echo "Development environment ready for GitHub Copilot"
    echo "Python version: $(python --version)"
    echo "uv version: $(uv --version)"
    uv pip list
```
If this workflow is meant to mirror the devcontainer setup for the “AI agent”, it currently only runs uv sync --frozen and a few echo commands; it doesn’t apply the devcontainer’s post-create steps (e.g., syncing the dev group / tool installs). Consider invoking .devcontainer/post-create.sh (or replicating its uv sync --group dev --no-install-project) so the environment matches what contributors/agents get locally.
@copilot open a new pull request to apply changes based on this feedback
```yaml
copilot:
  runs-on: ubuntu-latest
  container:
    image: ghcr.io/${{ github.repository }}:latest
    credentials:
      username: ${{ github.actor }}
      password: ${{ secrets.GITHUB_TOKEN }}
```
Like on_pr.yml, this job pulls a GHCR image but does not declare permissions: packages: read. In orgs that default GITHUB_TOKEN to read-only or restrict package access, the image pull can fail. Add explicit job/workflow permissions for contents: read and packages: read to make execution more predictable.
@copilot open a new pull request to apply changes based on this feedback
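The three review comments above (stale `:latest` image in PR CI, missing `packages: read` / `contents: read` permissions in on_pr.yml, and the same missing permissions in copilot.yml) all point at the same shape of fix. The following is an added example of a PR CI workflow written for this thread; it is not the PR's own on_pr.yml and not EpiForeSITE code. It builds the image from the PR's own Containerfile instead of pulling the mutable `:latest` tag, so the PR's dependency changes are what get tested, and it declares the least-privilege token permissions explicitly. Assumptions not stated on the page: Containerfile sits at the repository root, `uv` and `pytest` are available inside the image, the tests are run with `uv run pytest`, and the action version `actions/checkout@v4` is the one pinned.

```yaml
# Added example (not the PR's on_pr.yml): PR CI that builds the image in
# the PR instead of pulling ghcr.io/<owner>/<repo>:latest.
# Assumed: Containerfile at repo root; uv and pytest inside the image.
name: PR CI

on:
  pull_request:

# Least privilege for GITHUB_TOKEN. packages: read is deliberately absent
# because nothing is pulled from GHCR in this job; add it (and the
# container.credentials block) only if the published image must be used,
# and then reference it by an immutable sha tag or @sha256: digest rather
# than :latest.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Build from the PR's own Containerfile: no registry login, no push,
      # and dependency changes in the PR are reflected in the image under test.
      - name: Build CI image from Containerfile
        run: docker build -f Containerfile -t "ci-image:${{ github.sha }}" .

      # Run the same commands the original workflow ran inside the image.
      # The checked-out tree is mounted so uv can create .venv in place;
      # --frozen makes uv use the committed uv.lock without modifying it.
      - name: Sync dependencies and run tests
        run: |
          docker run --rm \
            -v "${GITHUB_WORKSPACE}:/work" -w /work \
            "ci-image:${{ github.sha }}" \
            sh -c 'uv sync --frozen && uv run pytest'
```

Because the image is built and discarded within the run, fork PRs work without any registry credentials, and the first run on a fresh repository no longer fails for want of a published `:latest`. The same `permissions:` block, with `packages: read` added, is what copilot.yml needs if it keeps pulling the published image.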
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@copilot open a new pull request to apply changes based on the comments in this thread cc @olivia-banks, I think Copilot only works on this if the PR came from the same repo
Interesting. I see now that I didn't see
I'll run a Claude session locally after my meetings and lectures.
Fix #11 and #12.