Move CCV image build into GitHub Actions#33
Conversation
- Rename existing Dockerfile (codecollection-devtools-based, used for the devcontainer / IDE workflow) to Dockerfile.devcontainer and point .devcontainer.json at it.
- Add new production Dockerfile based on rw-base-runtime as the CCV build target (replaces the external build-system pipeline).
- Add .github/workflows/build-push.yaml: parallel native amd64/arm64 build matrix (ubuntu-latest + ubuntu-24.04-arm), push-by-digest with buildx imagetools manifest merge, catalog-compatible tag schema <sanitized_ref>-<cc_sha7>-<rt_sha7>. Builds on push to any branch and on PRs; paths-ignore skips docs-only diffs.
Co-authored-by: Cursor <cursoragent@cursor.com>
```shell
if [ "${{ github.event_name }}" = "pull_request" ]; then
  ref_name="pr-${{ github.event.pull_request.number }}"
else
  ref_name="${{ github.ref_name }}"
```
Script injection via unsanitized github.ref_name in shell
Medium Severity
${{ github.ref_name }} is interpolated directly into run: shell scripts, enabling script injection. Git branch names may contain shell metacharacters like $() and backticks, which the shell executes during substitution. This workflow already safely passes inputs.runtime_ref and inputs.base_image through env: variables — the same pattern needs to be applied to github.ref_name. The workflow holds packages: write and GITHUB_TOKEN, so exploitation could exfiltrate secrets or push a tampered container image to GHCR.
Reviewed by Cursor Bugbot for commit 42e3689.
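The env-indirection pattern the comment asks for, shown beside the unsafe form it replaces. This is an added example written for this page, not code from the PR; the step names and the tag-sanitization rule at the end are assumptions.

```yaml
# Added example (not from this PR): the same ref-name step written two ways.
# Weak: the ${{ }} expression is textually substituted into the script before
# bash runs it, so a branch name containing $(...) or backticks becomes code.
- name: Compute ref name (unsafe pattern)
  run: |
    if [ "${{ github.event_name }}" = "pull_request" ]; then
      ref_name="pr-${{ github.event.pull_request.number }}"
    else
      ref_name="${{ github.ref_name }}"   # branch name inlined verbatim
    fi
    echo "ref_name=${ref_name}" >> "$GITHUB_OUTPUT"

# Hardened: hand the expressions to the step through env; bash then reads
# them as ordinary variables and never re-parses their contents as code.
- name: Compute ref name (env indirection)
  env:
    EVENT_NAME: ${{ github.event_name }}
    PR_NUMBER: ${{ github.event.pull_request.number }}
    REF_NAME: ${{ github.ref_name }}
  run: |
    if [ "$EVENT_NAME" = "pull_request" ]; then
      ref_name="pr-${PR_NUMBER}"
    else
      ref_name="$REF_NAME"               # quoted: data, not code
    fi
    # Assumed sanitization rule (not the PR's): OCI tags allow only
    # [A-Za-z0-9_.-] and at most 128 characters, so map anything else to '-'.
    ref_name="$(printf '%s' "$ref_name" | tr -c 'A-Za-z0-9_.-' '-' | cut -c1-128)"
    echo "ref_name=${ref_name}" >> "$GITHUB_OUTPUT"
```

The same treatment applies to any other `${{ }}` expression that ends up inside a `run:` script; only values that are fixed by the platform (such as `github.event_name`) are safe to inline.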
- Introduced a new GitHub Actions workflow for date-based releases that generates a release tag and dispatches a build-push workflow for creating OCI images.
- The release job creates a tag and GitHub Release, while the build-release-image job runs the build-push.yaml workflow using the generated tag.
- Enhanced permissions for actions to allow workflow dispatching.
- Added detailed comments to explain the workflow process and outputs.
This change streamlines the release process and ensures that builds are tied to specific release tags for better traceability.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 7d678f5.
```yaml
runs-on: ubuntu-latest
strategy:
  fail-fast: false
  max-parallel: 8
```
Hardcoded max-parallel ignores user-provided input value
Medium Severity
The dispatch job hardcodes max-parallel: 8, completely ignoring the max_parallel workflow input (default "5") that is carefully threaded through the enumerate job's output. The user-configurable value is computed and exposed as needs.enumerate.outputs.max_parallel but never consumed — the dispatch concurrency is always 8 regardless of what the operator passes.
Reviewed by Cursor Bugbot for commit 7d678f5.


Summary
Moves the CodeCollectionVersion (CCV) image build for this repo out of the external build-system pipeline and into GitHub Actions, matching the pattern being rolled out across the codecollection repos.
`Dockerfile` based on `ghcr.io/runwhen-contrib/rw-base-runtime:latest`. The runtime base ships the worker binary, Python 3, `rw-core-keywords` system-wide, the helper scripts at `/home/runwhen/robot-runtime/`, and the standard CLI tooling (kubectl, aws, az, gcloud, helm, gh, jq, yq, ...).
`Dockerfile.devcontainer` keeps the existing devcontainer behavior — still uses `codecollection-devtools` for IDE / interactive dev. `.devcontainer.json` now points at it.
`.github/workflows/build-push.yaml`: three-job workflow
- `prepare` — single source of truth for the tag set / push flag
- `build` — matrix on native runners: `ubuntu-latest` (amd64) + `ubuntu-24.04-arm` (arm64), each with its own GHA cache scope. Builds natively, smoke-tests on real hardware, then pushes by digest.
- `merge` — assembles the multi-arch manifest via `docker buildx imagetools create` under every tag.
`cc-registry-v2`'s OCI image catalog expects: `<sanitized_ref>-<cc_sha7>-<rt_sha7>`, plus moving aliases (`:<branch>`, `:latest` on main, `:pr-<n>` on PRs).
`workflow_dispatch` with overrides for `base_image` / `runtime_ref` / `push`.
`paths-ignore` skips docs-only diffs.
Supersedes #31, which had drifted 3 months from `main` and was carrying stale duplicate refactor work already merged to `main` via #28.
Test plan
- `ccv/build-pipeline` auto-triggers the workflow
- `build (amd64)` and `build (arm64)` smoke-tests pass on native runners
- `merge` job publishes multi-arch manifest to `ghcr.io/runwhen-contrib/aws-c7n-codecollection` under the canonical + alias tags
Note
Medium Risk
Medium risk because it changes the production container base image and replaces the image build/release pipeline with new GitHub Actions workflows, which could impact image contents, tagging, and publishing behavior.
Overview
Shifts the CCV container build from the previous process into GitHub Actions by adding a new `Build And Push` workflow that builds native amd64/arm64 images, runs a smoke test, and publishes a multi-arch manifest to GHCR with a canonical `<ref>-<cc_sha7>-<rt_sha7>` tag plus branch/PR/release aliases.
Updates the production `Dockerfile` to base on `ghcr.io/runwhen-contrib/rw-base-runtime` (with optional `BASE_IMAGE` override) while keeping local dev on the prior tooling via a new `Dockerfile.devcontainer` and `.devcontainer.json` pointing to it.
Extends `release.yaml` to dispatch an image build for newly created release tags, and adds a manual `build-all-branches.yaml` workflow to fan out `build-push.yaml` runs across many branches (with include/exclude regex and runtime pinning).
Reviewed by Cursor Bugbot for commit 7d678f5.