feat: update the docker build workflow based on updates from celestia

[MSevey]

Overview

This PR brings in the updated docker build CI from celestia.
It also adds a simple docker file so that this repo can actively test the workflow like it does in celestia.
This branch was testing and validated with rollkit/local-da#21

Summary by CodeRabbit

• New Features

  • Introduced a new workflow for testing the Dockerfile pipeline.
  • Added a Dockerfile for building a containerized Go application.
  • Added a Go module and a simple Go application for testing Docker actions.

• Improvements

  • Updated environment variable handling and build conditions in the Dockerfile pipeline to enhance build logic and registry configuration.

[coderabbitai]

Walkthrough

Recent modifications streamline the Docker image build pipeline by introducing logical checks for PRs, merges, and forks, along with enhanced registry handling. The updates also involve new multi-stage Dockerfile integration for a Go application, complemented by support for Go module management and a simple Go program for testing. This ensures a more efficient and conditional CI/CD workflow tailored to specific triggers and configurations.

Changes

Files	Change Summary
.github/.../reusable_dockerfile_pipeline.yml	Updated env variable names, setting logic, and conditions for building & pushing Docker images
.github/.../dockerfile_workflow_test.yaml	Introduced a workflow to test the reusable Dockerfile pipeline action on pushes and pull requests
docker-action-test/Dockerfile	Added a multi-stage Docker build for creating a Go application environment
docker-action-test/go.mod	Added Go module declaration for the project with Go version 1.21
docker-action-test/main.go	Introduced a simple Go program printing "Docker CICD! ⚙️" to the console

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub
    participant WF as Workflow
    participant DK as Docker Registry

    Dev->>GH: Push code/PR
    GH->>WF: Trigger reusable_dockerfile_pipeline
    WF->>WF: Prepare Environment
    Note right of WF: Set environment variables <br>and build triggers
    opt Build Condition Met
        WF->>DK: Authenticate
        WF->>WF: Build Docker Image
        WF->>DK: Push Docker Image
    end

Loading

Poem

In the world of code, where changes flow,
Our Docker dance begins to glow.
With logic clear and triggers set,
Our containers build without a fret.
Go modules rise, a test so neat,
Docker CICD – what a treat! 🌟🚀

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between a5a6889 and 5727092.

Files selected for processing (1)

• .github/workflows/reusable_dockerfile_pipeline.yml (3 hunks)

Additional comments not posted (4)

.github/workflows/reusable_dockerfile_pipeline.yml (4)

15-19: Approved changes to environment variables and added input for Docker context.

The renaming of REGISTRY to GITHUB_REG aligns with the use of GitHub's container registry, and the addition of the dockerContext input enhances flexibility in specifying the Docker context.

Also applies to: 22-22

---

30-35: Validate new outputs in the prepare-env job.

The added outputs are essential for controlling the build process based on the context (PR, merge, fork). Ensure the expressions used are secure and correctly formatted.

Verification successful

---

Validate new outputs in the prepare-env job.

The added outputs (repo_owner, build_for_pr, build_for_merge, not_a_fork) are correctly formatted and secure. They reference outputs from previous steps, which is standard practice in GitHub Actions workflows.

• .github/workflows/reusable_dockerfile_pipeline.yml:
  • repo_owner: ${{ steps.setting_env.outputs.repo_owner }}
  • build_for_pr: ${{ steps.setting_logic.outputs.build_for_pr }}
  • build_for_merge: ${{ steps.setting_logic.outputs.build_for_merge }}
  • not_a_fork: ${{ steps.setting_logic.outputs.not_a_fork }}

Scripts executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Description: Verify the security and correctness of the new output expressions.

# Test: Check for potential command injection vulnerabilities.
ast-grep --lang yaml --pattern $'outputs:
  $$$
  build_for_pr: $_
  build_for_merge: $_
  not_a_fork: $_
  $$$'

Length of output: 222

---

---

Script:

#!/bin/bash
# Description: Verify the security and correctness of the new output expressions.

