fix: Add back temporary workflow to publish main to ghcr #725
Conversation
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@brendan-kellam your pull request is missing a changelog! |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
This is the final PR Bugbot will review for you during this billing cycle
Your free Bugbot reviews will reset on February 14
Details
You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
|
|
||
| on: | ||
| push: | ||
| branches: ["main"] |
There was a problem hiding this comment.
Missing concurrency control allows race condition on parallel pushes
Medium Severity
The workflow lacks a concurrency block that the release workflow includes. When multiple pushes to main occur in quick succession, parallel workflow runs can race to publish images. If an older commit's workflow completes after a newer commit's workflow, the main tag will point to stale code. This could cause users pulling ghcr.io/sourcebot-dev/sourcebot:main to receive an outdated image version.
|
@coderabbitai review |
✅ Actions performedReview triggered.
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
…in permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
| name: Release Sourcebot (Development) | ||
|
|
||
| permissions: | ||
| contents: read |
There was a problem hiding this comment.
Missing permissions for Docker registry push operations
High Severity
The workflow-level permissions: contents: read setting restricts all unspecified permissions to none. The build and publish-to-registry jobs call reusable workflows (_build.yml and _merge.yml) that require packages: write and id-token: write, but these jobs don't specify job-level permissions to grant those scopes. The called workflows' permission requests are limited by what the caller provides, so the Docker image push and cosign signing operations will fail due to insufficient GITHUB_TOKEN permissions. The original inline build job had these permissions explicitly specified at the job level.
This PR adds back a workflow to publish
mainto ghcr since the previous PR removed that functionality.Note
Introduces reusable CI for building and publishing multi-architecture Docker images and wires them into dev and prod releases.
._github/workflows/_build.yml(per-platform build, sign, and digest artifact upload) and._github/workflows/_merge.yml(merge digests into multi-platform manifest and push)release-dev.yml: builds frommainand publishesghcr.io/sourcebot-dev/sourcebot:mainrelease-prod.yml: replaces inline build/manifest steps with calls to_build.ymland_merge.yml, addspublish-to-registryjob post-tagging, and updates job dependencies/cleanup; preserves tagging (vX.Y.Z,latest) and GitHub Release creationWritten by Cursor Bugbot for commit 2eae6c3. This will update automatically on new commits. Configure here.