LCORE-569: Move rag-content images to quay.io

[matysek]

Description

LCORE-569: Move rag-content images to quay.io

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up service version
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change
• Unit tests improvement
• Integration tests improvement
• End to end tests improvement

Related Tickets & Documents

• Related Issue #
• Closes #

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

• Please provide detailed steps to perform tests related to this code change.
• How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

• Chores
  • Renamed build pipelines to clearly distinguish CPU and GPU image builds.
  • Updated container publishing to Quay.io under the lightspeed-core namespace.
  • Switched authentication to dedicated Quay secrets for more secure pushes.
  • Improves reliability and clarity of development image distribution.
  • No product behavior changes; end users are unaffected.

[coderabbitai]

Walkthrough

Renamed CPU/GPU workflows, switched image registry/namespace to quay.io/lightspeed-core, and updated push credentials to use Quay-specific secrets in both build_and_push_dev.yaml and build_and_push_dev_gpu.yaml.

Changes

Cohort / File(s)	Summary
CI: build-and-push workflows .github/workflows/build_and_push_dev.yaml, .github/workflows/build_and_push_dev_gpu.yaml	Rename workflows to “Build CPU/GPU image…”. Change env IMAGE_REGISTRY from ghcr.io to quay.io and IMAGE_NAMESPACE to lightspeed-core. Update push step to use secrets.QUAY_REGISTRY_USERNAME and secrets.QUAY_REGISTRY_PASSWORD instead of GitHub actor/token.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Developer
  participant GH as GitHub Actions
  participant Build as Docker Build
  participant Quay as Quay.io Registry

  Dev->>GH: Push to main
  GH->>Build: Build image (CPU or GPU)
  note over GH,Build: IMAGE_REGISTRY=quay.io<br/>IMAGE_NAMESPACE=lightspeed-core
  GH->>Quay: Login using secrets (username/password)
  Build-->>GH: Image artifact
  GH->>Quay: Push image
  Quay-->>GH: Push result (success/failure)

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• LCORE-305: Use uv for image building, disable building gpu variant #27 — Also changes the same workflows to adjust registry/namespace and Quay auth.
• LCORE-438: Fix imabe building for GPU variant #32 — Introduces/updates the GPU build-and-push workflow that this PR further modifies.

Suggested reviewers

• tisnik

Poem

I hop through YAML fields so bright,
Tagging CPU, GPU just right—
From ghcr past the willow tree,
To quay-side docks with secret key.
Thump-thump, images set to go,
A rabbit waves: “to prod we row!” 🐇🛳️

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (9)

.github/workflows/build_and_push_dev.yaml (5)

1-1: Workflow name clarity: good; consider aligning job id for consistency.

The rename reflects CPU scope well. Optional: also rename the job id build-and-push-dev to build-and-push-dev-cpu to make logs/artifacts unambiguous next to the GPU workflow.

-  build-and-push-dev:
+  build-and-push-dev-cpu:

---

12-13: Hardcoded Quay namespace; prefer repo/org variables for portability.

Pinning IMAGE_NAMESPACE to lightspeed-core works for this repo but breaks on forks and complicates org-wide changes. Recommend pulling the namespace from a repository/organization variable so forks can override and we avoid edits in code.

-  IMAGE_NAMESPACE: lightspeed-core
+  # Define QUAY_NAMESPACE at org/repo level (Settings → Variables → Actions)
+  IMAGE_NAMESPACE: ${{ vars.QUAY_NAMESPACE }}

Follow-up: ensure a vars.QUAY_NAMESPACE is defined; otherwise the workflow will fail to compose the registry path.

---

72-73: Switch to Quay robot credentials; also trim GitHub permissions to least privilege.

Using Quay-specific secrets is correct. Two improvements:

• Use a Quay robot account (format: org+robot) for scoped, revocable access.
• Since we are no longer pushing to GHCR, packages: write can be dropped to minimize permissions.

