Automation: Direction

[github-actions]

Last generated: 2026-01-22T18:31:25.263Z
Provider: openai
Model: gpt-5.2

Summary

Stabilize and harden the repo’s automation around building/publishing the Privoxy Docker image: add a minimal CI build test, enforce Dockerfile best practices, add dependabot for base image updates, and make the release/publish workflow deterministic (pinned tags, labels, provenance).

Direction (what and why)

What: Treat this repository primarily as a Docker image packaging repo and build automation around repeatable image builds and safe updates (base image bumps, config changes).
Why: Current commits indicate image tweaks (pin alpine, tags, debug settings) but there’s no clear safety net shown in-tree (CI build/test, linting, dependency update automation). Small, reliable automation reduces breakage risk and manual toil when updating tags or base images.

Key goals:

• Catch breakage early: CI should at least docker build on PRs.
• Keep dependencies fresh safely: Dependabot for Dockerfile base image tag digests.
• Make releases predictable: Explicit tagging strategy and metadata/labels.

Plan (next 1–3 steps)

1. Add CI “build only” workflow (PR + push)

   • Create: .github/workflows/ci.yml
   • Jobs:
     • docker/build-push-action in build-only mode (no push) to validate Dockerfile changes.
     • Cache enabled to speed up CI.
   • Concrete contents (high level):
     • triggers: pull_request, push to master
     • steps: actions/checkout@v4, docker/setup-buildx-action@v3, docker/build-push-action@v6 with push: false, tags: privoxy:test, load: false (or load: true if you want to run a container smoke test in step 3).

2. Add Dependabot for Docker base image updates

   • Create: .github/dependabot.yml
   • Enable updates for:
     • package-ecosystem: "docker" at /
     • schedule weekly
   • If Dockerfile uses a plain tag (e.g., alpine:3.19), consider pinning by digest to reduce supply-chain risk; dependabot can update digests.

3. Add a lightweight container smoke test (optional but high value)

   • Extend .github/workflows/ci.yml:
     • build with load: true
     • run: docker run -d -p 8118:8118 privoxy:test
     • verify port is up: curl --retry 10 --retry-connrefused http://127.0.0.1:8118/ (or whatever endpoint is expected)
   • This catches “image builds but doesn’t start” regressions.

Risks/unknowns

• Privoxy runtime expectations: The image’s default command/entrypoint and health behavior aren’t shown here; smoke test may need adjustment (port, endpoint, startup time).
• Publishing strategy already exists in .github/: The repo has new workflows (“synced”); proposed CI/publish workflows may overlap. Before adding, inspect existing .github/workflows/* and consolidate rather than duplicate.
• Large bfg-1.15.0.jar committed: This is unusual for an image repo and may slow clones/CI. If it’s not required at runtime, plan a follow-up to remove it and rewrite history (but that’s higher risk and should be coordinated).

Suggested tests

• CI build test: docker build . (via GitHub Actions) on every PR.
• Config sanity (basic): Build then run container and assert it listens on expected port.
• Repro check (manual spot): Locally run docker build --no-cache . after base image bump PRs.

Progress checklist

• .github/workflows/ci.yml added and passing on PRs
• .github/dependabot.yml added; first PR generated for Dockerfile when applicable
• (Optional) Smoke test runs in CI and is stable (no flaky startup timing)
• Document in README.rst how CI verifies image health and how to run the same checks locally