
ci: add docker build and push workflow for api and worker images (#22)

Merged
mikolajsobolewski merged 1 commit into main from feat/ci-docker-build
May 6, 2026

Conversation


@mikolajsobolewski mikolajsobolewski commented May 6, 2026

Summary by CodeRabbit

  • Chores
    • Enhanced automated build and deployment pipeline to streamline containerized image creation and deployment across multiple services.


coderabbitai Bot commented May 6, 2026

Walkthrough

A new GitHub Actions workflow is added that automatically builds and pushes Docker images for API and Worker services to ghcr.io, triggered on pushes to main, version tags, and manual dispatch events.

Changes

Docker Image Build & Push Workflow

Layer: Workflow Trigger & Job Setup
File(s): .github/workflows/docker-build-and-push.yml (lines 1–28)
Summary: Workflow named "Build and Push Docker Images" triggers on pushes to main, v* tags, and manual dispatch. Job runs on ubuntu-latest with registry write permissions, checks out code, and sets up QEMU and Docker Buildx.

Layer: Image Metadata Generation
File(s): .github/workflows/docker-build-and-push.yml (lines 29–52)
Summary: Docker metadata action extracts and generates image tags and labels for two images: ghcr.io/${{ github.repository }}-api and -worker, with tag rules for main branch, semantic version tags, and SHA references.

Layer: Container Registry Authentication & Build Execution
File(s): .github/workflows/docker-build-and-push.yml (lines 10–27, 53–72)
Summary: Logs into ghcr.io using GitHub token. Two separate docker/build-push-action steps build and push API and Worker images from their respective Dockerfile targets, applying generated metadata as tags and labels.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A workflow springs to life so bright,
Docker images pushed through the night,
API and Worker, hand in paw,
Tagged and labeled without a flaw,
hop hop—your CI/CD's in awe! 🐳

Pre-merge checks: 5 passed

Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: Passed. The title accurately describes the main change: adding a new GitHub Actions workflow for building and pushing Docker images for API and worker components.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (3)
.github/workflows/docker-build-and-push.yml (3)

54-72: ⚡ Quick win

Add layer caching to avoid rebuilding from scratch on every run.

Neither build-push step configures cache-from/cache-to, so every workflow run performs a full cold build of both targets. Since both api and worker share the same ./Dockerfile and likely share a large base/dependency layer, this is compounded — the second build cannot reuse the first's layers without a cache backend.

The standard fix for GitHub-hosted runners is the GHA cache backend:

⚡ Proposed cache configuration for both build steps
      - name: Build and push API image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          target: api
          push: true
          tags: ${{ steps.meta-api.outputs.tags }}
          labels: ${{ steps.meta-api.outputs.labels }}
+         cache-from: type=gha
+         cache-to: type=gha,mode=max

      - name: Build and push Worker image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          target: worker
          push: true
          tags: ${{ steps.meta-worker.outputs.tags }}
          labels: ${{ steps.meta-worker.outputs.labels }}
+         cache-from: type=gha
+         cache-to: type=gha,mode=max
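Review bot: both proposed cache-to lines export to the gha backend's default scope, whereas the AI-agent prompt for this same finding asks for stable per-target cache refs; give each step its own scope so the two exports do not compete for one cache entry, e.g. `cache-to: type=gha,mode=max,scope=api` and `cache-from: type=gha,scope=api` on the API step, with `scope=worker` on the Worker step. A one-line comment that `mode=max` exports intermediate layers as well, which is what lets the second target reuse the shared base, would help the next reader of the workflow.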
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker-build-and-push.yml around lines 54 - 72, The two
docker/build-push-action steps ("Build and push API image" and "Build and push
Worker image") currently do cold builds; update both steps that use
docker/build-push-action@v6 (targets 'api' and 'worker') to enable layer caching
by adding cache-from and cache-to with the GitHub Actions cache backend
(type=gha) and mode=max so layers can be reused across runs and between the two
targets; ensure the cache keys/refs are stable (e.g., include build target and
runner info) and keep push: true and tags/labels as-is so the builds use the
cache backend instead of rebuilding from scratch.

23-24: 💤 Low value

Remove QEMU setup if multi-platform builds are not intended.

QEMU is only required for cross-platform emulation (e.g., building linux/arm64 on an amd64 runner). Since neither build-push step specifies a platforms: field, QEMU is set up but never used, adding unnecessary overhead to each run.

If multi-platform support is planned, add platforms: linux/amd64,linux/arm64 to both build steps. Otherwise, remove the QEMU step.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker-build-and-push.yml around lines 23 - 24, The
workflow currently runs the docker/setup-qemu-action@v3 step ("Set up QEMU")
even though the build-push steps do not specify any platforms, so QEMU is
unused; either remove the "Set up QEMU" step (docker/setup-qemu-action@v3) to
eliminate the unnecessary overhead, or if you intend multi-platform builds, add
a platforms: linux/amd64,linux/arm64 setting to both build-push steps so QEMU is
actually required and used.

21-21: 💤 Low value

actions/checkout@v5 is not the latest major version.

The current README for actions/checkout recommends actions/checkout@v6. v5.0.0 updated the action to use Node 24, and v6 has since been released as the new major. Consider upgrading.

-       uses: actions/checkout@v5
+       uses: actions/checkout@v6
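Review bot: moving from `actions/checkout@v5` to `@v6` still references a mutable major tag, and this job runs with registry write permission, so whatever that tag resolves to at run time executes with the ability to publish images under the repository's name; pin to a full-length commit SHA with the version in a trailing comment, and apply the same pin to the `docker/build-push-action@v6` references in the other hunks. The bump itself is hygiene only, so it can land together with the SHA pin.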
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker-build-and-push.yml at line 21, Update the GitHub
Actions checkout action to the latest major release by changing the uses
reference from "actions/checkout@v5" to "actions/checkout@v6"; locate the
workflow step that contains the uses: actions/checkout@v5 entry and replace the
version to actions/checkout@v6 so the job uses the current recommended major
release.

📥 Commits

Reviewing files that changed from the base of the PR and between 986bfad and 08c2f3d.

📒 Files selected for processing (1)
  • .github/workflows/docker-build-and-push.yml

Inline comment on .github/workflows/docker-build-and-push.yml, line 10 (trigger block):

      - main
    tags:
      - 'v*'
  workflow_dispatch: {}

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

workflow_dispatch with hardcoded push: true will publish images from any branch.

workflow_dispatch can be triggered from any branch (including feature branches), and since push: true is unconditional, images will be pushed to ghcr.io from unreviewed branches. If this is intentional for ad-hoc testing, it's fine; otherwise, guard the push.

🔒 Proposed conditional push
      - name: Build and push API image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          target: api
-         push: true
+         push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
          tags: ${{ steps.meta-api.outputs.tags }}
          labels: ${{ steps.meta-api.outputs.labels }}

      - name: Build and push Worker image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          target: worker
-         push: true
+         push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
          tags: ${{ steps.meta-worker.outputs.tags }}
          labels: ${{ steps.meta-worker.outputs.labels }}
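Review bot: the same guard expression is pasted into both steps, so a later edit to one step can silently leave the other publishing unconditionally; compute it once, as the AI-agent prompt's `should_push` suggests, for example a job-level `env: SHOULD_PUSH: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}` consumed as `push: ${{ env.SHOULD_PUSH }}` in both steps. Keeping the build itself unconditional is the right call here: feature-branch dispatches still exercise the Dockerfile and the `packages: write` token is only used when the ref is main or a v-tag, which is exactly the set of refs the push trigger already publishes for.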

Also applies to: 60-60, 70-70

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker-build-and-push.yml at line 10, The workflow uses
workflow_dispatch with an unconditional push: true which will publish images
from any branch to ghcr.io; change the job/step that sets push: true to be
conditional (e.g., compute a boolean like should_push based on github.ref or a
workflow_dispatch input) and only set push: true when the ref matches the
protected branch (e.g., github.ref == 'refs/heads/main') or when a specific
manual input is provided; update the occurrences of push: true (referenced in
this file as workflow_dispatch and the push: true flags mentioned at lines ~60
and ~70) to use that conditional variable so ad-hoc runs from feature branches
won’t publish unless explicitly allowed.
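The guard proposed in the comment above, as an added example that is neither the PR's workflow nor CodeRabbit's output: a Python mirror of the `push:` expression plus a small lint that flags literal `push: true` build-push steps reachable from a workflow_dispatch run. The workflow model is constructed from the fields the review describes rather than parsed from the real file, and the strict semver variant is an extra tightening that the comment does not propose.

```python
import re

# Constructed model of the PR's workflow (not parsed from the real file):
# the triggers named in the walkthrough and the two unconditional
# build-push steps the inline comment flags.
WORKFLOW = {
    "on": {"push": {"branches": ["main"], "tags": ["v*"]}, "workflow_dispatch": {}},
    "jobs": {"build": {"steps": [
        {"name": "Build and push API image", "uses": "docker/build-push-action@v6",
         "with": {"target": "api", "push": True}},
        {"name": "Build and push Worker image", "uses": "docker/build-push-action@v6",
         "with": {"target": "worker", "push": True}},
    ]}},
}

# Assumed tightening: only tags shaped like v<major>.<minor>.<patch>.
SEMVER_TAG = re.compile(r"^refs/tags/v\d+\.\d+\.\d+$")


def should_push(ref: str, strict: bool = False) -> bool:
    """Mirror of the proposed expression
    github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v').
    startsWith also accepts a tag such as refs/tags/vendor-notes; strict=True
    narrows the tag branch to plain semver tags (an assumption, not the PR's)."""
    if ref == "refs/heads/main":
        return True
    if strict:
        return SEMVER_TAG.match(ref) is not None
    return ref.startswith("refs/tags/v")


def unguarded_publish_steps(workflow: dict) -> list:
    """Names of docker/build-push-action steps whose push is a literal true
    while the workflow can also be started by workflow_dispatch, i.e. from
    any branch. An expression string like "${{ ... }}" counts as guarded."""
    if "workflow_dispatch" not in workflow.get("on", {}):
        return []
    found = []
    for job in workflow.get("jobs", {}).values():
        for step in job.get("steps", []):
            if not str(step.get("uses", "")).startswith("docker/build-push-action"):
                continue
            if step.get("with", {}).get("push") is True:
                found.append(step["name"])
    return found
```

Running the lint against the constructed model reports both steps; replacing each literal with the expression string makes it report none.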

@mikolajsobolewski mikolajsobolewski merged commit 1bb4d9a into main May 6, 2026
5 checks passed