Add Docker build workflow#98
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds three new GitHub Actions workflows (.github/workflows/docker-build.yml, .github/workflows/docker-build-mcp-sse-server.yml, .github/workflows/docker-build-mcp-sse-server-tags.yml) to build multi-arch Docker images with Buildx, compute tag metadata, conditionally log into ghcr.io, push non-PR builds, and generate provenance attestations; triggers include pushes to main, v* tags, PRs to main, and manual dispatch. Changes
Sequence Diagram(s)sequenceDiagram
participant Dev as Developer
participant GH as GitHub Actions
participant Runner as Runner / Buildx
participant Registry as ghcr.io
Dev->>GH: push to main / push v* tag / open PR / workflow_dispatch
GH->>Runner: checkout repo & setup buildx
Runner->>Runner: compute tag metadata (branch/PR/semver/sha/latest/custom)
alt PR run
Runner->>Runner: build image (no push), output digest/tags
Runner-->>GH: emit build outputs
else non-PR run (branch or manual)
Runner->>Registry: login to ghcr.io
Runner->>Runner: build multi-arch images with cache (linux/amd64, linux/arm64)
Runner->>Registry: push images & manifest
Runner->>Runner: create provenance attestation
Runner-->>GH: emit image digest and computed tags
end
alt tag push (v* tag)
Runner->>Registry: login to ghcr.io
Runner->>Runner: build & push semver-derived tags and labels
Runner->>Runner: generate and push attestation
Runner-->>GH: emit digest and tags
end
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes 🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
🧹 Nitpick comments (2)
.github/workflows/docker-build.yml (2)
52-57: Consider conditionalizing the login step for efficiency.The login step runs unconditionally, but it's not needed for PRs since push is disabled. While not a security concern, adding a condition would avoid unnecessary authentication attempts on PR builds.
💡 Proposed improvement
- name: Log in to Container Registry + if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }}🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/docker-build.yml around lines 52 - 57, The "Log in to Container Registry" step (uses: docker/login-action@v3) runs on every workflow run but isn't needed for PRs; add a conditional to that step (e.g., set an if condition such as github.event_name != 'pull_request' or github.event_name == 'push') so the docker/login-action only executes for non-PR runs (pushs or dispatches), preventing unnecessary authentication attempts.
74-84: Consider addinglinux/arm64platform support if targeting ARM-based systems.The build configuration is correct using
docker/build-push-action@v6(current as of Feb 2026) with proper push conditions and GHA caching. If this image will run on ARM systems (e.g., Apple Silicon, ARM servers), addlinux/arm64to theplatformslist for broader compatibility.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/docker-build.yml around lines 74 - 84, The Docker build step (step name "Build and push Docker image", id "push" using docker/build-push-action@v6) currently sets platforms: linux/amd64 only; update the step's with: platforms value to include linux/arm64 (e.g., "linux/amd64,linux/arm64") so the action builds multi-arch images for ARM-based systems and AMD64, keeping existing push, tags, labels, and cache settings unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In @.github/workflows/docker-build.yml:
- Around line 52-57: The "Log in to Container Registry" step (uses:
docker/login-action@v3) runs on every workflow run but isn't needed for PRs; add
a conditional to that step (e.g., set an if condition such as github.event_name
!= 'pull_request' or github.event_name == 'push') so the docker/login-action
only executes for non-PR runs (pushs or dispatches), preventing unnecessary
authentication attempts.
- Around line 74-84: The Docker build step (step name "Build and push Docker
image", id "push" using docker/build-push-action@v6) currently sets platforms:
linux/amd64 only; update the step's with: platforms value to include linux/arm64
(e.g., "linux/amd64,linux/arm64") so the action builds multi-arch images for
ARM-based systems and AMD64, keeping existing push, tags, labels, and cache
settings unchanged.
There was a problem hiding this comment.
