Sampleworks container build fully fixed #281
Walkthrough
The Docker workflow's image handoff between the
Changes: Digest-pinned image handoff in Docker workflow
Estimated code review effort: 2 (Simple), ~10 minutes
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/docker.yml:
- Around line 228-231: The digest check in the workflow only verifies the
sha256: prefix and can still allow invalid values like sha256:not-a-digest.
Update the validation in the PUBLIC_IMAGE_DIGEST check to ensure the digest is a
complete, valid SHA256 value, not just prefixed correctly, so the early failure
catches bad inputs before the Astera build uses them.
📒 Files selected for processing (1)
.github/workflows/docker.yml
if [ "${PUBLIC_IMAGE_DIGEST}" = "${PUBLIC_IMAGE_DIGEST#sha256:}" ]; then
  echo "public job produced a non-sha256 digest: ${PUBLIC_IMAGE_DIGEST}"
  exit 1
fi
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Validate the full SHA256 digest, not just the prefix.
`sha256:` or `sha256:not-a-digest` passes this check and then fails later in the Astera build `FROM`, so the early validation does not catch invalid digests.
Suggested fix
- if [ "${PUBLIC_IMAGE_DIGEST}" = "${PUBLIC_IMAGE_DIGEST#sha256:}" ]; then
+ if ! printf '%s\n' "${PUBLIC_IMAGE_DIGEST}" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
echo "public job produced a non-sha256 digest: ${PUBLIC_IMAGE_DIGEST}"
exit 1
fi
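Review bot: The `grep -Eq '^sha256:[0-9a-f]{64}$'` test on the added `+` line is line-oriented, so a PUBLIC_IMAGE_DIGEST value that contains an embedded newline still passes as long as any one of its lines is a well-formed digest. Consider also requiring `[ "${#PUBLIC_IMAGE_DIGEST}" -eq 71 ]` (the 7 characters of `sha256:` plus 64 hex digits), or matching the whole string with a shell `case` pattern instead of grep. The unchanged echo line below it still reports a "non-sha256 digest", which no longer describes every value the new check rejects; "malformed digest" would be more accurate.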
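The failure mode in this finding, as an added example that is not code from the PR or from CodeRabbit: three checks run over constructed inputs, showing that the prefix test accepts `sha256:not-a-digest`, that a line-oriented grep accepts a multi-line value, and that a whole-string check rejects both. The function names, the image name `registry.example/app` and the sample digest are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the PR). Function names, the image name and all
# sample values are constructed for illustration.

# Check currently in the workflow: only asserts that a "sha256:" prefix exists.
prefix_only_ok() {
  [ "$1" != "${1#sha256:}" ]
}

# Line-oriented regex check: grep tests each line, not the whole value.
grep_line_ok() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Whole-string check: "sha256:" followed by exactly 64 lowercase hex characters.
# The bracket expression lists every allowed character, so the result does not
# depend on locale collation, and an embedded newline is rejected like any
# other non-hex byte.
strict_digest_ok() {
  _hex=${1#sha256:}
  [ "$1" != "$_hex" ] || return 1      # prefix missing
  [ "${#_hex}" -eq 64 ] || return 1    # wrong length (empty, truncated, padded)
  case $_hex in
    *[!0123456789abcdef]*) return 1 ;; # uppercase, punctuation, whitespace
  esac
  return 0
}

# Build the digest-pinned reference for FROM only from a validated digest.
pinned_ref() {
  strict_digest_ok "$2" || { echo "malformed digest: $2" >&2; return 1; }
  printf '%s@%s\n' "$1" "$2"
}

# Constructed inputs: GOOD is the SHA-256 of empty input, used as a stand-in.
GOOD="sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
MULTI="$GOOD
not-a-digest"

for v in "sha256:" "sha256:not-a-digest" "$MULTI" "$GOOD"; do
  for check in prefix_only_ok grep_line_ok strict_digest_ok; do
    if "$check" "$v"; then r=accept; else r=reject; fi
    printf '%-18s %s  <- %s\n' "$check" "$r" "$(printf '%s' "$v" | tr '\n' ' ' | cut -c1-30)"
  done
done
pinned_ref registry.example/app "$GOOD"
```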
  cancel-in-progress: true

env:
  CONDA_OVERRIDE_CUDA: "12"
We added CONDA_OVERRIDE_CUDA=12 because CI runs on CPU-only GitHub runners, but our Pixi environments depend on CUDA 12 packages. Newer Pixi checks this more strictly and fails if CUDA is not detected, even before tests start. This variable tells Pixi to resolve the environment as CUDA 12 without requiring a real GPU on the CI runner.