ci: push PR images to Quay and tag full stack for deployment

[Gkrumbach07]

Summary

• Push PR images: PR builds now push to Quay with pr-{number} tags (previously build-only)
• Full-stack tagging: Unchanged components get their merge-base image aliased as pr-{number}, so the entire stack is deployable with a single consistent tag
• Alpha branch builds: Pushes to alpha now build and push images, and PRs targeting alpha trigger the workflow
• Merge-base detection: Uses github.event.pull_request.base.ref to resolve the correct base regardless of target branch

Deploy jobs remain main-only — no changes there.

Test plan

• Open a PR touching only one component — verify all 7 images have a pr-{number} tag in Quay
• Verify changed images are freshly built; unchanged images point to the merge-base SHA manifest
• Push to alpha branch and verify images are built and pushed
• Open a PR targeting alpha and verify merge-base resolution works
• Verify deploy jobs still only trigger on main

🤖 Generated with Claude Code

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ba6d7cf3-78e5-4417-824d-4cd4897a51cc

📥 Commits

Reviewing files that changed from the base of the PR and between 88bab44 and 2b9cec5.

📒 Files selected for processing (1)

• .github/workflows/components-build-deploy.yml

---

Walkthrough

Workflow triggers for push and pull_request extended to main and alpha. detect-changes no longer uses path-based FILTER_MAP or a force_build_all input; it builds components from an optional components input or defaults to all. Manifest creation split into branch-specific steps: main (latest, stage, sha) and alpha (alpha, sha); PR manifest behavior unchanged.

Changes

Cohort / File(s)	Summary
Workflow file ​.github/workflows/components-build-deploy.yml	Triggers extended to main and alpha. Removed workflow_dispatch force_build_all input and FILTER_MAP-based change detection. detect-changes now uses optional components input or defaults to all components. Manifest creation replaced generic non-PR step with branch-specific steps: main → latest/stage/${sha} and alpha → alpha/${sha}. PR manifest step kept unchanged.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub Actions
    participant Git as Git
    participant Runner as Build Runner
    participant Registry as Container Registry

    Dev->>Git: push or open PR
    Git->>GH: webhook (push / pull_request)
    GH->>GH: read inputs (optional `components`) or default to all
    alt PR
        GH->>Git: fetch base branch (if needed)
        GH->>GH: compute merge-base (used for tagging/sha)
    end
    GH->>Runner: build & push component images (selected or all)
    Runner->>Registry: push images (sha tags)
    alt push to main
        GH->>Registry: create manifests -> `latest`, `stage`, `${sha}`
    else push to alpha
        GH->>Registry: create manifests -> `alpha`, `${sha}`
    else pull_request
        GH->>Registry: create PR manifest (existing PR flow)
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title refers to pushing PR images to Quay and tagging for deployment, but the actual changes involve expanding branch triggers (alpha), removing force_build_all logic, and updating manifest tagging for different branches—not primarily about PR image pushing.	Consider a more accurate title like 'ci: add alpha branch builds and update manifest tagging' to better reflect the core changes.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description is related to the changeset, describing PR image pushing, full-stack tagging, alpha branch builds, and merge-base detection—all aspects present in the workflow changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/pr-image-tagging-and-alpha-builds

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/components-build-deploy.yml (1)

78-95: 🧹 Nitpick | 🔵 Trivial

Consider adding the workflow file to paths-filter or documenting the behavior.

The workflow file .github/workflows/components-build-deploy.yml is in the paths trigger (line 7) but not in the paths-filter step. This means workflow-only changes will trigger the pipeline with has-builds=false and has-unchanged=true, causing all components to be aliased from merge-base.

