
ci: allow forks to override published container image namespace #3866

Open
d-cs wants to merge 8 commits into main from image-registry-overrides

Conversation

@d-cs
Collaborator

@d-cs d-cs commented Jun 8, 2026

Summary

The container publish workflows hardcoded ghcr.io/triggerdotdev/... as the image destination. As a result, a fork that builds on push-to-main (or on the worker publish tags) would attempt to push to — and attest — the upstream packages rather than its own, which fails on permissions and is surprising besides.

This makes the image destination configurable via a single IMAGE_REGISTRY repository variable, while leaving the upstream defaults byte-identical:

  • Single source of truth (publish.yml): a resolve-registry job resolves the target registry namespace once — IMAGE_REGISTRY repository variable, defaulting to ghcr.io/${{ github.repository_owner }} — and passes it down to every publish job as an image_registry input. So a fork publishes to its own namespace automatically with no configuration.
  • Webapp (publish-webapp.yml): the image now lives at <registry>/<repo-name> (e.g. ghcr.io/<owner>/trigger.dev). The provenance attestation and the downstream Trivy scan follow the same computed repo via the image_repo workflow output.
  • Workers (publish-worker.yml, publish-worker-v4.yml): build under <registry>/<worker-name>. They keep a vars.IMAGE_REGISTRY || ghcr.io/<owner> fallback so they still resolve correctly on their direct infra-* / re2-* push triggers (which bypass the parent workflow).

A single IMAGE_REGISTRY namespace variable now governs both webapp and workers (the earlier WEBAPP_IMAGE_REPO full-path override is dropped, removing the full-path/namespace asymmetry). When IMAGE_REGISTRY is unset, every resolved image name is exactly what it is today, so there is no change for this repo.

Test plan

  • actionlint passes on all four workflows
  • On merge, confirm the webapp publish still pushes ghcr.io/triggerdotdev/trigger.dev:main + the commit-SHA tag (defaults unchanged)

The publish workflows hardcoded ghcr.io/triggerdotdev/... as the image
destination, so a fork building on push-to-main would attempt to push to
(and attest) the upstream packages.

Derive the webapp image repo from github.repository (overridable via the
WEBAPP_IMAGE_REPO variable) and read the worker namespace from the
IMAGE_REGISTRY variable, both defaulting to the current values so upstream
behaviour is unchanged.
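The resolution the PR describes, as an added example that is not code from the trigger.dev workflows: a POSIX-shell model of the `vars.IMAGE_REGISTRY || ghcr.io/<owner>` fallback, the `<registry>/<repo-name>` webapp image derivation, the `<registry>/<worker-name>` worker derivation, the main + full-SHA tagging from the test plan, and a fail-fast check that the resolved namespace is on the registry the workflow actually logs in to (ghcr.io). The function names, the trailing-slash handling, the non-main tag shape, and the `example-fork` / `example-worker` placeholders are assumptions for illustration; in the real workflows GitHub evaluates the expression itself.

```shell
#!/bin/sh
# Added example, not code from the trigger.dev workflows: a POSIX-shell model of
# the namespace resolution the PR describes, so the precedence can be checked
# locally. Function names, trailing-slash handling and the non-main tag shape
# are assumptions for illustration; in the real workflows GitHub evaluates the
# `${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}`
# expression itself.
set -eu

# resolve_registry OWNER [IMAGE_REGISTRY]
# Mirrors `vars.IMAGE_REGISTRY || ghcr.io/<owner>`: an unset or empty variable
# falls through to the owner's own ghcr.io namespace, so a fork never targets
# the upstream packages unless it explicitly asks to.
resolve_registry() {
  override="${2:-}"
  if [ -n "$override" ]; then
    printf '%s\n' "${override%/}"      # tolerate one trailing slash (assumption)
  else
    printf 'ghcr.io/%s\n' "$1"
  fi
}

# webapp_image_repo REGISTRY REPOSITORY   (REPOSITORY is "owner/name")
# The webapp image lives at <registry>/<repo-name>.
webapp_image_repo() {
  printf '%s/%s\n' "$1" "${2##*/}"
}

# worker_image_repo REGISTRY WORKER_NAME -> <registry>/<worker-name>
worker_image_repo() {
  printf '%s/%s\n' "$1" "$2"
}

# image_tags REPO REF_NAME SHA
# main gets both a ref tag and a full-SHA tag (the pair the test plan checks);
# other refs get only the ref tag (assumption for illustration).
image_tags() {
  if [ "$2" = "main" ]; then
    printf '%s:%s %s:%s\n' "$1" "$2" "$1" "$3"
  else
    printf '%s:%s\n' "$1" "$2"
  fi
}

# registry_host REGISTRY -> the host part, which is what `docker login` needs.
registry_host() {
  printf '%s\n' "${1%%/*}"
}

# check_login_host REGISTRY LOGIN_HOST
# Fails when the resolved namespace is on a registry the workflow never logs
# in to: catching this before the build turns a late push/attest failure into
# an immediate, explicit error.
check_login_host() {
  [ "$(registry_host "$1")" = "$2" ]
}

# Demonstration: upstream and a fork each resolve to their own namespace with
# no IMAGE_REGISTRY set; "example-fork" and "example-worker" are placeholders.
for owner in triggerdotdev example-fork; do
  registry=$(resolve_registry "$owner")
  check_login_host "$registry" ghcr.io
  echo "$owner: $(image_tags "$(webapp_image_repo "$registry" "$owner/trigger.dev")" main 0123abcd)"
  echo "$owner: $(worker_image_repo "$registry" example-worker)"
done
```

The `check_login_host` step is the caveat worth carrying into the real workflow: the expression makes the namespace configurable, but the login step is still bound to one registry host, so a value such as `docker.io/<org>` would only fail after the image has been built.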
@changeset-bot

changeset-bot Bot commented Jun 8, 2026

⚠️ No Changeset found

Latest commit: d8b0738

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@coderabbitai
Contributor

coderabbitai Bot commented Jun 8, 2026

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds a resolve-registry job that computes a registry namespace and passes it into reusable publish workflows. publish-webapp now accepts image_registry, computes image_repo/ image_tags (including a full-SHA tag for main), emits image_repo as a job/workflow output, and uses it in attestation. publish-worker and publish-worker-v4 accept image_registry and resolve REGISTRY with precedence instead of a hardcoded namespace. Trivy scanning in publish.yml is updated to use publish-webapp's image_repo and version outputs.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. The description provides a clear summary, test plan, and technical details, but is missing required checklist items, testing steps documentation, and changelog section per the template. Resolution: complete the required PR template sections (fill the checklist, document testing steps in the Testing section, and add a brief changelog entry describing the changes).

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title clearly and concisely summarizes the main change: making container image namespace configurable for forks instead of hardcoding it.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@d-cs d-cs self-assigned this Jun 8, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/publish-webapp.yml (1)

64-67: 💤 Low value

Comment overstates flexibility.

The comment claims the variable supports "any registry/path," but the login step at line 103 is hardcoded to ghcr.io. If WEBAPP_IMAGE_REPO points to a different registry (e.g., docker.io/...), the push will fail due to missing authentication.

Consider narrowing the comment to reflect the actual supported scope (ghcr.io namespaces only), or note that additional login configuration would be required for non-ghcr.io registries.

📝 Suggested comment clarification
-          # The image repo defaults to ghcr.io/<owner>/<repo>, so a fork publishes
-          # to its own package automatically with no extra config. Set the
-          # WEBAPP_IMAGE_REPO repository variable to override it with any
-          # registry/path.
+          # The image repo defaults to ghcr.io/<owner>/<repo>, so a fork publishes
+          # to its own package automatically with no extra config. Set the
+          # WEBAPP_IMAGE_REPO repository variable to override with a different
+          # ghcr.io namespace (e.g. ghcr.io/myorg/myimage). Non-ghcr.io registries
+          # would require additional login configuration.
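Review bot: the suggested comment still documents WEBAPP_IMAGE_REPO, but the PR description on this page says that variable is dropped and the webapp image is now derived as <registry>/<repo-name> from the single IMAGE_REGISTRY namespace variable, so this wording would be stale on merge; rewrite the comment around IMAGE_REGISTRY instead, e.g. `# Set the IMAGE_REGISTRY repository variable to override the ghcr.io/<owner> namespace.` Separately, a comment only documents the ghcr.io-only constraint: since the login step is hardcoded to ghcr.io, a value on another host would still build and then fail at push and attestation time, so add a fail-fast check in the resolution step (refuse a resolved value that does not start with `ghcr.io/`) rather than relying on the comment.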

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 5b3d75ad-b0ce-46b0-838a-32a095691647

📥 Commits

Reviewing files that changed from the base of the PR and between ef04cc3 and 8ea6dba.

📒 Files selected for processing (4)
  • .github/workflows/publish-webapp.yml
  • .github/workflows/publish-worker-v4.yml
  • .github/workflows/publish-worker.yml
  • .github/workflows/publish.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (javascript-typescript)
🧰 Additional context used
🧠 Learnings (4)
📓 Common learnings
Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 1306
File: .github/actions/get-image-tag/action.yml:51-62
Timestamp: 2024-10-12T01:08:24.066Z
Learning: In the 'get-image-tag' GitHub Action, prefer dependent workflows to fail immediately when the tag is invalid, without outputting the validity status as an output.
Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 1306
File: .github/actions/get-image-tag/action.yml:51-62
Timestamp: 2024-09-23T12:51:42.019Z
Learning: In the 'get-image-tag' GitHub Action, prefer dependent workflows to fail immediately when the tag is invalid, without outputting the validity status as an output.
📚 Learning: 2026-03-02T12:43:34.140Z
Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: packages/cli-v3/CLAUDE.md:0-0
Timestamp: 2026-03-02T12:43:34.140Z
Learning: Applies to packages/cli-v3/src/deploy/buildImage.ts : Build Docker images using `src/deploy/buildImage.ts` for local Docker/Depot or remote builds

Applied to files:

  • .github/workflows/publish-worker.yml
  • .github/workflows/publish.yml
  • .github/workflows/publish-webapp.yml
📚 Learning: 2024-10-12T01:08:24.066Z
Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 1306
File: .github/actions/get-image-tag/action.yml:51-62
Timestamp: 2024-10-12T01:08:24.066Z
Learning: In the 'get-image-tag' GitHub Action, prefer dependent workflows to fail immediately when the tag is invalid, without outputting the validity status as an output.

Applied to files:

  • .github/workflows/publish-worker-v4.yml
  • .github/workflows/publish-webapp.yml
📚 Learning: 2026-05-12T14:13:17.114Z
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3561
File: .claude/scripts/check-review-md.sh:76-79
Timestamp: 2026-05-12T14:13:17.114Z
Learning: In the triggerdotdev/trigger.dev repository, `.claude/REVIEW.md` drift/audit checking is handled by an LLM-based workflow using `anthropics/claude-code-action` (mirroring `.github/workflows/claude-md-audit.yml`), not a static bash script. The LLM audit catches semantic drift, stale references, contradictions, and missing/obsolete rules — not just deleted paths. The bash script `.claude/scripts/check-review-md.sh` was dropped in favor of this approach.

Applied to files:

  • .github/workflows/publish.yml
🔇 Additional comments (5)
.github/workflows/publish-worker-v4.yml (1)

68-71: LGTM!

Also applies to: 76-76

.github/workflows/publish-worker.yml (1)

86-89: LGTM!

.github/workflows/publish-webapp.yml (2)

24-26: LGTM!

Also applies to: 39-39


68-81: LGTM!

Also applies to: 134-134

.github/workflows/publish.yml (1)

109-109: LGTM!

@d-cs d-cs marked this pull request as ready for review June 8, 2026 12:12
devin-ai-integration[bot]

This comment was marked as resolved.

Mirror the webapp's fork-friendly default in the worker publish workflows:
default the image namespace to ghcr.io/<owner> instead of the hardcoded
ghcr.io/triggerdotdev. Upstream resolves byte-identically (owner is
triggerdotdev), while forks now publish worker images to their own
namespace with no IMAGE_REGISTRY config, matching publish-webapp.yml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@d-cs
Collaborator Author

d-cs commented Jun 8, 2026

Addressed the asymmetry @devin-ai-integration flagged in 7645e6d: the worker workflows (publish-worker.yml, publish-worker-v4.yml) now default the namespace to format('ghcr.io/{0}', github.repository_owner) instead of the hardcoded ghcr.io/triggerdotdev, mirroring the webapp's fork-friendly default. Upstream resolves byte-identically (owner is triggerdotdev), so forks now get zero-config worker publishing too.

Comment thread .github/workflows/publish.yml
Per review feedback, resolve the target container registry namespace a
single time in publish.yml (the orchestration workflow) and pass it down
to every publish job as an image_registry input, rather than each child
workflow independently computing the default.

This also unifies on one override variable: webapp and workers now both
key off IMAGE_REGISTRY (a namespace, e.g. ghcr.io/<owner>), with the
webapp image living at <registry>/<repo-name>. The separate
WEBAPP_IMAGE_REPO variable is dropped, removing the prior asymmetry
between a full-path override for the webapp and a namespace override for
workers.

Children keep the vars.IMAGE_REGISTRY || ghcr.io/<owner> fallback so the
worker workflows still resolve correctly on their direct push triggers.
Upstream defaults are byte-identical (owner is triggerdotdev).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@d-cs d-cs requested a review from myftija June 8, 2026 13:12
d-cs and others added 4 commits June 8, 2026 16:37
Drop the resolve-registry job to avoid its runner startup cost. GitHub
doesn't expose the env context to a reusable workflow's with: block, so
inline the resolution expression directly in each publish job's
image_registry input instead. Behavior and upstream defaults unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Define the registry-resolution expression once on publish-webapp via a
YAML anchor (&image_registry) and reuse it in the worker jobs via aliases
(*image_registry). GitHub Actions has supported YAML anchors since
2025-09-18, so this gives a single source of truth without the runner
startup cost of a dedicated resolve job. Resolved value is unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop the YAML anchor in favor of writing the registry-resolution
expression explicitly in all three publish jobs. No job, no anchor, no
runner startup; the expression is identical across the three. Resolved
value unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@pkg-pr-new

pkg-pr-new Bot commented Jun 8, 2026

Open in StackBlitz

@trigger.dev/build

npm i https://pkg.pr.new/@trigger.dev/build@d8b0738

trigger.dev

npm i https://pkg.pr.new/trigger.dev@d8b0738

@trigger.dev/core

npm i https://pkg.pr.new/@trigger.dev/core@d8b0738

@trigger.dev/plugins

npm i https://pkg.pr.new/@trigger.dev/plugins@d8b0738

@trigger.dev/python

npm i https://pkg.pr.new/@trigger.dev/python@d8b0738

@trigger.dev/react-hooks

npm i https://pkg.pr.new/@trigger.dev/react-hooks@d8b0738

@trigger.dev/redis-worker

npm i https://pkg.pr.new/@trigger.dev/redis-worker@d8b0738

@trigger.dev/rsc

npm i https://pkg.pr.new/@trigger.dev/rsc@d8b0738

@trigger.dev/schema-to-json

npm i https://pkg.pr.new/@trigger.dev/schema-to-json@d8b0738

@trigger.dev/sdk

npm i https://pkg.pr.new/@trigger.dev/sdk@d8b0738

commit: d8b0738

2 participants