Skip to content

Fix build container on tags #638

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
aj-stein wants to merge 4 commits into
base: develop
Choose a base branch
from
Open

Fix build container on tags #638

aj-stein wants to merge 4 commits into from

Conversation

@aj-stein
Copy link
Contributor

@aj-stein aj-stein commented Jan 12, 2026
edited by coderabbitai bot
Loading

Committer Notes

{Please provide a brief description of what this PR accomplishes. Be sure to reference any issues addressed. If the PR is a work-in-progress submitted for early review, please include [WIP] at the beginning of the title or mark the PR as DRAFT.}

All Submissions:

By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.

Changes to Core Features:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
  • Have you included examples of how to use your new feature(s)?
  • Have you updated all website and readme documentation affected by the changes you made?

Summary by CodeRabbit

  • Chores
    • Enhanced deployment workflow with support for custom container image tagging and reference-based builds.
    • Added automated build artifact archival for distribution packages.
    • Integrated container image building into the deployment pipeline.

✏️ Tip: You can customize this high-level summary in your review settings.

@aj-stein aj-stein self-assigned this Jan 12, 2026
@coderabbitai
Copy link

coderabbitai bot commented Jan 12, 2026
edited
Loading

📝 Walkthrough

Walkthrough

The PR adds flexibility to the container build workflow by introducing ref and custom_tag inputs for custom Git references and Docker tags. The release workflow now includes a new build-container job that reuses the container workflow to build and push container images after successful deployment.

Changes

Cohort / File(s) Summary
Container workflow configuration
.github/workflows/container.yml		 Added ref and custom_tag workflow inputs; checkout step now uses parameterized ref; Docker metadata generation includes new raw tag type with value from custom_tag
Release workflow integration
.github/workflows/release.yml		 Added artifact upload step for build zip archive; introduced new build-container job that runs after deploy-to-nexus, reuses container workflow with push: true parameter, and includes container registry permissions

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • oscal-cli#208: Modifies the container build workflow and related build-container job configuration
  • metaschema-java#562: Adds the same ref and custom_tag inputs to the container workflow with Docker metadata tag enhancements
  • metaschema-java#585: Implements conditional logic on the build-container job to skip container builds for forked pull requests

Suggested reviewers

  • david-waltermire

Poem

🐰 A workflow refined with inputs so neat,
Custom refs and tags make the build complete!
Container jobs dancing after deploy,
Pushing images with automated joy!
The release pipeline hops to the beat. 🚀

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title accurately reflects the main objective: enabling container builds when Git tags are created, which is directly supported by the changes to add workflow inputs and propagate them through the container and release workflows.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix-build-container-on-tags
📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1268b57 and fca8c3f.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings 
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 623
File: .github/workflows/build.yml:8-14
Timestamp: 2026-01-07T04:40:01.060Z
Learning: In the metaschema-java repository, the build workflow intentionally includes `main` in the `pull_request.branches` trigger even though CONTRIBUTING.md requires PRs to target `develop`. This is a defensive design to provide feedback if someone accidentally targets main, rather than silent failure. The UPLOAD_SCAN_SARIF logic also needs main for security scan results.
📚 Learning: 2026-01-08T01:44:38.651Z 
Learnt from: david-waltermire
Repo: metaschema-framework/oscal-cli PR: 208
File: .github/workflows/container-cleanup.yml:22-30
Timestamp: 2026-01-08T01:44:38.651Z
Learning: In the metaschema-framework organization, container cleanup workflows use GITHUB_TOKEN with packages:write permission for deleting old GHCR container images. This approach works for org-owned packages when the workflow runs from the same organization, following the pattern established in metaschema-java's container-cleanup.yml.

Applied to files:

  • .github/workflows/release.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Website
  • GitHub Check: Code
🔇 Additional comments (2)
.github/workflows/release.yml (2)

54-58: The artifact upload is correctly consumed. The container.yml workflow explicitly downloads the build_zip artifact using the actions/download-artifact action in the "Download build zip" step, placing it in ./metaschema-cli/target/ where it's used during the container build process.

Likely an incorrect or invalid review comment.

59-69: LGTM! Container workflow inputs are properly configured.

