carverauto/serviceradar

Fork 0

1683 chore bazel to push images to ghcrio #2261

Merged

mfreeman451 merged 5 commits from refs/pull/2261/head into main

2025-10-03 04:15:32 +00:00

mfreeman451 commented

2025-10-03 03:54:47 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #1684
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1684
Original created: 2025-10-03T03:54:47Z
Original updated: 2025-10-03T04:15:38Z
Original head: carverauto/serviceradar:1683-chore-bazel-to-push-images-to-ghcrio
Original base: main
Original merged: 2025-10-03T04:15:32Z by @mfreeman451

PR Type

Enhancement

Description

Configure Bazel to push container images to GHCR
Update RBE executor image to v1.0.9
Add Docker authentication setup for BuildBuddy
Fix protoc configuration for Rust builds

Diagram Walkthrough

flowchart LR
  A["Bazel Build"] --> B["Docker Auth Setup"]
  B --> C["OCI Image Build"]
  C --> D["GHCR Push Targets"]
  D --> E["ghcr.io/carverauto/*"]
  F["RBE Executor v1.0.9"] --> A

File Walkthrough

Relevant files

Configuration changes

4 files

build.rs `Force protoc path for RBE builds`	+5/-1
BUILD.bazel `Update RBE image and add auth script`	+8/-1
BUILD `Update RBE executor image version`	+1/-1
platform_exec_properties.patch `Update OCaml platform executor image`	+2/-2

Enhancement

4 files

buildbuddy_setup_docker_auth.sh `Docker authentication setup script for BuildBuddy`	+43/-0
push_targets.bzl `GHCR push targets and multirun configuration`	+71/-0
Dockerfile.rbe `Add protobuf tools and GCC symlinks`	+7/-0
BUILD.bazel `Declare GHCR push targets`	+4/-0

