feat: publish Docker image to GHCR #218
Conversation
Release notes say this is a migration to N-API, no code changes - https://github.com/Automattic/node-canvas/releases/tag/v3.0.0
I need an employee to comment
@oioki know anything about this?
jobs:
release-ghcr-version-tag:
runs-on: ubuntu-latest
Missing packages write permission blocks GHCR push
High Severity
The release-ghcr-version-tag job lacks a permissions block granting packages: write. GitHub's default GITHUB_TOKEN permissions are read-only (since Feb 2023), so the docker buildx imagetools create commands will fail to push tags to GHCR. The sibling workflow image.yml correctly sets permissions: { contents: read, packages: write } on both its jobs, but this workflow omits it entirely.
run: |
docker buildx imagetools create \
--tag ghcr.io/getsentry/chartcuterie:${{ github.event.pull_request.head.sha || github.sha }} \
--tag ghcr.io/getsentry/chartcuterie:nightly \
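Review bot: the `${{ github.event.pull_request.head.sha || github.sha }}` expression in the first `--tag` line shows this step is also reached on pull_request events, yet `docker buildx imagetools create` pushes tags to GHCR; on a pull_request from a fork the GITHUB_TOKEN is read-only whatever the job's `permissions` say, so the push fails there unless the step is gated, e.g. `if: github.event_name == 'push'`, leaving fork PRs with the build check only.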
Bug: The workflow unconditionally applies the nightly tag to images built from release/** branches, which should only be applied to builds from the master branch.
Severity: HIGH
Suggested Fix
The command that applies the nightly tag should be wrapped in a conditional check to ensure it only executes when the event is triggered from the master branch, for example, by adding an if: github.ref_name == 'master' condition to the step.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: .github/workflows/image.yml#L60
Potential issue: The `assemble-chartcuterie-image` job runs on pushes to both `master` and `release/**` branches. However, it unconditionally applies the `ghcr.io/getsentry/chartcuterie:nightly` tag. This means that when a commit is pushed to a release branch, it will overwrite the `nightly` tag, which is intended to track the latest development build from `master`. This violates the standard convention for `nightly` tags and will cause users and development environments expecting the latest `master` build to receive a release branch build instead.
run: |
docker buildx imagetools create \
--tag ghcr.io/getsentry/chartcuterie:${{ github.event.pull_request.head.sha || github.sha }} \
--tag ghcr.io/getsentry/chartcuterie:nightly \
Release pushes overwrite nightly image tag
Medium Severity
assemble-chartcuterie-image runs for both master and release/** pushes, but always retags :nightly. Any release-branch push can replace nightly with a non-master build, so consumers of ghcr.io/getsentry/chartcuterie:nightly may pull an unexpected older or branch-specific image.
on:
release:
types: [prereleased, released]
Prereleases retagged as latest image
Medium Severity
The workflow triggers on prereleased and released, but always runs the latest retag step. Creating a prerelease will overwrite ghcr.io/getsentry/chartcuterie:latest with a prerelease image.
/gcbrun
/gcbrun(96fbba5)
/gcbrun(5947d0c)
/gcbrun(5947d0c)
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 4 total unresolved issues (including 3 from previous reviews).
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Fork PRs don't trigger push events in the main repo, so the build check was never running for external contributors. Adding a pull_request trigger uses a read-only token with no secret access, which is safe.
Co-Authored-By: Claude <noreply@anthropic.com>
release:
types: [prereleased, released]
jobs:
Bug: The release-ghcr-version-tag workflow is missing permissions: { packages: write }. This will cause the job to fail when it attempts to publish images to the GitHub Container Registry.
Severity: CRITICAL
Suggested Fix
Add a permissions block to the release-ghcr-version-tag job to grant write access to packages.
jobs:
  release-ghcr-version-tag:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: .github/workflows/release-ghcr-version-tag.yml#L7
Potential issue: The `release-ghcr-version-tag.yml` workflow is missing a `permissions` block. By default, the `GITHUB_TOKEN` has only read access to packages. When this workflow runs, its attempt to push manifest tags to the GitHub Container Registry using `docker buildx imagetools create` will fail due to insufficient permissions. This will cause the release workflow to fail, preventing new versioned Docker images from being published. Other workflows in the repository, like `image.yml`, correctly declare `packages: write` for similar operations, indicating this was an oversight.
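A release workflow that addresses two of the findings raised in this thread (the missing `packages: write` grant and prereleases moving `:latest`), written here as an added example rather than the PR's own file; the step names, the `docker/login-action` step and the assumption that `image.yml` has already pushed a `:<sha>`-tagged image are mine, not the repository's.

```yaml
# Added example (not the PR's own file): release-ghcr-version-tag.yml with the
# permissions and prerelease findings addressed. Step names, the login action and
# the :<sha> source image pushed by image.yml are assumptions, not repository facts.
name: release-ghcr-version-tag

on:
  release:
    types: [prereleased, released]

jobs:
  release-ghcr-version-tag:
    runs-on: ubuntu-latest
    # GITHUB_TOKEN defaults to read-only; without packages: write the
    # imagetools pushes below are rejected by GHCR.
    permissions:
      contents: read
      packages: write
    steps:
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Both prereleases and releases get an immutable version tag.
      # (Assumes image.yml already pushed the release commit as :<sha>.)
      - name: Tag the release commit with the release version
        run: |
          docker buildx imagetools create \
            --tag ghcr.io/getsentry/chartcuterie:${{ github.event.release.tag_name }} \
            ghcr.io/getsentry/chartcuterie:${{ github.sha }}

      # Only a full release may move :latest; a prerelease must not.
      # The same pattern (if: github.ref_name == 'master') is what keeps
      # :nightly from being moved by release/** pushes in image.yml.
      - name: Tag the release commit as latest
        if: github.event.action == 'released'
        run: |
          docker buildx imagetools create \
            --tag ghcr.io/getsentry/chartcuterie:latest \
            ghcr.io/getsentry/chartcuterie:${{ github.sha }}
```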
This is fine. I'm waiting for #202 to be merged. Only then, we can move the release pipeline into Craft rather than relying on GHA like this.
/gcbrun(1db8ce6)


Taking over Hubert's PR #199