ci(build): add check-build workflow to verify docker images#300
|
| name: Detect Changes | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| console: ${{ steps.filter.outputs.console }} | ||
| core-api: ${{ steps.filter.outputs.core-api }} | ||
| worker: ${{ steps.filter.outputs.worker }} | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v5 | ||
|
|
||
| - name: Filter changed files | ||
| uses: dorny/paths-filter@v3 | ||
| id: filter | ||
| with: | ||
| filters: | | ||
| console: | ||
| - 'console/**' | ||
| - 'console/.dockerignore' | ||
| - 'console/Dockerfile' | ||
| core-api: | ||
| - 'core-api/**' | ||
| - 'core-api/.dockerignore' | ||
| - 'core-api/Dockerfile' | ||
| worker: | ||
| - 'worker/**' | ||
| - 'worker/.dockerignore' | ||
| - 'worker/Dockerfile' | ||
|
|
||
| build-console: |
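Review bot: actions/checkout@v5 and dorny/paths-filter@v3 in the changes job are referenced by floating major tags; pin each `uses:` to a full commit SHA (keeping the tag in a trailing comment) so a retagged release cannot silently change what runs with GITHUB_TOKEN. One more thing to verify before adopting the workflow-level `contents: read` block that the CodeQL autofix proposes: on pull_request events dorny/paths-filter lists changed files through the GitHub API and its README asks for `pull-requests: read`, while a workflow-level `permissions:` block sets every scope it does not name to none. If the filter does need that scope, give the changes job its own `permissions:` with both `contents: read` and `pull-requests: read` rather than widening the workflow-level block.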
Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 26 days ago):
In general, the fix is to explicitly define a permissions block in the workflow (either at the top level or per job) that grants only the scopes required. This workflow reads repository contents (for actions/checkout and dorny/paths-filter) and builds Docker images locally without pushing or modifying GitHub resources. Therefore, contents: read is sufficient for all jobs.
The best minimal fix without changing functionality is to add a root-level permissions block right after the name: (or before jobs:) in .github/workflows/check-build.yml:
permissions:
  contents: read

This block applies to all jobs that do not override permissions, which is the case here. No other scopes (packages, pull-requests, etc.) are needed because the workflow does not push images, publish packages, or update PRs. No imports or additional definitions are required since this is pure YAML configuration.
Concretely:
- Edit .github/workflows/check-build.yml.
- Insert the permissions block between line 2 and line 3 (after name: Check Build and its blank line, before on:).
- Leave all jobs unchanged; they will inherit this least-privilege configuration automatically.
| @@ -1,5 +1,8 @@ | ||
| name: Check Build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: |
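Review bot: this same three-line suggestion is emitted once per job (five times on this page) with two different insertion points, before `on:` here and after `on:` in the second copy; apply it once, and pick one spot. Note that a workflow-level block sets every scope it does not list to none, so any job that needs something beyond `contents: read` has to declare its own job-level `permissions:` rather than rely on the default.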
| name: Build Docker - Console | ||
| runs-on: ubuntu-latest | ||
| needs: changes | ||
| if: needs.changes.outputs.console == 'true' | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v5 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Build Docker image (Console) | ||
| uses: docker/build-push-action@v5 | ||
| with: | ||
| context: ./console | ||
| push: false | ||
| load: true | ||
| tags: oasm/oasm-console:test | ||
|
|
||
| build-core-api: |
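Review bot: build-console, build-core-api and build-worker differ only in the context directory and the image tag; a single job with `strategy.matrix` over the service name, gated on the matching `needs.changes.outputs.<service>` value, would keep the three copies from drifting. Also pin docker/setup-buildx-action@v3 and docker/build-push-action@v5 to commit SHAs like the other actions. With `push: false` and `load: true` the image only lands in the runner's local daemon, so the `tags:` value just names that local image; if the goal is to "verify" the image rather than only prove it builds, a follow-up step that inspects or scans `oasm/oasm-console:test` would belong here.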
Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 26 days ago):
In general, the fix is to add an explicit permissions block limiting the GITHUB_TOKEN to the least privileges required. Since this workflow only checks out code and builds Docker images locally (with push: false), it only needs to read repository contents. The simplest and safest approach is to define a root‑level permissions: block so it applies to all jobs that do not override it.
Concretely, in .github/workflows/check-build.yml, add:
permissions:
  contents: read

between the on: block and the jobs: block (e.g., after line 11, before line 13). This documents that the workflow only needs read access to repository contents and ensures that even if repo defaults are changed to read-write in the future, this workflow keeps using restricted permissions. No additional imports or methods are needed, as this is a pure YAML configuration change.
| @@ -10,6 +10,9 @@ | ||
| - reopened | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| # Detect file changes | ||
| changes: |
| name: Build Docker - Core API | ||
| runs-on: ubuntu-latest | ||
| needs: changes | ||
| if: needs.changes.outputs.core-api == 'true' | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v5 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Build Docker image (Core API) | ||
| uses: docker/build-push-action@v5 | ||
| with: | ||
| context: ./core-api | ||
| push: false | ||
| load: true | ||
| tags: oasm/oasm-api:test | ||
|
|
||
| build-worker: |
Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 26 days ago):
In general, this issue is fixed by explicitly defining a permissions block either at the top workflow level (applies to all jobs) or for each job individually, and granting only the scopes actually required. Since all jobs here only need to read repository contents to run actions/checkout and filters/builds, the minimal necessary permission is contents: read.
The best fix without changing any existing functionality is to add a workflow‑level permissions block near the top of .github/workflows/check-build.yml, alongside name and on, so that all jobs (changes, build-console, build-core-api, build-worker, check-build, etc.) inherit contents: read. No job appears to require write access or any other privileged scope. Concretely, insert:
permissions:
  contents: read

between the name: Check Build and the on: block. This does not require any new imports or changes to steps, as GitHub Actions interprets the permissions key natively.
| @@ -1,5 +1,8 @@ | ||
| name: Check Build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: |
| name: Build Docker - Worker | ||
| runs-on: ubuntu-latest | ||
| needs: changes | ||
| if: needs.changes.outputs.worker == 'true' | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v5 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Build Docker image (Worker) | ||
| uses: docker/build-push-action@v5 | ||
| with: | ||
| context: ./worker | ||
| push: false | ||
| load: true | ||
| tags: oasm/oasm-worker:test | ||
|
|
||
| check-build: |
Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 26 days ago):
To fix the problem, explicitly set permissions for the GITHUB_TOKEN in the workflow, restricting it to the least privilege needed. Since this workflow only checks out code and builds Docker images without pushing, it only needs read access to the repository contents. The most appropriate fix is to add a top-level permissions block with contents: read, which will apply to all jobs that do not define their own permissions.
Concretely, in .github/workflows/check-build.yml, add:
permissions:
  contents: read

near the top of the file, alongside name and on. This ensures every job (changes, build-console, build-core-api, build-worker, and check-build) runs with a read-only GITHUB_TOKEN for repository contents. No additional imports or methods are needed, as this is purely a YAML configuration change.
| @@ -1,5 +1,8 @@ | ||
| name: Check Build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: |
| name: Check Build - All Services | ||
| runs-on: ubuntu-latest | ||
| needs: [build-console, build-core-api, build-worker] | ||
| if: needs.build-console.result == 'success' || needs.build-core-api.result == 'success' || needs.build-worker.result == 'success' | ||
| steps: | ||
| - name: Check if all builds passed | ||
| run: | | ||
| FAILED=0 | ||
|
|
||
| if [ "${{ needs.build-console.result }}" == "failure" ]; then | ||
| echo "Console build failed" | ||
| FAILED=1 | ||
| fi | ||
|
|
||
| if [ "${{ needs.build-core-api.result }}" == "failure" ]; then | ||
| echo "Core API build failed" | ||
| FAILED=1 | ||
| fi | ||
|
|
||
| if [ "${{ needs.build-worker.result }}" == "failure" ]; then | ||
| echo "Worker build failed" | ||
| FAILED=1 | ||
| fi | ||
|
|
||
| if [ $FAILED -eq 1 ]; then | ||
| echo "One or more Docker builds failed" | ||
| exit 1 | ||
| fi | ||
| echo "All Docker builds passed successfully" |
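Review bot: the `if:` on check-build contains no status-check function, so GitHub implicitly wraps it in `success()`; the job then only runs when every job in `needs` succeeded and is itself skipped as soon as any build fails or is skipped (for example on a PR that touches only console/, where build-core-api and build-worker are skipped). The `== "failure"` branches in the `run:` script therefore never execute, and a failed build surfaces as a skipped gate instead of a red check. Change the condition to `if: ${{ !cancelled() }}` (or `always()`) and keep the shell checks; treat `skipped` as a pass, and treat `cancelled` the same way as `failure` so a cancelled build cannot satisfy the gate.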
Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 26 days ago):
To fix this, define explicit minimal GITHUB_TOKEN permissions in the workflow. Since the jobs only need to read the repository contents (for actions/checkout) and do local Docker builds, they can safely run with contents: read and no other elevated scopes.
The best way with minimal functional impact is to add a permissions: block at the top (workflow root) so it applies to all jobs, including check-build. Concretely:
- In .github/workflows/check-build.yml, after name: Check Build (line 1) and before on: (line 3), insert:

permissions:
  contents: read

This documents that the workflow only needs read access to the repository contents and ensures the GITHUB_TOKEN is restricted even if repo/org defaults are broader. No other imports or methods are required.
| @@ -1,5 +1,8 @@ | ||
| name: Check Build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: |
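The CodeQL finding repeated above (a workflow whose GITHUB_TOKEN scopes are never declared) and the autofix's claim that one workflow-level `contents: read` block covers every job can both be checked mechanically before merging. The script below is an added example written for this review, not code from the PR or the project. It reads a workflow with a small indentation-aware scanner (standard library only, no YAML parser) and assumes the usual layout of top-level keys at column 0 and job ids indented under `jobs:`. It reports the jobs that neither inherit a workflow-level `permissions:` block nor declare their own and, going one step beyond the CodeQL rule, lists every `uses:` reference pinned to a mutable tag rather than a 40-character commit SHA. The embedded sample workflow is constructed to mirror the shape of check-build.yml; the 40-hex SHA in it is a placeholder, not a real commit.

```python
"""Static audit of a GitHub Actions workflow file for two hardening points.

Added example for this review, not code from the PR or the project. It
reads the workflow with a small indentation-aware scanner (standard library
only) and assumes the usual layout: top-level keys at column 0 and job ids
indented under `jobs:`.

Reported:
  * jobs that neither inherit a workflow-level `permissions:` block nor
    declare their own (the CodeQL "Workflow does not contain permissions"
    finding);
  * `uses:` references pinned to a mutable tag or branch instead of a
    full 40-hex commit SHA (beyond the CodeQL rule, but the same threat
    model: a retagged action changes what runs with GITHUB_TOKEN).
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^-?\s*uses:\s*([^\s#]+)")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def audit_workflow(text: str) -> dict:
    top_permissions = False
    jobs = {}              # job id -> True if the job declares its own permissions
    unpinned = []          # (job id, uses reference) for non-SHA refs
    in_jobs = False
    job_indent = None      # column of job ids under `jobs:`
    job_key_indent = None  # column of keys inside the current job
    current_job = None

    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        ind = _indent(raw)

        if ind == 0:                                   # top-level key
            in_jobs = stripped.startswith("jobs:")
            current_job = None
            if stripped.startswith("permissions:"):
                top_permissions = True
            continue
        if not in_jobs:
            continue

        if job_indent is None:
            job_indent = ind
        if ind == job_indent and stripped.endswith(":"):   # a new job id
            current_job = stripped[:-1]
            jobs[current_job] = False
            job_key_indent = None
            continue
        if current_job is None:
            continue
        if job_key_indent is None:
            job_key_indent = ind
        if ind == job_key_indent and stripped.startswith("permissions:"):
            jobs[current_job] = True

        m = USES_RE.match(stripped)
        if m:
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):
                continue                               # nothing to pin
            _, _, version = ref.partition("@")
            if not SHA_RE.match(version):
                unpinned.append((current_job, ref))

    # A workflow-level block is inherited by every job that has none of its own.
    missing = [] if top_permissions else [j for j, own in jobs.items() if not own]
    return {
        "top_level_permissions": top_permissions,
        "jobs_without_permissions": missing,
        "unpinned_actions": unpinned,
    }


# Constructed sample mirroring the shape of the PR's check-build.yml.
# The 40-hex SHA is a placeholder, not a real commit.
SAMPLE_BEFORE = """\
name: Check Build

on:
  pull_request:
    branches:
      - main

jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: dorny/paths-filter@v3
        id: filter
  build-console:
    runs-on: ubuntu-latest
    needs: changes
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: docker/build-push-action@v5
        with:
          context: ./console
          push: false
"""

# Same workflow with the autofix's workflow-level block applied.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "jobs:\n", "permissions:\n  contents: read\n\njobs:\n", 1)

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_workflow(sample))
```

To run it on the real file, pass the contents of `.github/workflows/check-build.yml` to `audit_workflow`. The "after" result shows what the autofix does and does not buy: the list of jobs without permissions empties once the workflow-level block is present, while the list of tag-pinned actions is unchanged, so the second finding has to be addressed separately.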
Code Review
This pull request disables the pre-commit linting hooks, which is a significant change that lowers the code quality gate. Disabling these checks can lead to inconsistent code styles and potential bugs being introduced into the codebase. Furthermore, the pull request title, "ci(build): add check-build workflow to verify docker images", is misleading as the changes do not add any CI workflow but instead remove a local quality check. This change should be reverted unless there is a very strong and well-documented reason for it.
| # echo "Running lint check..." | ||
| # cd core-api && npm run lint | ||
| # if [ $? -ne 0 ]; then | ||
| # echo "Lint check failed in core-api. Please fix lint errors before committing." | ||
| # exit 1 | ||
| # fi | ||
|
|
||
| cd ../console && npm run lint | ||
| if [ $? -ne 0 ]; then | ||
| echo "Lint check failed in console. Please fix lint errors before committing." | ||
| exit 1 | ||
| fi | ||
| # cd ../console && npm run lint | ||
| # if [ $? -ne 0 ]; then | ||
| # echo "Lint check failed in console. Please fix lint errors before committing." | ||
| # exit 1 | ||
| # fi |
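Review bot: with `cd core-api && npm run lint` commented out, the still-active `cd ../console && npm run lint` runs from the repository root and resolves to the directory above the repository, so the hook either fails or lints the wrong tree for anyone who still has it installed; if the core-api step goes, make the console step `cd` from the repository root instead of relying on the previous `cd`. The console block also now appears twice, once active and once commented, which leaves the intended final state unclear; decide on one, and explain in the PR description why the lint hook is being disabled rather than leaving commented-out code behind.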
Disabling the pre-commit lint checks is a significant regression in the development process. These hooks are essential for maintaining code quality and consistency across the project. By commenting them out, you are allowing developers to commit code that may not adhere to the project's style guidelines, potentially introducing errors and making the code harder to review and maintain. If these checks are causing issues, the underlying problems should be fixed rather than disabling the checks entirely. Please re-enable these checks.
echo "Running lint check..."
cd core-api && npm run lint
if [ $? -ne 0 ]; then
echo "Lint check failed in core-api. Please fix lint errors before committing."
exit 1
fi
cd ../console && npm run lint
if [ $? -ne 0 ]; then
echo "Lint check failed in console. Please fix lint errors before committing."
exit 1
fi
No description provided.