-      # Required for image pushing to a registry
-      packages: write
+      # No GHCR push required; minimize permissions
+      # packages: write

Also ensure QUAY_REGISTRY_USERNAME contains the robot username (e.g., lightspeed-core+github) and QUAY_REGISTRY_PASSWORD is the robot token with write perms to quay.io/lightspeed-core/*.

---

65-73: Guard push on default branch explicitly and add concurrency to avoid tag races.

You already skip pushes on PRs. To avoid multiple concurrent runs overwriting latest and to ensure only main pushes publish, consider adding a concurrency group and an extra branch guard.

 jobs:
   build-and-push-dev:
     runs-on: ubuntu-latest
+    concurrency:
+      group: rag-content-cpu-${{ github.ref_name }}
+      cancel-in-progress: true
@@
-      - name: Push image to Quay.io
+      - name: Push image to Quay.io
         uses: redhat-actions/push-to-registry@v2
-        if: ${{ github.event_name != 'pull_request' }}
+        if: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/main' }}
         with:
           image: ${{ steps.build_image.outputs.image }}
           tags: ${{ steps.build_image.outputs.tags }}
           registry: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAMESPACE }}
           username: ${{ secrets.QUAY_REGISTRY_USERNAME }}
           password: ${{ secrets.QUAY_REGISTRY_PASSWORD }}

---

73-73: Fix YAML lint: add a trailing newline at EOF.

YAMLlint flagged “no new line character at the end of file”. Add a newline after the last line to satisfy linters and avoid diffs on some editors.

-          password: ${{ secrets.QUAY_REGISTRY_PASSWORD }}
+          password: ${{ secrets.QUAY_REGISTRY_PASSWORD }}
+

.github/workflows/build_and_push_dev_gpu.yaml (4)

1-1: Workflow name clarity: good; consider adding PR builds for early breakage detection.

Unlike the CPU workflow, this one doesn’t run on pull_request. Building (but not pushing) on PRs helps catch Containerfile regressions earlier.

-on:
-  push:
-    branches: [ main ]
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ "main" ]

The existing push step already has an if gate; it will not publish on PRs.

---

9-10: Hardcoded Quay namespace; make it configurable via repo/org variable.

Same recommendation as the CPU workflow for portability and easier org-wide changes.

-  IMAGE_NAMESPACE: lightspeed-core
+  IMAGE_NAMESPACE: ${{ vars.QUAY_NAMESPACE }}

Ensure vars.QUAY_NAMESPACE is set at repo or org level.

---

69-70: Use Quay robot credentials and consider dropping unnecessary GitHub permissions.

Quay secrets usage is correct. Prefer a robot account token and remove packages: write permission since GHCR is no longer used here.

     permissions:
       contents: read
-      # Required for image pushing to a registry
-      packages: write
+      # No GHCR push; keep minimal permissions
+      # packages: write

Also verify the robot account has write access to quay.io/lightspeed-core/rag-content-gpu.

---

44-51: Multi-arch GPU images: verify base image availability for arm64.

You’re building amd64 and arm64 for the GPU image. Many CUDA/NVIDIA bases are amd64-only; if the base lacks arm64, the build for that arch will fail. If arm64 is required (e.g., Jetson), confirm the base tag supports it; otherwise restrict to amd64.

-          archs: amd64, arm64
+          # If the GPU base supports only amd64, build a single-arch image to avoid failures.
+          archs: amd64

If you want me to verify the Containerfile-gpu base tags across the repo, I can run a script to parse and report them.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 53179ec and 6f64d86.

📒 Files selected for processing (2)

• .github/workflows/build_and_push_dev.yaml (3 hunks)
• .github/workflows/build_and_push_dev_gpu.yaml (2 hunks)

🧰 Additional context used

🪛 YAMLlint (1.37.1)

.github/workflows/build_and_push_dev.yaml

[error] 73-73: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: mypy
• GitHub Check: build-and-push-dev
• GitHub Check: Pylinter

[tisnik]

LGTM