🧹 Nitpick comments (2)
.github/workflows/docker-build.yml (2)
19-24: Consider adding the workflow file to the path filter for self-testing.When this workflow file itself is modified in a PR, the workflow won't trigger since
.github/workflows/docker-build.ymlisn't in thepathsfilter. Adding it would allow validating workflow syntax changes in PRs.💡 Suggested change
pull_request: branches: [main] paths: - Dockerfile - requirements.txt - "**.py" + - ".github/workflows/docker-build.yml"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/docker-build.yml around lines 19 - 24, Update the pull_request paths filter so the workflow triggers when its own file changes: inside the pull_request block update the paths array (the current paths list under pull_request) to include ".github/workflows/docker-build.yml" in addition to "Dockerfile", "requirements.txt", and "**.py" so edits to the workflow file itself will run the workflow for PR validation.
71-71: Consider adding a prefix to the SHA tag for clarity.The SHA tag is generated without a prefix, resulting in tags like
abc1234. Adding asha-prefix (e.g.,sha-abc1234) would make it clearer that this is a commit reference rather than a version number.💡 Suggested change
- type=sha,prefix=,suffix=,format=short + type=sha,prefix=sha-,suffix=,format=short🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/docker-build.yml at line 71, Update the tag generation line that currently reads "type=sha,prefix=,suffix=,format=short" to include a meaningful prefix so SHA tags become "sha-<sha>"; specifically change the prefix value to "sha-" (i.e., "type=sha,prefix=sha-,suffix=,format=short") so that the generated tag clearly indicates a commit SHA.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In @.github/workflows/docker-build.yml:
- Around line 19-24: Update the pull_request paths filter so the workflow
triggers when its own file changes: inside the pull_request block update the
paths array (the current paths list under pull_request) to include
".github/workflows/docker-build.yml" in addition to "Dockerfile",
"requirements.txt", and "**.py" so edits to the workflow file itself will run
the workflow for PR validation.
- Line 71: Update the tag generation line that currently reads
"type=sha,prefix=,suffix=,format=short" to include a meaningful prefix so SHA
tags become "sha-<sha>"; specifically change the prefix value to "sha-" (i.e.,
"type=sha,prefix=sha-,suffix=,format=short") so that the generated tag clearly
indicates a commit SHA.
Add GitHub Actions workflow to build and push mcp-sse-server Docker image to GHCR. Triggered on changes to mcp-sse-server/** directory. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/docker-build-mcp-sse-server.yml (1)
49-92: Pin all GitHub Actions to commit SHAs instead of floating version tags.Using floating tags (
@v4,@v3, etc.) across all workflows allows upstream tag drift and increases supply-chain risk. Pin each action to a specific commit SHA for immutability and reproducibility. This applies to all five workflow files (backup.yml, ci.yml, docker-build-mcp-sse-server.yml, docker-build.yml, and release-please.yml).🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/docker-build-mcp-sse-server.yml around lines 49 - 92, The workflow uses floating action tags (actions/checkout@v4, docker/setup-buildx-action@v3, docker/login-action@v3, docker/metadata-action@v5, docker/build-push-action@v6, actions/attest-build-provenance@v2) which must be pinned to specific commit SHAs; replace each uses: owner/action@tag entry with the corresponding owner/action@<commit-sha> for the exact release you want to lock, verify the SHAs from each action's GitHub repo, and apply the same SHA-pinning pattern across the other workflows mentioned (backup.yml, ci.yml, docker-build.yml, release-please.yml) to ensure immutability and reproducibility.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/docker-build-mcp-sse-server.yml:
- Around line 41-45: The workflow grants overly broad permissions under the
permissions block (packages: write, attestations: write, id-token: write) for
all events; change it so the PR/build job uses least privilege (e.g., keep
contents: read and remove packages/attestations/id-token writes) and create a
separate non-PR publish/attest job that runs on push/tags with elevated
permissions (add packages: write, attestations: write, id-token: write) and
which contains the publish and attest steps referenced in the workflow; update
job triggers so publish/attest only run on non-pull_request events and ensure
the original build job retains only the minimal permissions it needs.
- Around line 16-21: The current workflow mixes push.tags and push.paths which
is ineffective because GitHub Actions ignores paths for tag events; update by
splitting tag-based triggers into a separate workflow (or remove push.tags
here): keep this workflow's push.block with branches and push.paths (remove
push.tags), and create a new workflow that uses push.tags: ["v*"] alone (or with
its own logic) so tag pushes run independently; reference the push.tags and
push.paths entries to locate and modify the trigger blocks and ensure the tag
workflow is scoped appropriately (or add conditional checks if you prefer a
single workflow).
---
Nitpick comments:
In @.github/workflows/docker-build-mcp-sse-server.yml:
- Around line 49-92: The workflow uses floating action tags
(actions/checkout@v4, docker/setup-buildx-action@v3, docker/login-action@v3,
docker/metadata-action@v5, docker/build-push-action@v6,
actions/attest-build-provenance@v2) which must be pinned to specific commit
SHAs; replace each uses: owner/action@tag entry with the corresponding
owner/action@<commit-sha> for the exact release you want to lock, verify the
SHAs from each action's GitHub repo, and apply the same SHA-pinning pattern
across the other workflows mentioned (backup.yml, ci.yml, docker-build.yml,
release-please.yml) to ensure immutability and reproducibility.
- Split push.tags into separate workflow (tags ignore paths filters) - Separate build (PR) and publish (non-PR) jobs with least privilege - Build job: contents:read only, no push - Publish job: elevated permissions for GHCR push and attestation Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/docker-build-mcp-sse-server-tags.yml:
- Around line 9-14: The workflow can produce stale mutable tags when multiple
tag-triggered runs overlap; add a top-level concurrency block to serialize tag
publish runs by inserting concurrency: with a stable group name (e.g., group:
"docker-build-mcp-sse-server-tags") and cancel-in-progress: false so runs are
queued rather than racing; update the workflow named "Docker Build (MCP SSE
Server - Tags)" to include this concurrency stanza so the tag publish steps
cannot overlap and overwrite newer aliases.
In @.github/workflows/docker-build-mcp-sse-server.yml:
- Around line 13-26: Add GitHub Actions concurrency to the workflow named
"Docker Build (MCP SSE Server)" to serialize runs that could push mutable tags
(e.g., latest/branch) and cancel in-progress duplicates; specifically, add a
top-level concurrency block (e.g., concurrency: { group:
"docker-build-mcp-sse-server-${{ github.ref }}", cancel-in-progress: true }) so
runs for the same branch/ref are serialized and any older in-flight run is
cancelled to prevent out-of-order publishing.
ℹ️ Review info
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
.github/workflows/docker-build-mcp-sse-server-tags.yml.github/workflows/docker-build-mcp-sse-server.yml
- Tags workflow: serialize runs with cancel-in-progress: false to queue - Branch/PR workflow: cancel in-progress runs for same ref to save resources Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jack-arturo
left a comment
jack-arturo
left a comment
There was a problem hiding this comment.
Review: CI speed & trigger strategy
Thanks for putting this together @sakullla! The workflows are well-structured — good separation of concerns between the main app and mcp-sse-server, proper concurrency controls, and the build/publish split on the SSE workflow is solid.
A few changes to make this production-ready without burning excessive CI minutes:
1. Multi-arch builds are too slow for PRs and push-to-main
Building linux/amd64,linux/arm64 on GitHub's amd64 runners uses QEMU emulation for arm64. For a Python app with compiled dependencies, that's 20-40+ minutes per run. This should only happen when we're actually publishing an image (releases).
Proposed strategy:
| Trigger | Platforms | Push? | Rationale |
|---|---|---|---|
v* tags (releases) |
linux/amd64,linux/arm64 |
Yes | Published images need multi-arch |
Push to main |
linux/amd64 only |
No | Smoke test that image builds (~2 min) |
| PRs | linux/amd64 only |
No | Only validate Dockerfile changes |
workflow_dispatch |
linux/amd64,linux/arm64 |
Yes | Manual escape hatch |
2. PR path filter **.py is too broad
**.py matches every Python file in the repo, meaning the Docker build workflow fires on virtually every PR. Since we already have CI tests (make test, make lint), Docker validation on PR is only needed when the container definition itself changes.
Suggested PR paths:
paths:
- Dockerfile
- requirements.txt
- ".github/workflows/docker-build.yml"3. Push to main should also have a path filter
Currently, push to main has no path filter — every merge triggers a Docker build. Since we publish images on tags (via release-please), the push-to-main build is just a smoke test and should only run when container-relevant files change.
