fix(ci): resolve Docker build and auto-release failures#157
Conversation
- ci.yml: add paths filter to push trigger so Docker build only runs when Dockerfile, source code, or ci.yml itself changes. Prevents the 'Dockerfile not found' error on OpenCI's own repo (no Dockerfile). - auto-release.yml: replace secrets.MY_GITHUB_TOKEN with github.token. MY_GITHUB_TOKEN was not configured, causing 401 on tag creation. github.token has contents:write permission which is sufficient.
Qodo reviews are paused for this user.Troubleshooting steps vary by plan Learn more → On a Teams plan? Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center? |
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughTwo GitHub Actions workflow configurations are updated: the auto-release workflow now uses GitHub's built-in token instead of a custom secret for git tag creation, and the CI workflow adds path-based filtering to run only on changes to Docker, source code, and workflow files. ChangesAuto-release Token Update
CI Path-based Trigger Optimization
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~5 minutes Possibly related PRs
Suggested labels
Poem
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![openbot-dev[bot]](https://avatars.githubusercontent.com/u/279808688?s=60&v=4){kind=small}
|
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| env: | ||
| NEW_TAG: ${{ steps.version.outputs.tag }} | ||
| GH_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }} | ||
| GH_TOKEN: ${{ github.token }} |
There was a problem hiding this comment.
github.token won't trigger release.yml on tag push
GitHub explicitly prevents GITHUB_TOKEN from triggering downstream workflow runs to avoid infinite loops. release.yml listens on push: tags: ["v*"], so when auto-release.yml creates a tag via the GitHub API using github.token, the tag event is silently swallowed and release.yml never starts. The summary step even says "Release workflow will be triggered automatically," which will no longer be true.
The original secrets.MY_GITHUB_TOKEN PAT was the right approach because a PAT does propagate push tag events. The correct fix is to provision (or reprovision) that secret — or replace it with a GitHub App installation token — rather than switching to github.token.
| paths: | ||
| - "Dockerfile*" | ||
| - "docker-compose*.yml" | ||
| - ".dockerignore" | ||
| - "src/**" | ||
| - "*.dockerfile" | ||
| - ".github/workflows/ci.yml" |
There was a problem hiding this comment.
harness-test job silently skipped on test-only changes
The paths filter applies to the entire ci.yml workflow, including the harness-test job. tests/** is not in the filter, so a push that only modifies BATS test files will not trigger the test suite on main. Since this repo IS the OpenCI library, changes to tests/ are a primary concern and should always exercise the BATS runner.
Adding "tests/**" (and optionally ".github/workflows/reusable-ci.yml") to the paths list would restore coverage for test-only commits.
1 participant
Summary
Fixes 2 recurring GitHub Actions failures on main:
1. CI › Build Docker — Dockerfile not found
ci.ymltriggersreusable-ci.ymlon every push to main, which runs a Docker build. OpenCI is a workflow/actions library, not a containerized app — there's no Dockerfile.pathsfilter toci.ymlpush trigger so the full CI pipeline (including Docker build) only runs when Docker-related files, source code, orci.ymlitself changes. This prevents the spurious failure on OpenCI's own repo while still allowing the CI to run when relevant files are modified.2. Auto-release › Create tag — Bad credentials (HTTP 401)
secrets.MY_GITHUB_TOKENwas referenced but is not configured (or expired) in the repo.${{ github.token }}— the workflow already hascontents: writepermission, which is sufficient for tag creation via the GitHub API.Files Changed
.github/workflows/ci.yml— Added paths filter to push trigger.github/workflows/auto-release.yml— Replaced unconfigured PAT with github.tokenTest Plan
actionlintvalidates both workflow filesNeed help on this PR? Tag
@codesmithwith what you need. Autofix is disabled.Summary by CodeRabbit
Greptile Summary
This PR addresses two recurring CI failures: a spurious Docker build error (no Dockerfile in this workflow library repo) and a 401 on tag creation caused by a missing/expired PAT. The
pathsfilter fix forci.ymlis directionally correct, but both changes introduce new issues that prevent the intended end-to-end release pipeline from working.auto-release.yml: Replacingsecrets.MY_GITHUB_TOKENwithgithub.tokeneliminates the 401 error, butgithub.tokencannot fire downstream workflow events —release.yml, which listens onpush: tags, will never be triggered automatically.ci.yml: Thepathsfilter prevents the Docker build job from failing on irrelevant pushes, buttests/**is absent from the filter, so theharness-test(BATS) job is silently skipped whenever only test files are changed onmain.Confidence Score: 3/5
The auto-release change fixes one failure but breaks the downstream release chain; merging will leave the repo unable to auto-publish releases without manual intervention.
Both files have functional gaps:
github.tokensuccessfully creates the tag but thepush: tagsevent is suppressed, sorelease.ymlnever runs — the stated goal of the fix is not achieved. Thepathsfilter inci.ymlmeanwhile silently drops BATS test execution whenever only test files change on main.Both changed files need attention:
auto-release.ymlfor the token/event-propagation issue, andci.ymlfor the missingtests/**path entry.Important Files Changed
github.token, which fixes the 401 error but breaks the tag-push event chain that triggersrelease.yml.pathsfilter to prevent spurious Docker-build failures, but the filter omitstests/**, so theharness-test(BATS) job is silently skipped on test-only commits to main.Sequence Diagram
sequenceDiagram participant Push as git push to main participant AR as auto-release.yml participant GH as GitHub API participant RL as release.yml Push->>AR: workflow triggered (no paths filter) AR->>AR: analyze commits, calculate new tag AR->>GH: POST /git/refs using github.token GH-->>AR: 201 Created tag successfully Note over GH,RL: Tag push event is suppressed<br/>github.token cannot trigger<br/>downstream workflows RL--xRL: release.yml never runs Note over Push,RL: Expected behavior with a valid PAT Push->>AR: workflow triggered AR->>GH: POST /git/refs using PAT GH->>RL: push tags event fires RL->>RL: marketplace and docker release runsReviews (1): Last reviewed commit: "fix(ci): resolve Docker build and auto-r..." | Re-trigger Greptile