The job structure is correct:

  • Appropriate permissions for pushing to GHCR with attestations
  • Correct dependency on deploy-to-nexus to ensure artifacts are published first
  • push: true correctly enables pushing the container image

The container.yml reusable workflow defaults inputs appropriately:

  • ref defaults to github.ref when omitted (line 37), ensuring the current tag is used for release builds
  • custom_tag defaults to empty and is only applied when explicitly provided (line 71), allowing auto-generated tags based on metadata (SHA, branch, tag)

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@aj-stein aj-stein changed the base branch from main to develop January 12, 2026 14:41
aj-stein
aj-stein commented Jan 12, 2026
View reviewed changes
coderabbitai[bot]
coderabbitai bot reviewed Jan 12, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/build.yml (1)

18-53: Missing custom_tag input in workflow_call.

The custom_tag input is defined for workflow_dispatch (lines 50-53) but not for workflow_call (lines 18-43). This means when this workflow is called by another workflow, inputs.custom_tag (referenced at line 335) will always be empty.

For consistency with ref (which is defined in both triggers), consider adding custom_tag to workflow_call:

Suggested fix 
   workflow_call:
     inputs:
       ref:
         description: 'Git ref to checkout (branch, tag, or SHA)'
         required: false
         type: string
+      custom_tag:
+        description: 'Custom tag for container image (e.g., v3.0.0)'
+        required: false
+        type: string
       skip_code_scans:
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d336494 and 1268b57.

📒 Files selected for processing (2)
  • .github/workflows/build.yml
  • .github/workflows/container.yml
🧰 Additional context used
🧠 Learnings (4)
📓 Common learnings 
Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 623
File: .github/workflows/build.yml:8-14
Timestamp: 2026-01-07T04:40:01.060Z
Learning: In the metaschema-java repository, the build workflow intentionally includes `main` in the `pull_request.branches` trigger even though CONTRIBUTING.md requires PRs to target `develop`. This is a defensive design to provide feedback if someone accidentally targets main, rather than silent failure. The UPLOAD_SCAN_SARIF logic also needs main for security scan results.
📚 Learning: 2025-12-13T21:16:12.281Z 
Learnt from: CR
Repo: metaschema-framework/metaschema PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T21:16:12.281Z
Learning: Use branch naming: `feature/*` for new features and enhancements, `release/*` (format: `release/MAJOR.MINOR`) for release preparation, `fix/*` for bug fixes

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-13T21:16:12.281Z 
Learnt from: CR
Repo: metaschema-framework/metaschema PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T21:16:12.281Z
Learning: All PRs must target the `develop` branch, not `main`. The `main` branch receives merges only from `develop` during releases.

Applied to files:

  • .github/workflows/build.yml
📚 Learning: 2025-12-17T13:27:43.679Z 
Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs must be created from a personal fork and must target the develop branch (BLOCKING - required by CONTRIBUTING.md)

Applied to files:

  • .github/workflows/build.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Code
  • GitHub Check: Website
🔇 Additional comments (5)
.github/workflows/build.yml (2)

8-9: LGTM on tag trigger addition.

The v* pattern correctly captures semantic versioning tags (e.g., v1.0.0, v2.3.4-rc1), enabling container builds on release tags as intended.

334-335: Implementation correctly handles empty inputs on tag pushes.

On tag pushes, inputs.ref and inputs.custom_tag are empty strings. The container workflow handles this correctly:

  • Checkout uses ${{ inputs.ref || github.ref }} (line 37), which treats empty string as falsy and falls back to the tag ref
  • Docker metadata conditionally adds custom_tag only when inputs.custom_tag != '' (line 71)
  • The type=ref,event=tag metadata rule (line 69) automatically generates tag-based image refs

No changes needed.

.github/workflows/container.yml (3)

10-17: LGTM on new workflow inputs.

The ref and custom_tag inputs are well-defined with clear descriptions. Making them optional allows the workflow to function both when called with explicit values and when triggered automatically (falling back to defaults).

35-39: LGTM on checkout ref handling.

The inputs.ref || github.ref pattern correctly falls back to the triggering ref when no explicit ref is provided, ensuring the workflow checks out the right commit for both manual and automated triggers.

66-71: LGTM on custom tag metadata.

The type=raw with enable=${{ inputs.custom_tag != '' }} correctly:

  1. Adds the custom tag only when explicitly provided
  2. Coexists with type=ref,event=tag (line 69) for automatic git tag detection

This enables both automatic tagging on v* tag pushes and manual override via workflow_dispatch.

@aj-stein aj-stein marked this pull request as ready for review January 12, 2026 23:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@aj-stein aj-stein

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aj-stein