Skip to content

Add workflow to build full-repo image and upload to GAR#1005

Draft
jdyaberi-pp wants to merge 1 commit into
mainfrom
feat/gar-upload-full-repo-image
Draft

Add workflow to build full-repo image and upload to GAR#1005
jdyaberi-pp wants to merge 1 commit into
mainfrom
feat/gar-upload-full-repo-image

Conversation

@jdyaberi-pp

Copy link
Copy Markdown
Contributor

Summary

  • Adds .github/workflows/upload-image-gar.yml to build the full-repo Docker image from legacy/dockerfile and push it to Google Artifact Registry as potpie-latest (tags: short SHA + latest).
  • Fixes early Dockerfile COPY layers so hatchling can resolve README.md / LICENSE during uv sync.
  • Ignores stale potpie/observability in .dockerignore so local leftovers cannot break the workspace glob.

Test plan

  • Locally built image successfully: docker build --tag potpie-latest -f legacy/dockerfile .
  • Confirmed image exists as potpie-latest:latest
  • Ensure GitHub secrets STAGE_GCLOUD_PROJECT_ID and STAGE_GKE_SA_KEY (and staging environment) are configured on this repo
  • Run the workflow via Actions → Build and Upload image to Artifact Registry → Run workflow
  • Verify image appears in GAR at us-central1-docker.pkg.dev/<project>/potpie/potpie-latest:latest

Made with Cursor

Uses legacy/dockerfile to produce potpie-latest, tagged with the short SHA and latest, and fixes early-layer COPY so hatchling metadata validation succeeds during uv sync.

Co-authored-by: Cursor <cursoragent@cursor.com>
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Added a manually triggered workflow to build and publish Docker images to Google Artifact Registry.
    • Images are published with both a commit-based tag and a latest tag.
    • The workflow can create the target container repository when needed.
  • Bug Fixes

    • Improved Docker build reliability by excluding files that can interfere with workspace synchronization.
    • Included required project documentation and metadata during Docker image builds.

Walkthrough

Changes

Artifact Registry image publishing

Layer / File(s) Summary
Docker build context and metadata
legacy/.dockerignore, legacy/dockerfile
The build excludes potpie/observability and copies root and legacy documentation alongside dependency metadata.
Manual registry publishing workflow
.github/workflows/upload-image-gar.yml
A manually dispatched workflow authenticates to Google Cloud, ensures the Artifact Registry repository exists, builds the legacy image, and pushes short-SHA and latest tags.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: adding a workflow to build the repo image and upload it to GAR.
Description check ✅ Passed The description is directly related to the workflow, Dockerfile, and .dockerignore changes in this PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/upload-image-gar.yml:
- Around line 18-20: Remove the unused id-token: write permission from the
workflow permissions block while authentication continues using
credentials_json; alternatively, migrate the authentication step to Workload
Identity Federation and configure it to use the existing id-token permission
instead of a long-lived service account key.
- Around line 23-24: Update the checkout step using actions/checkout@v4 to set
persist-credentials: false, ensuring no Git token is retained for subsequent
workflow steps.
- Around line 3-4: Add a workflow-level concurrency group to the
upload-image-gar workflow alongside the existing workflow_dispatch trigger,
using a stable group name and preventing or canceling overlapping runs so
concurrent image pushes cannot race on the latest tag.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: be414589-0c08-4e75-80f8-dd34c8fd5d28

📥 Commits

Reviewing files that changed from the base of the PR and between a6ae3da and 404e92a.

📒 Files selected for processing (3)
  • .github/workflows/upload-image-gar.yml
  • legacy/.dockerignore
  • legacy/dockerfile

Comment on lines +3 to +4
on:
workflow_dispatch:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Add concurrency control to prevent races on the latest tag.

Two concurrent workflow_dispatch runs could push different images to the latest tag simultaneously, with the last push winning non-deterministically. Adding a concurrency group prevents this.

🔒 Suggested fix
 on:
   workflow_dispatch:
 
+concurrency:
+  group: build-and-upload-gar
+  cancel-in-progress: true
+
 env:
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
on:
workflow_dispatch:
on:
workflow_dispatch
concurrency:
group: build-and-upload-gar
cancel-in-progress: true
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 3-4: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/upload-image-gar.yml around lines 3 - 4, Add a
workflow-level concurrency group to the upload-image-gar workflow alongside the
existing workflow_dispatch trigger, using a stable group name and preventing or
canceling overlapping runs so concurrent image pushes cannot race on the latest
tag.

Source: Linters/SAST tools

Comment on lines +18 to +20
permissions:
contents: "read"
id-token: "write"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | 🏗️ Heavy lift

id-token: write is unused — migrate to Workload Identity Federation or remove the permission.

The auth step uses credentials_json (long-lived service account key), which does not require id-token: write. The permission is currently granted but unused, violating least-privilege. Two options:

  1. Quick fix: Remove id-token: write if staying with key-based auth.
  2. Recommended: Migrate to Workload Identity Federation, which uses short-lived tokens and eliminates the need to store a service account key as a GitHub secret. The id-token: write permission would then be correctly used.
🔒 Option 2 — WIF migration
       permissions:
         contents: "read"
-        id-token: "write"
+        id-token: "write"  # Required for Workload Identity Federation
       - id: "auth"
         uses: "google-github-actions/auth@v2"
         with:
-          credentials_json: "${{ secrets.STAGE_GKE_SA_KEY }}"
+          workload_identity_provider: "projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL>/providers/<PROVIDER>"
+          service_account: "<SA_EMAIL>@<PROJECT_ID>.iam.gserviceaccount.com"

Also applies to: 26-29

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 20-20: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/upload-image-gar.yml around lines 18 - 20, Remove the
unused id-token: write permission from the workflow permissions block while
authentication continues using credentials_json; alternatively, migrate the
authentication step to Workload Identity Federation and configure it to use the
existing id-token permission instead of a long-lived service account key.

Source: Linters/SAST tools

Comment on lines +23 to +24
- name: Checkout
uses: actions/checkout@v4

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Set persist-credentials: false on the checkout step.

By default actions/checkout@v4 persists a Git token in the runner's credential store for the duration of the job. This workflow doesn't perform any Git operations after checkout, so the persisted credential is unnecessary and expands the attack surface if a subsequent step is compromised.

🔒 Suggested fix
 - name: Checkout
   uses: actions/checkout@v4
+  with:
+    persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Checkout
uses: actions/checkout@v4
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/upload-image-gar.yml around lines 23 - 24, Update the
checkout step using actions/checkout@v4 to set persist-credentials: false,
ensuring no Git token is retained for subsequent workflow steps.

Source: Linters/SAST tools

@jdyaberi-pp jdyaberi-pp marked this pull request as draft July 10, 2026 05:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant