Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull request overview
This pull request refactors the Docker build workflow to use a multi-step, digest-based approach for building multi-platform images. The workflow is split into three jobs: prepare (computes tags and build metadata), build (builds each platform in parallel), and merge (creates multi-platform manifest and pushes with tags).
Changes:
- Restructured workflow into three sequential jobs for better parallelization of platform builds
- Implemented digest-based builds with separate build jobs for linux/amd64 and linux/arm64 platforms
- Migrated from GITHUB_ENV to GITHUB_OUTPUT for passing data between steps (following GitHub Actions best practices)
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
Author
|
@sourcery-ai review |
Reviewer's GuideRefactors the Docker GitHub Actions workflow into a multi-job, multi-arch, digest-based build and manifest-merge pipeline, exposes build metadata via job outputs instead of env vars, and makes a minor formatting fix in Program.cs. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
- The image name
ghcr.io/cleanuparr/cleanuparris now defined both in theREGISTRY_IMAGEenv var and hard-coded when constructinggithubTags; consider switching the tag construction to useREGISTRY_IMAGEto avoid duplication and future drift. - The
pushdecision is currently computed inside the shell script using a GitHub expression (push="${{ github.event_name == 'pull_request' || inputs.push_docker == true }}"); it would be clearer and less error-prone to derive this as a pure workflow expression (e.g. a job-level output or env) rather than mixing template evaluation with bash.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The image name `ghcr.io/cleanuparr/cleanuparr` is now defined both in the `REGISTRY_IMAGE` env var and hard-coded when constructing `githubTags`; consider switching the tag construction to use `REGISTRY_IMAGE` to avoid duplication and future drift.
- The `push` decision is currently computed inside the shell script using a GitHub expression (`push="${{ github.event_name == 'pull_request' || inputs.push_docker == true }}"`); it would be clearer and less error-prone to derive this as a pure workflow expression (e.g. a job-level output or env) rather than mixing template evaluation with bash.
## Individual Comments
### Comment 1
<location path=".github/workflows/build-docker.yml" line_range="159" />
<code_context>
- uses: docker/setup-qemu-action@v3
-
- name: Login to GitHub Container Registry
+ if: needs.prepare.outputs.push == 'true'
uses: docker/login-action@v3
with:
</code_context>
<issue_to_address>
**🚨 issue (security):** Pushing images on pull_request events can fail or behave unexpectedly for forked PRs due to restricted GITHUB_TOKEN permissions.
Since `push` resolves to `true` for `pull_request` events, the `build`/`merge` jobs will try to push with the default GITHUB_TOKEN. For forked PRs this token is read‑only, so pushes will fail and can block the workflow. If forked PRs should run this workflow, consider narrowing the `push` condition (e.g. only on `push`/`workflow_dispatch`/internal PRs) or adding a check like `github.event.pull_request.head.repo.full_name == github.repository` before attempting to push.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Contributor
Author
|
@sourcery-ai review |
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
- The
pushflag is now computed inside the shell script viapush="${{ github.event_name == 'pull_request' || inputs.push_docker == true }}", which mixes GitHub expressions and bash; consider moving this logic back into the workflow YAML (e.g., as anoutputsexpression) so it remains purely declarative and easier to reason about. - In the
mergejob, the manifest creation step assumes thatprepare.outputs.tagsis non-empty; it may be worth guarding against an empty or malformed tags string (e.g., all whitespace or leading/trailing commas) to avoid creating a manifest with no valid tags.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The `push` flag is now computed inside the shell script via `push="${{ github.event_name == 'pull_request' || inputs.push_docker == true }}"`, which mixes GitHub expressions and bash; consider moving this logic back into the workflow YAML (e.g., as an `outputs` expression) so it remains purely declarative and easier to reason about.
- In the `merge` job, the manifest creation step assumes that `prepare.outputs.tags` is non-empty; it may be worth guarding against an empty or malformed tags string (e.g., all whitespace or leading/trailing commas) to avoid creating a manifest with no valid tags.
## Individual Comments
### Comment 1
<location path=".github/workflows/build-docker.yml" line_range="95-97" />
<code_context>
githubTags=""
-
if [ -n "$latestDockerTag" ]; then
githubTags="$githubTags,ghcr.io/cleanuparr/cleanuparr:$latestDockerTag"
fi
</code_context>
<issue_to_address>
**suggestion:** Consider using REGISTRY_IMAGE env var instead of hardcoding the image name in multiple places.
`REGISTRY_IMAGE` is defined as `ghcr.io/cleanuparr/cleanuparr`, but this tag construction still hardcodes that value. Referencing `REGISTRY_IMAGE` here (e.g. `"$githubTags,${REGISTRY_IMAGE}:$latestDockerTag"`) avoids duplication and prevents drift if the image name or registry changes.
```suggestion
if [ -n "$latestDockerTag" ]; then
githubTags="$githubTags,${REGISTRY_IMAGE}:$latestDockerTag"
fi
```
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary by Sourcery
Introduce a multi-stage GitHub Actions workflow to build, push, and publish multi-architecture Docker images using Buildx digests and manifests.
Build: