ci: label-triggered stagex builds and cache/credential fixes#226
Closed
shahan-khatchadourian-anchorage wants to merge 2 commits into
Closed
ci: label-triggered stagex builds and cache/credential fixes#226shahan-khatchadourian-anchorage wants to merge 2 commits into
shahan-khatchadourian-anchorage wants to merge 2 commits into
Conversation
Copilot started reviewing on behalf of
shahan-khatchadourian-anchorage
March 27, 2026 02:30
View session
Contributor
There was a problem hiding this comment.
Pull request overview
Restructures GitHub Actions workflows to separate fast, always-on validation from the heavier OCI image build pipeline, aligning CI triggers with the intended PR label–based build flow and adding musl cargo check coverage to match container build settings.
Changes:
- Split workflows into
check.yml(runs on every push/PR) andci.yml(full image build on push/main/tags, manual dispatch, or PRcilabel). - Add musl (
x86_64-unknown-linux-musl)cargo checkforparser_appandparser_gatewaywith--no-default-features. - Gate GHCR upload to push events only.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/check.yml | Removes branch filters and adds musl cargo check steps to validate container-equivalent build configs. |
| .github/workflows/ci.yml | Changes PR trigger to label-based, adds job-level gating for ci label, and restricts GHCR upload to push events. |
Comments suppressed due to low confidence (3)
.github/workflows/check.yml:61
- The new musl
cargo check --target x86_64-unknown-linux-muslsteps will often require a musl linker/toolchain on Ubuntu runners (e.g.,musl-tools, and sometimespkg-config/musl-devdepending on dependencies). Add an explicit install step before these checks so the workflow doesn't fail due to missingmusl-gcc/linker tooling.
.github/workflows/ci.yml:21 - Since this job now runs on
pull_request(label-triggered), be careful not to pass registry credentials during PR runs. The current workflow still runs theDocker setupcomposite action with DockerHub/GHCR tokens, which makes those credentials available to PR code even if the upload step is push-only. Consider gating the login/credential passing to push events (or moving login/push into a separate push-only job) so PR builds never receive registry write credentials.
.github/workflows/ci.yml:24 - The job runs on
pull_request(label-triggered) but grantsid-token: writeandpackages: writeto the PR workflow run. This is an unnecessary privilege escalation for PR builds and increases the blast radius if a workflow change is introduced in a PR. Consider splitting into separate jobs so PR builds run with read-only permissions, and only the push-triggered job haspackages: write/id-token: writefor publishing.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
shahan-khatchadourian-anchorage
force-pushed
the
shahankhatch/ci-restructure
branch
from
9822a81 to
7bdc3bc
Compare
shahan-khatchadourian-anchorage
changed the title
shahan-khatchadourian-anchorage
changed the title
- PR image builds now require the `stagex` label instead of auto-triggering on path changes. Push to main/tags unchanged. - GHCR credentials moved after build step so build runs without registry write access. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The action's bundled Swatinem/rust-cache fails because Cargo.toml is in src/, not the repo root. The manual actions/cache step already handles caching correctly. Disabling removes the error noise. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
shahan-khatchadourian-anchorage
force-pushed
the
shahankhatch/ci-restructure
branch
from
de8f4b5 to
f6cb166
Compare
shahan-khatchadourian-anchorage
added a commit
that referenced
this pull request
Apr 11, 2026
Incorporates changes from PR #226: - stagex.yml: PR builds require `stagex` label instead of auto-triggering on path changes. GHCR login moved after build step. - main.yml: disable setup-rust-toolchain built-in cache which fails because Cargo.toml is in src/, not repo root. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
5 tasks
Contributor
Author
shahan-khatchadourian-anchorage
added a commit
that referenced
this pull request
Apr 11, 2026
- Add images/parser_cli/Containerfile for Solana-only CLI build - Add parser_cli target to Makefile and stagex.yml matrix - stagex.yml: PR builds require `stagex` label instead of auto-triggering on path changes; GHCR login moved after build - main.yml: disable setup-rust-toolchain built-in cache (Cargo.toml is in src/, not repo root) Incorporates PR #226 (now closed). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
4 tasks
shahan-khatchadourian-anchorage
added a commit
that referenced
this pull request
Apr 13, 2026
## Summary - Add `images/parser_cli/Containerfile` for Solana-only CLI build using StageX - Add `parser_cli` target to `Makefile` and `stagex.yml` matrix - **Incorporates PR #226**: stagex PR builds now require the `stagex` label instead of auto-triggering on path changes; GHCR login moved after build; disable setup-rust-toolchain built-in cache in main.yml Replaces #232 (rebased). Stacked on #224. ## Test plan - [ ] StageX build passes for `parser_cli` in CI (add `stagex` label to trigger) - [ ] Existing `parser_app` and `parser_gateway` builds unaffected - [ ] Push to main with relevant path changes still triggers the build - [ ] GHCR push still works on push to main 🤖 Generated with [Claude Code](https://claude.com/claude-code)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
stagexlabel instead of auto-triggering on path changes. Push to main/tags with path filtering unchanged. GHCR credentials moved after build step so build runs without registry write access.setup-rust-toolchainbuilt-in cache (Swatinem/rust-cache) which fails becauseCargo.tomlis insrc/, not the repo root. The manualactions/cachestep already handles caching correctly.Test plan
stagexlabel triggers the build on a PRContinuous Integrationno longer showsCargo.tomlnot found errors🤖 Generated with Claude Code