fix(ci): normalize GHCR image tag#3
Conversation
📝 WalkthroughWalkthroughThe Docker image now installs dependencies from ChangesContainer Build and CD
Estimated code review effort: 2 (Simple) | ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (2)
.github/workflows/cd.yml (2)
7-8: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick winMake registry authentication event-specific.
Pull-request builds set
push: false, but the GHCR login still runs. Fork pull requests use a read-onlyGITHUB_TOKENwith no secrets, so this login can fail before the build; skip it for PRs and verify that non-PR runs retainpackages: write. (docs.github.com)Proposed adjustment
- name: Log in to GitHub Container Registry + if: github.event_name != 'pull_request' uses: docker/login-action@v3Also applies to: 40-48
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/cd.yml around lines 7 - 8, Update the GHCR authentication step in the workflow to run only for non-pull-request events, while preserving package write permissions for those runs. Ensure pull-request builds continue with push disabled and skip registry login entirely, including fork PRs.
41-41: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winPin the image-publishing action to an immutable commit SHA.
docker/build-push-action@v6is a mutable tag in the publishing path. GitHub recommends pinning actions to full commit SHAs to prevent tag retargeting. (docs.github.com)🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/cd.yml at line 41, Update the image-publishing workflow step using docker/build-push-action to reference a full immutable commit SHA instead of the mutable v6 tag, preserving the action version and existing step configuration.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/cd.yml:
- Around line 7-8: Update the GHCR authentication step in the workflow to run
only for non-pull-request events, while preserving package write permissions for
those runs. Ensure pull-request builds continue with push disabled and skip
registry login entirely, including fork PRs.
- Line 41: Update the image-publishing workflow step using
docker/build-push-action to reference a full immutable commit SHA instead of the
mutable v6 tag, preserving the action version and existing step configuration.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: e149fe56-89d2-4703-939e-4cb35fd48111
📒 Files selected for processing (3)
.github/workflows/cd.ymlDockerfilerequirements.txt
Root cause
The CD workflow used
ghcr.io/${{ github.repository_owner }}/ride-sharing-platformas the Docker image name. GHCR/Docker repository names must be lowercase, so the mergedmainrun failed withrepository name must be lowercaseforghcr.io/CoreyLeath-code/....While auditing the same build path, the root
Dockerfilealso referencedCOPY ../../shared, which is outside the Docker build context and would fail after the tag issue was corrected.Changes
push: falseso this path is validated before merging.requirements.txtand adduvicornfor the container command.Validation
git diff --checkcompleted with only Windows CRLF warnings.Screenshots
Not applicable.
Summary by CodeRabbit