Pass checkpoint image properly #277

Merged: denis-zaitsev merged 1 commit into main from pass-checkpoint-image-properly, Jun 29, 2026

@denis-zaitsev denis-zaitsev commented Jun 29, 2026

Contributor

Fix Docker workflow output masking.

A value stored in GitHub Secrets matches part of the Docker image path, so GitHub masks that part of the string. Because we were passing the full image path between jobs as an output, the value could be dropped/emptied.

This changes the workflow to pass only the checkpoint digest between jobs and rebuild the full image path inside the build job.

Summary by CodeRabbit

  • Chores
    • Improved the way checkpoint image references are passed between build steps, using digest information to construct the final image reference more reliably.
    • Added validation to ensure the checkpoint digest is present and correctly formatted before builds continue.

coderabbitai Bot commented Jun 29, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b0a15999-768a-4216-add2-ba1c8dee8c79

📥 Commits

Reviewing files that changed from the base of the PR and between f8b411a and a8c2454.

📒 Files selected for processing (1)
  • .github/workflows/docker.yml

📝 Walkthrough

The workflow refactors checkpoint image propagation: sync_checkpoints now outputs only the raw digest (checkpoints_digest) instead of a full image ref. The public job gains a new checkpoint-ref step that validates the digest and constructs the full digest-pinned image ref before passing it to the public-build step.

Changes

Checkpoint digest propagation refactor

| Layer / File(s) | Summary |
|---|---|
| sync_checkpoints output contract and digest emission, .github/workflows/docker.yml | Job output renamed from checkpoints_image to checkpoints_digest; verify_checkpoints step now emits only the raw digest to GITHUB_OUTPUT. |
| checkpoint-ref resolution and public-build wiring, .github/workflows/docker.yml | New checkpoint-ref step reads the digest, validates it is non-empty and starts with sha256:, constructs the full image ref using CHECKPOINTS_DOCKERHUB_IMAGE, and public-build consumes it via steps.checkpoint-ref.outputs.image. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • diff-use/sampleworks#244: Directly related — introduced digest-pinned checkpoint mirroring and SHA-based digest outputs through the same workflow jobs.
  • diff-use/sampleworks#251: Intersects at the sync_checkpoints job output and public build-arg wiring in the same docker.yml.
  • diff-use/sampleworks#143: Modifies the same CI workflow around Docker Hub checkpoint base image usage for builds.

Suggested reviewers

  • xraymemory
  • marcuscollins
  • Abdelsalam-Abbas

🐇 A digest alone hops down the line,
No full ref to carry — just the sha256 sign.
The public job catches it, checks it's just right,
Then builds the full image ref, clean and tight.
Small refactor, big clarity — what a delight! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title matches the main change: passing the checkpoint image information correctly through the Docker workflow. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@Abdelsalam-Abbas Abdelsalam-Abbas left a comment

Contributor

Approving. Verified against the latest main run: sync_checkpoints succeeds, public fails at the empty-input check, astera is skipped — exactly the secret-in-job-output emptying this fixes. Passing the bare sha256: digest across the job boundary and reconstructing the ref inside the consuming job (a step output, not subject to the same emptying) is the right mechanism, and the added sha256: prefix check is a nice guard.

Non-blocking follow-up: the public -> astera image-ref job output (docker.yml:111/179, consumed at :230) embeds the same docker.io/<namespace>/... path and is the same kind of cross-job output. If the masking secret is the Docker Hub namespace, astera will hit the identical emptying once public starts succeeding (it's been skipped until now). Worth applying the same pattern there — pass only the digest/short-sha and rebuild the full ref inside astera.

@denis-zaitsev denis-zaitsev merged commit c0211b7 into main Jun 29, 2026
8 checks passed
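
The mechanism discussed in this thread, as an added shell example that is not part of the PR or the project's workflow: a simplified model of a cross-job output arriving empty when it contains a secret, and the consuming-job check that validates the bare digest and rebuilds the pinned ref. The namespace, image path and digest are constructed, the `<image>@<digest>` form is an assumption, and the 64-hex check goes beyond the `sha256:` prefix check the thread describes.

```shell
#!/usr/bin/env bash
# Added example; every value below is constructed, not taken from the project.

# Simplified model of the behaviour described in the thread: a job output
# whose value contains a registered secret reaches the consuming job empty.
cross_job_output() {
  local value="$1" secret="$2"
  if [ -n "$secret" ]; then
    case "$value" in
      *"$secret"*) return 0 ;;   # output dropped: consumer sees ""
    esac
  fi
  printf '%s' "$value"
}

# Consuming-job side: validate the bare digest, then rebuild the pinned ref.
# Assumption: the ref has the form <image>@<digest>. The 64-hex check is
# stricter than the prefix check described in the thread.
build_checkpoint_ref() {
  local image="$1" digest="$2" hex
  if [ -z "$digest" ]; then
    echo "checkpoint digest is empty" >&2; return 1
  fi
  case "$digest" in
    sha256:*) hex="${digest#sha256:}" ;;
    *) echo "checkpoint digest lacks sha256: prefix" >&2; return 1 ;;
  esac
  case "$hex" in
    *[!0-9a-f]*) echo "checkpoint digest is not lowercase hex" >&2; return 1 ;;
  esac
  if [ "${#hex}" -ne 64 ]; then
    echo "checkpoint digest has wrong length" >&2; return 1
  fi
  printf '%s@%s' "$image" "$digest"
}

NAMESPACE_SECRET="exampleorg"                       # constructed secret value
CHECKPOINTS_DOCKERHUB_IMAGE="docker.io/${NAMESPACE_SECRET}/checkpoints"
HEX16="0123456789abcdef"
DIGEST="sha256:${HEX16}${HEX16}${HEX16}${HEX16}"    # constructed digest
FULL_REF="${CHECKPOINTS_DOCKERHUB_IMAGE}@${DIGEST}"

# Old contract: the full ref crosses the job boundary and arrives empty.
echo "full ref received: '$(cross_job_output "$FULL_REF" "$NAMESPACE_SECRET")'"
# New contract: only the digest crosses; the ref is rebuilt by the consumer.
received="$(cross_job_output "$DIGEST" "$NAMESPACE_SECRET")"
echo "rebuilt ref: $(build_checkpoint_ref "$CHECKPOINTS_DOCKERHUB_IMAGE" "$received")"
```

An empty or malformed digest makes `build_checkpoint_ref` return non-zero, so a step running under `set -e` stops before the build consumes a bad ref.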