Suggested docker-build.yml:
name: Docker Build
on:
push:
branches: [main]
tags: ["v*"]
paths:
- Dockerfile
- requirements.txt
- ".github/workflows/docker-build.yml"
pull_request:
branches: [main]
paths:
- Dockerfile
- requirements.txt
- ".github/workflows/docker-build.yml"
workflow_dispatch:
inputs:
tag:
description: "Custom tag for the image (optional)"
required: false
default: ""
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
attestations: write
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha,prefix=sha-,suffix=,format=short
type=raw,value=latest,enable={{is_default_branch}}
type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }}
- name: Build and push Docker image
id: push
uses: docker/build-push-action@v6
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
# Multi-arch only for releases and manual dispatch; amd64-only otherwise
platforms: ${{ (startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch') && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
- name: Generate artifact attestation
if: github.event_name != 'pull_request'
uses: actions/attest-build-provenance@v2
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
- name: Print image digest
if: github.event_name != 'pull_request'
run: |
echo "Image pushed successfully!"
echo "Digest: ${{ steps.push.outputs.digest }}"
echo "Tags:"
echo "${{ steps.meta.outputs.tags }}"Key changes:
- Dynamic
platforms: Multi-arch only onv*tags andworkflow_dispatch; amd64-only for branch pushes and PRs - Path filter on push-to-main: Only triggers on Dockerfile/requirements.txt changes
- PR path filter tightened: Removed
**.py— Python changes don't need Docker validation
The same pattern should be applied to docker-build-mcp-sse-server.yml (dynamic platforms, and the build job should use amd64-only since it never pushes).
Happy to iterate on this!
Thanks for the detailed review — great points. Implemented in: What changed:
Please take another look when you have a moment — happy to adjust further. |
|
Thanks @sakullla ! I made one tiny follow-up so package-lock.json changes also trigger the SSE Docker smoke-build. Everything else looks good, shipping shortly in the next release 🙌 |
🤖 I have created a release *beep* *boop* --- ## [0.14.0](v0.13.0...v0.14.0) (2026-03-07) ### Features * **config:** add QDRANT_HOST + QDRANT_PORT as alternative to QDRANT_URL ([#112](#112)) ([0871904](0871904)) * **docker:** Add Docker build workflow ([#98](#98)) ([39bf6e7](39bf6e7)) ### Bug Fixes * **benchmarks:** handle possessive speaker names in LoCoMo ([#116](#116)) ([abcbcca](abcbcca)) * **consolidation:** reduce decay rate, add importance floor, filter archived memories ([#78](#78)) ([#105](#105)) ([3fce4ce](3fce4ce)) * handle smart apostrophes in recall entity extraction ([#115](#115)) ([05b4daa](05b4daa)) * harden MCP bridge resilience, adopt stateless transport, and update cross-client docs ([#114](#114)) ([ec88da6](ec88da6)) * **qdrant:** prevent silent vector dimension mismatch, set Voyage as recommended default ([#108](#108)) ([5f88105](5f88105)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Hi, |
|
Oops sorry @sakullla, the package was set to private by default -- just flipped it to public. ghcr.io/verygoodplugins/automem:0.14.0 should pull without auth now. Let me know if you hit anything else. |
This also doesn’t work on my side. Back-off pulling image "ghcr.io/verygoodplugins/automem/mcp-sse-server:0.14.0": ErrImagePull: failed to pull and unpack image "ghcr.io/verygoodplugins/automem/mcp-sse-server:0.14.0": failed to resolve reference "ghcr.io/verygoodplugins/automem/mcp-sse-server:0.14.0": failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://ghcr.io/token?scope=repository%3Averygoodplugins%2Fautomem%2Fmcp-sse-server%3Apull&service=ghcr.io: 401 Unauthorized |
|
Ok @sakullla sorry for the delay I got tripped up in blocker-hell trying to align docker, railway, github, and the new docs site. I think they're all in sync now. |
2 participants
Add Docker build workflow