If this is intentional (useful for testing workflow changes), consider adding a comment documenting this behavior. Otherwise, consider either:

• Adding a filter for workflow changes that forces a full rebuild, or
• Removing the workflow file from the trigger paths

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/components-build-deploy.yml around lines 78 - 95, The
paths-filter step (id: filter) lacks a filter for workflow file changes, so
workflow-only edits still run the pipeline with has-builds=false and causes all
components to be aliased; to fix, either add a new filter key (e.g., workflows)
under the filters block that matches '.github/workflows/**' and configure it to
force a full rebuild, or document this intentional behavior near the paths
trigger and the filter step (id: filter) so reviewers know workflow edits will
trigger the aliasing behavior; update the filters block (keys like frontend,
backend, operator, claude-runner, state-sync, public-api, ambient-api-server)
accordingly or remove the workflow file from the paths trigger if you prefer not
to trigger on workflow-only changes.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/components-build-deploy.yml:
- Around line 281-312: In the tag-unchanged-for-pr job, before running docker
buildx imagetools create, add a pre-flight existence check for the source image
(${IMAGE}:${MERGE_BASE}) inside the same "Tag ${{ matrix.component.name }} from
merge base as pr-${{ github.event.pull_request.number }}" run block: attempt to
inspect the image (e.g., docker buildx imagetools inspect
"${IMAGE}:${MERGE_BASE}" || docker manifest inspect "${IMAGE}:${MERGE_BASE}")
and if the inspect fails, print a clear error mentioning MERGE_BASE, IMAGE and
PR_TAG and exit 1; only run docker buildx imagetools create when the inspect
succeeds. This ensures you fail fast with a helpful message rather than the
confusing buildx error.
- Around line 67-75: The shallow fetch with git fetch origin "${BASE_REF}"
--depth=50 in the "Determine merge base for PR" step (id: merge-base) can miss
the true merge base, so update that step to attempt an unshallow/deeper fetch if
git merge-base returns empty or fails: after computing SHA=$(git merge-base
"origin/${BASE_REF}" ${{ github.event.pull_request.head.sha }}), check if SHA is
empty or the command failed, then run git fetch --unshallow or git fetch origin
"${BASE_REF}" --depth=1000 (or loop increasing depth), recompute SHA, and if
still empty emit a clear error via echo and exit non-zero; ensure variables
BASE_REF and SHA are preserved and logged for debugging.

---

Outside diff comments:
In @.github/workflows/components-build-deploy.yml:
- Around line 78-95: The paths-filter step (id: filter) lacks a filter for
workflow file changes, so workflow-only edits still run the pipeline with
has-builds=false and causes all components to be aliased; to fix, either add a
new filter key (e.g., workflows) under the filters block that matches
'.github/workflows/**' and configure it to force a full rebuild, or document
this intentional behavior near the paths trigger and the filter step (id:
filter) so reviewers know workflow edits will trigger the aliasing behavior;
update the filters block (keys like frontend, backend, operator, claude-runner,
state-sync, public-api, ambient-api-server) accordingly or remove the workflow
file from the paths trigger if you prefer not to trigger on workflow-only
changes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 262c161f-6e99-4b8b-ad89-3af55da22b6b

📥 Commits

Reviewing files that changed from the base of the PR and between 208e4e2 and edc9211.

📒 Files selected for processing (1)

• .github/workflows/components-build-deploy.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add validation that merge-base image exists before attempting to tag.

The docker buildx imagetools create command will fail with a confusing error if ${IMAGE}:${MERGE_BASE} doesn't exist in Quay. This can happen if:

• The merge-base commit didn't trigger a build (paths filter didn't match)
• The image was pruned by Quay's tag expiration policy
• The alpha branch is new and has no prior images

Consider adding a pre-flight check to verify the source image exists and provide a clear error message.

🛡️ Proposed fix with existence check

       - name: Tag ${{ matrix.component.name }} from merge base as pr-${{ github.event.pull_request.number }}
         run: |
           MERGE_BASE="${{ needs.detect-changes.outputs.merge-base-sha }}"
           PR_TAG="pr-${{ github.event.pull_request.number }}"
           IMAGE="${{ matrix.component.image }}"
 
