ci: allow forks to override published container image namespace#3866
ci: allow forks to override published container image namespace#3866d-cs wants to merge 5 commits into
Conversation
The publish workflows hardcoded ghcr.io/triggerdotdev/... as the image destination, so a fork building on push-to-main would attempt to push to (and attest) the upstream packages. Derive the webapp image repo from github.repository (overridable via the WEBAPP_IMAGE_REPO variable) and read the worker namespace from the IMAGE_REGISTRY variable, both defaulting to the current values so upstream behaviour is unchanged.
|
|
Note Currently processing new changes in this PR. This may take a few minutes, please wait... ⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
WalkthroughAdds a resolve-registry job that computes a registry namespace and passes it into reusable publish workflows. publish-webapp now accepts image_registry, computes image_repo/ image_tags (including a full-SHA tag for main), emits image_repo as a job/workflow output, and uses it in attestation. publish-worker and publish-worker-v4 accept image_registry and resolve REGISTRY with precedence instead of a hardcoded namespace. Trivy scanning in publish.yml is updated to use publish-webapp's image_repo and version outputs. 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/publish-webapp.yml (1)
64-67: 💤 Low valueComment overstates flexibility.
The comment claims the variable supports "any registry/path," but the login step at line 103 is hardcoded to
ghcr.io. IfWEBAPP_IMAGE_REPOpoints to a different registry (e.g.,docker.io/...), the push will fail due to missing authentication.Consider narrowing the comment to reflect the actual supported scope (ghcr.io namespaces only), or note that additional login configuration would be required for non-ghcr.io registries.
📝 Suggested comment clarification
- # The image repo defaults to ghcr.io/<owner>/<repo>, so a fork publishes - # to its own package automatically with no extra config. Set the - # WEBAPP_IMAGE_REPO repository variable to override it with any - # registry/path. + # The image repo defaults to ghcr.io/<owner>/<repo>, so a fork publishes + # to its own package automatically with no extra config. Set the + # WEBAPP_IMAGE_REPO repository variable to override with a different + # ghcr.io namespace (e.g. ghcr.io/myorg/myimage). Non-ghcr.io registries + # would require additional login configuration.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 5b3d75ad-b0ce-46b0-838a-32a095691647
📒 Files selected for processing (4)
.github/workflows/publish-webapp.yml.github/workflows/publish-worker-v4.yml.github/workflows/publish-worker.yml.github/workflows/publish.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Analyze (javascript-typescript)
🧰 Additional context used
🧠 Learnings (4)
📓 Common learnings
Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 1306
File: .github/actions/get-image-tag/action.yml:51-62
Timestamp: 2024-10-12T01:08:24.066Z
Learning: In the 'get-image-tag' GitHub Action, prefer dependent workflows to fail immediately when the tag is invalid, without outputting the validity status as an output.
Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 1306
File: .github/actions/get-image-tag/action.yml:51-62
Timestamp: 2024-09-23T12:51:42.019Z
Learning: In the 'get-image-tag' GitHub Action, prefer dependent workflows to fail immediately when the tag is invalid, without outputting the validity status as an output.
📚 Learning: 2026-03-02T12:43:34.140Z
Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: packages/cli-v3/CLAUDE.md:0-0
Timestamp: 2026-03-02T12:43:34.140Z
Learning: Applies to packages/cli-v3/src/deploy/buildImage.ts : Build Docker images using `src/deploy/buildImage.ts` for local Docker/Depot or remote builds
Applied to files:
.github/workflows/publish-worker.yml.github/workflows/publish.yml.github/workflows/publish-webapp.yml
📚 Learning: 2024-10-12T01:08:24.066Z
Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 1306
File: .github/actions/get-image-tag/action.yml:51-62
Timestamp: 2024-10-12T01:08:24.066Z
Learning: In the 'get-image-tag' GitHub Action, prefer dependent workflows to fail immediately when the tag is invalid, without outputting the validity status as an output.
