Binary file removed .github/assets/icon-dark.webp
Binary file removed .github/assets/screenshot.webp
File renamed without changes.
51 changes: 51 additions & 0 deletions .github/docker-registry.yml
@@ -0,0 +1,51 @@
name: Build and Push Docker Image

on:
push:
tags:
- 'v*'

jobs:
docker:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract metadata for Docker image
id: meta
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/${{ github.repository_owner }}/voicebox
tags: |
type=semver,pattern={{version}}
type=raw,value=latest,enable=${{ github.ref == format('"refs/heads/{0}"', github.default_branch) }}
Contributor
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

docker/metadata-action is_default_branch enable tag semver

💡 Result:

docker/metadata-action supports the global expression {{is_default_branch}} (true when the branch that triggered the workflow run is the repository's default branch) and lets you use it to conditionally enable tag generation. Separately, it supports SemVer tags via the tag type type=semver with patterns like {{version}}.

Example (set a "latest" tag only when the workflow is triggered from the default branch, and also generate SemVer-derived tags from Git tag refs):

    tags: |
      # generate version tags from semver Git tags
      type=semver,pattern={{version}}
      # only add "latest" when this run is from the default branch
      type=raw,value=latest,enable={{is_default_branch}}

How it fits together:

- type=semver: used for SemVer tags when the workflow is triggered by a push to a Git tag, and uses a pattern such as {{version}} (or other semver components).
- {{is_default_branch}}: returns true only for runs triggered by the repo's default branch; you can place it in enable=... to conditionally emit certain tags (commonly used for "latest").

So the phrase "docker/metadata-action is_default_branch enable tag semver" corresponds to combining: 1) enable={{is_default_branch}} to gate a tag on default-branch runs, and 2) type=semver,pattern=... to emit SemVer tags.

latest tag will never be applied — broken condition and mismatched trigger.

Two problems with this line:

  1. This workflow only runs on push: tags: ['v*'], so github.ref is always refs/tags/vX.Y.Z — never refs/heads/<default_branch>. The enable expression can therefore never evaluate to true on this trigger.
  2. The format('"refs/heads/{0}"', github.default_branch) call wraps the result in literal double quotes, producing the string "refs/heads/main" (quotes included), which would never equal github.ref even on a branch push.

If the intent is to tag latest on semver releases from the default branch, use type=raw,value=latest,enable={{is_default_branch}} (supported by docker/metadata-action), which correctly handles tag pushes. Otherwise, drop the enable= clause to always apply latest on version-tag pushes.

🔧 Proposed fix
           tags: |
             type=semver,pattern={{version}}
-            type=raw,value=latest,enable=${{ github.ref == format('"refs/heads/{0}"', github.default_branch) }}
+            type=raw,value=latest,enable={{is_default_branch}}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker-registry.yml` at line 40, The current docker metadata line uses
enable=${{ github.ref == format('"refs/heads/{0}"', github.default_branch) }}
which can never be true for a tag push and also incorrectly injects literal
quotes; fix by replacing the broken enable clause: either remove the enable
parameter to always apply the "latest" tag on version-tag pushes, or use the
action-supported guard enable={{is_default_branch}} if you only want "latest"
when the tag was created from the default branch; update the line containing
type=raw,value=latest,... accordingly.


- name: Build and push with metadata
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
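Review bot: every action in this job is referenced by a floating major tag (actions/checkout@v4, docker/setup-qemu-action@v3, docker/setup-buildx-action@v3, docker/login-action@v3, docker/metadata-action@v5, docker/build-push-action@v5) while the job holds packages: write and pushes to ghcr.io with GITHUB_TOKEN, so an upstream tag moved to a malicious commit would be able to publish arbitrary images under the owner's namespace; pin each `uses:` to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<40-hex-sha> # v4`. Separately, the file header shows this hunk adding .github/docker-registry.yml, which is not under .github/workflows/, so the `on: push: tags: ['v*']` trigger will not fire until the file is moved there.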
Comment on lines +1 to +51
Contributor

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify the Docker registry workflow is in GitHub Actions' discovery directory.

set -euo pipefail

echo "Workflow files found:"
fd -a '^docker-registry\.ya?ml$' . 2>/dev/null || true

test -f .github/workflows/docker-registry.yml

Repository: jamiepine/voicebox

Length of output: 139


Move this workflow under .github/workflows so it actually runs.

The current path is github/workflows/docker-registry.yml, missing the leading dot. GitHub Actions will not discover this workflow there, so v* tag pushes will not trigger the GHCR publish job.

🔧 Proposed fix
-github/workflows/docker-registry.yml
+.github/workflows/docker-registry.yml
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@github/workflows/docker-registry.yml` around lines 1 - 51, The workflow
"Build and Push Docker Image" that triggers on push tags 'v*' is not placed
where GitHub Actions will discover it; move the workflow file (the one named
docker-registry.yml) into the repository's GitHub Actions workflows directory so
the runner picks up the on: push tags trigger, keeping the existing job
definitions (docker job, permissions, checkout, login, metadata and build/push
steps) and tags/labels configuration unchanged; after moving, verify the push
trigger (tags: - 'v*') and registry login inputs (username/password) are still
correct.
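Added example, not code from the voicebox repository or from the reviewer above: a dependency-free Python lint that turns the two findings so far (a workflow path GitHub will not discover, and a latest gate that can never be true on a tags-only trigger) into mechanical checks over the raw workflow text, and adds a check for actions pinned to mutable refs. The workflow text is reproduced from the diff, re-indented and trimmed to the steps the checks look at; scanning lines with regular expressions instead of parsing YAML is a simplification chosen here so the script runs with the standard library only.

```python
"""Mechanical checks for a GitHub Actions image-publish workflow.

Added example, not from the voicebox repository. It scans the raw workflow
text line by line (no PyYAML) and reports: a file path GitHub will not
discover, a `latest` gate that can never be true on a tags-only trigger
(including the literal-quote format() bug), and actions pinned to mutable
refs instead of commit SHAs.
"""
import re

# Constructed input: the workflow from the diff on this page, re-indented and
# trimmed to the steps the checks look at (QEMU, Buildx and build-push omitted).
WORKFLOW_TEXT = """\
name: Build and Push Docker Image

on:
  push:
    tags:
      - 'v*'

jobs:
  docker:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata for Docker image
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ghcr.io/${{ github.repository_owner }}/voicebox
          tags: |
            type=semver,pattern={{version}}
            type=raw,value=latest,enable=${{ github.ref == format('"refs/heads/{0}"', github.default_branch) }}
"""

WORKFLOW_PATH = re.compile(r"^\.github/workflows/[^/]+\.ya?ml$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# format() whose template starts with a quote character inside the quotes
QUOTED_FORMAT = re.compile(r"""format\(\s*['"]["']""")


def check_path(path):
    """GitHub only discovers workflows directly under .github/workflows/."""
    if WORKFLOW_PATH.match(path):
        return []
    return [f"{path}: not under .github/workflows/, so the workflow never runs"]


def on_block(text):
    """Lines belonging to the top-level `on:` key (indented or blank lines)."""
    lines = text.splitlines()
    if "on:" not in lines:
        return []
    block = []
    for line in lines[lines.index("on:") + 1:]:
        if line and not line[0].isspace():  # next top-level key
            break
        block.append(line)
    return block


def check_latest_gate(text):
    """Flag an enable= condition on the latest tag that cannot be satisfied."""
    trigger = on_block(text)
    tags_only = any(l.strip() == "tags:" for l in trigger) and not any(
        l.strip().startswith("branches") for l in trigger)
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("type=raw,value=latest,enable="):
            continue
        cond = stripped.split("enable=", 1)[1]
        if tags_only and "refs/heads/" in cond:
            findings.append("latest gate compares github.ref to refs/heads/* "
                            "but the workflow only runs on tag pushes")
        if QUOTED_FORMAT.search(cond):
            findings.append("latest gate: format() template embeds literal "
                            "quote characters, so the comparison never matches")
    return findings


def check_pinning(text):
    """A job with packages: write should pin third-party actions to commit SHAs."""
    findings = []
    for line in text.splitlines():
        m = USES_LINE.match(line)
        if m and not FULL_SHA.match(m.group(2)):
            findings.append(f"{m.group(1)}@{m.group(2)}: mutable ref, not a commit SHA")
    return findings


def lint_workflow(path, text):
    """All findings for one workflow file, path first."""
    return check_path(path) + check_latest_gate(text) + check_pinning(text)


if __name__ == "__main__":
    for finding in lint_workflow(".github/docker-registry.yml", WORKFLOW_TEXT):
        print("-", finding)
```

Run against the reproduced workflow it reports six findings: the path, both defects in the latest gate, and the three unpinned actions. Replacing the gate with enable={{is_default_branch}} clears the gate findings; a full 40-hex commit SHA after @ clears a pinning finding.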

Comment on lines +42 to +51
Contributor

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
fd -HI -t f '^Dockerfile' .
rg -n 'latest-(cuda|rocm)' docs/ || true

Repository: jamiepine/voicebox

Length of output: 563


🏁 Script executed:

cat -n .github/docker-registry.yml

Repository: jamiepine/voicebox

Length of output: 1761


Update documentation or extend workflow to build CUDA/ROCm variants.

The workflow only builds a single image variant tagged {{version}}/latest, but docs/plans/DOCKER_DEPLOYMENT.md advertises latest-cuda and latest-rocm image variants. Extend the workflow with a matrix strategy to build both variants, or remove the variant references from the documentation.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/docker-registry.yml around lines 42 - 51, The workflow step "Build
and push with metadata" currently builds a single image; update the job to
produce CUDA and ROCm variants (or remove docs references). Change the job to
use a matrix (e.g., matrix.variant: [cpu, cuda, rocm]) or add two dedicated jobs
that call docker/build-push-action@v5, passing variant-specific build-args and
tags (e.g., set tags to include "${{ steps.meta.outputs.tags }}-cuda" and
"-rocm" or compute tags from matrix.variant), and adjust platforms/cache inputs
accordingly so both latest-cuda and latest-rocm images are built and pushed;
alternatively, if you choose not to build variants, remove the
"latest-cuda"/"latest-rocm" references from docs/plans/DOCKER_DEPLOYMENT.md.
Ensure changes reference the existing "Build and push with metadata" step and
preserve using docker/build-push-action@v5 and steps.meta outputs.

File renamed without changes.