+          # Verify source image exists
+          if ! docker buildx imagetools inspect "${IMAGE}:${MERGE_BASE}" > /dev/null 2>&1; then
+            echo "::error::Source image ${IMAGE}:${MERGE_BASE} not found in registry. The merge-base commit may not have been built."
+            echo "::error::Consider rebasing onto a more recent commit that has images available."
+            exit 1
+          fi
+
           echo "Aliasing ${IMAGE}:${MERGE_BASE} → ${IMAGE}:${PR_TAG}"
           docker buildx imagetools create \
             -t "${IMAGE}:${PR_TAG}" \
             "${IMAGE}:${MERGE_BASE}"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	tag-unchanged-for-pr:
	needs: [detect-changes]
	if: github.event_name == 'pull_request' && needs.detect-changes.outputs.has-unchanged == 'true'
	runs-on: ubuntu-latest
	permissions:
	contents: read
	id-token: write
	strategy:
	fail-fast: false
	matrix:
	component: ${{ fromJSON(needs.detect-changes.outputs.unchanged-matrix) }}
	steps:
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	- name: Log in to Quay.io
	uses: docker/login-action@v3
	with:
	registry: quay.io
	username: ${{ secrets.QUAY_USERNAME }}
	password: ${{ secrets.QUAY_PASSWORD }}
	- name: Tag ${{ matrix.component.name }} from merge base as pr-${{ github.event.pull_request.number }}
	run: |
	MERGE_BASE="${{ needs.detect-changes.outputs.merge-base-sha }}"
	PR_TAG="pr-${{ github.event.pull_request.number }}"
	IMAGE="${{ matrix.component.image }}"
	echo "Aliasing ${IMAGE}:${MERGE_BASE} → ${IMAGE}:${PR_TAG}"
	docker buildx imagetools create \
	-t "${IMAGE}:${PR_TAG}" \
	"${IMAGE}:${MERGE_BASE}"
	tag-unchanged-for-pr:
	needs: [detect-changes]
	if: github.event_name == 'pull_request' && needs.detect-changes.outputs.has-unchanged == 'true'
	runs-on: ubuntu-latest
	permissions:
	contents: read
	id-token: write
	strategy:
	fail-fast: false
	matrix:
	component: ${{ fromJSON(needs.detect-changes.outputs.unchanged-matrix) }}
	steps:
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	- name: Log in to Quay.io
	uses: docker/login-action@v3
	with:
	registry: quay.io
	username: ${{ secrets.QUAY_USERNAME }}
	password: ${{ secrets.QUAY_PASSWORD }}
	- name: Tag ${{ matrix.component.name }} from merge base as pr-${{ github.event.pull_request.number }}
	run: |
	MERGE_BASE="${{ needs.detect-changes.outputs.merge-base-sha }}"
	PR_TAG="pr-${{ github.event.pull_request.number }}"
	IMAGE="${{ matrix.component.image }}"
	# Verify source image exists
	if ! docker buildx imagetools inspect "${IMAGE}:${MERGE_BASE}" > /dev/null 2>&1; then
	echo "::error::Source image ${IMAGE}:${MERGE_BASE} not found in registry. The merge-base commit may not have been built."
	echo "::error::Consider rebasing onto a more recent commit that has images available."
	exit 1
	fi
	echo "Aliasing ${IMAGE}:${MERGE_BASE} → ${IMAGE}:${PR_TAG}"
	docker buildx imagetools create \
	-t "${IMAGE}:${PR_TAG}" \
	"${IMAGE}:${MERGE_BASE}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/components-build-deploy.yml around lines 281 - 312, In the
tag-unchanged-for-pr job, before running docker buildx imagetools create, add a
pre-flight existence check for the source image (${IMAGE}:${MERGE_BASE}) inside
the same "Tag ${{ matrix.component.name }} from merge base as pr-${{
github.event.pull_request.number }}" run block: attempt to inspect the image
(e.g., docker buildx imagetools inspect "${IMAGE}:${MERGE_BASE}" || docker
manifest inspect "${IMAGE}:${MERGE_BASE}") and if the inspect fails, print a
clear error mentioning MERGE_BASE, IMAGE and PR_TAG and exit 1; only run docker
buildx imagetools create when the inspect succeeds. This ensures you fail fast
with a helpful message rather than the confusing buildx error.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/components-build-deploy.yml:
- Around line 358-366: Add a pre-check in the "Tag ... as alpha" step to
validate that the source image tag exists before calling docker buildx
imagetools create: use the PARENT_SHA and IMAGE variables to attempt inspection
(e.g., docker manifest inspect "${IMAGE}:${PARENT_SHA}" or an equivalent
registry API call) and, if the inspect call fails or returns non-200, log a
clear message and skip/exit the step gracefully instead of running docker buildx
imagetools create; ensure the step refers to PARENT_SHA and IMAGE and only runs
the imagetools create when the existence check succeeds.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2ba6c97f-3291-4d69-9e18-9a64b2ece048

📥 Commits

Reviewing files that changed from the base of the PR and between edc9211 and 46a98cd.

