ci: add Dockerfile base image verification workflow

[Yeraze]

Adds a PR check that verifies all Dockerfile base images exist for all target platforms (amd64, arm64, arm/v7). Runs only when Dockerfiles are modified.

Prevents issues like the armv7 build failure in v3.10.0-RC1 where node:22.22.1-trixie-slim didn't have an arm/v7 manifest.

🤖 Generated with Claude Code

[github-actions]

Claude finished @Yeraze's task —— View job

---

PR Review: Dockerfile Base Image Verification Workflow

Reviewing this PR that adds CI validation for Dockerfile base image availability across target platforms.

Todo List:

• Read and analyze the workflow file
• Review code quality and best practices
• Check for potential bugs or issues
• Assess performance considerations
• Identify security concerns
• Evaluate test coverage implications
• Provide comprehensive feedback

Review Findings

✅ Code Quality & Best Practices

Excellent overall implementation with good attention to detail:

• Proper error handling: Uses set -euo pipefail for strict bash execution
• Clear structure: Well-organized with descriptive comments and sections
• Appropriate triggering: Only runs on Dockerfile changes, avoiding unnecessary CI runs
• Platform mapping: Smart associative array mapping Dockerfiles to their target platforms
• Progress indicators: Good user experience with emoji indicators and status messages

✅ Robust Image Detection Logic

The workflow handles complex scenarios well:

• ARG resolution: Attempts to resolve ${VARIABLE} references using ARG defaults (lines 51-62)
• Multi-stage builds: Correctly skips references to earlier build stages (lines 64-67)
• Fallback verification: Double-checks with docker manifest inspect when buildx imagetools fails (lines 76-83)
• Duplicate elimination: Uses sort -u to avoid checking the same image multiple times

⚠️ Potential Issues & Improvements

1. ARG Resolution Limitations (.github/workflows/dockerfile-image-check.yml:54):

   RESOLVED=$(grep -E "^ARG $ARG_NAME=" "$dockerfile" | head -1 | sed "s/ARG $ARG_NAME=//")

   • Only handles simple ARG VAR=value syntax
   • Won't resolve multi-line ARGs or those with complex default values
   • Consider adding warning when ARG resolution fails

2. Platform String Parsing (.github/workflows/dockerfile-image-check.yml:77):

   grep -q "$(echo $platform | sed 's|/|-|g; s|linux-||')"

   • This regex transformation is fragile and may not work for all platform formats
   • Docker manifest formats can vary; consider using jq for more reliable JSON parsing

3. Missing Edge Cases:

   • No handling of COPY --from= references to external images
   • Multi-line FROM statements with backslashes aren't handled
   • Build-time ARGs passed via --build-arg won't be resolved

🔒 Security Considerations

Generally secure with no major concerns:

• ✅ Uses pinned action versions (@v6, @v4)
• ✅ No secret exposure or credential usage
• ✅ Read-only operations (inspect, not pull)
• ✅ Proper error boundaries prevent script injection

⚡ Performance Considerations

Well-optimized for typical usage:

• ✅ Only runs when Dockerfiles change
• ✅ Efficient duplicate elimination
• ✅ Parallel platform checks within images
• ✅ Early exit on missing Dockerfiles

Potential optimization: For repositories with many Dockerfiles, consider parallelizing the outer loop.

🧪 Test Coverage

The workflow itself provides good validation, but consider:

• Integration testing: Could add a test Dockerfile with intentionally missing platform support
• ARG resolution testing: Verify complex ARG scenarios work correctly
• Documentation: Add examples of supported/unsupported ARG patterns

📋 Recommendations

1. Enhance ARG resolution:

   # Handle quoted values and more complex ARG syntax
   RESOLVED=$(grep -E "^ARG $ARG_NAME=" "$dockerfile" | sed 's/.*=//' | sed 's/^"//;s/"$//')

2. Improve platform parsing:

   # Use jq for more reliable JSON parsing
   if docker manifest inspect "$image" -v 2>/dev/null | jq -r '.Descriptor.platform.architecture + "/" + .Descriptor.platform.variant' | grep -q "$platform"; then

3. Add validation for edge cases:

   • Detect and warn about unresolvable ARG references
   • Handle COPY --from= external image references
   • Support multi-line FROM statements

🎯 Summary

This is a high-quality addition that addresses a real problem (armv7 build failures). The implementation is thoughtful, well-structured, and handles most common scenarios correctly. The few identified issues are minor and the workflow provides significant value in its current form.

Recommendation: ✅ Approve - This solves the stated problem effectively with good engineering practices.

[github-actions]

Claude finished @Yeraze's task —— View job

---

PR Review: Dockerfile Base Image Verification Workflow

Reviewing this PR that adds CI validation for Dockerfile base image availability across target platforms.

Todo List:

• Read and analyze the workflow file
• Review code quality and best practices
• Check for potential bugs or issues
• Assess performance considerations
• Identify security concerns
• Evaluate test coverage implications
• Provide comprehensive feedback

Review Findings

✅ Code Quality & Best Practices

Excellent overall implementation with good attention to detail:

• Proper error handling: Uses set -euo pipefail for strict bash execution (.github/workflows/dockerfile-image-check.yml:23)
• Clear structure: Well-organized with descriptive comments and sections
• Appropriate triggering: Only runs on Dockerfile changes, avoiding unnecessary CI runs
• Platform mapping: Smart associative array mapping Dockerfiles to their target platforms (lines 26-30)
• Progress indicators: Good user experience with emoji indicators and status messages

✅ Robust Image Detection Logic

The workflow handles complex scenarios well:

• ARG resolution: Attempts to resolve ${VARIABLE} references using ARG defaults (lines 51-62)
• Multi-stage builds: Correctly skips references to earlier build stages (lines 64-67)
• Fallback verification: Double-checks with docker manifest inspect when buildx imagetools fails (lines 76-83)
• Duplicate elimination: Uses sort -u to avoid checking the same image multiple times (line 46)

⚠️ Potential Issues & Improvements

1. ARG Resolution Limitations (.github/workflows/dockerfile-image-check.yml:54):

   RESOLVED=$(grep -E "^ARG $ARG_NAME=" "$dockerfile" | head -1 | sed "s/ARG $ARG_NAME=//")

   • Only handles simple ARG VAR=value syntax
   • Won't resolve multi-line ARGs or those with complex default values
   • Consider adding warning when ARG resolution fails

2. Platform String Parsing (.github/workflows/dockerfile-image-check.yml:77):

   grep -q "$(echo $platform | sed 's|/|-|g; s|linux-||')"

   • This regex transformation is fragile and may not work for all platform formats
   • Docker manifest formats can vary; consider using jq for more reliable JSON parsing

3. Missing Edge Cases:

   • No handling of COPY --from= references to external images
   • Multi-line FROM statements with backslashes aren't handled
   • Build-time ARGs passed via --build-arg won't be resolved

🔒 Security Considerations

Generally secure with no major concerns:

• ✅ Uses pinned action versions (@v6, @v4)
• ✅ No secret exposure or credential usage
• ✅ Read-only operations (inspect, not pull)
• ✅ Proper error boundaries prevent script injection

⚡ Performance Considerations

Well-optimized for typical usage:

• ✅ Only runs when Dockerfiles change
• ✅ Efficient duplicate elimination
• ✅ Parallel platform checks within images
• ✅ Early exit on missing Dockerfiles

Potential optimization: For repositories with many Dockerfiles, consider parallelizing the outer loop.

🧪 Test Coverage

The workflow itself provides good validation, but consider:

• Integration testing: Could add a test Dockerfile with intentionally missing platform support
• ARG resolution testing: Verify complex ARG scenarios work correctly
• Documentation: Add examples of supported/unsupported ARG patterns

📋 Recommendations

1. Enhance ARG resolution:

   # Handle quoted values and more complex ARG syntax
   RESOLVED=$(grep -E "^ARG $ARG_NAME=" "$dockerfile" | sed 's/.*=//' | sed 's/^"//;s/"$//')

2. Improve platform parsing:

   # Use jq for more reliable JSON parsing
   if docker manifest inspect "$image" -v 2>/dev/null | jq -r '.Descriptor.platform.architecture + "/" + .Descriptor.platform.variant' | grep -q "$platform"; then

3. Add validation for edge cases:

   • Detect and warn about unresolvable ARG references
   • Handle COPY --from= external image references
   • Support multi-line FROM statements

🎯 Summary

This is a high-quality addition that addresses a real problem (armv7 build failures). The implementation is thoughtful, well-structured, and handles most common scenarios correctly. The few identified issues are minor and the workflow provides significant value in its current form.

Recommendation: ✅ Approve - This solves the stated problem effectively with good engineering practices.

---

[github-actions]

Claude finished @Yeraze's task —— View job

---

PR Review: Dockerfile Base Image Verification Workflow

Reviewing this PR that adds CI validation for Dockerfile base image availability across target platforms.

Todo List:

• Read and analyze the workflow file
• Review the release monitoring script
• Review the Claude command file
• Check code quality and best practices
• Identify potential bugs or issues
• Assess performance considerations
• Evaluate security concerns
• Check test coverage implications
• Provide comprehensive feedback

Review Findings

✅ Code Quality & Best Practices

Dockerfile Image Verification Workflow (.github/workflows/dockerfile-image-check.yml):

• Excellent error handling: Uses set -euo pipefail for strict bash execution (line 23)
• Clear structure: Well-organized with descriptive comments and sections
• Appropriate triggering: Only runs on Dockerfile changes, avoiding unnecessary CI runs
• Platform mapping: Smart associative array mapping Dockerfiles to their target platforms (lines 26-30)
• Progress indicators: Good user experience with emoji indicators and status messages
• Improved JSON parsing: Uses jq for reliable manifest inspection (lines 83-90) - much better than regex parsing

