chore(ci): bump reusable-docker-build-publish ref #22254
Merged
Contributor
|
✅ No conflicts with other open PRs targeting |
Contributor
Pull request overview
Risk Rating: MEDIUM (changes affect CI/release image build & publish behavior)
This PR updates the GitHub Actions workflows to use newer versions of the smartcontractkit/.github reusable Docker build/publish workflow, and adds an overwrite-prevention flag for public ECR publishing in the release workflow.
Changes:
- Update `.github/workflows/docker-build.yml` to reference `reusable-docker-build-publish/v1` (mutable major tag).
- Update `.github/workflows/build-publish.yml` to pin to a newer reusable workflow commit SHA (`reusable-docker-build-publish/1.2.0`).
- Add `allow-overwrites` input to release publish jobs to prevent overwriting existing public ECR tags.
Scrupulous human review focus:
- Validate the intended security/reproducibility tradeoff of using a mutable reusable-workflow ref in `docker-build.yml`.
- Confirm `allow-overwrites` input name and type match the reusable workflow’s `workflow_call` contract (especially boolean vs string).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/docker-build.yml | Bumps reusable workflow reference to a mutable v1 ref for docker-build jobs. |
| .github/workflows/build-publish.yml | Pins reusable workflow to a newer SHA and adds allow-overwrites configuration for public ECR publishing. |
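The mutable-ref versus pinned-SHA distinction raised in the overview above can be checked mechanically. The following is an added example, not part of the PR or of the smartcontractkit tooling: it scans workflow text for `uses:` references and reports whether each ref is a full commit SHA. The `example-org` path and the 40-character SHA are constructed placeholders; only the two ref names come from this page.

```python
import re

# Matches "uses: owner/repo/path@ref", optionally followed by a "# comment".
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<target>[^@\s'\"#]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed samples. The workflow path and SHA are placeholders (assumptions).
SAMPLE_DOCKER_BUILD = """\
jobs:
  docker-build:
    uses: example-org/.github/.github/workflows/reusable-build.yml@reusable-docker-build-publish/v1
"""
SAMPLE_BUILD_PUBLISH = """\
jobs:
  publish:
    uses: example-org/.github/.github/workflows/reusable-build.yml@0123456789abcdef0123456789abcdef01234567 # reusable-docker-build-publish/1.2.0
    with:
      allow-overwrites: "false"
"""

def classify_ref(ref):
    """Return 'pinned' for a full 40-hex commit SHA, else 'mutable'.

    Tags, branches and abbreviated SHAs can all be re-pointed or become
    ambiguous, so only a full SHA counts as pinned.
    """
    return "pinned" if FULL_SHA_RE.match(ref) else "mutable"

def audit_workflow(text, path="<workflow>"):
    """List every remote `uses:` reference in a workflow with its pin status."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m["target"].startswith("docker://"):
            continue  # local (./...) refs have no @ref; image digests are out of scope
        findings.append({
            "path": path, "line": lineno, "target": m["target"], "ref": m["ref"],
            "status": classify_ref(m["ref"]),
            "comment": (m["comment"] or "").strip(),  # human-readable version hint
        })
    return findings

if __name__ == "__main__":
    for name, text in (("docker-build.yml", SAMPLE_DOCKER_BUILD),
                       ("build-publish.yml", SAMPLE_BUILD_PUBLISH)):
        for f in audit_workflow(text, name):
            print(f"{f['path']}:{f['line']} {f['status']:8} {f['ref']} {f['comment']}")
```
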
chainchad
approved these changes
Apr 29, 2026
kalverra
approved these changes
Apr 30, 2026
Bumps `reusable-docker-build-publish` to the newest ref (smartcontractkit/.github#1533).
New input documented here: smartcontractkit/.github#1526
Changes
build-publish
- `allow-overwrites: "false"` which ensures that we cannot overwrite existing images in the public ECR
docker-build
Notes
We do not set `allow-overwrites` for the `docker-build` workflow, as the role that publishes the images doesn't have the proper permissions to query the private ECR. Republishing in the private ECR is also not a problem, but we shouldn't do it in the public ECR (which doesn't support immutability).