9 changes: 7 additions & 2 deletions .github/workflows/docker_publish.yaml
@@ -1,6 +1,8 @@
name: Publish Docker Image

on:
push:
branches: [main]
workflow_dispatch:
inputs:
tags:
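Review bot: the new `push` trigger on `main` makes overlapping runs possible, which is exactly the mixed-architecture `latest` scenario raised in the review comment on this file: two runs for back-to-back commits both publish the shared `latest-amd64` / `latest-arm64` tags before either assembles the manifest. Add a top-level `concurrency:` block alongside the triggers, for example `concurrency:` / `group: docker-publish-${{ github.ref }}` / `cancel-in-progress: false`, so runs on the same ref are serialised (or set `cancel-in-progress: true` to drop the stale run) and the manifest always references images built from a single commit.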
Expand All @@ -15,6 +17,9 @@ permissions:
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
# On push to main, inputs.tags is empty, so fall back to "latest" so the
# latest tag tracks main. Manual dispatch still honors custom tags.
TAGS_INPUT: ${{ inputs.tags || 'latest' }}
Comment on lines 1 to +22

Contributor
P1 Missing concurrency group risks mixed-arch latest manifests

The new push trigger means two workflow runs can be in flight simultaneously for consecutive commits to main. Because the arch-specific tags (latest-amd64, latest-arm64) are shared across runs, run A could push latest-amd64 from commit 1 while run B has already pushed latest-arm64 from commit 2. The publish-manifest job of either run then assembles a manifest list pointing to images from different commits — a silently corrupted latest image.

Adding a concurrency block before jobs: serialises (or cancels-and-restarts) builds so the arch-specific layers and manifest always come from the same commit.

jobs:
build-image:
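Review bot: `${{ inputs.tags || 'latest' }}` also takes the fallback when a manual `workflow_dispatch` is started with the `tags` field left blank, not only on `push`, so the comment above it ("On push to main, inputs.tags is empty") understates the behaviour and the `tags` input description should say that blank means `latest`. The fallback only catches an empty string: a list with a leading comma or whitespace-only entries still reaches the tag loop and produces names like `-amd64`; a short validation step that rejects any entry not matching the Docker tag character set (letters, digits, `_`, `.`, `-`) before the loop would fail fast with a clear message instead of a registry error.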
Expand Down Expand Up @@ -46,7 +51,7 @@ jobs:
id: prep
run: |
TAGS=""
IFS=',' read -ra TAG_ARRAY <<< "${{ inputs.tags }}"
IFS=',' read -ra TAG_ARRAY <<< "${TAGS_INPUT}"
for t in "${TAG_ARRAY[@]}"; do
TAGS="${TAGS}${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${t}-${{ matrix.arch }},"
done
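Review bot: reading the tag list from `"${TAGS_INPUT}"` instead of splicing `${{ inputs.tags }}` into the `run:` script is the right fix from an injection standpoint: with template interpolation, a dispatch value containing a double quote or `$(...)` would have been inserted into the shell script verbatim, whereas the environment variable is read as data. For consistency, the loop body below it still interpolates `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}` into the script; those values are workflow-defined and safe, but `${REGISTRY}/${IMAGE_NAME}` reads the same already-exported variables without template expansion and keeps the whole step free of `${{ }}` inside shell.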
Expand Down Expand Up @@ -84,7 +89,7 @@ jobs:
env:
SHORT_SHA: ${{ github.sha }}
run: |
IFS=',' read -ra TAG_ARRAY <<< "${{ inputs.tags }}"
IFS=',' read -ra TAG_ARRAY <<< "${TAGS_INPUT}"
FIRST_TAG="${TAG_ARRAY[0]}"

# Create manifest for first tag with SHA tag
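Review bot: `SHORT_SHA: ${{ github.sha }}` binds the full 40-character commit SHA to a variable named `SHORT_SHA`, so the "SHA tag" this step creates is not short; either truncate it in the script (`SHORT_SHA="${SHORT_SHA::7}"` before first use) or rename the variable to `COMMIT_SHA` so the name, the comment and the pushed tag agree. Switching to `"${TAGS_INPUT}"` here also matters on `push`, where `${{ inputs.tags }}` would have been empty and `FIRST_TAG="${TAG_ARRAY[0]}"` would have expanded to nothing, leaving the manifest tag malformed; the `latest` fallback now makes `FIRST_TAG` well-defined for both triggers.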