@ADobrodey ADobrodey commented Oct 20, 2025

Summary of changes

Introduction of custom PR label to allow push to GHCR pre-release images

Changes introduced in this pull request:

  • Added support for custom labels: push-slim-to-ghcr and push-fat-to-ghcr

Reference issue to close (if applicable)

Closes

Other information and links

Change checklist

  • I have performed a self-review of my own code,
  • I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
  • I have added tests that prove my fix is effective or that my feature works (if possible),
  • I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Summary by CodeRabbit

  • Chores
    • Added a new manual CI workflow to build and publish development Docker images to the project container registry.
    • Workflow lets you select a branch or commit, enforces concurrency, runs on Ubuntu with a timeout, builds a multi-arch (fat) image for linux/amd64, and pushes images with date- and SHA-derived tags and metadata.

Signed-off-by: Alexander Dobrodey <8377544+ADobrodey@users.noreply.github.com>
@ADobrodey ADobrodey requested a review from a team as a code owner October 20, 2025 15:59
@ADobrodey ADobrodey requested review from akaladarshi and hanabi1224 and removed request for a team October 20, 2025 15:59

coderabbitai bot commented Oct 20, 2025

Walkthrough

Adds a new GitHub Actions workflow at .github/workflows/docker-dev.yml that can be manually triggered to build a fat Docker image (linux/amd64) via Buildx, tag it with date and SHA, and push it to GHCR (ghcr.io/chainsafe/forest).

Changes

| Cohort / File(s) | Summary |
|---|---|
| New Docker Build Workflow: .github/workflows/docker-dev.yml | Adds a workflow_dispatch workflow named "Build Dev Docker Image" with a git_ref input and concurrency group; job build-and-push-docker-image on ubuntu-24.04 that checks out the specified ref, sets up Docker Buildx, logs into ghcr.io with GITHUB_TOKEN, generates Docker metadata (image ghcr.io/chainsafe/forest, date/sha tags, fat-image flavor), builds for linux/amd64, and pushes image and labels. |

Sequence Diagram(s)

sequenceDiagram
  participant Maintainer as Maintainer
  participant GH as GitHub Actions
  participant Repo as Repository
  participant Buildx as Docker Buildx
  participant GHCR as GHCR

  Note over Maintainer,GH: Manual trigger (workflow_dispatch) with `git_ref`
  Maintainer->>GH: trigger workflow
  GH->>Repo: checkout specified ref
  GH->>Buildx: setup buildx
  GH->>GHCR: authenticate using GITHUB_TOKEN
  GH->>GH: generate metadata (ghcr.io/chainsafe/forest, date/sha tags)
  GH->>Buildx: build fat-image (linux/amd64)
  Buildx->>GHCR: push image with tags & labels
  GH->>Maintainer: complete (success/failure)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested reviewers

  • hanabi1224
  • akaladarshi

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title Check | ⚠️ Warning | The PR title states "push PR images to GHCR when a custom label is provided," which describes triggering via custom PR labels. However, the raw summary shows the actual implementation adds a GitHub Actions workflow triggered via workflow_dispatch with a git_ref input parameter, not by custom labels. The PR comments indicate discussion about moving from label-based triggering to manual workflow_dispatch triggering, which was preferred as more flexible. This creates a mismatch between the title's description of the triggering mechanism and the actual implementation shown in the changeset. | The title should be updated to accurately reflect that the workflow uses manual workflow_dispatch triggering rather than custom PR labels. A more accurate title might be "feat: add manual workflow to push Docker images to GHCR" or similar, which would correctly describe the implementation shown in the changeset. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

Comment @coderabbitai help to get the list of available commands and usage tips.
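
An added sketch of the manually dispatched workflow the walkthrough above describes; it is not the docker-dev.yml merged in this PR. The action versions, timeout value, concurrency group, permissions block and both `context` settings are assumptions made for the illustration.

```yaml
# Added illustration, not the project's file. Values marked "assumed" are not from the PR.
name: Build Dev Docker Image

on:
  workflow_dispatch:
    inputs:
      git_ref:
        description: "Branch, tag or commit SHA to build"
        required: true
        type: string

# Assumed grouping: one run per requested ref at a time.
concurrency:
  group: ${{ github.workflow }}-${{ inputs.git_ref }}
  cancel-in-progress: true

# Assumed least-privilege scope for GITHUB_TOKEN: read the repo, write to GHCR only.
permissions:
  contents: read
  packages: write

jobs:
  build-and-push-docker-image:
    runs-on: ubuntu-24.04
    timeout-minutes: 60 # assumed value
    steps:
      # git_ref is only passed as an action input, never expanded inside a run: script.
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.git_ref }}
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/chainsafe/forest
          # Take {{sha}} from the checked-out commit, not from the ref the run was dispatched on.
          context: git
          # Dev images never move the "latest" tag.
          flavor: |
            latest=false
          tags: |
            type=raw,value={{date 'YYYY-MM-DD'}}-{{sha}}-fat
      - uses: docker/build-push-action@v6
        with:
          # Build the checked-out tree rather than the default remote Git context.
          context: .
          target: fat-image
          platforms: linux/amd64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
```

Because the only tag produced is the date-and-SHA one, a dispatched build cannot overwrite a moving tag such as edge or latest.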


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/docker.yml (1)

193-193: Augmented push conditions now support custom PR labels—functional but could be more explicit.

The changes correctly enable pushing images when specific PR labels (push-fat-to-ghcr, push-slim-to-ghcr) are applied. The logic is sound: the fat and slim image steps will now push to GHCR on main/tags or when the corresponding label is present on a PR. The platforms logic (line 195, 222) remains unchanged, so PR builds will still only use amd64, which is consistent with the available artifacts.

However, the PR label checks (contains(github.event.pull_request.labels.*.name, ...)) access event properties that may not exist on push events. This relies on short-circuit evaluation of the || operator to avoid evaluating the third condition when the first two are true. While this should work in practice, it's fragile.

For clarity and robustness, consider guarding the PR label check with an explicit event type check:

- push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') || contains(github.event.pull_request.labels.*.name, 'push-fat-to-ghcr') }}
+ push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'push-fat-to-ghcr')) }}
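
Review bot: the label term added on the `+` line only decides whether the step pushes, not which tags it pushes, so a labelled PR run would publish under whatever tags this step is already given. Since the thread requires that PR branches must not overwrite the edge tag, pair the `github.event_name == 'pull_request'` branch of this condition with PR-specific tags for the same step, so the label can never cause a push under a tag that main also publishes.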

Apply the same fix to line 220 for the slim image.

Also applies to: 220-220

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 87f9985 and d091bf3.

📒 Files selected for processing (1)
  • .github/workflows/docker.yml (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: tests-release
  • GitHub Check: cargo-publish-dry-run
  • GitHub Check: Build MacOS
  • GitHub Check: tests
  • GitHub Check: All lint checks
  • GitHub Check: Build Ubuntu
  • GitHub Check: Build forest binaries on Linux AMD64


@LesnyRumcajs LesnyRumcajs left a comment


As mentioned, PR branches must not overwrite the edge tag.

Signed-off-by: Alexander Dobrodey <8377544+ADobrodey@users.noreply.github.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between d091bf3 and 55c0b61.

📒 Files selected for processing (1)
  • .github/workflows/docker.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.8)
.github/workflows/docker.yml

203-203: property "output" is not defined in object type {conclusion: string; outcome: string; outputs: {annotations: string; bake-file: string; bake-file-annotations: string; bake-file-labels: string; bake-file-tags: string; json: string; labels: string; tags: string; version: string}}

(expression)

🔇 Additional comments (2)
.github/workflows/docker.yml (2)

186-197: Step design looks sound with proper label gating.

The metafatpr step correctly uses the if: condition to execute only when the push-fat-to-ghcr label is present. The fallback to steps.metafat.outputs.tags on line 203 (once the typo is fixed) ensures the workflow remains functional for non-labeled PRs.


225-234: Verify slim image label support is intentional.

The PR objectives mention two labels (push-slim-to-ghcr and push-fat-to-ghcr), but the slim image build (lines 225–234) lacks a corresponding conditional push or metadata step like the fat image has. The slim image push condition on line 232 only checks for main branch or tag refs, not the label.

Is the omission of push-slim-to-ghcr support intentional, or should lines 225–234 mirror the fat image pattern with a PR-specific metadata step and label-based push condition?

…r workflow

Signed-off-by: Alexander Dobrodey <8377544+ADobrodey@users.noreply.github.com>

hanabi1224 commented Oct 21, 2025

Instead of triggering by tag, could we make it only be manually triggered by specifying branch and tag name? So it's on demand and decoupled from PR. (like https://github.com/ChainSafe/forest/actions/workflows/docker-latest-tag.yml or https://github.com/ChainSafe/forest/actions/workflows/lotus-devnet-publish.yml)


ADobrodey commented Oct 21, 2025

> Instead of triggering by tag, could we make it only be manually triggered by specifying branch and tag name? So it's on demand and decoupled from PR. (like https://github.com/ChainSafe/forest/actions/workflows/docker-latest-tag.yml or https://github.com/ChainSafe/forest/actions/workflows/lotus-devnet-publish.yml)

@hanabi1224
It's triggered by assigning a specific label to the PR (push-fat-to-ghcr). Then this custom fat image could be used by the infra team.

@LesnyRumcajs

I think @hanabi1224's idea is quite a good one and definitely more flexible. So it'd be basically a workflow dispatch with some inputs that would build the image on anything.

> by specifying branch and tag name

I'd recommend specifying commit and not branch (or allow both) in case one would like to publish an image from an earlier commit in a given branch (perhaps to check for regressions).

@ADobrodey what do you think?

…ker image based on inputs

Signed-off-by: Alexander Dobrodey <8377544+ADobrodey@users.noreply.github.com>
…r workflows

Signed-off-by: Alexander Dobrodey <8377544+ADobrodey@users.noreply.github.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/docker-dev.yml (1)

6-16: Clarify mutual exclusion between branch and commit inputs.

The description states these inputs "Conflict with" each other, but there's no validation enforcing mutual exclusion. A user could provide both values, though the condition on line 24 only checks if at least one is non-empty.

Add explicit input validation or clarify the expected behavior when both inputs are provided. Consider adding a comment or using a different condition pattern to make the mutual exclusivity requirement more explicit.

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 6dae21f and f373807.

📒 Files selected for processing (2)
  • .github/workflows/docker-dev.yml (1 hunks)
  • .github/workflows/docker.yml (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/docker.yml
🧰 Additional context used
🪛 GitHub Actions: Script linters
.github/workflows/docker-dev.yml

[error] 1-1: Prettier formatting check failed. Run 'prettier --write' to fix code style issues in this file.

🔇 Additional comments (2)
.github/workflows/docker-dev.yml (2)

42-50: Verify scope of label coverage against PR objectives.

Per the PR objectives, support is being added for two custom labels: push-slim-to-ghcr and push-fat-to-ghcr. This workflow implements only the push-fat-to-ghcr variant (targeting the fat-image Docker target).

Confirm whether a separate workflow for push-slim-to-ghcr should also be added, or if the slim variant is being handled elsewhere.


27-60: Workflow structure and implementation are sound.

The overall workflow is well-structured: concurrency control prevents duplicate runs, Docker Buildx is properly configured, GHCR authentication is correct, and metadata generation with date/SHA/flavor tagging is appropriate for a dev image. The amd64-only platform restriction is reasonable for CI efficiency.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
.github/workflows/docker-dev.yml (1)

1-61: Previous review flagged Prettier formatting failure—verify and fix before merge.

A prior review comment noted that Prettier formatting checks failed on this file. This issue should be resolved before the PR is merged. Prettier may enforce specific spacing, indentation, or line-length requirements for YAML.

To fix locally and verify:

#!/bin/bash
# Run Prettier on the workflow file to auto-fix formatting
prettier --write .github/workflows/docker-dev.yml

# Verify the changes
git diff .github/workflows/docker-dev.yml
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between f373807 and 1b6e54f.

📒 Files selected for processing (1)
  • .github/workflows/docker-dev.yml (1 hunks)
🔇 Additional comments (2)
.github/workflows/docker-dev.yml (2)

27-40: Checkout, Docker setup, and registry login look good.

The fallback logic in the checkout step correctly handles both branch and commit inputs. Using secrets.GITHUB_TOKEN for GHCR authentication is the standard approach and appropriate here.


42-61: Docker metadata generation and build steps are well-structured.

The tag format YYYY-MM-DD-{{sha}}-fat provides clear traceability, the fat-image target aligns with PR objectives, and the single-platform (amd64) build is a reasonable optimization for dev workflows. The latest=false setting is appropriate for pre-release dev images.

…low_dispatch

Signed-off-by: Alexander Dobrodey <8377544+ADobrodey@users.noreply.github.com>
…ker-dev

Signed-off-by: Alexander Dobrodey <8377544+ADobrodey@users.noreply.github.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/docker-dev.yml (1)

35-43: Update outdated step name comment.

Line 35 refers to "Docker Meta fat for PRs only" but this workflow is now a manual workflow_dispatch trigger, not PR-specific. The comment is a leftover from earlier iterations.

Update the step name to reflect the current design:

-      - name: Docker Meta fat for PRs only
+      - name: Docker Meta fat image
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 787cf57 and 9dd41af.

📒 Files selected for processing (1)
  • .github/workflows/docker-dev.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/docker-dev.yml (1)

1-53: Workflow structure and Docker target verified successfully.

The workflow correctly references the fat-image build target, which is properly defined in the Dockerfile at line 58. All multi-stage build targets are present: build-env, slim-image, and fat-image. The workflow implementation with manual workflow_dispatch triggering, proper concurrency handling, and correct platform/target configuration is sound. Ready to merge.


@LesnyRumcajs LesnyRumcajs left a comment


LGTM

@ADobrodey ADobrodey added this pull request to the merge queue Oct 22, 2025
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Docker Meta fat for PRs only
Contributor


nit: Not for PRs anymore

Merged via the queue into main with commit f95dccc Oct 22, 2025
40 checks passed
@ADobrodey ADobrodey deleted the feat/custom-pr-ghcr-push branch October 22, 2025 12:19