# Locate the lines defining the outputs in the YAML file.
rg 'outputs:' -A 10 .github/workflows/reusable_dockerfile_pipeline.yml

Length of output: 558

---

145-158: Ensure secure practices in Docker actions within the docker-security job.

The use of Docker actions requires careful handling of secrets and environment variables to prevent leakage or unauthorized access.

Verification successful

---

Verified secure practices in Docker actions within the docker-security job.

The environment variables used in the docker-security job are appropriately sourced from the outputs of the prepare-env job and inputs, with no direct handling of secrets in this snippet. However, ensure that the handling of outputs and inputs in their respective jobs is secure.

• Verify the secure handling of outputs and inputs in the prepare-env job and the inputs used in the docker-security job.

Scripts executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Description: Verify secure practices in Docker actions.

# Test: Check for potential security issues in handling secrets and environment variables.
ast-grep --lang yaml --pattern $'jobs:
  docker-security:
    $$$
    uses: docker/build-push-action@$_
    $$$'

Length of output: 222

---

---

Script:

#!/bin/bash
# Description: Verify secure practices in Docker actions in the 'docker-security' job.

# Test: Check for potential security issues in handling secrets and environment variables.
rg -A 5 'docker/build-push-action' .github/workflows/reusable_dockerfile_pipeline.yml

Length of output: 910

---

Line range hint 183-307: Review conditions and configurations in the docker-build job.

This job's configurations and conditions are complex, involving multiple registries and build flags. Ensure these are set up correctly to prevent unauthorized actions or errors during the build process.

Verification successful

Let's gather the necessary information to verify the conditions and configurations in the docker-build job using rg.

---

Let's refine our search pattern and increase the context lines to capture the entire docker-build job configuration.

---

Let's verify the existence of the reusable_dockerfile_pipeline.yml file and ensure the pattern is accurate.

---

Let's refine our search pattern to ensure we capture the relevant information for the docker-build job.

---

Review conditions and configurations in the docker-build job.

The configurations and conditions for the docker-build job in the reusable_dockerfile_pipeline.yml file appear to be correctly set up to handle different scenarios based on the build flags and registry configurations. The conditions and permissions are appropriately defined to ensure that the job runs only when necessary and with the required permissions.

• The if condition ensures the job runs only when one of the build flags is true.
• The strategy matrix includes configurations for different registries with appropriate settings for run-on-pr.
• The steps within the job are gated by checks to ensure they run only when needed.

Summary of key configurations:

• Job Name and Conditions: The job name dynamically includes registry details, and the if condition checks the build flags.
• Permissions: The job requests write permissions for contents and packages.
• Strategy and Matrix: The matrix defines different registries and their configurations.
• Steps: Each step includes conditions to run only when necessary, ensuring secure and efficient execution.

Scripts executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Description: Verify conditions and configurations in the `docker-build` job.

# Test: Check for misconfigurations or potential errors in conditions.
ast-grep --lang yaml --pattern $'jobs:
  docker-build:
    $$$
    if: $_
    $$$'

Length of output: 192

---

---

Script:

#!/bin/bash
# Description: Verify conditions and configurations in the `docker-build` job using ripgrep.

# Search for the `docker-build` job and its conditions in the reusable_dockerfile_pipeline.yml file.
rg -A 20 'jobs:\s*docker-build:' .github/workflows/reusable_dockerfile_pipeline.yml

Length of output: 85

---

---

Script:

#!/bin/bash
# Description: Verify conditions and configurations in the `docker-build` job using ripgrep.

# Search for the `docker-build` job and its conditions in the reusable_dockerfile_pipeline.yml file.
rg -A 50 'jobs:\s*docker-build:' .github/workflows/reusable_dockerfile_pipeline.yml

Length of output: 85

---

---

Script:

#!/bin/bash
# Description: Verify the existence of the reusable_dockerfile_pipeline.yml file and search for the docker-build job.