Release Monitoring Script (scripts/watch-release.sh):

• Robust error handling: Proper use of set -euo pipefail
• Good user experience: Clear progress indicators and desktop notifications
• Flexible usage: Supports both tagged and latest release monitoring
• Proper exit codes: Returns appropriate exit status based on workflow results

Claude Release Command (.claude/commands/create-release.md):

• Comprehensive documentation: Well-structured with clear phases and validation steps
• Good safety checks: Validates existing releases, version format, and package.json consistency
• Proper workflow integration: Uses the monitoring script and follows GitHub best practices

✅ Robust Image Detection Logic

The workflow handles complex scenarios well:

• ARG resolution: Attempts to resolve ${VARIABLE} references using ARG defaults (lines 51-62)
• Multi-stage builds: Correctly skips references to earlier build stages (lines 64-67)
• JSON-based verification: Uses jq for reliable platform detection instead of fragile regex (lines 79-91)
• Duplicate elimination: Uses sort -u to avoid checking the same image multiple times (line 46)

⚠️ Potential Issues & Improvements

1. ARG Resolution Limitations (.github/workflows/dockerfile-image-check.yml:54):

   RESOLVED=$(grep -E "^ARG $ARG_NAME=" "$dockerfile" | head -1 | sed "s/ARG $ARG_NAME=//")

   • Only handles simple ARG VAR=value syntax
   • Won't resolve multi-line ARGs, quoted values, or build-time ARGs passed via --build-arg
   • Consider adding warning when ARG resolution fails or pattern is unsupported

2. Missing Edge Cases:

   • No handling of COPY --from= references to external images
   • Multi-line FROM statements with backslashes aren't handled
   • Build-time ARGs passed via --build-arg won't be resolved
   • Could miss complex ARG patterns like ARG VERSION="1.0"

3. Limited Test Coverage:

   • No integration tests to verify the workflow catches real issues
   • No test cases for ARG resolution edge cases
   • Consider adding test Dockerfiles with intentionally missing platform support

🔒 Security Considerations

Generally secure with no major concerns:

• ✅ Uses pinned action versions (@v6, @v4)
• ✅ No secret exposure or credential usage
• ✅ Read-only operations (inspect, not pull)
• ✅ Proper error boundaries prevent script injection
• ✅ Uses jq for JSON parsing instead of eval or unsafe regex

⚡ Performance Considerations

Well-optimized for typical usage:

• ✅ Only runs when Dockerfiles change (paths filter)
• ✅ Efficient duplicate elimination
• ✅ Parallel platform checks within images
• ✅ Early exit on missing Dockerfiles
• ✅ Reasonable timeout expectations

Potential optimization: For repositories with many Dockerfiles, consider parallelizing the outer loop or using matrix strategy.

🧪 Test Coverage Implications

Strengths:

• The workflow itself provides validation for the core use case
• Release monitoring script helps catch issues in actual releases

Gaps:

• No unit tests for ARG resolution logic
• No integration tests with intentionally broken Dockerfiles
• No validation of edge cases like multi-line FROM statements

📋 Recommendations

High Priority

1. Enhance ARG resolution to handle quoted values and warn on failures:

   # Handle quoted values and warn on failures
   RESOLVED=$(grep -E "^ARG $ARG_NAME=" "$dockerfile" | head -1 | sed 's/.*=//' | sed 's/^"//;s/"$//')
   if [ -z "$RESOLVED" ]; then
     echo "  ⚠ Cannot resolve ARG $ARG_NAME in $dockerfile - manual verification needed"
   fi

2. Add validation for COPY --from= external images - these can also cause platform issues

Medium Priority

1. Improve error messages to include specific dockerfile and line numbers for better debugging
2. Add support for multi-line FROM statements (continuation with backslashes)
3. Consider adding dry-run mode that lists what would be checked without actually checking

Low Priority

1. Add integration tests with test Dockerfiles that intentionally fail on certain platforms
2. Document supported/unsupported ARG patterns in workflow comments
3. Consider matrix parallelization for repositories with many Dockerfiles

🎯 Summary

This is a high-quality addition that addresses a real problem (armv7 build failures). The implementation is thoughtful, well-structured, and handles most common scenarios correctly. The use of jq for JSON parsing and the comprehensive error handling demonstrate good engineering practices.

Key Strengths:

• Solves the stated problem effectively
• Well-structured code with proper error handling
• Good user experience with clear progress indicators
• Secure implementation with no major vulnerabilities
• Performance-conscious design

Areas for Enhancement:

• ARG resolution could be more robust
• Missing some edge cases (COPY --from, multi-line FROM)
• Limited test coverage for complex scenarios

Recommendation: ✅ Approve - This provides significant value in its current form and can be enhanced incrementally. The core functionality is solid and addresses the immediate need to prevent platform-specific build failures.

---

Job Run: https://github.com/Yeraze/meshmonitor/actions/runs/23349741929
Branch: ci/dockerfile-image-check