fix(coprocessor): change common-docker template #276
Merged
Conversation
tawadaa approved these changes on Jun 13, 2025
Contributor
Pull Request Overview
This PR updates the gw-listener Docker setup by renaming build stages and switching the CI workflow to a new common-docker template with S3 caching support.
- Renamed the Docker “runtime” stage to “prod” and added an empty “dev” stage alias
- Updated the GitHub Actions job to use common-docker.yml, added AWS cache secrets, and adjusted permissions
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| coprocessor/fhevm-engine/gw-listener/Dockerfile | Renamed stage alias from runtime to prod, added dev stage |
| .github/workflows/coprocessor-docker-build-gw-listener.yml | Switched CI template, added AWS cache secrets, updated permissions and inputs |
Comments suppressed due to low confidence (5)
.github/workflows/coprocessor-docker-build-gw-listener.yml:54
- [nitpick] The `docker-file` path includes a leading `./`; ensure the common-docker template resolves this correctly or remove the `./` for consistency with other jobs.
`docker-file: "./coprocessor/fhevm-engine/gw-listener/Dockerfile"`
.github/workflows/coprocessor-docker-build-gw-listener.yml:45
- [nitpick] Review whether the `pull-requests: 'read'` permission is required by the template; granting unused permissions can broaden the attack surface.
`pull-requests: 'read'`
coprocessor/fhevm-engine/gw-listener/Dockerfile:17
- You've renamed the `runtime` stage to `prod`. Please verify that any downstream references (e.g., CI templates or deployment scripts) expecting `runtime` are updated accordingly to avoid build failures.
`FROM cgr.dev/chainguard/glibc-dynamic:latest AS prod`
coprocessor/fhevm-engine/gw-listener/Dockerfile:35
- [nitpick] The new `dev` stage is empty and simply aliases `prod`. Consider adding development-specific steps or removing the unused stage to keep the Dockerfile clear.
`FROM prod AS dev`
.github/workflows/coprocessor-docker-build-gw-listener.yml:40
- Confirm that the AWS S3 credentials are strictly necessary for this job and scoped with least privilege to minimize risk if they're leaked.
`AWS_ACCESS_KEY_S3_USER: ${{ secrets.AWS_ACCESS_KEY_S3_USER }}`
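The review comment above asks that downstream references to the renamed `runtime` stage be checked. The script below is an added example, not code from this PR or the fhevm repository: it lists the stage aliases a Dockerfile declares and flags any `--target`/`target:` reference in other files that names a stage the Dockerfile no longer defines. The Dockerfile, workflow and build script it scans are constructed sample inputs; the real template inputs and repository layout are not known here.

```shell
#!/bin/sh
# Added example (not part of the PR): audit Docker build-stage names against
# the files that reference them by target. All inputs below are constructed.
set -eu

# Print the stage aliases declared with "FROM ... AS <name>" in a Dockerfile.
dockerfile_stages() {
  grep -iE '^[[:space:]]*FROM[[:space:]].*[[:space:]]AS[[:space:]]+[A-Za-z0-9_.-]+' "$1" \
    | sed -E 's/.*[[:space:]][Aa][Ss][[:space:]]+([A-Za-z0-9_.-]+).*/\1/'
}

# Usage: stale_target_refs <Dockerfile> <file>...
# Prints "<file>:<target>" for every "--target name", "--target=name" or
# "target: name" reference whose stage is not declared in the Dockerfile.
# Returns 1 when at least one stale reference was found, 0 otherwise.
stale_target_refs() {
  str_dockerfile=$1; shift
  str_stages=$(dockerfile_stages "$str_dockerfile")
  str_rc=0
  for str_file in "$@"; do
    for str_target in $(grep -oE '(--target[ =]|target:[ ]*)[A-Za-z0-9_.-]+' "$str_file" \
                        | sed -E 's/^(--target[ =]|target:[ ]*)//'); do
      printf '%s\n' "$str_stages" | grep -qxF "$str_target" \
        || { echo "$str_file:$str_target"; str_rc=1; }
    done
  done
  return $str_rc
}

# Constructed sample inputs: a Dockerfile after the runtime->prod rename, a
# workflow still pointing at the old stage, and a build script already updated.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/Dockerfile" <<'EOF'
FROM rust:1 AS builder
RUN echo build
FROM cgr.dev/chainguard/glibc-dynamic:latest AS prod
COPY --from=builder /app /app
FROM prod AS dev
EOF
cat > "$SAMPLE_DIR/deploy.yml" <<'EOF'
jobs:
  build:
    with:
      target: runtime
EOF
cat > "$SAMPLE_DIR/build.sh" <<'EOF'
docker build --target prod -t gw-listener .
EOF

echo "stages: $(dockerfile_stages "$SAMPLE_DIR/Dockerfile" | tr '\n' ' ')"
stale_target_refs "$SAMPLE_DIR/Dockerfile" "$SAMPLE_DIR/deploy.yml" "$SAMPLE_DIR/build.sh" \
  || echo "stale stage references found; update them before merging the rename"
```

Run it from the repository root against the real Dockerfile and every workflow, compose file and script that builds the image; a non-zero exit is the signal to block the rename until the references are updated.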
a1f2711 to 63f7a0f
No description provided.