ci: publish governance backend images to ghcr#1
Pull request overview
This PR adds CI publishing of the governance backend Docker images to GitHub Container Registry (GHCR) and introduces a deploy-focused compose file that pulls those published images, along with runtime Dockerfile tightening and updated documentation for running Sepolia.
Changes:
- Add a GitHub Actions workflow to build & push `governance-db`, `governance-api`, and `governance-indexer` images to GHCR.
- Add `docker-compose.ghcr.yml` to run the stack from published images.
- Update API/Indexer Dockerfiles and `.dockerignore` files; document GHCR usage in the root README.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| indexer/Dockerfile | Tightens indexer runtime image (prod deps, non-root user), but currently hard-codes Sepolia startup. |
| indexer/.dockerignore | Updates ignored files, but still allows .env.* into build context. |
| docker-compose.ghcr.yml | New compose file consuming GHCR images for db/api/indexer. |
| db/Dockerfile | New minimal Postgres-based image for the db service. |
| api/Dockerfile | Splits builder/runner stages and runs as non-root with prod deps only. |
| api/.dockerignore | New ignore file to keep build contexts clean and avoid env leakage. |
| README.md | Documents GHCR images and example Sepolia run commands. |
| .github/workflows/publish-images.yml | New workflow to publish backend images to GHCR. |
indexer/Dockerfile
Outdated
| # Default command - will be overridden by docker-compose | ||
| CMD ["npm", "start"] | ||
| USER node | ||
| CMD ["npm", "run", "start:sepolia"] |
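Review bot: with `CMD ["npm", "run", "start:sepolia"]` npm is the container's PID 1, and npm does not reliably forward SIGTERM to the node child, so `docker stop` tends to wait out the kill timeout instead of letting the indexer shut down cleanly (`USER node` is right, but does not change this). Consider an exec-form `CMD ["node", "<built entry file>"]` or a small entrypoint script that `exec`s node; that script is also the natural place to read NETWORK from the environment rather than hard-coding Sepolia here.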
CMD ["npm", "run", "start:sepolia"] hard-codes Sepolia (the script sets NETWORK=sepolia), so any NETWORK value provided at runtime (e.g. via docker-compose) is ignored. Consider changing the container entrypoint to a script that honors NETWORK from the environment (or update the npm scripts so they don't override NETWORK).
| CMD ["npm", "run", "start:sepolia"] | |
| CMD ["sh", "-c", "npm run start:${NETWORK:-sepolia}"] |
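Review bot: `CMD ["sh", "-c", "npm run start:${NETWORK:-sepolia}"]` splices NETWORK straight into a shell command line and only fails at container start with npm's "missing script" error when the value has no matching `start:<network>` script. An entrypoint that checks NETWORK against the networks the image actually supports before `exec`ing gives a clear diagnostic and keeps the extra shell out of the process tree.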
| db: | ||
| condition: service_healthy | ||
| environment: | ||
| NETWORK: ${NETWORK:-sepolia} |
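Review bot: `NETWORK: ${NETWORK:-sepolia}` is expanded by docker compose on the host, from the invoking shell's environment or a `.env` beside the compose file, not inside the container, so the fallback to `sepolia` only applies when the host has no NETWORK set; the README should say so, or the value should be fixed explicitly. Also, `condition: service_healthy` on `db` only gates initial start-up; it does not restart the indexer if the database becomes unhealthy later, so the indexer still needs its own reconnect handling.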
This compose file sets NETWORK: ${NETWORK:-sepolia}, but the published indexer image currently runs start:sepolia which overrides NETWORK internally. Either adjust the image entrypoint to honor the env var, or remove/rename this setting to avoid misleading configuration.
| NETWORK: ${NETWORK:-sepolia} |
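An entrypoint script of the kind the two comments above ask for, as an added example that is not code from this PR or the project: it derives the npm script from NETWORK, rejects values with no matching `start:<network>` script, and `exec`s so no extra shell sits in front of npm. The allowed network names and the `docker-entrypoint.sh` file name are assumptions.

```shell
#!/bin/sh
# docker-entrypoint.sh (hypothetical name, added example): choose the indexer's
# npm start script from NETWORK instead of hard-coding "sepolia" in CMD.
set -eu

# Networks the image can start (assumption: one "start:<network>" npm script
# per entry). Unknown values are rejected before anything runs, so a typo in
# docker-compose fails loudly instead of silently indexing the wrong chain.
ALLOWED_NETWORKS="sepolia mainnet"

# Print "start:<network>" for a valid NETWORK value (empty -> sepolia, the
# previous default); return 1 and print a diagnostic to stderr otherwise.
resolve_start_script() {
  net="${1:-sepolia}"
  for allowed in $ALLOWED_NETWORKS; do
    if [ "$net" = "$allowed" ]; then
      printf 'start:%s\n' "$net"
      return 0
    fi
  done
  printf 'indexer: unknown NETWORK "%s" (allowed: %s)\n' \
    "$net" "$ALLOWED_NETWORKS" >&2
  return 1
}

# Only launch the process when this file is run as the entrypoint, not when it
# is sourced (for example by a test) under another name.
if [ "$(basename -- "$0")" = "docker-entrypoint.sh" ]; then
  script="$(resolve_start_script "${NETWORK:-}")"
  # exec replaces sh, so npm (not a shell) becomes the container's PID 1;
  # exec the node binary directly instead if SIGTERM must reach node itself.
  exec npm run "$script"
fi
```

Wire it in with `COPY docker-entrypoint.sh /usr/local/bin/` and `ENTRYPOINT ["docker-entrypoint.sh"]` in `indexer/Dockerfile`, replacing the hard-coded CMD.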
indexer/.dockerignore
Outdated
| README.md | ||
| .env.local.example | ||
| .env | ||
| .env.local |
The indexer build context still includes .env.* files (e.g. .env.mainnet) because only .env and .env.local are ignored. This can accidentally send secrets into the Docker build context on developer machines/CI. Consider ignoring .env.* (and optionally .env.local.example) similar to api/.dockerignore.
| .env.local | |
| .env.local | |
| .env.* | |
| .env.local.example |
| - name: api | ||
| image: governance-api | ||
| context: ./api | ||
| file: ./api/Dockerfile |
The db image build uses context: ., which sends the entire repository as build context even though db/Dockerfile doesn't copy any files. Switching the context to ./db (and updating the file path accordingly) will make builds faster and reduce CI bandwidth.
Summary
Validation