ci(codeapi): publish GHCR images #3

Merged
rschlaefli merged 1 commit into main from codex/build-codeapi-ghcr-images
Jun 29, 2026

@rschlaefli rschlaefli commented Jun 29, 2026


What This Adds

This PR adds a GitHub Actions workflow that publishes the CodeAPI runtime images to GHCR when main is updated, with manual dispatch available as well.

How It Works

  • Builds the seven deployment images under ghcr.io/uzh-bf/code-interpreter/*.
  • Tags each image with the full github.sha and main.
  • Uses pinned Docker actions and the repository GITHUB_TOKEN with packages: write.
  • Builds API, worker, file-server, tool-call-server, and egress-gateway as linux/amd64,linux/arm64.
  • Builds sandbox-runner and package-init as linux/amd64 for the dedicated KVM pool.

Branch Coverage

  • Base: main
  • Head: 1324330
  • Reviewed: 1 commit, 1 new workflow file
  • Diff: .github/workflows/build-codeapi-images.yml added, 88 lines

Review Focus

  • Image names and tags match the df-cloud staging rollout plan.
  • Service images use their production targets; sandbox-runner uses the sandbox-runner target.
  • codeapi-package-init is single-stage, so its empty target matrix value is intentional.
  • After first publish, GHCR package visibility still needs an operational decision: make all packages public and drop AKS pull secrets, or keep private packages and provide DOCKER_AUTH.

Verification

Current head:

  • ruby -e 'require "yaml"; YAML.load_file(".github/workflows/build-codeapi-images.yml"); puts "yaml ok"' -> passed
  • npm exec --package prettier@2.4.1 -- prettier --check .github/workflows/build-codeapi-images.yml -> passed
  • docker buildx build --check -> passed for all seven Dockerfiles/targets
  • opencode-go/glm-5.2 --variant max review -> no blockers; accepted simplification/traceability findings
  • GitHub CI run 28380177191 -> API Unit Tests passed, Service Unit Tests passed

Not run:

  • GitHub Actions image build has not run yet because this workflow must exist on main before it can publish the first images.

Security / Privacy

  • No secrets are added.
  • GHCR login uses the repository-scoped GITHUB_TOKEN.
  • Runtime AKS pull behavior is not decided here; df-cloud will handle public-package/no-secret versus private-package/DOCKER_AUTH after the first push.

Blocking Before Merge

None beyond normal workflow review.

Follow-Up After Merge

  • Monitor the first Build CodeAPI Images workflow run on main.
  • Record the resulting commit SHA and image availability in the df-cloud rollout plan.
  • Decide GHCR package visibility, then either remove df-cloud registry pull secrets or populate Infisical DOCKER_AUTH.
  • Update df-cloud Helm values with the image-producing commit SHA and matching chart targetRevision.

@rschlaefli rschlaefli marked this pull request as ready for review June 29, 2026 15:02
@rschlaefli rschlaefli merged commit 3d57f88 into main Jun 29, 2026
2 checks passed
@rschlaefli rschlaefli deleted the codex/build-codeapi-ghcr-images branch June 29, 2026 15:02
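
Added example, not part of the PR or the project's code: the description says each image is tagged with both the full github.sha and main, and the follow-up pins df-cloud Helm values to the image-producing commit SHA. A check like the one below rejects deployment references that use the mutable main tag or anything other than the recorded full SHA. Only the registry prefix comes from the PR; the image names, values layout and SHA are constructed for illustration.

```python
import re

# Registry prefix taken from the PR description; all sample data is constructed.
PREFIX = "ghcr.io/uzh-bf/code-interpreter/"
FULL_SHA = re.compile(r"[0-9a-f]{40}")
IMAGE_REF = re.compile(r"ghcr\.io/[\w.\-/]+(?::[\w.\-]+)?")

SAMPLE_SHA = "0123456789abcdef0123456789abcdef01234567"  # constructed commit SHA
SAMPLE_VALUES = f"""
api:
  image: ghcr.io/uzh-bf/code-interpreter/codeapi-api:{SAMPLE_SHA}
worker:
  image: ghcr.io/uzh-bf/code-interpreter/codeapi-worker:main
packageInit:
  image: ghcr.io/uzh-bf/code-interpreter/codeapi-package-init:0123456
fileServer:
  image: ghcr.io/uzh-bf/code-interpreter/codeapi-file-server
egress:
  image: ghcr.io/other-org/egress-gateway:{SAMPLE_SHA}
"""  # constructed values file; real Helm values may split repository and tag


def classify(ref, expected_sha):
    """Return 'ok' or the reason a single image reference is rejected."""
    if not ref.startswith(PREFIX):
        return "unexpected repository"
    _, _, tag = ref[len(PREFIX):].partition(":")
    if not tag:
        return "no tag (resolves to latest)"
    if tag == "main":
        return "mutable tag 'main'"
    if not FULL_SHA.fullmatch(tag):
        return "tag is not a full 40-hex commit SHA"
    if tag != expected_sha:
        return "SHA differs from the recorded rollout commit"
    return "ok"


def audit(values_text, expected_sha):
    """Scan deployment values text; return {ref: reason} for rejected refs."""
    results = {ref: classify(ref, expected_sha)
               for ref in IMAGE_REF.findall(values_text)}
    return {ref: why for ref, why in results.items() if why != "ok"}


if __name__ == "__main__":
    for ref, why in audit(SAMPLE_VALUES, SAMPLE_SHA).items():
        print(f"REJECT {ref}: {why}")
```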