ci: auto-build the backend Docker image and publish it to GHCR (#106) #190
Closes #106
- Add .github/workflows/docker-publish.yml to auto-build and push backend Docker image to ghcr.io on main push and version tags
- Update docker-compose.yml to pull from ghcr.io by default
- Update DOCKER.md with Quick Start section for pre-built images
- Update README.md and README_zh.md with ghcr.io pull instructions
Walkthrough
Adds a GitHub Actions workflow that builds and pushes the server Docker image to GHCR, switches docker-compose to reference the pre-built GHCR backend image, and updates DOCKER.md and README (EN/ZH) with pull, run, .env, and stopping guidance for using pre-built images.

```mermaid
sequenceDiagram
    participant GitHubActions
    participant DockerBuildx
    participant GHCR
    participant User
    GitHubActions->>DockerBuildx: build ./server using buildx
    DockerBuildx->>GHCR: push image + tags (semver / latest / sha)
    User->>GHCR: docker pull ghcr.io/amintacccp/github-stars-manager-server:latest
```
Actionable comments posted: 2
Nitpick comments (1)
docker-compose.yml (1)
Lines 13-15: Quick win: avoid hard-coding the mutable `latest` tag for the backend image.
Using `:latest` in compose makes deployments non-reproducible and can cause surprise upgrades. Prefer a pinned version/digest with an env override. Suggested change:
```diff
- image: ghcr.io/amintacccp/github-stars-manager-server:latest
+ image: ghcr.io/amintacccp/github-stars-manager-server:${BACKEND_IMAGE_TAG:-v0.6.2}
```
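Review bot: the `${BACKEND_IMAGE_TAG:-v0.6.2}` default pins a tag, not an artifact; a registry tag can be re-pushed, so on its own it does not give the reproducibility the comment asks for. For a pin that cannot drift, default to a digest reference (`image: ghcr.io/amintacccp/github-stars-manager-server@sha256:<digest>`) and keep `BACKEND_IMAGE_TAG` as the explicit override, and document the variable in .env as the comment suggests.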
Inline comments:

In @.github/workflows/docker-publish.yml:
- Line 22: Update the checkout step and other `uses:` entries to pin to audited commit SHAs instead of tags and disable credential persistence: replace `actions/checkout@v6` with its specific commit SHA for the release you rely on and add `persist-credentials: false` to that checkout step; do the same SHA pinning for any other `uses:` actions in the workflow to harden supply-chain integrity and avoid leaving Git credentials in the runner.

In `@DOCKER.md`:
- Around lines 10-28: Add a short prerequisite note to the "Quick Start (Using Pre-built Images from GHCR)" section explaining that if the GHCR package is private, users must authenticate before pulling images; update the text around the docker pull/docker-compose up commands to mention running `docker login ghcr.io` (or equivalent GHCR auth) when images are not public, and ensure the README variants stay consistent with this note so users know to authenticate before attempting to pull.
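The two actionable findings above (tag-pinned `uses:` references and a checkout that keeps its credentials) and the `:latest` nitpick can be checked mechanically before a merge. This is an added example, not CodeRabbit's or the project's code: the workflow and compose fragments are constructed samples, and the all-zero SHA is a placeholder, not a real commit.

```shell
#!/bin/sh
# Constructed samples (not the project's real files) reproducing the three
# review findings: tag-pinned actions, a checkout that keeps its credentials,
# and a compose image on the mutable :latest tag.
WORKFLOW_BEFORE='steps:
  - uses: actions/checkout@v6
  - uses: docker/setup-buildx-action@v3
  - uses: docker/login-action@v3
  - uses: docker/build-push-action@v6'
# Hardened variant: full-SHA pins (all-zero placeholder, not a real commit)
# with the version kept as a comment, and credential persistence disabled.
SHA=0000000000000000000000000000000000000000
WORKFLOW_AFTER="steps:
  - uses: actions/checkout@$SHA # v6
    with:
      persist-credentials: false
  - uses: docker/build-push-action@$SHA # v6"
COMPOSE_BEFORE='services:
  backend:
    image: ghcr.io/amintacccp/github-stars-manager-server:latest'
COMPOSE_AFTER='services:
  backend:
    image: ghcr.io/amintacccp/github-stars-manager-server:${BACKEND_IMAGE_TAG:-v0.6.2}'

# Print every `uses:` reference that is not pinned to a 40-hex commit SHA.
unpinned_actions() {
  printf '%s\n' "$1" | grep 'uses:' | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' |
    sed -E 's/.*uses:[[:space:]]*//'
}

# Count checkout steps whose `with:` block lacks `persist-credentials: false`.
checkouts_keeping_credentials() {
  printf '%s\n' "$1" | awk '
    /actions\/checkout@/ { if (inchk && !ok) n++; inchk = 1; ok = 0; next }
    inchk && /^[[:space:]]*- / { if (!ok) n++; inchk = 0 }
    inchk && /persist-credentials:[[:space:]]*false/ { ok = 1 }
    END { if (inchk && !ok) n++; print n + 0 }'
}

# Exit 0 when any compose image reference ends in the mutable :latest tag.
compose_uses_latest() {
  printf '%s\n' "$1" | grep -qE 'image:.*:latest[[:space:]]*$'
}

# Stand-alone run: report the findings for the "before" files.
unpinned_actions "$WORKFLOW_BEFORE"
echo "checkouts keeping credentials: $(checkouts_keeping_credentials "$WORKFLOW_BEFORE")"
compose_uses_latest "$COMPOSE_BEFORE" && echo 'compose pins the mutable :latest tag'
```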
- DOCKER.md: add standalone backend docker run section with env var table
- README.md: add backend-only docker run examples
- README_zh.md: sync Chinese docs
- docker-compose.yml: use env var override for image tag instead of hard-coded :latest
- docker-publish.yml: add persist-credentials: false to checkout step
- DOCKER.md: add GHCR authentication note and BACKEND_IMAGE_TAG docs
- README.md/README_zh.md: add .env example with BACKEND_IMAGE_TAG
Duplicate comments (1)
DOCKER.md (1)
Lines 10-19: Potential issue | Major | Quick win: add a GHCR auth prerequisite to Quick Start to prevent pull failures.
Lines 10-19 should include a short prerequisite note: if the package is not public, users must run `docker login ghcr.io` before `docker-compose up -d` / `docker pull`; otherwise first-run onboarding can fail unexpectedly.
- Document both edit-in-place and override file approaches
- Add warning not to commit override file to git
- docker-publish.yml: pin all 5 actions to commit SHAs with version comments
- README.md: add GHCR auth note for private packages
- README_zh.md: add GHCR auth note for private packages

Addresses CodeRabbit review: supply-chain hardening and doc consistency
Overview
Resolves #106: automatically build the backend Docker image and publish it to the GitHub Container Registry (ghcr.io), so users can pull and use it directly without building locally.

Changes
Added
- `.github/workflows/docker-publish.yml`
  - push to `main` → automatically builds and pushes the `latest` tag
  - `v*` tags → automatically generate semantic version tags (`v1.2.3`, `1.2.3`, `1.2`, `1`)
  - `sha-<commit>` tag for traceability
  - authenticates with `GITHUB_TOKEN`; no extra Secrets to configure

Updated
- `docker-compose.yml` now pulls from `ghcr.io/amintacccp/github-stars-manager-server:latest`

Updated documentation
- `DOCKER.md`: new Quick Start section
- `README.md` / `README_zh.md`: added ghcr.io pull command

Usage
Before the first run after merging, set the image visibility to Public under repo → Settings → Packages; otherwise users must first run `docker login ghcr.io`.
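The tagging scheme laid out in the description above, as an added example (not the PR's workflow file): a POSIX shell function that derives the full tag set from a git ref and commit SHA. The 7-character short commit for `sha-` tags and the skipping of floating major/minor tags for pre-release versions are assumptions about the metadata step, not something the PR states.

```shell
#!/bin/sh
# Added example, not the PR's workflow: derive the tag set described above from
# a git ref plus commit SHA, the way the workflow's metadata step would.
# Assumptions: `sha-` tags use the 7-char short commit, and floating
# major/minor tags are skipped for pre-release versions (e.g. v2.0.0-rc1).
IMAGE=ghcr.io/amintacccp/github-stars-manager-server

# image_tags REF FULL_SHA -> prints one fully qualified image reference per line
image_tags() {
  ref=$1
  short=$(printf '%s' "$2" | cut -c1-7)
  case $ref in
    refs/heads/main)
      echo "$IMAGE:latest" ;;
    refs/tags/v*)
      ver=${ref#refs/tags/v}
      printf '%s' "$ver" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$' ||
        { echo "not a semver tag: $ref" >&2; return 1; }
      echo "$IMAGE:v$ver"                 # v1.2.3
      echo "$IMAGE:$ver"                  # 1.2.3
      case $ver in
        *-*) ;;                           # pre-release: no floating tags
        *) echo "$IMAGE:${ver%.*}"        # 1.2
           echo "$IMAGE:${ver%%.*}" ;;    # 1
      esac ;;
    *)
      echo "no image is published for $ref" >&2; return 1 ;;
  esac
  echo "$IMAGE:sha-$short"                # traceability tag, always added
}

# Stand-alone run with an all-zero placeholder commit (not a real SHA).
image_tags refs/tags/v1.2.3 0000000000000000000000000000000000000000
```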