ci(docker): split all-in-one into post-matrix job, exclude shibboleth from build_all #14252

Merged
moabu merged 4 commits into main from fix/docker-aio-ordering-shibboleth
Jun 10, 2026
mo-auto (Member) commented Jun 10, 2026

Summary

  • fail-fast: false added to the matrix strategy — previously one failing image (e.g. shibboleth) cancelled all other builds
  • all-in-one split into a separate docker-aio job with needs: [docker] — it now waits for all matrix jobs to fully complete before starting, replacing the bogus sleep 30 × 12 loop that was only a ~6-minute fixed delay
  • Shibboleth excluded from build_all — removed from ALL_SERVICES; it still exists in the matrix and can be triggered via its individual workflow_dispatch input
  • docker-jans-all-in-one removed from ALL_SERVICES — AIO is no longer in the matrix so the entry was dead
  • docker-aio timeout set to 90m (vs 60m) to accommodate the full post-wait build

AIO actual dependencies (from Dockerfile FROMs)

  • configurator
  • persistence-loader
  • auth-server
  • config-api
  • fido2
  • scim
  • casa

(shibboleth and link are commented out in the AIO Dockerfile)

Test plan

  • docker matrix jobs run in parallel; a shibboleth failure does not cancel others
  • docker-aio job appears in the workflow run after all matrix jobs finish
  • Manual dispatch with build_all=true does not trigger shibboleth
  • Manual dispatch with shibboleth=true still triggers shibboleth

Summary by CodeRabbit

  • Chores
    • Improved build pipeline resilience so a single matrix job failure no longer cancels other jobs.
    • Updated the default set of Docker images used for multi-image builds.
    • Changed multi-image build sequencing to explicitly wait for required image jobs to finish and reliably abort on failures or timeouts.

…hibboleth from build_all

- Add fail-fast: false to prevent one image failure cancelling others
- Remove all-in-one from matrix; add docker-aio job with needs: [docker] so
  it only starts after all other images complete (replacing the bogus sleep-loop)
- Remove docker-jans-shibboleth and docker-jans-all-in-one from ALL_SERVICES
  so neither runs when build_all is checked; shibboleth still buildable
  via its individual workflow_dispatch input
- Increase docker-aio timeout to 90m to accommodate the post-wait build

Signed-off-by: moauto <54212639+mo-auto@users.noreply.github.com>
@mo-auto mo-auto requested a review from moabu as a code owner June 10, 2026 14:58
mo-auto (Member, Author) commented Jun 10, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

@mo-auto mo-auto added the area-CI Issue or changes required in automatic builds or CI infrastructure label Jun 10, 2026
coderabbitai Bot (Contributor) commented Jun 10, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 36b83c88-d7b3-41cc-876d-15d30849d408

📥 Commits

Reviewing files that changed from the base of the PR and between d64ff1a and df36efb.

📒 Files selected for processing (1)
  • .github/workflows/build-docker-image.yml

📝 Walkthrough

The workflow disables matrix fail-fast, removes docker-jans-all-in-one and docker-jans-shibboleth from the default ALL_SERVICES, and replaces the all-in-one prerequisite sleep with a conditional GitHub Actions API polling loop that verifies required docker image job conclusions and aborts on failures.

Changes

Docker Image Build Workflow Adjustments

| Layer / File(s) | Summary |
|---|---|
| Main job matrix configuration and service list (.github/workflows/build-docker-image.yml) | Sets strategy.fail-fast: false so matrix jobs run to completion, updates the default ALL_SERVICES to exclude docker-jans-all-in-one and docker-jans-shibboleth, and adds a trailing blank line. |
| All-in-one build prerequisite polling refactor (.github/workflows/build-docker-image.yml) | Reworks the all-in-one prerequisite step to run only when matrix.docker-images == "all-in-one" (and not on PRs), polling the GitHub Actions API for the required docker ($img) jobs and aborting the all-in-one build if any required job fails, is cancelled, times out, or never reaches success/skipped within the retry loop. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • JanssenProject/jans#12630: Modifies the same .github/workflows/build-docker-image.yml matrix / all-in-one synchronization logic and which docker-images are included/excluded.

Suggested reviewers

  • moabu
  • jgomer2001

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description is comprehensive but does not follow the required template structure. It lacks target issue reference, formal test checklist items, and the documentation impact confirmation checkbox required by the template. | Add target issue number (closes #XXXX), complete the test checklist items with checkboxes, and confirm documentation impact following the template structure. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly identifies the main changes: splitting all-in-one into a separate post-matrix job and excluding shibboleth from the default build, which aligns with the core modifications in the workflow file. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.


coderabbitai Bot (Contributor) commented Jun 10, 2026

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{}

…m build_all

- Add fail-fast: false so one image failure does not cancel others
- Replace sleep-loop with gh api polling in the Prepare step: all-in-one
  waits for auth-server, config-api, configurator, fido2, persistence-loader,
  scim, and casa to reach a terminal state before building (no code duplication)
- Remove docker-jans-shibboleth from ALL_SERVICES so it is skipped on
  build_all; still buildable via its individual workflow_dispatch input

Signed-off-by: moauto <54212639+mo-auto@users.noreply.github.com>
@mo-auto mo-auto force-pushed the fix/docker-aio-ordering-shibboleth branch from 60b6175 to 75d00dd Compare June 10, 2026 15:07
coderabbitai Bot (Contributor) commented Jun 10, 2026

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details

@coderabbitai coderabbitai Bot added the comp-docker-jans-all-in-one Touching folder /docker-jans-all-in-one label Jun 10, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/build-docker-image.yml (1)

111-115: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

all-in-one is still wired as a matrix child, not a post-matrix job.

Line 139 removes it from the service list that drives workflow_dispatch build_all, nightly schedule, and the initial-push fallback, so those paths now skip AIO entirely. But because it still lives in the docker matrix, any changed-dir/tag path that does build it still runs under the matrix's 60-minute timeout and consumes a parallel slot instead of becoming the 90-minute needs: [docker] post-job described in this PR.

Also applies to: 139-140

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-docker-image.yml around lines 111 - 115, The matrix
still includes "all-in-one" in the docker-images list (matrix: docker-images:
[... "all-in-one" ...]) which keeps it running under the matrix’s 60-minute
timeout and consumes a parallel slot; remove "all-in-one" from that docker
matrix and instead implement it as the separate post-matrix job described in the
PR: create a new job named e.g. docker_all_in_one that has needs: [docker],
timeout-minutes: 90, and is wired into the same service
list/dispatch/nightly/fallback paths (the same places that drive
workflow_dispatch build_all) so AIO runs as the 90-minute post-job rather than
as a matrix child.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-docker-image.yml:
- Around line 277-289: The polling loop for "docker ($img)" using CONCLUSION
inside for attempt in $(seq 1 60) currently falls through if no terminal state
is observed, allowing the AIO build to proceed; update the logic so that after
the loop finishes (i.e., timed out without hitting success/skipped/failure), you
treat that as a failure and abort: after the for-loop, check if CONCLUSION is
not "success" or "skipped" and if so echo a clear error message including the
job name ("docker ($img)") and exit 1 — keep existing early exits for explicit
failure states and use the same CONCLUSION variable and job name string to
locate where to add this post-loop timeout handling.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c417f49e-5c51-4acf-854e-00b353877210

📥 Commits

Reviewing files that changed from the base of the PR and between 18f7dea and 75d00dd.

📒 Files selected for processing (1)
  • .github/workflows/build-docker-image.yml

Comment thread .github/workflows/build-docker-image.yml
After the poll loop exhausts all 60 attempts without seeing success/skipped,
exit 1 instead of falling through and starting the AIO build anyway.

Signed-off-by: moauto <54212639+mo-auto@users.noreply.github.com>
@moabu moabu merged commit 92db986 into main Jun 10, 2026
2 of 3 checks passed
@moabu moabu deleted the fix/docker-aio-ordering-shibboleth branch June 10, 2026 16:27
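
The timeout fall-through raised in the inline review comment and addressed by the last commit, shown as an added example that is not code from this PR or the project's workflow: `wait_fail_open` reconstructs the described behaviour, and `wait_fail_closed` treats an exhausted poll budget as a failure. All function names are hypothetical, and `get_conclusion` replays constructed sample conclusions in place of the real jobs API query.

```shell
# Added example, not the workflow's own step. get_conclusion is a hypothetical
# stand-in for the jobs API query; it replays constructed data so it runs offline.

# Constructed sample: one conclusion per poll; "null" = job still running.
sample_conclusions() {
  case "$1" in
    auth-server) echo "null null success" ;;
    config-api)  echo "skipped" ;;
    fido2)       echo "null failure" ;;
    scim)        echo "null null null" ;;   # never finishes within the window
  esac
}

# $1 = image, $2 = attempt number (1-based); empty output once the data runs out.
get_conclusion() { sample_conclusions "$1" | cut -d' ' -f"$2"; }

# Fail-open variant, reconstructed from the review text: an exhausted loop
# falls through and the caller proceeds as if the prerequisite had succeeded.
wait_fail_open() {   # $1 = image, $2 = max attempts, $3 = delay seconds
  for attempt in $(seq 1 "$2"); do
    CONCLUSION=$(get_conclusion "$1" "$attempt")
    case "$CONCLUSION" in
      success|skipped) break ;;
      failure|cancelled|timed_out) return 1 ;;
    esac
    sleep "$3"
  done
  return 0
}

# Fail-closed variant: only an observed success/skipped returns 0.
# Returns 1 on an explicit bad conclusion, 2 when the poll budget is exhausted.
wait_fail_closed() {   # $1 = image, $2 = max attempts, $3 = delay seconds
  CONCLUSION=""
  for attempt in $(seq 1 "$2"); do
    CONCLUSION=$(get_conclusion "$1" "$attempt")
    case "$CONCLUSION" in
      success|skipped) return 0 ;;
      failure|cancelled|timed_out)
        echo "docker ($1) concluded '$CONCLUSION'; aborting" >&2
        return 1 ;;
    esac
    sleep "$3"
  done
  echo "docker ($1) not success/skipped after $2 attempts (last: '${CONCLUSION:-none}'); aborting" >&2
  return 2
}

# Demo over the constructed data (delay 0 keeps it instant).
for name in auth-server config-api fido2 scim; do
  rc_open=0;   wait_fail_open   "$name" 3 0             || rc_open=$?
  rc_closed=0; wait_fail_closed "$name" 3 0 2>/dev/null || rc_closed=$?
  echo "$name: fail-open rc=$rc_open, fail-closed rc=$rc_closed"
done
```

The two variants differ only for a prerequisite that never reaches a terminal state: with the constructed `scim` data the fail-open loop returns 0 and the dependent build would start against a missing or stale image, while the fail-closed loop returns 2.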