📒 Files selected for processing (1)

• .github/workflows/components-build-deploy.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add validation that parent commit image exists before attempting to tag.

Same issue as the PR aliasing job: if ${IMAGE}:${PARENT_SHA} doesn't exist in Quay (parent commit didn't trigger a build for this component, or images were pruned), the docker buildx imagetools create command will fail with a confusing error.

🛡️ Proposed fix with existence check

       - name: Tag ${{ matrix.component.name }} from parent commit as alpha
         run: |
           PARENT_SHA="${{ needs.detect-changes.outputs.merge-base-sha }}"
           IMAGE="${{ matrix.component.image }}"
 
+          # Verify source image exists
+          if ! docker buildx imagetools inspect "${IMAGE}:${PARENT_SHA}" > /dev/null 2>&1; then
+            echo "::warning::Source image ${IMAGE}:${PARENT_SHA} not found. Skipping alpha tag for this component."
+            echo "::warning::The parent commit may not have built this component."
+            exit 0
+          fi
+
           echo "Aliasing ${IMAGE}:${PARENT_SHA} → ${IMAGE}:alpha"
           docker buildx imagetools create \
             -t "${IMAGE}:alpha" \
             "${IMAGE}:${PARENT_SHA}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/components-build-deploy.yml around lines 358 - 366, Add a
pre-check in the "Tag ... as alpha" step to validate that the source image tag
exists before calling docker buildx imagetools create: use the PARENT_SHA and
IMAGE variables to attempt inspection (e.g., docker manifest inspect
"${IMAGE}:${PARENT_SHA}" or an equivalent registry API call) and, if the inspect
call fails or returns non-200, log a clear message and skip/exit the step
gracefully instead of running docker buildx imagetools create; ensure the step
refers to PARENT_SHA and IMAGE and only runs the imagetools create when the
existence check succeeds.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.github/workflows/components-build-deploy.yml (2)

276-296: ⚠️ Potential issue | 🟠 Major

Manual dispatches now deploy the wrong tags outside main.

After this split, a workflow_dispatch on alpha publishes alpha/${github.sha}, but deploy-with-disptach still rolls out stage for most components, so it ignores the fresh build. On any other ref, no manifests are created at all, yet runner/state-sync can still be pinned to ${github.sha}. Either keep the old dispatch manifest path or restrict the deploy job to refs that publish the tags it consumes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/components-build-deploy.yml around lines 276 - 296, The
workflow currently creates multi-arch manifests only for refs main and alpha,
causing manual workflow_dispatch on alpha (or other refs) to publish tags that
the deploy job (deploy-with-dispatch) doesn't consume; update the manifest
creation steps to match what deploy-with-dispatch expects or constrain
deploy-with-dispatch to only run on refs that publish those tags. Concretely,
modify the docker buildx imagetools create invocation(s) to include the same tag
set that deploy-with-dispatch consumes (e.g., add the :stage tag and
${github.sha}:stage/arch variants when handling alpha or add a catch-all branch
that creates the ${github.sha} and :stage manifests), or change the
deploy-with-dispatch trigger/if condition to only run on refs where those tags
are produced; reference matrix.component.image, ${github.sha}, the existing
"Create multi-arch manifest for ... (alpha)" step, and the deploy-with-dispatch
job when making the change.

---

276-296: ⚠️ Potential issue | 🔴 Critical

Partial branch builds never backfill commit tags for unchanged images.

Lines 282-295 only create ${github.sha} for components in merge-matrix. The new alias jobs then use merge-base-sha / PARENT_SHA as the source for unchanged components, but those commit tags were never created for untouched images. Example: commit A rebuilds only frontend; the next partial run that uses A as its base will fail at Line 337 or Line 369 when it looks for backend:A, state-sync:A, etc. Please publish ${github.sha} for unchanged components on main/alpha as well.

