Workflow to build tutorial agents on commits #163

RoxyFarhad · 2025-10-22T21:13:31Z

🔧 Add Automated Tutorial Agent Build Pipeline

Summary

Introduces a CI/CD pipeline that automatically builds and deploys tutorial agent Docker images with intelligent change detection and maintainer-only manual overrides. These images are used by the scale-agentex repo as part of integration testing.

Key Features

🎯 Smart Change Detection

Git diff automatically detects which tutorial agents have changes
Only builds changed agents (vs all 17+ agents every time)
Matrix parallelization for faster builds

🔐 Access Control

Manual rebuild_all flag restricted to admin/maintainer permissions
Permission validation via GitHub API for workflow dispatch

🚀 Multi-Trigger Support

Pull Requests: Validate builds (no registry push)
Main Branch: Build + push to GHCR (latest tag)
Manual Override: rebuild_all=true rebuilds all agents

Workflow Behavior

Trigger	Builds	Registry Push	Use Case
Pull Request	Changed only	❌	Pre-merge validation
Push to Main	Changed only	✅	Production deployment
Manual rebuild_all=true	All agents	✅	Full rebuild

Usage

Manual rebuild all agents (maintainers only)
gh workflow run build-and-push-tutorial-agent.yml --field rebuild_all=true

Benefits

Faster CI: Only builds what changed
Secure: Prevents unauthorized expensive builds
Reliable: PR validation catches issues before merge
Visible: Clear job names per agent

Images published to ghcr.io/{owner}/{repo}/tutorial-agents/{agent-name}:latest

.github/workflows/build-and-push-tutorial-agent.yml

semgrep-app · 2025-10-22T21:44:03Z

.github/workflows/build-and-push-tutorial-agent.yml

+        run: |
+          # Remove examples/tutorials/ prefix and replace / with -
+          AGENT_NAME=$(echo "${{ inputs.agent_path }}" | sed 's|^examples/tutorials/||' | sed 's|/|-|g')
+          echo "AGENT_NAME=$AGENT_NAME" >> $GITHUB_ENV
+          echo "agent_name=$AGENT_NAME" >> $GITHUB_OUTPUT
+          echo "Agent name set to $AGENT_NAME"
+


Semgrep identified an issue in your code:
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

/fp <comment> for false positive

/ar <comment> for acceptable risk

/other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection.

_{You can view more details about this finding in the Semgrep AppSec Platform.}

.github/workflows/build-and-push-tutorial-agent.yml