Add GitHub Actions workflow to build and push OpenClaw image #5
natifridman wants to merge 2 commits into redhat-et:main from
Conversation
📝 Walkthrough
Adds a new GitHub Actions workflow that builds and pushes a Docker image to quay.io. Triggers: nightly schedule, pushes when Dockerfile changes on main, pull requests touching the Dockerfile, and manual dispatch. Computes tags, sets up Buildx, conditionally logs into quay.io, and builds/pushes with cache.
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant Repo as "Repository"
    participant GH as "GitHub Actions"
    participant Buildx as "Docker Buildx"
    participant Quay as "quay.io Registry"
    Repo->>GH: Trigger (schedule / push / PR / manual)
    GH->>GH: Checkout repo
    GH->>GH: Compute tags (latest, date, git-tag)
    GH->>Buildx: Set up Buildx builder
    alt event != pull_request
        GH->>Quay: Login with quay credentials
    end
    GH->>Buildx: Build image, apply tags, use cache
    Buildx->>Quay: Push image tags
    Quay-->>GH: Acknowledge push
```
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes. 🚥 Pre-merge checks: ✅ 3 passed.
Actionable comments posted: 3
🧹 Nitpick comments (1)
.github/workflows/build-image.yml (1)
18-20: Add explicit least-privilege workflow permissions. No `permissions` block is defined; default token scope can be broader than needed. Proposed fix
jobs: build: + permissions: + contents: read runs-on: ubuntu-latest
🤖 Prompt for AI Agents
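Review bot: `contents: read` is the right scope for this job, because the image is pushed to quay.io with the QUAY_USERNAME/QUAY_PASSWORD secrets rather than with GITHUB_TOKEN, so no `packages: write` is needed; placing the block at the workflow root instead of under `build` would also cover any job added to this workflow later.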
Verify each finding against the current code and only fix it if needed. In @.github/workflows/build-image.yml around lines 18 - 20, The workflow is missing an explicit least-privilege permissions block for the build job; add a permissions entry scoped to only the GitHub token privileges required by this job (attach a permissions map under the build job or at workflow root) and restrict each scope (e.g., contents, packages, pull-requests, id-token, etc.) to read or write only as needed for the build job; ensure the permissions block is placed under the jobs.build definition so the build job runs with the minimal token privileges.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/build-image.yml:
- Around line 37-50: The workflow currently allows non-PR manual runs
(workflow_dispatch) to log in and push images, so update the conditional guards
to restrict pushes to only the main branch (or proper release refs);
specifically, change the `if` on the "Log in to Quay.io" step and the `push`
expression on the "Build and push" step to include a ref check (e.g., require
github.ref == 'refs/heads/main' or allow refs/tags/* as appropriate) instead of
only checking github.event_name != 'pull_request', so manual runs on feature
branches cannot authenticate and push `latest`.
- Around line 25-32: The current "Set image tags" step (id: tags) builds TAGS
using date +%Y%m%d which is not unique per run; update the tag generation for
the TAGS variable to include a unique component (e.g., use date +%Y%m%d%H%M%S or
append github.run_id or GITHUB_RUN_NUMBER or a short GITHUB_SHA) so same-day
builds won't collide; modify the line that sets TAGS in that step to incorporate
the chosen unique token while keeping the existing latest and tag-ref behavior.
- Around line 22-46: The workflow uses mutable action tags (actions/checkout@v5,
docker/setup-buildx-action@v4, docker/login-action@v3,
docker/build-push-action@v6); replace each with the corresponding commit SHA for
that action to pin to an immutable revision: update the uses lines for
actions/checkout, docker/setup-buildx-action, docker/login-action, and
docker/build-push-action to use the specific commit SHAs (found from each repo’s
releases or tags) instead of the `@vX` tags, committing the updated workflow to
lock the supply chain.
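The tag computation and push guard that the three review points above ask for (run-unique tags, `latest` only from main, push only from main or a `v*` tag), written here as an added stand-alone example rather than taken from the PR's workflow; the image name, refs, SHA, run id and date are constructed inputs, with the date passed in so the result is deterministic.

```shell
#!/bin/sh
# Added example, not the PR's workflow. Pure functions so the logic can be
# checked outside CI; in the workflow the arguments would come from
# $GITHUB_REF, $GITHUB_SHA, $GITHUB_RUN_ID and "$(date -u +%Y%m%d)".
compute_tags() {
  image="$1"      # e.g. quay.io/example/app (constructed value)
  ref="$2"        # $GITHUB_REF, e.g. refs/heads/main or refs/tags/v1.2.0
  sha="$3"        # $GITHUB_SHA, full commit hash
  run_id="$4"     # run-unique value; pass "${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
                  # in CI so reruns of the same run get distinct tags too
  date_tag="$5"   # output of date -u +%Y%m%d, passed in for deterministic tests

  short_sha=$(printf '%s' "$sha" | cut -c1-7)
  # Always publish a run-unique tag: date + short SHA + run id.
  tags="${image}:${date_tag}-${short_sha}-${run_id}"
  case "$ref" in
    refs/heads/main)
      # Only main moves the mutable 'latest' tag.
      tags="${image}:latest,${tags}" ;;
    refs/tags/v*)
      # Version tags also publish a tag named after the git tag.
      tags="${tags},${image}:${ref#refs/tags/}" ;;
  esac
  printf '%s\n' "$tags"
}

# Mirrors the tightened 'if' guard for the login and push steps:
# never for pull_request events, and otherwise only on main or a v* tag.
# Prints "true" or "false".
should_push() {
  event="$1"      # $GITHUB_EVENT_NAME: push, schedule, workflow_dispatch, pull_request
  ref="$2"        # $GITHUB_REF
  [ "$event" = pull_request ] && { printf 'false\n'; return 0; }
  case "$ref" in
    refs/heads/main|refs/tags/v*) printf 'true\n' ;;
    *) printf 'false\n' ;;
  esac
}
```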
| - name: Checkout | ||
| uses: actions/checkout@v5 | ||
|
|
||
| - name: Set image tags | ||
| id: tags | ||
| run: | | ||
| TAGS="${IMAGE}:latest,${IMAGE}:$(date +%Y%m%d)" | ||
| if [[ "${{ github.ref }}" == refs/tags/v* ]]; then | ||
| TAGS="${TAGS},${IMAGE}:${GITHUB_REF_NAME}" | ||
| fi | ||
| echo "tags=${TAGS}" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v4 | ||
|
|
||
| - name: Log in to Quay.io | ||
| if: github.event_name != 'pull_request' | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: quay.io | ||
| username: ${{ secrets.QUAY_USERNAME }} | ||
| password: ${{ secrets.QUAY_PASSWORD }} | ||
|
|
||
| - name: Build and push | ||
| uses: docker/build-push-action@v6 |
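Review bot: in the "Set image tags" step, `"${{ github.ref }}"` is expanded into the script text before the shell runs; prefer the equivalent environment variable `$GITHUB_REF` inside `run:` blocks so that no workflow-context value is spliced into shell source. `github.ref` itself is tightly constrained, but keeping `${{ }}` out of `run:` is the habit that prevents expression injection when a less constrained value is used the same way later.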
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Verify mutable action refs in workflows
rg -nP '^\s*uses:\s*[^@]+@(?:v?\d+(?:\.\d+){0,2}|main|master)\s*$' .github/workflows
```
Repository: redhat-et/openclaw-infra
Length of output: 372
Pin GitHub Actions by commit SHA to reduce supply-chain risk.
All four actions use mutable version tags (@v5, @v4, @v3, @v6), allowing upstream retargeting. Pin each to a specific commit SHA instead.
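A small lint for the pinning recommendation above, added here as an example (not from the PR or from CodeRabbit): it reads workflow text on stdin and reports every `uses:` line whose ref is not a full 40-hex commit SHA. The sample workflow is constructed for the demo and its SHA is a placeholder, not a real action revision.

```shell
#!/bin/sh
# Added example: report third-party actions that are not pinned to a commit SHA.
# Prints "UNPINNED <action@ref>" per offending line and returns 1 if any exist.
lint_uses_pins() {
  rc=0
  while IFS= read -r line; do
    case "$line" in
      *"uses:"*) ;;                       # inspect only 'uses:' lines
      *) continue ;;
    esac
    spec=${line#*uses:}                   # e.g. " actions/checkout@v5 # v5"
    spec=${spec%%#*}                      # drop a trailing "# vX" comment
    spec=$(printf '%s' "$spec" | tr -d '[:space:]')
    case "$spec" in
      ./*|docker://*) continue ;;         # local or image refs: nothing to pin
    esac
    ref=${spec##*@}                       # text after the last '@'
    if printf '%s\n' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then
      continue                            # immutable commit SHA: fine
    fi
    printf 'UNPINNED %s\n' "$spec"
    rc=1
  done
  return $rc
}

# Constructed sample: one mutable tag, one SHA-pinned action (placeholder SHA,
# not a real revision), one local action.
SAMPLE_WORKFLOW='steps:
  - uses: actions/checkout@v5
  - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567 # v3 (placeholder)
  - uses: ./.github/actions/local-step'

lint_sample() { printf '%s\n' "$SAMPLE_WORKFLOW" | lint_uses_pins; }
```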
2cce133 to 61d8026
Builds the container image nightly and on Dockerfile changes to main, pushing to quay.io/aicatalyst/openclaw. PRs with Dockerfile changes trigger build-only (no push).
Required GitHub repository secrets:
QUAY_USERNAME - Quay.io robot account or username
QUAY_PASSWORD - Quay.io robot account token or password
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
e1c5854 to 62d63df
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/build-image.yml:
- Around line 29-31: The conditional checking refs/tags/v* is unreachable
because the workflow's push trigger only includes branches: [main]; either
enable tag pushes or remove the dead branch: update the workflow's on.push
configuration to include tags (for example add a tags pattern like v* or add a
separate push.tags entry) so that the refs/tags/v* condition can be true, or if
you don't want tag-triggered builds remove the TAGS append block entirely;
locate the block with the refs/tags/v* condition and either add tag patterns to
the push trigger or delete that conditional and its TAGS logic accordingly.
| if [[ "${{ github.ref }}" == refs/tags/v* ]]; then | ||
| TAGS="${TAGS},${IMAGE}:${GITHUB_REF_NAME}" | ||
| fi |
Tag version logic is unreachable — workflow never triggers on tag pushes.
The push trigger (lines 6-9) only fires for branches: [main]. Since there's no tags: filter, this refs/tags/v* condition will never match, making these lines dead code.
If you intend to publish versioned images on tag pushes, add a tags trigger:
Proposed fix to enable tag-triggered builds
on:
schedule:
- cron: '0 3 * * *' # Nightly at 3:00 UTC
push:
branches: [main]
+ tags:
+ - 'v*'
paths:
- 'Dockerfile'
Alternatively, remove the dead code if versioned tag publishing is not needed.
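Review bot: the proposed `tags: ['v*']` sits under the same `push` trigger as the existing `paths: ['Dockerfile']` filter; verify how path filtering is applied to tag pushes before relying on this, otherwise a `v*` tag whose commit does not touch the Dockerfile may never produce a versioned image. Confirming that behaviour (or documenting it next to the trigger) avoids a silently missing release build.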
📝 Committable suggestion
| if [[ "${{ github.ref }}" == refs/tags/v* ]]; then | |
| TAGS="${TAGS},${IMAGE}:${GITHUB_REF_NAME}" | |
| fi | |
| on: | |
| schedule: | |
| - cron: '0 3 * * *' # Nightly at 3:00 UTC | |
| push: | |
| branches: [main] | |
| tags: | |
| - 'v*' | |
| paths: | |
| - 'Dockerfile' |
- Add least-privilege permissions (contents: read) to build job
- Make image tags unique per run by appending short commit SHA
- Restrict image push and registry login to main branch only
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
♻️ Duplicate comments (2)
.github/workflows/build-image.yml (2)
27-36: ⚠️ Potential issue | 🟠 Major
`DATE_TAG` + short SHA still isn't unique per run. A rerun, nightly job, and manual dispatch for the same commit on the same day all publish the same `${DATE_TAG}-${SHA_TAG}` tag, so one run overwrites the previous image. Add a run-unique suffix such as `GITHUB_RUN_ID` or `GITHUB_RUN_NUMBER`. Suggested change
- DATE_TAG="$(date -u +%Y%m%d)" - SHA_TAG="${GITHUB_SHA::7}" - TAGS="${IMAGE}:latest,${IMAGE}:${DATE_TAG}-${SHA_TAG}" + DATE_TAG="$(date -u +%Y%m%d)" + SHA_TAG="${GITHUB_SHA::7}" + RUN_TAG="${GITHUB_RUN_ID}" + TAGS="${IMAGE}:latest,${IMAGE}:${DATE_TAG}-${SHA_TAG}-${RUN_TAG}"
🤖 Prompt for AI Agents
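Review bot: `GITHUB_RUN_ID` is kept when a run is re-run from the Actions UI; only `GITHUB_RUN_ATTEMPT` increments. So the suggested `${DATE_TAG}-${SHA_TAG}-${RUN_TAG}` still lets a rerun overwrite the image its first attempt produced, which is the very case the comment names. Append `${GITHUB_RUN_ATTEMPT}` as well, for example `RUN_TAG="${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"`, so every attempt gets a distinct tag.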
Verify each finding against the current code and only fix it if needed. In @.github/workflows/build-image.yml around lines 27 - 36, The current tag generation (variables DATE_TAG and SHA_TAG producing TAGS) can collide across runs; update the TAGS computation to append a run-unique suffix (use GITHUB_RUN_ID or GITHUB_RUN_NUMBER) to the DATE_TAG-SHA_TAG token so each workflow invocation produces a distinct tag; specifically modify the TAGS assignment that builds "${IMAGE}:${DATE_TAG}-${SHA_TAG}" to include "-${GITHUB_RUN_ID}" (or "-${GITHUB_RUN_NUMBER}") and ensure the new value is what gets echoed to GITHUB_OUTPUT under the tags step.
25-25: ⚠️ Potential issue | 🟠 Major
Pin each GitHub Action to an immutable commit SHA.
`@v5`/`@v4`/`@v3`/`@v6` are still mutable refs. That leaves the workflow exposed to upstream retargeting and makes builds less reproducible. Replace each `uses:` version tag with the full release commit SHA instead. What commit SHAs correspond to the current stable releases of actions/checkout v5, docker/setup-buildx-action v4, docker/login-action v3, and docker/build-push-action v6? Also applies to: 39-39, 43-43, 50-50
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/build-image.yml at line 25, Replace mutable version tags (`@v5`, `@4`, `@v3`, `@v6`) with the corresponding immutable commit SHAs for each GitHub Action usage so the workflow is hermetic; specifically update the uses entries for actions/checkout, docker/setup-buildx-action, docker/login-action, and docker/build-push-action in the workflow (the lines currently using "uses: actions/checkout@v5", "uses: docker/setup-buildx-action@v4", "uses: docker/login-action@v3", and "uses: docker/build-push-action@v6") to reference the full commit SHA of the release you want to pin, verify the SHAs against the official action repos/tags, and replace the tags with those SHAs across the workflow.
Builds the container image nightly and on Dockerfile changes to main, pushing to quay.io/aicatalyst/openclaw. PRs with Dockerfile changes trigger build-only (no push).
Required GitHub repository secrets:
QUAY_USERNAME - Quay.io robot account or username
QUAY_PASSWORD - Quay.io robot account token or password