ci: automate docker image builds to GHCR

[pthmas]

Adds a reusable GitHub Actions workflow to automatically build and push Docker images for the indexer, API, and frontend services to GitHub Container Registry on every push to main.

Images are built for both linux/amd64 and linux/arm64 platforms using Docker Buildx. The workflow is triggered only on pushes to main and properly scoped permissions for reading code and writing to GHCR.

Summary by CodeRabbit

• Chores
  • CI pipeline reorganized: backend checks split into separate format, lint, and test stages for clearer, faster feedback.
  • Added a reusable Docker build-and-publish workflow and a CI job to invoke it, gated on main pushes.
  • Docker pipeline supports multi-platform image builds and per-service configuration to enable parallel, targeted image builds and faster deployments.

[coderabbitai]

📝 Walkthrough

Walkthrough

CI workflow split backend into separate format, lint, and test jobs and adds a reusable Docker build-and-push workflow plus a new "Docker (GHCR)" CI job that dispatches per-app multi‑platform image builds to the reusable workflow on pushes to main.

Changes

Cohort / File(s)	Summary
CI workflow (jobs decomposition & Docker dispatch) .github/workflows/ci.yml	Replaces monolithic backend job with backend-fmt (format), adds backend-clippy (lint) and backend-test (tests), scopes backend steps to working-directory, and adds a docker job "Docker (GHCR)" that dispatches the reusable Docker workflow with image-tag and apps on pushes to main.
Reusable Docker build workflow (new) .github/workflows/docker-build-push.yml	New reusable workflow accepting image-tag and apps (JSON). Uses a matrix over apps, checks out code, sets up Buildx, logs into GHCR, and runs docker/build-push-action@v6 per-app with conditional target to produce multi‑arch images tagged ghcr.io/{owner}/{app.name}:{image-tag}.

Sequence Diagram(s)

sequenceDiagram
    participant CI as CI (ci.yml)
    participant Reusable as Reusable Workflow (docker-build-push.yml)
    participant Buildx as Docker Buildx / build-push-action
    participant GHCR as GitHub Container Registry

    CI->>Reusable: dispatch with inputs (image-tag, apps)
    Reusable->>Buildx: checkout repo & setup buildx
    Reusable->>Buildx: start matrix build per app (context, dockerfile, optional target)
    Buildx->>GHCR: login (ghcr.io)
    Buildx->>GHCR: push multi-arch images (ghcr.io/{owner}/{app.name}:{image-tag})
    GHCR-->>Reusable: accept/persist images

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 I formatted, linted, tested with cheer,
Then bundled containers for far and near,
Multi-arch wings and tags that cling,
I hopped to GHCR — watch them sing! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'ci: automate docker image builds to GHCR' directly summarizes the main change: introducing automated Docker image builds to GitHub Container Registry. It clearly reflects the core functionality added in this PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch pthmas/inspect-evm-image-ci

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

.github/workflows/docker-build-push.yml (1)

48-48: Add an immutable image tag alongside main.

Using only a mutable tag makes rollback/debugging harder. Keep main, but also publish ${{ github.sha }}.

Suggested fix

-          tags: ghcr.io/${{ github.repository_owner }}/${{ matrix.app.name }}:${{ inputs.image-tag }}
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.app.name }}:${{ inputs.image-tag }}
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.app.name }}:${{ github.sha }}
...
-          tags: ghcr.io/${{ github.repository_owner }}/${{ matrix.app.name }}:${{ inputs.image-tag }}
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.app.name }}:${{ inputs.image-tag }}
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.app.name }}:${{ github.sha }}

Also applies to: 58-58

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docker-build-push.yml at line 48, The workflow currently
only pushes a mutable tag via the tags setting; add a second immutable tag using
the commit SHA by including both tags for the image push (keep the existing tag
using inputs.image-tag or "main" and also add ghcr.io/${{
github.repository_owner }}/${{ matrix.app.name }}:${{ github.sha }}), ensuring
the push action receives an array of tags so both are published; apply the same
change to the other tags occurrence referenced in the diff.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 67-70: The docker job is gated only by an if condition and can run
without waiting for other jobs; add an explicit dependency by adding needs:
[backend, frontend] to the docker job definition (the job with name/key "docker"
that uses ./.github/workflows/docker-build-push.yml) so that the Docker publish
step only runs after the backend and frontend jobs complete successfully.

In @.github/workflows/docker-build-push.yml:
- Around line 29-30: The workflow is missing QEMU emulation which breaks
multi-arch builds; add a step using docker/setup-qemu-action (e.g., uses:
docker/setup-qemu-action@v2) immediately before the "Set up Docker Buildx" step
so the runner can emulate arm64 when building the linux/amd64,linux/arm64
targets on ubuntu-latest; ensure the new step runs on the same job and is
positioned before docker/setup-buildx-action@v3.

---

Nitpick comments:
In @.github/workflows/docker-build-push.yml:
- Line 48: The workflow currently only pushes a mutable tag via the tags
setting; add a second immutable tag using the commit SHA by including both tags
for the image push (keep the existing tag using inputs.image-tag or "main" and
also add ghcr.io/${{ github.repository_owner }}/${{ matrix.app.name }}:${{
github.sha }}), ensuring the push action receives an array of tags so both are
published; apply the same change to the other tags occurrence referenced in the
diff.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 93f90b65-b797-4359-93b0-e2e2d4d9074e

📥 Commits

Reviewing files that changed from the base of the PR and between a488e55 and d946366.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• .github/workflows/docker-build-push.yml

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/ci.yml (1)

14-74: Optional: reduce backend job duplication with a matrix/composite step.

checkout/Rust setup/cache boilerplate is repeated across backend jobs; consolidating this would make future CI changes easier to maintain.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 14 - 74, Multiple backend jobs
(backend-fmt, backend-clippy, backend-test) repeat the same Checkout, Setup
Rust, and Cache Cargo steps; extract those into a reusable unit by creating
either a composite action or a shared job used via a workflow call or job
matrix. Replace duplicated steps in backend-fmt, backend-clippy, and
backend-test with a single invocation that performs Checkout
(actions/checkout@v4), Setup Rust (dtolnay/rust-toolchain@stable with
appropriate components), and Cache Cargo (Swatinem/rust-cache@v2) so each job
only runs its unique step (Format/Clippy/Test); ensure the new composite action
or called job exposes inputs for the working-directory and rust components so
backend-fmt, backend-clippy, and backend-test can pass different args (e.g.,
rustfmt vs clippy vs none) and preserve existing defaults.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 14-74: Multiple backend jobs (backend-fmt, backend-clippy,
backend-test) repeat the same Checkout, Setup Rust, and Cache Cargo steps;
extract those into a reusable unit by creating either a composite action or a
shared job used via a workflow call or job matrix. Replace duplicated steps in
backend-fmt, backend-clippy, and backend-test with a single invocation that
performs Checkout (actions/checkout@v4), Setup Rust
(dtolnay/rust-toolchain@stable with appropriate components), and Cache Cargo
(Swatinem/rust-cache@v2) so each job only runs its unique step
(Format/Clippy/Test); ensure the new composite action or called job exposes
inputs for the working-directory and rust components so backend-fmt,
backend-clippy, and backend-test can pass different args (e.g., rustfmt vs
clippy vs none) and preserve existing defaults.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4791f4dc-0a12-470a-827c-33cc13788b76

📥 Commits

Reviewing files that changed from the base of the PR and between dce7125 and c6bda36.

📒 Files selected for processing (1)

• .github/workflows/ci.yml