Also applies to: 328-337, 361-369

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/components-build-deploy.yml around lines 276 - 296, The
multi-arch manifest steps for main/alpha currently omit publishing the
${github.sha} tag for components that weren't rebuilt, causing later alias jobs
(which use merge-base-sha / PARENT_SHA) to fail when looking up e.g.
backend:${github.sha}. Update the two imagetools create blocks (the "Create
multi-arch manifest for ${{ matrix.component.name }} (main)" and "(alpha)") to
always include -t ${{ matrix.component.image }}:${{ github.sha }} and ensure the
source images include the arch-suffixed tags for the base/parent commit (use the
existing merge-base-sha / PARENT_SHA variables or matrix component base SHA
equivalents as the source images), so unchanged components get a ${github.sha}
tag created even when only some components were rebuilt.

♻️ Duplicate comments (1)

.github/workflows/components-build-deploy.yml (1)

67-76: ⚠️ Potential issue | 🟠 Major

git merge-base is still brittle with long-lived PRs.

Both fetches are still capped at 100 commits. If the common ancestor sits outside that window, Line 76 fails again and the workflow never produces merge-base-sha. Please add a deeper-fetch/--unshallow fallback before using SHA.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/components-build-deploy.yml around lines 67 - 76, The
merge-base step (id: merge-base) is brittle because both git fetch calls are
limited to --depth=100 so SHA=$(git merge-base ...) can fail for long-lived PRs;
modify the step to attempt a deeper fetch or unshallow before computing SHA:
first try increasing history (e.g., additional git fetch --deepen or fetching
origin/${BASE_REF} without depth), and if that still might be shallow run git
fetch --unshallow as a fallback, then compute SHA=$(git merge-base
"origin/${BASE_REF}" ${{ github.event.pull_request.head.sha }}); ensure any
fetch errors are handled so merge-base-sha is produced reliably.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/workflows/components-build-deploy.yml:
- Around line 276-296: The workflow currently creates multi-arch manifests only
for refs main and alpha, causing manual workflow_dispatch on alpha (or other
refs) to publish tags that the deploy job (deploy-with-dispatch) doesn't
consume; update the manifest creation steps to match what deploy-with-dispatch
expects or constrain deploy-with-dispatch to only run on refs that publish those
tags. Concretely, modify the docker buildx imagetools create invocation(s) to
include the same tag set that deploy-with-dispatch consumes (e.g., add the
:stage tag and ${github.sha}:stage/arch variants when handling alpha or add a
catch-all branch that creates the ${github.sha} and :stage manifests), or change
the deploy-with-dispatch trigger/if condition to only run on refs where those
tags are produced; reference matrix.component.image, ${github.sha}, the existing
"Create multi-arch manifest for ... (alpha)" step, and the deploy-with-dispatch
job when making the change.
- Around line 276-296: The multi-arch manifest steps for main/alpha currently
omit publishing the ${github.sha} tag for components that weren't rebuilt,
causing later alias jobs (which use merge-base-sha / PARENT_SHA) to fail when
looking up e.g. backend:${github.sha}. Update the two imagetools create blocks
(the "Create multi-arch manifest for ${{ matrix.component.name }} (main)" and
"(alpha)") to always include -t ${{ matrix.component.image }}:${{ github.sha }}
and ensure the source images include the arch-suffixed tags for the base/parent
commit (use the existing merge-base-sha / PARENT_SHA variables or matrix
component base SHA equivalents as the source images), so unchanged components
get a ${github.sha} tag created even when only some components were rebuilt.

---

Duplicate comments:
In @.github/workflows/components-build-deploy.yml:
- Around line 67-76: The merge-base step (id: merge-base) is brittle because
both git fetch calls are limited to --depth=100 so SHA=$(git merge-base ...) can
fail for long-lived PRs; modify the step to attempt a deeper fetch or unshallow
before computing SHA: first try increasing history (e.g., additional git fetch
--deepen or fetching origin/${BASE_REF} without depth), and if that still might
be shallow run git fetch --unshallow as a fallback, then compute SHA=$(git
merge-base "origin/${BASE_REF}" ${{ github.event.pull_request.head.sha }});
ensure any fetch errors are handled so merge-base-sha is produced reliably.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d58c74d0-c393-4500-bfa0-285fbb512501

📥 Commits

Reviewing files that changed from the base of the PR and between 46a98cd and 88bab44.

📒 Files selected for processing (1)

• .github/workflows/components-build-deploy.yml