Skip to content

fix(ci): normalize GHCR image tag#3

Merged
CoreyLeath-code merged 3 commits into
mainfrom
agent/fix-cd-ghcr-lowercase-tag
Jul 12, 2026
Merged

fix(ci): normalize GHCR image tag#3
CoreyLeath-code merged 3 commits into
mainfrom
agent/fix-cd-ghcr-lowercase-tag

Conversation

@CoreyLeath-code

@CoreyLeath-code CoreyLeath-code commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Root cause

The CD workflow used ghcr.io/${{ github.repository_owner }}/ride-sharing-platform as the Docker image name. GHCR/Docker repository names must be lowercase, so the merged main run failed with repository name must be lowercase for ghcr.io/CoreyLeath-code/....

While auditing the same build path, the root Dockerfile also referenced COPY ../../shared, which is outside the Docker build context and would fail after the tag issue was corrected.

Changes

  • Normalize the GHCR image name in the CD workflow using Bash lowercase expansion.
  • Reuse the normalized image output for Docker tags and workflow summaries.
  • Run the CD Docker build on pull requests with push: false so this path is validated before merging.
  • Repair the root Dockerfile copy paths to stay inside the build context.
  • Install runtime dependencies from requirements.txt and add uvicorn for the container command.

Validation

  • Local git diff --check completed with only Windows CRLF warnings.
  • PR Actions should now validate the Docker build without pushing on pull requests.

Screenshots

Not applicable.

Summary by CodeRabbit

  • Chores
    • Improved container builds by managing application dependencies through a requirements file.
    • Updated deployment automation to use consistent image naming and tagging for releases.
    • Expanded automated pipeline validation to include pull requests targeting the main branch.
    • Maintained the application’s existing startup configuration and network port.

@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The Docker image now installs dependencies from requirements.txt, includes the application modules and shared code, and continues running Uvicorn on port 8000. The CD workflow adds pull request triggers and uses a normalized image name for tagging and deployment output.

Changes

Container Build and CD

Layer / File(s) Summary
Container packaging and runtime dependencies
Dockerfile, requirements.txt
The image installs dependencies from requirements.txt, adds the Uvicorn dependency, copies the expanded application source set, and retains the existing runtime port and command.
CD image triggers and tagging
.github/workflows/cd.yml
The workflow runs for pull requests targeting main, normalizes the image name, uses it for latest and SHA tags, and reports it in the deployment summary.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately reflects a main change: normalizing the GHCR image tag in the CI/CD workflow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch agent/fix-cd-ghcr-lowercase-tag

Comment @coderabbitai help to get the list of available commands.

@CoreyLeath-code CoreyLeath-code merged commit ea0aad6 into main Jul 12, 2026
11 checks passed

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
.github/workflows/cd.yml (2)

7-8: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Make registry authentication event-specific.

Pull-request builds set push: false, but the GHCR login still runs. Fork pull requests use a read-only GITHUB_TOKEN with no secrets, so this login can fail before the build; skip it for PRs and verify that non-PR runs retain packages: write. (docs.github.com)

Proposed adjustment
       - name: Log in to GitHub Container Registry
+        if: github.event_name != 'pull_request'
         uses: docker/login-action@v3

Also applies to: 40-48

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cd.yml around lines 7 - 8, Update the GHCR authentication
step in the workflow to run only for non-pull-request events, while preserving
package write permissions for those runs. Ensure pull-request builds continue
with push disabled and skip registry login entirely, including fork PRs.

41-41: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin the image-publishing action to an immutable commit SHA.

docker/build-push-action@v6 is a mutable tag in the publishing path. GitHub recommends pinning actions to full commit SHAs to prevent tag retargeting. (docs.github.com)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cd.yml at line 41, Update the image-publishing workflow
step using docker/build-push-action to reference a full immutable commit SHA
instead of the mutable v6 tag, preserving the action version and existing step
configuration.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/cd.yml:
- Around line 7-8: Update the GHCR authentication step in the workflow to run
only for non-pull-request events, while preserving package write permissions for
those runs. Ensure pull-request builds continue with push disabled and skip
registry login entirely, including fork PRs.
- Line 41: Update the image-publishing workflow step using
docker/build-push-action to reference a full immutable commit SHA instead of the
mutable v6 tag, preserving the action version and existing step configuration.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: e149fe56-89d2-4703-939e-4cb35fd48111

📥 Commits

Reviewing files that changed from the base of the PR and between d360c29 and be53f6a.

📒 Files selected for processing (3)
  • .github/workflows/cd.yml
  • Dockerfile
  • requirements.txt

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant