Add workflow to build full-repo image and upload to GAR#1005
Add workflow to build full-repo image and upload to GAR#1005jdyaberi-pp wants to merge 1 commit into
Conversation
Uses legacy/dockerfile to produce potpie-latest, tagged with the short SHA and latest, and fixes early-layer COPY so hatchling metadata validation succeeds during uv sync. Co-authored-by: Cursor <cursoragent@cursor.com>
📝 WalkthroughSummary by CodeRabbit
WalkthroughChangesArtifact Registry image publishing
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/upload-image-gar.yml:
- Around line 18-20: Remove the unused id-token: write permission from the
workflow permissions block while authentication continues using
credentials_json; alternatively, migrate the authentication step to Workload
Identity Federation and configure it to use the existing id-token permission
instead of a long-lived service account key.
- Around line 23-24: Update the checkout step using actions/checkout@v4 to set
persist-credentials: false, ensuring no Git token is retained for subsequent
workflow steps.
- Around line 3-4: Add a workflow-level concurrency group to the
upload-image-gar workflow alongside the existing workflow_dispatch trigger,
using a stable group name and preventing or canceling overlapping runs so
concurrent image pushes cannot race on the latest tag.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI (base), Organization UI (inherited)
Review profile: ASSERTIVE
Plan: Pro
Run ID: be414589-0c08-4e75-80f8-dd34c8fd5d28
📒 Files selected for processing (3)
.github/workflows/upload-image-gar.ymllegacy/.dockerignorelegacy/dockerfile
| on: | ||
| workflow_dispatch: |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win
Add concurrency control to prevent races on the latest tag.
Two concurrent workflow_dispatch runs could push different images to the latest tag simultaneously, with the last push winning non-deterministically. Adding a concurrency group prevents this.
🔒 Suggested fix
on:
workflow_dispatch:
+concurrency:
+ group: build-and-upload-gar
+ cancel-in-progress: true
+
env:📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| on: | |
| workflow_dispatch: | |
| on: | |
| workflow_dispatch | |
| concurrency: | |
| group: build-and-upload-gar | |
| cancel-in-progress: true |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 3-4: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/upload-image-gar.yml around lines 3 - 4, Add a
workflow-level concurrency group to the upload-image-gar workflow alongside the
existing workflow_dispatch trigger, using a stable group name and preventing or
canceling overlapping runs so concurrent image pushes cannot race on the latest
tag.
Source: Linters/SAST tools
| permissions: | ||
| contents: "read" | ||
| id-token: "write" |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔵 Trivial | 🏗️ Heavy lift
id-token: write is unused — migrate to Workload Identity Federation or remove the permission.
The auth step uses credentials_json (long-lived service account key), which does not require id-token: write. The permission is currently granted but unused, violating least-privilege. Two options:
- Quick fix: Remove
id-token: writeif staying with key-based auth. - Recommended: Migrate to Workload Identity Federation, which uses short-lived tokens and eliminates the need to store a service account key as a GitHub secret. The
id-token: writepermission would then be correctly used.
🔒 Option 2 — WIF migration
permissions:
contents: "read"
- id-token: "write"
+ id-token: "write" # Required for Workload Identity Federation - id: "auth"
uses: "google-github-actions/auth@v2"
with:
- credentials_json: "${{ secrets.STAGE_GKE_SA_KEY }}"
+ workload_identity_provider: "projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL>/providers/<PROVIDER>"
+ service_account: "<SA_EMAIL>@<PROJECT_ID>.iam.gserviceaccount.com"Also applies to: 26-29
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 20-20: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/upload-image-gar.yml around lines 18 - 20, Remove the
unused id-token: write permission from the workflow permissions block while
authentication continues using credentials_json; alternatively, migrate the
authentication step to Workload Identity Federation and configure it to use the
existing id-token permission instead of a long-lived service account key.
Source: Linters/SAST tools
| - name: Checkout | ||
| uses: actions/checkout@v4 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
Set persist-credentials: false on the checkout step.
By default actions/checkout@v4 persists a Git token in the runner's credential store for the duration of the job. This workflow doesn't perform any Git operations after checkout, so the persisted credential is unnecessary and expands the attack surface if a subsequent step is compromised.
🔒 Suggested fix
- name: Checkout
uses: actions/checkout@v4
+ with:
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/upload-image-gar.yml around lines 23 - 24, Update the
checkout step using actions/checkout@v4 to set persist-credentials: false,
ensuring no Git token is retained for subsequent workflow steps.
Source: Linters/SAST tools
Summary
.github/workflows/upload-image-gar.ymlto build the full-repo Docker image fromlegacy/dockerfileand push it to Google Artifact Registry aspotpie-latest(tags: short SHA +latest).COPYlayers so hatchling can resolveREADME.md/LICENSEduringuv sync.potpie/observabilityin.dockerignoreso local leftovers cannot break the workspace glob.Test plan
docker build --tag potpie-latest -f legacy/dockerfile .potpie-latest:latestSTAGE_GCLOUD_PROJECT_IDandSTAGE_GKE_SA_KEY(andstagingenvironment) are configured on this repous-central1-docker.pkg.dev/<project>/potpie/potpie-latest:latestMade with Cursor