Formatting

1 files

.bazelrc
Remove extra newline in remote config +0/-1

Dependencies

1 files

MODULE.bazel
Update dependencies and GCC toolchain paths +16/-6

Documentation

1 files

GHCR_PUBLISHING.md
Documentation for GHCR publishing workflow +101/-0

Imported from GitHub pull request. Original GitHub pull request: #1684 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/1684 Original created: 2025-10-03T03:54:47Z Original updated: 2025-10-03T04:15:38Z Original head: carverauto/serviceradar:1683-chore-bazel-to-push-images-to-ghcrio Original base: main Original merged: 2025-10-03T04:15:32Z by @mfreeman451 --- ### **PR Type** Enhancement ___ ### **Description** - Configure Bazel to push container images to GHCR - Update RBE executor image to v1.0.9 - Add Docker authentication setup for BuildBuddy - Fix protoc configuration for Rust builds ___ ### Diagram Walkthrough ```mermaid flowchart LR A["Bazel Build"] --> B["Docker Auth Setup"] B --> C["OCI Image Build"] C --> D["GHCR Push Targets"] D --> E["ghcr.io/carverauto/*"] F["RBE Executor v1.0.9"] --> A ``` <details> <summary><h3> File Walkthrough</h3></summary> <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td><strong>Configuration changes</strong></td><td><details><summary>4 files</summary><table> <tr> <td><strong>build.rs</strong><dd><code>Force protoc path for RBE builds</code>                                                  </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1684/files#diff-251e7a923f45f8f903e510d10f183366bda06d281c8ecc3669e1858256e2186d">+5/-1</a>      </td> </tr> <tr> <td><strong>BUILD.bazel</strong><dd><code>Update RBE image and add auth script</code>                                          </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1684/files#diff-7fc57714ef13c3325ce2a1130202edced92fcccc0c6db34a72f7b57f60d552a3">+8/-1</a>      </td> </tr> <tr> <td><strong>BUILD</strong><dd><code>Update RBE executor image version</code>                                                </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1684/files#diff-997d64eedc645601c81b86be6b25f569abfff63aaa3a49ff88975988a14065fb">+1/-1</a>      </td> </tr> <tr> <td><strong>platform_exec_properties.patch</strong><dd><code>Update OCaml platform executor image</code>                                          </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1684/files#diff-ef5baf58450bc5fbbc939fbaf0283202e1baf01cf7e560bacf39cddee346fb3d">+2/-2</a>      </td> </tr> </table></details></td></tr><tr><td><strong>Enhancement</strong></td><td><details><summary>4 files</summary><table> <tr> <td><strong>buildbuddy_setup_docker_auth.sh</strong><dd><code>Docker authentication setup script for BuildBuddy</code>                </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1684/files#diff-b8834135959342425abf14bc72698a3c47918fa435c7284348cc9735beb0bec4">+43/-0</a>    </td> </tr> <tr> <td><strong>push_targets.bzl</strong><dd><code>GHCR push targets and multirun configuration</code>                          </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1684/files#diff-4af33fe62caba04b6d479589c16cfb85babc39bae5c92595d4d4e31660738513">+71/-0</a>    </td> </tr> <tr> <td><strong>Dockerfile.rbe</strong><dd><code>Add protobuf tools and GCC symlinks</code>                                            </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1684/files#diff-40936cbae5822a0a5fa8016befa08eb3a7836c93328e8043dcdfb3885a6201b2">+7/-0</a>      </td> </tr> <tr> <td><strong>BUILD.bazel</strong><dd><code>Declare GHCR push targets</code>                                                                </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1684/files#diff-0e4db31c224a8f72ae8e870a849e38a59d74a2c7f7b04347b0b3eb07e20c5a80">+4/-0</a>      </td> </tr> </table></details></td></tr><tr><td><strong>Formatting</strong></td><td><details><summary>1 files</summary><table> <tr> <td><strong>.bazelrc</strong><dd><code>Remove extra newline in remote config</code>                                        </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1684/files#diff-544556920c45b42cbfe40159b082ce8af6bd929e492d076769226265f215832f">+0/-1</a>      </td> </tr> </table></details></td></tr><tr><td><strong>Dependencies</strong></td><td><details><summary>1 files</summary><table> <tr> <td><strong>MODULE.bazel</strong><dd><code>Update dependencies and GCC toolchain paths</code>                            </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1684/files#diff-6136fc12446089c3db7360e923203dd114b6a1466252e71667c6791c20fe6bdc">+16/-6</a>    </td> </tr> </table></details></td></tr><tr><td><strong>Documentation</strong></td><td><details><summary>1 files</summary><table> <tr> <td><strong>GHCR_PUBLISHING.md</strong><dd><code>Documentation for GHCR publishing workflow</code>                              </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1684/files#diff-9050d4ad7d332fde74f286af69514012e30da293ca412f1a03ced08e2c43990a">+101/-0</a>  </td> </tr> </table></details></td></tr></tr></tbody></table> </details> ___

qodo-code-review[bot] commented

2025-10-03 03:55:49 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1684#issuecomment-3364161783
Original created: 2025-10-03T03:55:49Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance

⚪

Credential handling risk

Description: The script writes Docker auth credentials to ~/.docker/config.json which, if not protected
by permissions or proper secret scoping, may expose GHCR credentials on shared runners or
logs; ensure restricted file perms and no echoing of secrets.
buildbuddy_setup_docker_auth.sh [15-41]

Referred Code

if [[ -n "${DOCKER_AUTH_CONFIG_JSON:-}" ]]; then
  printf '%s\n' "${DOCKER_AUTH_CONFIG_JSON}" > "${config_path}"
  exit 0
fi

if [[ -n "${GHCR_DOCKER_AUTH:-}" ]]; then
  auth_entry="${GHCR_DOCKER_AUTH}"
elif [[ -n "${GHCR_USERNAME:-}" && -n "${GHCR_TOKEN:-}" ]]; then
  auth_entry=$(printf '%s:%s' "${GHCR_USERNAME}" "${GHCR_TOKEN}" | base64 | tr -d '\n')
else
  cat >&2 <<EOF_ERR
Missing registry credentials.
Provide one of the following before running this script:
  * DOCKER_AUTH_CONFIG_JSON: Full docker config JSON.
  * GHCR_DOCKER_AUTH: Base64-encoded "username:token" string for ${registry}.
  * GHCR_USERNAME and GHCR_TOKEN environment variables.
EOF_ERR
  exit 1
fi

cat > "${config_path}" <<EOF_JSON


 ... (clipped 6 lines)

