63 changes: 18 additions & 45 deletions .github/workflows/server-prod.yaml
@@ -4,49 +4,22 @@ on:
tags:
- '*'
jobs:
release:
runs-on: ubuntu-latest
build-server:
uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the file exists and examine its content
if [ -f ".github/workflows/server-prod.yaml" ]; then
  cat -n ".github/workflows/server-prod.yaml"
else
  echo "File not found"
fi

Repository: factly/gopie

Length of output: 917


🏁 Script executed:

#!/bin/bash
# Let's verify the context - confirm this is a production workflow and check the severity
# Check if there are other workflow files to understand the pattern
git ls-files ".github/workflows/" | head -20

Repository: factly/gopie

Length of output: 262


Pin the reusable workflow to an immutable ref before using it in release jobs.

GitHub lets reusable workflows be referenced by branch, tag, or SHA, but explicitly calls the commit SHA the safest option for stability and security. Keeping both release jobs on @develop means a future change in factly/gopie-ee can silently change or break tagged production builds, and full workflow reruns may resolve that branch again instead of preserving the original workflow version. (docs.github.com)

Suggested change
-    uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop
+    uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@<pinned-commit-sha>

Also applies to line 18.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/server-prod.yaml at line 8, the reusable workflow reference "uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop" should be pinned to an immutable commit SHA instead of the branch name; update both occurrences (the one shown and the other at line 18) to use the exact commit SHA for factly/gopie-ee so the release jobs always run the same workflow version.

with:
tags: asia-south1-docker.pkg.dev/factly-prod/gopie/server:${{ github.ref_name }}
context: server
dockerfile: server/Dockerfile
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- name: Set env
run: |
if [[ $GITHUB_REF == refs/tags/* ]]; then
echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
elif [[ $GITHUB_EVENT_NAME == "release" ]]; then
echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
else
echo "RELEASE_VERSION=latest" >> $GITHUB_ENV
fi
- name: Use Go
uses: actions/setup-go@v2
id: setup_go
with:
go-version: "1.22.6"
- name: Cache go-modules
uses: actions/cache@v4
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Build and push Gopie Server to Docker Hub
uses: docker/build-push-action@v4
with:
push: true
tags: factly/gopie-server:${{ env.RELEASE_VERSION }}
file: server/Dockerfile
context: server

- name: Build and push Gopie migration to Docker Hub
uses: docker/build-push-action@v4
with:
push: true
tags: factly/gopie-migrate:${{ env.RELEASE_VERSION }}
file: server/Dockerfile.migrate
context: server
contents: read
id-token: write

build-migrate:
uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop
with:
tags: asia-south1-docker.pkg.dev/factly-prod/gopie/migrate:${{ github.ref_name }}
context: server
dockerfile: server/Dockerfile.migrate
permissions:
contents: read
id-token: write
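Review bot: Both new jobs hand `id-token: write` to a reusable workflow that is resolved from a mutable branch (`uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop` in `build-server` and again in `build-migrate`), so whatever lands on `develop` in factly/gopie-ee runs with this repository's OIDC identity on every tag push and decides what is published to `asia-south1-docker.pkg.dev/factly-prod/gopie/server` and `.../migrate`. Pin both `uses:` lines to a full commit SHA (with a comment naming the tag it corresponds to) and review the called workflow in gopie-ee before bumping that SHA. The permission scope itself is an improvement over the removed job, which ran with `contents: write` and long-lived `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN` secrets; `contents: read` plus `id-token: write` is the right level for a build that authenticates to the registry via OIDC, so keep it there. Two smaller points: `tags: - '*'` lets any tag name flow into the image tag through `${{ github.ref_name }}`, so a tag that is not a valid Docker tag (one containing `/`, for example) fails late inside the reusable workflow, and a narrower pattern such as `'v*'` would avoid that; and since this file no longer reads the `DOCKERHUB_*` secrets, check whether any other workflow still needs them and rotate or delete them if not.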
31 changes: 7 additions & 24 deletions .github/workflows/web-app.yaml
@@ -6,28 +6,11 @@ on:

jobs:
release:
runs-on: ubuntu-latest
uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's check if the file exists and examine its content
if [ -f ".github/workflows/web-app.yaml" ]; then
    echo "=== File: .github/workflows/web-app.yaml ==="
    cat -n ".github/workflows/web-app.yaml"
else
    echo "File not found, searching for it..."
    find . -name "web-app.yaml" -o -name "*web-app*" 2>/dev/null | head -20
fi

Repository: factly/gopie

Length of output: 597


🏁 Script executed:

# Also check for other workflow files to understand the pattern
ls -la .github/workflows/ 2>/dev/null || echo "Directory not found"

Repository: factly/gopie

Length of output: 560


🏁 Script executed:

# Let's also check if there's a server-prod workflow mentioned in the scratchpad
if [ -f ".github/workflows/server-prod.yaml" ]; then
    echo "=== File: .github/workflows/server-prod.yaml (for context) ==="
    cat -n ".github/workflows/server-prod.yaml"
fi

Repository: factly/gopie

Length of output: 980


Pin the reusable workflow reference to a commit SHA instead of @develop.

This workflow is triggered on tag pushes and uses @develop to reference the shared build workflow in the external factly/gopie-ee repository. Since develop is mutable, the same tag could produce different Docker images if the upstream branch changes, breaking reproducibility. GitHub's best practice for reusable workflows is to pin to a specific commit SHA for security and deterministic builds. Note that this same issue exists in .github/workflows/server-prod.yaml (lines 8 and 18).

Suggested change
-    uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop
+    uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@<pinned-commit-sha>
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/web-app.yaml at line 9, replace the mutable branch reference in the reusable workflow call (the string "factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop" used in .github/workflows/web-app.yaml) with a fixed commit SHA; update the workflow invocation to reference the repository path plus the specific commit SHA instead of "@develop" so builds are deterministic, and make the same change for the other occurrences noted in .github/workflows/server-prod.yaml (the two references currently using "@develop").

with:
tags: asia-south1-docker.pkg.dev/factly-prod/gopie/web:${{ github.ref_name }}
context: web
dockerfile: web/Dockerfile.prod
permissions:
contents: 'read'
steps:
- uses: actions/checkout@v3
- name: Set env
run: |
if [[ $GITHUB_REF == refs/tags/* ]]; then
echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
else
echo "RELEASE_VERSION=latest" >> $GITHUB_ENV
fi
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Build and push Gopie Web App Docker image to Docker Hub
uses: docker/build-push-action@v4
with:
push: true
tags: factly/gopie-web:${{ env.RELEASE_VERSION }}
context: web
file: web/Dockerfile.prod
contents: read
id-token: write
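Review bot: The `release` job keeps its name but now delegates everything to `factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop` while granting it `id-token: write`; the same pinning concern as in server-prod.yaml applies, so pin this `uses:` to a commit SHA so that a tag push here always runs the reviewed version of the build workflow and a change on the external `develop` branch cannot alter what is pushed to `asia-south1-docker.pkg.dev/factly-prod/gopie/web`. This hunk also changes behaviour in a way the PR description should state: the image is no longer pushed to Docker Hub as `factly/gopie-web:${{ env.RELEASE_VERSION }}`, and the `latest` fallback from the removed `Set env` step is gone, so anyone still pulling `factly/gopie-web` from Docker Hub will silently stop receiving updates; note that in the release notes if the Docker Hub image is public, and remove the now-unused `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN` secrets once no workflow references them.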
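A check a maintainer can run locally against the workflow files in this PR before merging, added here as an example; it is not part of the PR or of the factly/gopie repository. It flags every `uses:` reference (reusable workflow calls and step actions alike) whose ref is not a 40-character commit SHA, which is the fix both inline comments above ask for. The embedded sample workflow text is constructed to mirror the calls in this diff, and the 40-hex value in it is a placeholder, not a real commit of any project.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example, not part of the factly/gopie repository. Scans workflow YAML
line by line so it also works on files that are not valid YAML yet, and
reports every `uses:` whose ref is a branch or tag rather than a full SHA.
"""
import re
import sys
from typing import List, Tuple

# Constructed sample in the shape of the calls in this PR. The 40-hex value is
# a placeholder, not a real commit of any project.
SAMPLE_WORKFLOW = """\
jobs:
  build-server:
    uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop
  build-migrate:
    uses: factly/gopie-ee/.github/workflows/docker-build-push.yaml@develop
  lint:
    steps:
      - uses: actions/checkout@v4
      - uses: "actions/cache@0123456789abcdef0123456789abcdef01234567"  # placeholder SHA
      - uses: ./.github/actions/local-step
"""

# Matches `uses:` at step level (leading `- `) or job level (reusable workflow
# call), with an optional quoted value and an optional trailing comment.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*(["\']?)([^\s#]+?)\1\s*(?:#.*)?$')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def is_pinned(ref_spec: str) -> bool:
    """True when the part after the last '@' is a full lowercase hex commit SHA."""
    if '@' not in ref_spec:
        return False
    return bool(SHA_RE.match(ref_spec.rsplit('@', 1)[1]))


def find_unpinned_uses(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reference) for every unpinned `uses:` in the text.

    Local references (./path) and docker:// references carry no git ref and
    are skipped; everything else must be pinned to a 40-hex SHA.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec = m.group(2)
        if ref_spec.startswith('./') or ref_spec.startswith('docker://'):
            continue
        if not is_pinned(ref_spec):
            findings.append((lineno, ref_spec))
    return findings


def main(paths: List[str]) -> int:
    """CLI entry: scan the given workflow files, print findings, exit 1 if any."""
    if not paths:
        print("usage: pin_check.py .github/workflows/*.yaml", file=sys.stderr)
        return 2
    total = 0
    for path in paths:
        with open(path, encoding='utf-8') as fh:
            for lineno, ref_spec in find_unpinned_uses(fh.read()):
                print(f"{path}:{lineno}: unpinned uses: {ref_spec}")
                total += 1
    return 1 if total else 0


if __name__ == '__main__':
    sys.exit(main(sys.argv[1:]))
```

Run it as `python pin_check.py .github/workflows/*.yaml`; a non-zero exit makes it usable as a pre-merge gate. On the sample text it reports both `@develop` reusable-workflow calls and the `@v4` step, and accepts the SHA-pinned one; the same scan over this PR's two files would list the three `@develop` references the inline comments point at plus any tag-pinned step actions that remain.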