# Verify the existence of the reusable_dockerfile_pipeline.yml file
fd reusable_dockerfile_pipeline.yml

# If the file exists, search for the docker-build job and its conditions
if [ -f ".github/workflows/reusable_dockerfile_pipeline.yml" ]; then
  rg -A 50 'jobs:\s*docker-build:' .github/workflows/reusable_dockerfile_pipeline.yml
fi

Length of output: 187

---

---

Script:

#!/bin/bash
# Description: Verify conditions and configurations in the `docker-build` job using ripgrep with refined search patterns.

# Search for the `jobs` section in the reusable_dockerfile_pipeline.yml file.
rg -A 100 'jobs:' .github/workflows/reusable_dockerfile_pipeline.yml

# Search for the `docker-build` job within the `jobs` section.
rg -A 50 'docker-build:' .github/workflows/reusable_dockerfile_pipeline.yml

Length of output: 7413

[coderabbitai]

Actionable comments posted: 1

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 5727092 and 7840030.

Files selected for processing (4)

• .github/workflows/dockerfile_workflow_test.yaml (1 hunks)
• docker-action-test/Dockerfile (1 hunks)
• docker-action-test/go.mod (1 hunks)
• docker-action-test/main.go (1 hunks)

Files skipped from review due to trivial changes (2)

• docker-action-test/go.mod
• docker-action-test/main.go

Additional context used

Hadolint

docker-action-test/Dockerfile

[error] 9-9: Use COPY instead of ADD for files and folders (DL3020)

---

[warning] 17-17: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version> (DL3018)

---

[warning] 18-18: COPY to a relative destination without WORKDIR set. (DL3045)

Additional comments not posted (4)

docker-action-test/Dockerfile (2)

17-17: Pin versions in apk add to ensure reproducibility.

Using specific versions for packages installed via apk add ensures that builds are reproducible and avoids potential issues with updated packages.

- RUN apk update && apk add --no-cache bash curl jq
+ RUN apk update && apk add --no-cache bash=5.1.16-r0 curl=7.79.1-r0 jq=1.6-r1

Tools

Hadolint

[warning] 17-17: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version> (DL3018)

---

18-18: Set a specific WORKDIR before COPY to ensure clarity.

The COPY command should have a clear destination set by WORKDIR to avoid ambiguity.

+ WORKDIR /app
  COPY --from=builder /app/main .

Tools

Hadolint

[warning] 18-18: COPY to a relative destination without WORKDIR set. (DL3045)

.github/workflows/dockerfile_workflow_test.yaml (2)

18-18: Ensure versioning in GitHub Actions to avoid unexpected changes.

Using a specific version or commit hash for GitHub Actions ensures that the workflow is stable and prevents breaking changes from affecting the build process unexpectedly.

- uses: rollkit/.github/.github/workflows/reusable_dockerfile_pipeline.yml@develop
+ uses: rollkit/.github/.github/workflows/reusable_dockerfile_pipeline.yml@v1.0.0  # Assuming v1.0.0 is the latest stable version

Also applies to: 30-30

---

20-20: Clarify the use of Dockerfile paths in the workflow.

Ensure that the path to the Dockerfile is correct and accessible from the workflow context. This helps avoid path-related errors during the build process.

Also applies to: 32-32

Verification successful

---

Dockerfile path is correct and accessible.

• The Dockerfile exists at the specified path (./docker-action-test/Dockerfile), confirming its correctness and accessibility from the workflow context.

Scripts executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Description: Verify the Dockerfile path.

# Test: Check if the Dockerfile exists at the specified path. Expect: The file should exist.
if [ -f ./docker-action-test/Dockerfile ]; then
    echo "Dockerfile path is correct."
else
    echo "Dockerfile path is incorrect."
fi

Length of output: 109

[tuxcanfly]

OK.

[yarikbratashchuk]

haha, too late :)