Ticket Compliance

🟡

🎫 #1683

🟢	Configure Bazel to push container images to GHCR (ghcr.io) with appropriate targets and workflow.
	Provide Docker authentication setup suitable for BuildBuddy/CI to authenticate to GHCR without committing secrets.
	Update RBE executor image version to v1.0.9 across relevant Bazel platforms/toolchains.
	Fix protoc configuration so Rust builds use the correct system-installed protoc within the RBE image.
	Add documentation describing the GHCR publishing process and required secrets/workflows.
⚪	Validate that GHCR pushes succeed in CI with BuildBuddy using provided secrets and that images appear under ghcr.io/carverauto/*
⚪	Confirm that stamping produces expected tags (latest and sha-) in actual CI runs

Codebase Duplication Compliance

⚪

Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance

⚪

No custom compliance provided

Follow the guide to enable custom compliance check.

Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1684#issuecomment-3364161783 Original created: 2025-10-03T03:55:49Z --- ## PR Compliance Guide 🔍  Below is a summary of compliance checks for this PR:<br> <table><tbody><tr><td colspan='2'><strong>Security Compliance</strong></td></tr> <tr><td rowspan=1>⚪</td> <td><details><summary><strong>Credential handling risk </strong></summary><br> <b>Description:</b> The script writes Docker auth credentials to ~/.docker/config.json which, if not protected <br>by permissions or proper secret scoping, may expose GHCR credentials on shared runners or <br>logs; ensure restricted file perms and no echoing of secrets.<br> <strong><a href='https://github.com/carverauto/serviceradar/pull/1684/files#diff-b8834135959342425abf14bc72698a3c47918fa435c7284348cc9735beb0bec4R15-R41'>buildbuddy_setup_docker_auth.sh [15-41]</a></strong><br> <details open><summary>Referred Code</summary> ```shell if [[ -n "${DOCKER_AUTH_CONFIG_JSON:-}" ]]; then printf '%s\n' "${DOCKER_AUTH_CONFIG_JSON}" > "${config_path}" exit 0 fi if [[ -n "${GHCR_DOCKER_AUTH:-}" ]]; then auth_entry="${GHCR_DOCKER_AUTH}" elif [[ -n "${GHCR_USERNAME:-}" && -n "${GHCR_TOKEN:-}" ]]; then auth_entry=$(printf '%s:%s' "${GHCR_USERNAME}" "${GHCR_TOKEN}" | base64 | tr -d '\n') else cat >&2 <<EOF_ERR Missing registry credentials. Provide one of the following before running this script: * DOCKER_AUTH_CONFIG_JSON: Full docker config JSON. * GHCR_DOCKER_AUTH: Base64-encoded "username:token" string for ${registry}. * GHCR_USERNAME and GHCR_TOKEN environment variables. EOF_ERR exit 1 fi cat > "${config_path}" <<EOF_JSON ... (clipped 6 lines) ``` </details></details></td></tr> <tr><td colspan='2'><strong>Ticket Compliance</strong></td></tr> <tr><td>🟡</td> <td> <details> <summary>🎫 <a href=https://github.com/carverauto/serviceradar/issues/1683>#1683</a></summary> <table width='100%'><tbody> <tr><td rowspan=5>🟢</td> <td>Configure Bazel to push container images to GHCR (ghcr.io) with appropriate targets and <br>workflow.</td></tr> <tr><td>Provide Docker authentication setup suitable for BuildBuddy/CI to authenticate to GHCR <br>without committing secrets.</td></tr> <tr><td>Update RBE executor image version to v1.0.9 across relevant Bazel platforms/toolchains.</td></tr> <tr><td>Fix protoc configuration so Rust builds use the correct system-installed protoc within the <br>RBE image.</td></tr> <tr><td>Add documentation describing the GHCR publishing process and required secrets/workflows.</td></tr> <tr><td rowspan=2>⚪</td> <td>Validate that GHCR pushes succeed in CI with BuildBuddy using provided secrets and that <br>images appear under ghcr.io/carverauto/*</td></tr> <tr><td>Confirm that stamping produces expected tags (latest and sha-<commit>) in actual CI runs</td></tr> </tbody></table> </details> </td></tr> <tr><td colspan='2'><strong>Codebase Duplication Compliance</strong></td></tr> <tr><td>⚪</td><td><details><summary><strong>Codebase context is not defined </strong></summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'><strong>Custom Compliance</strong></td></tr> <tr><td>⚪</td><td><details><summary><strong>No custom compliance provided</strong></summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/'>guide</a> to enable custom compliance check. </details></td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td></tr></tbody></table> <details><summary>Compliance status legend</summary> 🟢 - Fully Compliant<br> 🟡 - Partial Compliant<br> 🔴 - Not Compliant<br> ⚪ - Requires Further Human Verification<br> 🏷️ - Compliance label<br> </details>

