
Phase 4: publish image to GHCR; retire legacy self-hosted deploy workflows #12

Merged: JacobHaig merged 2 commits into main from ci/ghcr-publish on Jun 1, 2026

@JacobHaig
Member

Phase 4 of agent-cloud deployment alignment

WisBot now publishes its image; deployment moves to the agent-cloud platform.

Changes

  • build-and-publish.yml (new) — builds + pushes to ghcr.io/uhstray-io/wisbot on merge to main and on v* tags. Tags via metadata-action: latest, short-sha, semver. Hardened: permissions: { contents: read, packages: write }, persist-credentials: false, all actions pinned to verified commit SHAs.
  • Removed legacy self-hosted-runner workflows: deployment_prod.yml, deployment_refresh_prod.yml, shutdown.yml. These did docker build + docker compose up/down on a self-hosted runner and leaked the token via cat .env. Replaced by GHCR publish + agent-cloud/Semaphore deploy.
  • Kept deploy-o11y.yml (Prometheus/Promtail monitoring) — migrating observability to agent-cloud's o11y service is a tracked follow-up.
  • README.md + CLAUDE.md deployment sections updated.
  • Separate commit records the CodeRabbit PR-review workflow in repo-memory (per direction).

Notes

Depends on: Phases 1–3 (#9, #10, #11 — merged). Next: Phase 5 — agents/wisbot/ deployment dir in the agent-cloud repo.
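
The hardening properties the description lists for build-and-publish.yml (minimal `permissions`, `persist-credentials: false`, actions pinned to commit SHAs) and the `cat .env` leak it retires can be checked mechanically. The following is an added example, not part of this PR or the WisBot repository: a line-based Python audit in which `audit_workflow`, `ALLOWED_WRITE` and the `LEGACY` sample are constructed for illustration.

```python
import re
from itertools import takewhile

SHA_PIN = re.compile(r"@[0-9a-f]{40}$")
ALLOWED_WRITE = {"packages"}  # assumption: the only write scope the PR description grants

# Constructed sample shaped like the retired self-hosted deploy workflow.
LEGACY = """\
jobs:
  deploy:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - run: cat .env
"""

def indent(line):
    return len(line) - len(line.lstrip())

def audit_workflow(text):
    """Line-based heuristic (not a YAML parser); returns a list of findings."""
    lines = [l.split(" #", 1)[0].rstrip() for l in text.splitlines()]
    out, has_perms = [], False
    for i, line in enumerate(lines):
        s, rest = line.strip(), lines[i + 1:]
        if s.startswith("permissions:"):
            has_perms = True
            under = takewhile(lambda l: not l.strip() or indent(l) > indent(line), rest)
            body = s[len("permissions:"):] + " " + " ".join(under)
            if "write-all" in body:
                out.append(f"line {i + 1}: permissions: write-all")
            for scope, level in re.findall(r"([a-z-]+):\s*(read|write|none)", body):
                if level == "write" and scope not in ALLOWED_WRITE:
                    out.append(f"line {i + 1}: unexpected write scope '{scope}'")
        m = re.match(r"-?\s*uses:\s*(\S+)", s)
        if m:
            ref = m.group(1)
            if not ref.startswith("./") and not SHA_PIN.search(ref):
                out.append(f"line {i + 1}: action not pinned to a commit SHA: {ref}")
            if ref.startswith("actions/checkout@"):  # step ends at the next list item
                step = " ".join(takewhile(lambda l: not l.lstrip().startswith("- "), rest))
                if not re.search(r"persist-credentials:\s*false\b", step):
                    out.append(f"line {i + 1}: checkout without persist-credentials: false")
        if re.search(r"\bcat\s+\S*\.env\b", s):
            out.append(f"line {i + 1}: prints .env to the job log")
    if not has_perms:
        out.append("no explicit permissions block")
    return out
```

Running `audit_workflow(LEGACY)` reports the unpinned checkout, the persisted credentials, the `.env` print and the missing permissions block; a workflow with the properties described above returns an empty list.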

JacobHaig added 2 commits June 1, 2026 13:11
Per user direction: all merges go through a PR validated by CodeRabbit;
merge only when validation fully passes; resolve findings and re-review
before merging.
Phase 4 of agent-cloud deployment alignment.

- Add build-and-publish.yml: build + push to ghcr.io/uhstray-io/wisbot on merge
  to main and on v* tags (metadata-action tags: latest, short-sha, semver).
  Minimal permissions (contents: read, packages: write), persist-credentials:
  false, all actions pinned to commit SHAs.
- Remove legacy self-hosted-runner workflows: deployment_prod.yml,
  deployment_refresh_prod.yml, shutdown.yml (replaced by GHCR publish +
  agent-cloud/Semaphore deploy; they also leaked the token via 'cat .env').
- Keep deploy-o11y.yml (observability) — migration to agent-cloud's o11y is a
  tracked follow-up.
- Update README + CLAUDE.md deployment sections.

@claude claude Bot left a comment

⚠️ Code review skipped — your organization's overage spend limit has been reached.

Code review is billed via overage credits. To resume reviews, an organization admin can raise the monthly limit at claude.ai/admin-settings/claude-code.

Once credits are available, reopen this pull request to trigger a review.

@coderabbitai

coderabbitai Bot commented Jun 1, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ee95644b-38f3-4960-af87-e3f8c5a36849

📥 Commits

Reviewing files that changed from the base of the PR and between 91e947d and afb596e.

📒 Files selected for processing (8)
  • .claude/memory/MEMORY.md
  • .claude/memory/feedback-coderabbit-pr-workflow.md
  • .github/workflows/build-and-publish.yml
  • .github/workflows/deployment_prod.yml
  • .github/workflows/deployment_refresh_prod.yml
  • .github/workflows/shutdown.yml
  • CLAUDE.md
  • README.md
💤 Files with no reviewable changes (3)
  • .github/workflows/shutdown.yml
  • .github/workflows/deployment_prod.yml
  • .github/workflows/deployment_refresh_prod.yml
📜 Recent review details
🧰 Additional context used
📓 Path-based instructions (1)
{CLAUDE.md,README.md}

📄 CodeRabbit inference engine (CLAUDE.md)

Update CLAUDE.md and/or README.md to reflect changes made and provide clear documentation for future reference

Files:

  • README.md
  • CLAUDE.md
🧠 Learnings (1)
📓 Common learnings
Learnt from: CR
Repo: uhstray-io/WisBot

Timestamp: 2026-06-01T17:54:10.246Z
Learning: Run `dotnet build` to test and validate changes after completing modifications
Learnt from: CR
Repo: uhstray-io/WisBot

Timestamp: 2026-06-01T17:54:10.246Z
Learning: Ensure code is well-structured, follows best practices, and includes appropriate error handling when making changes
Learnt from: CR
Repo: uhstray-io/WisBot

Timestamp: 2026-06-01T17:54:10.246Z
Learning: Read `.claude/memory/MEMORY.md` at the start of every session to load project context and decision history
Learnt from: CR
Repo: uhstray-io/WisBot

Timestamp: 2026-06-01T17:54:10.246Z
Learning: Use `.claude/memory/` directory for storing project knowledge (architecture decisions, team conventions, references, personal preferences)
🪛 LanguageTool
README.md

[uncategorized] ~51-~51: The official name of this software platform is spelled with a capital “H”.
Context: ... On merge to main (and on v* tags), .github/workflows/build-and-publish.yml builds...

(GITHUB)


[uncategorized] ~51-~51: The official name of this software platform is spelled with a capital “H”.
Context: ...shes it to ghcr.io/uhstray-io/wisbot. .github/workflows/docker-build.yml validates t...

(GITHUB)

🔇 Additional comments (5)
.claude/memory/MEMORY.md (1)

5-5: LGTM!

.claude/memory/feedback-coderabbit-pr-workflow.md (1)

1-14: LGTM!

.github/workflows/build-and-publish.yml (1)

1-55: LGTM!

CLAUDE.md (1)

18-20: LGTM!

README.md (1)

51-55: LGTM!


📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Automated Docker image building and publishing to container registry on merges to main and version tags.
    • Updated deployment infrastructure with template-based configuration injection.
  • Documentation

    • Updated deployment and CI/CD guidance to reflect new image publishing and deployment processes.
  • Chores

    • Established PR-only merge workflow with code validation requirements.
    • Removed legacy self-hosted deployment workflows.

Walkthrough

This PR removes legacy self-hosted runner deployment workflows and introduces a new containerized CI/CD model. It documents a CodeRabbit PR validation policy, adds a build-and-publish.yml workflow that publishes Docker images to GHCR on main merges and version tags, and updates deployment documentation to describe the agent-cloud deployment platform with configuration injection.

Changes

CI/CD Migration to Docker & agent-cloud

| Layer / File(s) | Summary |
| --- | --- |
| CodeRabbit PR Workflow Policy: .claude/memory/MEMORY.md, .claude/memory/feedback-coderabbit-pr-workflow.md | Documents the new policy requiring all merges through pull requests with CodeRabbit validation, fixing unresolved findings, and requesting re-review before merge. |
| Docker Build & Publish GitHub Actions Workflow: .github/workflows/build-and-publish.yml | New workflow that triggers on main merges and v* tag pushes, logs into GHCR, computes Docker metadata/tags, and publishes the image using Buildx with GitHub Actions caching. |
| Deployment Documentation Updates: CLAUDE.md, README.md | Updated deployment sections describing the new flow: build-and-publish.yml publishes images to GHCR, agent-cloud pulls and deploys with Ansible-templated .env from OpenBao, and legacy self-hosted runner workflows are removed. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • uhstray-io/WisBot#8: Both PRs add policy entries to .claude/memory/—this PR adds CodeRabbit PR workflow requirements while the other documented a no-co-authors policy.
  • uhstray-io/WisBot#11: This PR's new Docker publishing automation directly follows the containerization work in that PR, which introduced the Dockerfile and docker-build.yml PR validation workflow.

Poem

🐰 Docker images float to GHCR's sky,
CodeRabbit guards the merge gate high,
Legacy runners fade away,
agent-cloud deploys our bots today! 🤖

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately summarizes the main changes: publishing the image to GHCR and retiring legacy self-hosted deploy workflows, matching the primary objectives. |
| Description check | ✅ Passed | The description is comprehensive and directly related to the changeset, detailing specific workflow additions, removals, and documentation updates with clear context. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

@JacobHaig
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 1, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@JacobHaig JacobHaig merged commit c60f143 into main Jun 1, 2026
1 check passed
@JacobHaig JacobHaig deleted the ci/ghcr-publish branch June 1, 2026 17:57