
ci: automate docker image builds to GHCR#21

Open
pthmas wants to merge 2 commits intomainfrom
pthmas/inspect-evm-image-ci

Conversation

Collaborator

@pthmas pthmas commented Mar 4, 2026

Adds a reusable GitHub Actions workflow to automatically build and push Docker images for the indexer, API, and frontend services to GitHub Container Registry on every push to main.

Images are built for both linux/amd64 and linux/arm64 platforms using Docker Buildx. The workflow is triggered only on pushes to main and has properly scoped permissions for reading code and writing to GHCR.

Summary by CodeRabbit

  • Chores
    • Added automated Docker image build-and-publish pipeline to the registry, triggered on pushes to main.
    • Supports multi-platform images (linux/amd64 and linux/arm64).
    • Enables per-service build configurations and parallel image builds for multiple services to speed deployments.

Add a reusable GitHub Actions workflow to build and push Docker images for the indexer, API, and frontend services to GitHub Container Registry (GHCR) on every push to main. Images are built for both linux/amd64 and linux/arm64 platforms.

coderabbitai bot commented Mar 4, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between d946366 and dce7125.

📒 Files selected for processing (1)
  • .github/workflows/docker-build-push.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/docker-build-push.yml

📝 Walkthrough

Adds a new reusable GitHub Actions workflow and a CI job to build and push multi-platform Docker images for three services to GitHub Container Registry, triggered on pushes to main and executed via a matrix-driven per-app build process.

Changes

Cohort / File(s): CI workflow update (.github/workflows/ci.yml)
Summary: Adds a new "Docker (GHCR)" job that calls the reusable docker-build-push.yml workflow on pushes to main, passing image-tag: main and an apps array for three services.

Cohort / File(s): Reusable Docker build workflow (.github/workflows/docker-build-push.yml)
Summary: New reusable workflow that accepts image-tag and apps (JSON). Uses a matrix to build each app with Buildx, logs into GHCR, and runs docker/build-push-action@v6 conditionally with or without a target, producing multi-platform images (linux/amd64, linux/arm64) and tagging them as ghcr.io/{owner}/{app.name}:{image-tag}.

Sequence Diagram(s)

sequenceDiagram
    participant CI as CI (ci.yml)
    participant Reusable as Reusable Workflow (docker-build-push.yml)
    participant Buildx as Docker Buildx
    participant GHCR as GitHub Container Registry

    CI->>Reusable: dispatch with inputs (image-tag, apps)
    Reusable->>Buildx: setup buildx & checkout repo
    Reusable->>Buildx: start matrix build per app (context, dockerfile, target?)
    Buildx->>GHCR: login
    Buildx->>GHCR: push multi-arch images (ghcr.io/{owner}/{app}:{tag})
    GHCR-->>CI: images available

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I dug a little CI hole today,
Built images two-arch, then sent them away,
Three services snug in ghcr's nest,
Pipelines humming — I hopped and I rest. 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'ci: automate docker image builds to GHCR' directly and accurately summarizes the main change: adding automation for Docker image builds to GitHub Container Registry.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

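The reusable workflow the walkthrough describes, written out as an added example (not the PR's own .github/workflows/docker-build-push.yml): it wires the apps JSON input into the matrix, folds in the QEMU and immutable-tag changes raised in review, scopes GITHUB_TOKEN to contents: read / packages: write, and lowercases the owner because GHCR rejects uppercase image names. The owner step, the provenance setting and the single-step target handling are assumptions of this example, not something the PR contains.

```yaml
name: docker-build-push
on:
  workflow_call:
    inputs:
      image-tag:
        type: string
        required: true
      apps:
        type: string    # JSON array of {name, context, dockerfile, target?}
        required: true

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read    # checkout only
      packages: write   # push to GHCR; nothing else is granted to GITHUB_TOKEN
    strategy:
      fail-fast: false
      matrix:
        app: ${{ fromJSON(inputs.apps) }}
    steps:
      - uses: actions/checkout@v4   # pin each action to a full commit SHA in production

      # Assumed helper: GHCR image names must be lowercase; github.repository_owner may not be.
      - id: owner
        run: echo "name=${OWNER,,}" >> "$GITHUB_OUTPUT"
        env:
          OWNER: ${{ github.repository_owner }}
      # QEMU is what lets an x86_64 runner build the linux/arm64 half.
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: docker/build-push-action@v6
        with:
          context: ${{ matrix.app.context }}
          file: ${{ matrix.app.dockerfile }}
          target: ${{ matrix.app.target || '' }}   # empty target is ignored, so one step serves both cases
          platforms: linux/amd64,linux/arm64
          push: true
          provenance: true   # attach a build provenance attestation to the pushed image
          tags: |
            ghcr.io/${{ steps.owner.outputs.name }}/${{ matrix.app.name }}:${{ inputs.image-tag }}
            ghcr.io/${{ steps.owner.outputs.name }}/${{ matrix.app.name }}:${{ github.sha }}
```

The caller still needs the `needs: [backend, frontend]` gate discussed in the review; this file only controls what gets built once it is invoked.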

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/docker-build-push.yml (1)

48-48: Add an immutable image tag alongside main.

Using only a mutable tag makes rollback/debugging harder. Keep main, but also publish ${{ github.sha }}.

Suggested fix
-          tags: ghcr.io/${{ github.repository_owner }}/${{ matrix.app.name }}:${{ inputs.image-tag }}
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.app.name }}:${{ inputs.image-tag }}
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.app.name }}:${{ github.sha }}
...
-          tags: ghcr.io/${{ github.repository_owner }}/${{ matrix.app.name }}:${{ inputs.image-tag }}
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.app.name }}:${{ inputs.image-tag }}
+            ghcr.io/${{ github.repository_owner }}/${{ matrix.app.name }}:${{ github.sha }}
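Review bot: the two-tag change has to land in both build-push steps (the with-target and without-target variants at lines 48 and 58), otherwise only one branch of the matrix publishes the SHA tag; since docker/build-push-action ignores an empty `target`, collapsing the two steps into one with `target: ${{ matrix.app.target || '' }}` would remove the duplication that makes this fix apply twice. For deployments that need a content-addressed reference rather than a tag, the step's `digest` output is the value to record.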

Also applies to: 58-58



📥 Commits

Reviewing files that changed from the base of the PR and between a488e55 and d946366.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/docker-build-push.yml

Comment on lines +67 to +70
docker:
name: Docker (GHCR)
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
uses: ./.github/workflows/docker-build-push.yml

⚠️ Potential issue | 🟠 Major


Gate image publishing on CI success with needs.

The docker job (lines 67-76) currently only checks the event and branch with if: github.event_name == 'push' && github.ref == 'refs/heads/main'. This condition does not enforce job dependencies. Without needs, the docker publish job can run in parallel with or independently of the backend tests (line 14) and frontend build (line 43), and will execute even if either fails. Add needs: [backend, frontend] to ensure images are only published after both jobs succeed.

Suggested fix
  docker:
    name: Docker (GHCR)
+   needs:
+     - backend
+     - frontend
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    uses: ./.github/workflows/docker-build-push.yml
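Review bot: adding `needs` also changes the job's implicit status check: because the existing `if` contains no status function, GitHub prepends `success()` to it, so `docker` now runs only when `backend` and `frontend` both succeeded and the branch condition holds, which is the intended gate. A later edit that adds `always()` or `!cancelled()` to this `if` would silently reopen it, so a one-line comment above `needs:` stating that intent is worth including in the same change.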

Comment on lines +29 to +30
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

⚠️ Potential issue | 🔴 Critical

Add QEMU setup before Docker Buildx for multi-platform builds.

The workflow attempts to build for linux/amd64,linux/arm64 (lines 47, 57) on ubuntu-latest (x86_64), but there is no QEMU emulation configured. Without docker/setup-qemu-action, arm64 builds will fail on the runner.

Suggested fix
      - name: Checkout
        uses: actions/checkout@v4

+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
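Review bot: the QEMU step fixes the arm64 build, but every action in this hunk (`actions/checkout@v4`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`) is referenced by a mutable major tag; a scoped token and a `needs` gate do not help if the action itself is replaced upstream, so pin each to a full commit SHA with the version in a trailing comment before this lands. Also note that emulated arm64 builds are much slower than native ones, so build time for the three-service matrix will rise noticeably once this step is in place.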