qodo-code-review[bot] commented

2025-10-03 03:56:56 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1684#issuecomment-3364163291
Original created: 2025-10-03T03:56:56Z

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	Make authentication explicit for push targets Modify the authentication setup to have the script output the Docker config file. Then, explicitly pass this file to the `docker_config_json` attribute of the `oci_push` targets to create a clear and reliable dependency. Examples: docker/images/push_targets.bzl [50-56] `oci_push( name = "{}_push".format(image), image = ":{}".format(image), repository = repository, remote_tags = ":{}_push_tags".format(image), visibility = ["//visibility:public"], )` buildbuddy_setup_docker_auth.sh [6-43] `mkdir -p "${HOME}/.docker" config_path="${HOME}/.docker/config.json" registry="${GHCR_REGISTRY:-ghcr.io}" if [[ -f "${config_path}" && -z "${DOCKER_AUTH_CONFIG_JSON:-}" && -z "${GHCR_DOCKER_AUTH:-}" && -z "${GHCR_USERNAME:-}" && -z "${GHCR_TOKEN:-}" ]]; then echo "Docker config already present at ${config_path}; nothing to do." >&2 exit 0 fi if [[ -n "${DOCKER_AUTH_CONFIG_JSON:-}" ]]; then ... (clipped 28 lines)` Solution Walkthrough: Before: # buildbuddy_setup_docker_auth.sh config_path="${HOME}/.docker/config.json" # ... logic to get credentials ... cat > "${config_path}" <<EOF_JSON { "auths": { ... } } EOF_JSON # docker/images/push_targets.bzl def declare_ghcr_push_targets(): for image, repository in GHCR_PUSH_TARGETS: oci_push( name = "{}_push".format(image), image = ":{}".format(image), repository = repository, # Implicitly uses ~/.docker/config.json ) # CI must run two separate commands in order # bazel run //:buildbuddy_setup_docker_auth # bazel run //docker/images:push_all After: # buildbuddy_setup_docker_auth.sh (writes to stdout) # ... logic to get credentials ... cat <<EOF_JSON { "auths": { ... } } EOF_JSON # BUILD.bazel sh_binary( name = "buildbuddy_docker_auth_config", srcs = ["buildbuddy_setup_docker_auth.sh"], ) # docker/images/push_targets.bzl def declare_ghcr_push_targets(): for image, repository in GHCR_PUSH_TARGETS: oci_push( name = "{}_push".format(image), image = ":{}".format(image), repository = repository, docker_config_json = "//:buildbuddy_docker_auth_config", # Explicit dependency ) Suggestion importance[1-10]: 8 __ Why: This is a significant architectural improvement that makes the build more robust and hermetic by replacing an implicit, stateful dependency with an explicit one, which is a core principle of Bazel.	Medium
Possible issue	Merge credentials instead of overwriting config Instead of overwriting the Docker `config.json`, merge the new credentials using `jq` to avoid deleting existing configurations for other registries. buildbuddy_setup_docker_auth.sh [35-43] -cat > "${config_path}" <<EOF_JSON -{ - "auths": { - "${registry}": { - "auth": "${auth_entry}" - } - } -} -EOF_JSON +if ! command -v jq &> /dev/null; then + echo "jq could not be found, which is required for safely updating Docker config. Aborting." >&2 + exit 1 +fi +# Create a minimal config if it doesn't exist, or use the existing one. +base_config='{"auths":{}}' +if [[ -f "${config_path}" ]]; then + base_config=$(cat "${config_path}") +fi + +# Merge the new auth entry into the config using jq. +echo "${base_config}" \| jq --arg registry "${registry}" --arg auth_entry "${auth_entry}" \ + '.auths[$registry] = {auth: $auth_entry}' > "${config_path}" + Apply / Chat Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies that overwriting `config.json` is destructive and proposes a safer, non-destructive update using `jq`, which significantly improves the script's robustness for local development environments.	Medium
General	Limit parallel jobs to prevent issues Change `jobs = 0` to a fixed number like `4` in the `multirun` target to prevent network saturation, registry rate-limiting, and local resource exhaustion when pushing container images. docker/images/push_targets.bzl [66-71] `multirun( name = "push_all", commands = push_command_targets, - jobs = 0, + jobs = 4, visibility = ["//visibility:public"], )` Apply / Chat Suggestion importance[1-10]: 6 __ Why: The suggestion correctly identifies that `jobs = 0` in `multirun` can lead to issues like network saturation and rate limiting, and proposing a fixed limit is a sensible improvement for stability.	Low
Update