Applied to files:
.github/workflows/publish-worker-v4.yml.github/workflows/publish-webapp.yml
📚 Learning: 2026-05-12T14:13:17.114Z
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3561
File: .claude/scripts/check-review-md.sh:76-79
Timestamp: 2026-05-12T14:13:17.114Z
Learning: In the triggerdotdev/trigger.dev repository, `.claude/REVIEW.md` drift/audit checking is handled by an LLM-based workflow using `anthropics/claude-code-action` (mirroring `.github/workflows/claude-md-audit.yml`), not a static bash script. The LLM audit catches semantic drift, stale references, contradictions, and missing/obsolete rules — not just deleted paths. The bash script `.claude/scripts/check-review-md.sh` was dropped in favor of this approach.
Applied to files:
.github/workflows/publish.yml
🔇 Additional comments (5)
.github/workflows/publish-worker-v4.yml (1)
68-71: LGTM!Also applies to: 76-76
.github/workflows/publish-worker.yml (1)
86-89: LGTM!.github/workflows/publish-webapp.yml (2)
24-26: LGTM!Also applies to: 39-39
68-81: LGTM!Also applies to: 134-134
.github/workflows/publish.yml (1)
109-109: LGTM!
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Mirror the webapp's fork-friendly default in the worker publish workflows: default the image namespace to ghcr.io/<owner> instead of the hardcoded ghcr.io/triggerdotdev. Upstream resolves byte-identically (owner is triggerdotdev), while forks now publish worker images to their own namespace with no IMAGE_REGISTRY config, matching publish-webapp.yml. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Addressed the asymmetry @devin-ai-integration flagged in 7645e6d: the worker workflows ( |
Per review feedback, resolve the target container registry namespace a single time in publish.yml (the orchestration workflow) and pass it down to every publish job as an image_registry input, rather than each child workflow independently computing the default. This also unifies on one override variable: webapp and workers now both key off IMAGE_REGISTRY (a namespace, e.g. ghcr.io/<owner>), with the webapp image living at <registry>/<repo-name>. The separate WEBAPP_IMAGE_REPO variable is dropped, removing the prior asymmetry between a full-path override for the webapp and a namespace override for workers. Children keep the vars.IMAGE_REGISTRY || ghcr.io/<owner> fallback so the worker workflows still resolve correctly on their direct push triggers. Upstream defaults are byte-identical (owner is triggerdotdev). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop the resolve-registry job to avoid its runner startup cost. GitHub doesn't expose the env context to a reusable workflow's with: block, so inline the resolution expression directly in each publish job's image_registry input instead. Behavior and upstream defaults unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
The container publish workflows hardcoded
ghcr.io/triggerdotdev/...as the image destination. As a result, a fork that builds on push-to-main(or on the worker publish tags) would attempt to push to — and attest — the upstream packages rather than its own, which fails on permissions and is surprising besides.This makes the image destination configurable via a single
IMAGE_REGISTRYrepository variable, while leaving the upstream defaults byte-identical:publish.yml): aresolve-registryjob resolves the target registry namespace once —IMAGE_REGISTRYrepository variable, defaulting toghcr.io/${{ github.repository_owner }}— and passes it down to every publish job as animage_registryinput. So a fork publishes to its own namespace automatically with no configuration.publish-webapp.yml): the image now lives at<registry>/<repo-name>(e.g.ghcr.io/<owner>/trigger.dev). The provenance attestation and the downstream Trivy scan follow the same computed repo via theimage_repoworkflow output.publish-worker.yml,publish-worker-v4.yml): build under<registry>/<worker-name>. They keep avars.IMAGE_REGISTRY || ghcr.io/<owner>fallback so they still resolve correctly on their directinfra-*/re2-*push triggers (which bypass the parent workflow).A single
IMAGE_REGISTRYnamespace variable now governs both webapp and workers (the earlierWEBAPP_IMAGE_REPOfull-path override is dropped, removing the full-path/namespace asymmetry). WhenIMAGE_REGISTRYis unset, every resolved image name is exactly what it is today, so there is no change for this repo.Test plan
actionlintpasses on all four workflowsghcr.io/triggerdotdev/trigger.dev:main+ the commit-SHA tag (defaults unchanged)