Added build tb-cli GHCR image action

[9larsons]

no ref

In an attempt to optimize the E2E tests, creating an image we can pull from GHCR should save us build time on each shard.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8aa22bf8-5040-4baa-806b-f78bc8884945

📥 Commits

Reviewing files that changed from the base of the PR and between 4e443e8 and 306537c.

📒 Files selected for processing (1)

• .github/workflows/publish-tb-cli.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/publish-tb-cli.yml

---

Walkthrough

A new GitHub Actions workflow file has been added at .github/workflows/publish-tb-cli.yml. This workflow automates the building and publishing of the tb-cli Docker image to GitHub Container Registry (GHCR). The workflow is triggered manually or when changes are pushed to the main branch affecting files in docker/tb-cli/**. It performs checkout, Docker Buildx setup, GHCR authentication, and builds and pushes the image with tags for latest and a SHA-based reference. The workflow uses GitHub Actions caching and includes a conditional guard to skip execution unless the repository is TryGhost/Ghost. The workflow grants write permissions to packages.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding a GitHub Actions workflow to build and publish the tb-cli Docker image to GHCR.
Description check	✅ Passed	The description is related to the changeset, explaining the motivation for adding the GHCR image workflow to optimize E2E test build times.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch create-tb-cli-ghcr

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

.github/workflows/publish-tb-cli.yml (1)

23-23: Consider updating Docker action majors to current stable.

docker/setup-buildx-action@v3 and docker/login-action@v3 are valid, but moving to current major reduces drift and future maintenance pressure.

Suggested update

-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
...
-      - name: Login to GHCR
-        uses: docker/login-action@v3
+      - name: Login to GHCR
+        uses: docker/login-action@v4

Also applies to: 26-26

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish-tb-cli.yml at line 23, Update the Docker GitHub
Actions to their current stable major versions: replace usages of
docker/setup-buildx-action@v3 and docker/login-action@v3 with the latest
recommended major (e.g., `@v4`) throughout the workflow file so both occurrences
are consistent; ensure you run a quick workflow lint or dry-run to verify no
breaking input changes are required by the newer action majors.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/publish-tb-cli.yml:
- Around line 13-18: The publish job (named "publish") can run concurrently and
overwrite the `latest` tag; add a job-level concurrency block to the "publish"
job to serialize runs and cancel in-progress duplicates (e.g., concurrency with
a unique group like "tb-cli-${{ github.ref }}" and cancel-in-progress: true).
Apply the same concurrency block to the other job referenced (lines 38-40) so
both jobs use the same pattern and avoid stale `latest` overwrites.
- Around line 3-4: The workflow currently allows manual workflow_dispatch from
any branch and can publish the :latest image; update the publish job (the job
that builds/pushes images and sets tags) to guard against non-main refs by
adding a job-level condition like `if: github.ref == 'refs/heads/main'` (or
equivalent) so the entire publish job only runs on main, and also ensure any
steps that set or push the `ghcr.io/tryghost/tb-cli:latest` tag (the tag/Push
steps referenced around the tag/latest logic) are similarly gated so they only
run when `github.ref == 'refs/heads/main'`.
- Around line 10-11: The workflow sets explicit permissions but omits repository
contents read access, which breaks actions/checkout@v6; update the
workflow-level permissions block (the permissions: packages: write entry) to
include contents: read so actions/checkout@v6 can access the repo via
GITHUB_TOKEN — add contents: read alongside packages: write in the permissions
mapping.

---

Nitpick comments:
In @.github/workflows/publish-tb-cli.yml:
- Line 23: Update the Docker GitHub Actions to their current stable major
versions: replace usages of docker/setup-buildx-action@v3 and
docker/login-action@v3 with the latest recommended major (e.g., `@v4`) throughout
the workflow file so both occurrences are consistent; ensure you run a quick
workflow lint or dry-run to verify no breaking input changes are required by the
newer action majors.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 74b4fa33-ee15-4c6e-9e0f-5531c20bdf8d

📥 Commits

Reviewing files that changed from the base of the PR and between 3a67450 and 4e443e8.

📒 Files selected for processing (1)

• .github/workflows/publish-tb-cli.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add job-level concurrency to avoid stale latest overwrites.

Two close pushes to main can run concurrently; a slower older run can finish last and overwrite latest.

Suggested fix

 jobs:
   publish:
     name: Build and push tb-cli to GHCR
     runs-on: ubuntu-latest
     if: github.repository == 'TryGhost/Ghost'
+    concurrency:
+      group: publish-tb-cli-${{ github.ref }}
+      cancel-in-progress: true
     steps:

Also applies to: 38-40

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish-tb-cli.yml around lines 13 - 18, The publish job
(named "publish") can run concurrently and overwrite the `latest` tag; add a
job-level concurrency block to the "publish" job to serialize runs and cancel
in-progress duplicates (e.g., concurrency with a unique group like "tb-cli-${{
github.ref }}" and cancel-in-progress: true). Apply the same concurrency block
to the other job referenced (lines 38-40) so both jobs use the same pattern and
avoid stale `latest` overwrites.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.19%. Comparing base (3a67450) to head (306537c).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #26815   +/-   ##
=======================================
  Coverage   73.19%   73.19%           
=======================================
  Files        1534     1534           
  Lines      121065   121065           
  Branches    14643    14643           
=======================================
  Hits        88612    88612           
  Misses      31438    31438           
  Partials     1015     1015           

Flag	Coverage Δ
admin-tests	54.31% <ø> (ø)
e2e-tests	73.19% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ErisDS]

🤖 Velo CI Failure Analysis

Classification: 🟠 SOFT FAIL

• Workflow: CI
• Failed Step: Run yarn nx run @tryghost/admin-x-settings:test:acceptance
• Run: View failed run
  What failed: CI failure - likely code issue
  Why: The failure appears to be related to code changes. Check the error output for details.
  Action:
  Review the error logs and fix the issue in your code.