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1684#issuecomment-3364163291 Original created: 2025-10-03T03:56:56Z --- ## PR Code Suggestions ✨  Explore these optional code suggestions: <table><thead><tr><td><strong>Category</strong></td><td align=left><strong>Suggestion                                                                                                                                    </strong></td><td align=center><strong>Impact</strong></td></tr><tbody><tr><td rowspan=1>High-level</td> <td> <details><summary>Make authentication explicit for push targets</summary> ___ **Modify the authentication setup to have the script output the Docker config <br>file. Then, explicitly pass this file to the <code>docker_config_json</code> attribute of the <br><code>oci_push</code> targets to create a clear and reliable dependency.** ### Examples: <details> <summary> <a href="https://github.com/carverauto/serviceradar/pull/1684/files#diff-4af33fe62caba04b6d479589c16cfb85babc39bae5c92595d4d4e31660738513R50-R56">docker/images/push_targets.bzl [50-56]</a> </summary> ```starlark oci_push( name = "{}_push".format(image), image = ":{}".format(image), repository = repository, remote_tags = ":{}_push_tags".format(image), visibility = ["//visibility:public"], ) ``` </details> <details> <summary> <a href="https://github.com/carverauto/serviceradar/pull/1684/files#diff-b8834135959342425abf14bc72698a3c47918fa435c7284348cc9735beb0bec4R6-R43">buildbuddy_setup_docker_auth.sh [6-43]</a> </summary> ```bash mkdir -p "${HOME}/.docker" config_path="${HOME}/.docker/config.json" registry="${GHCR_REGISTRY:-ghcr.io}" if [[ -f "${config_path}" && -z "${DOCKER_AUTH_CONFIG_JSON:-}" && -z "${GHCR_DOCKER_AUTH:-}" && -z "${GHCR_USERNAME:-}" && -z "${GHCR_TOKEN:-}" ]]; then echo "Docker config already present at ${config_path}; nothing to do." >&2 exit 0 fi if [[ -n "${DOCKER_AUTH_CONFIG_JSON:-}" ]]; then ... (clipped 28 lines) ``` </details> ### Solution Walkthrough: #### Before: ```bash # buildbuddy_setup_docker_auth.sh config_path="${HOME}/.docker/config.json" # ... logic to get credentials ... cat > "${config_path}" <<EOF_JSON { "auths": { ... } } EOF_JSON # docker/images/push_targets.bzl def declare_ghcr_push_targets(): for image, repository in GHCR_PUSH_TARGETS: oci_push( name = "{}_push".format(image), image = ":{}".format(image), repository = repository, # Implicitly uses ~/.docker/config.json ) # CI must run two separate commands in order # bazel run //:buildbuddy_setup_docker_auth # bazel run //docker/images:push_all ``` #### After: ```bash # buildbuddy_setup_docker_auth.sh (writes to stdout) # ... logic to get credentials ... cat <<EOF_JSON { "auths": { ... } } EOF_JSON # BUILD.bazel sh_binary( name = "buildbuddy_docker_auth_config", srcs = ["buildbuddy_setup_docker_auth.sh"], ) # docker/images/push_targets.bzl def declare_ghcr_push_targets(): for image, repository in GHCR_PUSH_TARGETS: oci_push( name = "{}_push".format(image), image = ":{}".format(image), repository = repository, docker_config_json = "//:buildbuddy_docker_auth_config", # Explicit dependency ) ``` <details><summary>Suggestion importance[1-10]: 8</summary> __ Why: This is a significant architectural improvement that makes the build more robust and hermetic by replacing an implicit, stateful dependency with an explicit one, which is a core principle of Bazel. </details></details></td><td align=center>Medium </td></tr><tr><td rowspan=1>Possible issue</td> <td> <details><summary>Merge credentials instead of overwriting config</summary> ___ **Instead of overwriting the Docker <code>config.json</code>, merge the new credentials using <br><code>jq</code> to avoid deleting existing configurations for other registries.** [buildbuddy_setup_docker_auth.sh [35-43]](https://github.com/carverauto/serviceradar/pull/1684/files#diff-b8834135959342425abf14bc72698a3c47918fa435c7284348cc9735beb0bec4R35-R43) ```diff -cat > "${config_path}" <<EOF_JSON -{ - "auths": { - "${registry}": { - "auth": "${auth_entry}" - } - } -} -EOF_JSON +if ! command -v jq &> /dev/null; then + echo "jq could not be found, which is required for safely updating Docker config. Aborting." >&2 + exit 1 +fi +# Create a minimal config if it doesn't exist, or use the existing one. +base_config='{"auths":{}}' +if [[ -f "${config_path}" ]]; then + base_config=$(cat "${config_path}") +fi + +# Merge the new auth entry into the config using jq. +echo "${base_config}" | jq --arg registry "${registry}" --arg auth_entry "${auth_entry}" \ + '.auths[$registry] = {auth: $auth_entry}' > "${config_path}" + ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 7</summary> __ Why: The suggestion correctly identifies that overwriting `config.json` is destructive and proposes a safer, non-destructive update using `jq`, which significantly improves the script's robustness for local development environments. </details></details></td><td align=center>Medium </td></tr><tr><td rowspan=1>General</td> <td> <details><summary>Limit parallel jobs to prevent issues</summary> ___ **Change <code>jobs = 0</code> to a fixed number like <code>4</code> in the <code>multirun</code> target to prevent <br>network saturation, registry rate-limiting, and local resource exhaustion when <br>pushing container images.** [docker/images/push_targets.bzl [66-71]](https://github.com/carverauto/serviceradar/pull/1684/files#diff-4af33fe62caba04b6d479589c16cfb85babc39bae5c92595d4d4e31660738513R66-R71) ```diff multirun( name = "push_all", commands = push_command_targets, - jobs = 0, + jobs = 4, visibility = ["//visibility:public"], ) ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 6</summary> __ Why: The suggestion correctly identifies that `jobs = 0` in `multirun` can lead to issues like network saturation and rate limiting, and proposing a fixed limit is a sensible improvement for stability. </details></details></td><td align=center>Low </td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td><td></td></tr></tbody></table>