
ci(docker): avoid secret-masked image outputs#280

Open
manzuoni-astera wants to merge 1 commit into
diff-use:mainfrom
manzuoni-astera:fix/docker-checkpoint-digest-output

Conversation

@manzuoni-astera manzuoni-astera commented Jun 29, 2026

Contributor

Summary

  • pass only the checkpoint digest between workflow jobs so GitHub secret masking does not suppress the sync_checkpoints output
  • reconstruct the digest-pinned Docker Hub checkpoint ref inside the public image job before invoking buildx
  • pass the public image digest to the Astera overlay job and build the overlay from that exact digest instead of a SHA tag output
  • update Docker docs to describe the digest-based handoff

Why

The Docker workflow currently mirrors and verifies checkpoints successfully, then GitHub skips the checkpoints_image job output because the full image ref appears to contain a secret-matched value. The public image job receives an empty CHECKPOINTS_IMAGE and exits before any image build starts.

This keeps cross-job outputs to bare sha256:... digests, then reconstructs image refs inside the consumer job where they are used.

Validation

  • git diff --check
  • ruby -e 'require "yaml"; YAML.load_file(".github/workflows/docker.yml")'
  • actionlint .github/workflows/docker.yml

Summary by CodeRabbit

  • Bug Fixes
    • Updated Docker image handling to use digest-pinned references across workflow steps, reducing the chance of mismatched or outdated images.
    • Improved validation and propagation of checkpoint image values between build jobs.
  • Documentation
    • Clarified the Docker setup notes to reflect that the private overlay image is built from the exact public image digest generated in the same run.
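The digest-only handoff described above, as an added example that is not part of this PR or of the sampleworks workflow: plain POSIX shell functions for the producer side (export only the bare digest to GITHUB_OUTPUT) and the consumer side (reject an empty or malformed digest before any build starts, then rebuild the digest-pinned ref as repo@sha256:...). The repository name and the digest value are constructed placeholders, not real images.

```shell
#!/bin/sh
# Added example (not the sampleworks project's workflow code): the digest-only
# handoff between CI jobs, written as plain POSIX shell functions.
set -eu

# Accept only a bare OCI digest: "sha256:" followed by exactly 64 lowercase hex digits.
is_sha256_digest() {
  case "$1" in
    sha256:*) ;;
    *) return 1 ;;
  esac
  hex="${1#sha256:}"
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Consumer-job side: rebuild "repo@sha256:..." from the bare digest that the
# upstream job exported. An empty value is the failure mode the PR describes
# (a skipped/masked job output), so it is rejected before any build starts.
resolve_pinned_ref() {
  repo="$1"
  digest="$2"
  if [ -z "$digest" ]; then
    echo "error: checkpoint digest input is empty; upstream output missing or masked" >&2
    return 1
  fi
  if ! is_sha256_digest "$digest"; then
    echo "error: malformed digest: $digest" >&2
    return 1
  fi
  printf '%s@%s\n' "$repo" "$digest"
}

# Producer-job side: export only the bare digest as a job output.
# Outside GitHub Actions (GITHUB_OUTPUT unset) the line goes to stdout instead.
emit_output() {
  printf '%s=%s\n' "$1" "$2" >> "${GITHUB_OUTPUT:-/dev/stdout}"
}

# Demo with constructed values (placeholder repository and digest, not real).
DEMO_REPO="docker.io/example/checkpoints"
DEMO_DIGEST="sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
emit_output checkpoints_digest "$DEMO_DIGEST"
resolve_pinned_ref "$DEMO_REPO" "$DEMO_DIGEST"
```

The point of keeping the validation in the consumer job is that a dropped or masked output then fails the job with a clear message at the resolver step, rather than surfacing later as an empty build argument.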

Copilot AI review requested due to automatic review settings June 29, 2026 23:27

coderabbitai Bot commented Jun 29, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between ae70c3c and 5a3609b.

📒 Files selected for processing (2)
  • .github/workflows/docker.yml
  • README.md

Walkthrough

The Docker workflow is updated to propagate image references as digests rather than composed tag strings. sync_checkpoints now outputs a raw checkpoints_digest; the public job gains a resolver step that reconstructs a digest-pinned checkpoint image ref and exports image_digest; the Astera overlay build consumes the digested public image. README wording is updated accordingly.

Digest-pinned image propagation

  • sync_checkpoints: emit digest instead of full image ref (.github/workflows/docker.yml)
    Job output renamed from checkpoints_image to checkpoints_digest; the verify_checkpoints step writes only actual_digest to GITHUB_OUTPUT instead of composing a full image ref.
  • public job: resolver step and digest output (.github/workflows/docker.yml)
    The public job output is switched to image_digest, taken from the build step digest. A new "Resolve mirrored checkpoint image input" step validates CHECKPOINTS_DIGEST and constructs dockerhub_ref@CHECKPOINTS_DIGEST; build-args are wired to use that resolver output.
  • Astera overlay and docs: consume image_digest (.github/workflows/docker.yml, README.md)
    The Astera build arg PIXI_WITH_CHECKPOINTS_IMAGE is updated to reference public.outputs.image_digest; README is updated to describe the exact public image digest as the overlay base.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • diff-use/sampleworks#244: Introduced the same split public/Astera image pipeline that this PR refactors to use digest-pinned outputs.
  • diff-use/sampleworks#277: Also modifies the same checkpoint digest output propagation between jobs in docker.yml.
  • diff-use/sampleworks#275: Updates pinned digest references in the sync_checkpoints job in the same workflow file.

Suggested reviewers

  • xraymemory
  • marcuscollins
  • Abdelsalam-Abbas
  • mag-astera

🐇 A digest, a digest, no tag shall mislead,
The workflow now pins with the hash that we need.
The resolver constructs what the builder shall see,
From checkpoint to public to Astera, digest-free!
🔒 Exact and immutable, just how it should be~

Pre-merge checks (5 passed)

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately reflects the workflow change to avoid GitHub secret-masked image outputs by switching to digest-based handoff.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

Copilot AI left a comment

Contributor

Pull request overview

This PR updates the Docker CI workflow to avoid cross-job outputs being dropped due to GitHub secret masking by passing only sha256:... digests between jobs and reconstructing digest-pinned image refs inside the consumer jobs.

Changes:

  • Switch the sync_checkpoints → public handoff from a full image ref output to a bare checkpoints_digest output.
  • Reconstruct the digest-pinned checkpoint image ref inside the public job and use that for buildx build args.
  • Build the Astera overlay from the exact public image digest (not a sha-<short-sha> tag) and update README wording accordingly.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

  • README.md: Updates Docker CI docs to describe digest-based handoff for the Astera overlay image.
  • .github/workflows/docker.yml: Changes inter-job outputs to digests and reconstructs digest-pinned image refs inside jobs to avoid secret-masked outputs.
