updated CI #2263

Merged
mfreeman451 merged 1 commit from refs/pull/2263/head into main 2025-10-03 05:14:22 +00:00
mfreeman451 commented 2025-10-03 05:04:20 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #1688
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1688
Original created: 2025-10-03T05:04:20Z
Original updated: 2025-12-08T06:55:32Z
Original head: carverauto/serviceradar:1687-chorebazel-update-github-ci-to-publish-docker-images
Original base: main
Original merged: 2025-10-03T05:14:22Z by @mfreeman451

PR Type

Enhancement


Description

  • Replaced Docker-based CI with Bazel-based OCI image publishing

  • Consolidated 17 separate build jobs into single streamlined workflow

  • Added BuildBuddy remote caching for improved build performance

  • Switched from ubuntu to oracle runner infrastructure


Diagram Walkthrough

```mermaid
flowchart LR
  A["Old Docker CI"] --> B["17 separate jobs"]
  C["New Bazel CI"] --> D["Single publish job"]
  B --> E["Manual Dockerfiles"]
  D --> F["Bazel OCI rules"]
  E --> G["GitHub Actions cache"]
  F --> H["BuildBuddy remote cache"]
```

File Walkthrough

Relevant files

Enhancement: .github/workflows/docker-build.yml (+78/-868): Complete CI workflow migration to Bazel

  • Replaced 17 individual Docker build jobs with single Bazel-based
    publish job
  • Added BuildBuddy remote caching configuration and authentication
  • Switched from ubuntu to oracle runner with enhanced environment
    variables
  • Simplified workflow triggers and added optional release tag input
    parameter

qodo-code-review[bot] commented 2025-10-03 05:04:47 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1688#issuecomment-3364269403
Original created: 2025-10-03T05:04:47Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance

⚪ Excessive secret exposure

Description: The workflow exposes multiple registry-related secrets as environment variables for all
steps in the job, increasing blast radius if any subsequent step (including third-party
actions) is compromised.
docker-build.yml [22-29]

Referred Code

```yaml
runs-on: oracle
env:
  BUILDBUDDY_ORG_API_KEY: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
  GHCR_DOCKER_AUTH: ${{ secrets.GHCR_DOCKER_AUTH }}
  GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
  GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
  GHCR_REGISTRY: ghcr.io
steps:
```

⚪ Secret leakage risk

Description: Creating a .bazelrc.remote file from an environment-provided API key risks accidental
leakage if build logs or artifacts print or upload this file; prefer using --remote_header
via Bazel args or actions with masked secrets.
docker-build.yml [35-41]

Referred Code

```yaml
- name: Configure BuildBuddy remote cache
  if: ${{ env.BUILDBUDDY_ORG_API_KEY != '' }}
  run: |
    cat <<'RC' > .bazelrc.remote
    common --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_ORG_API_KEY}
    RC
```

Ticket Compliance: 🟡 (🎫 #1687)

🟢 Use BuildBuddy setup step to authenticate Docker and enable remote cache.
🟢 Run Bazel push target to publish container images to the registry.
🟢 Trigger on pushes to main and tags starting with v*, and allow manual dispatch.
🔴 Configure GitHub Actions to build, test, and publish all containers using Bazel.
🔴 Build all Bazel targets with remote config enabled.
🔴 Run unit and doc tests with appropriate test tags and CI env using remote config.
⚪ Ensure local test parity by keeping commands aligned with scripts/test.sh (note-only).

Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
No custom compliance provided

Follow the guide to enable custom compliance check.

Compliance status legend

🟢 - Fully Compliant
🟡 - Partially Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
qodo-code-review[bot] commented 2025-10-03 05:05:48 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1688#issuecomment-3364271271
Original created: 2025-10-03T05:05:48Z

PR Code Suggestions

Explore these optional code suggestions:

Category: High-level
Suggestion: CI workflow omits critical test step

The CI workflow is missing the bazel test command before the image publishing
step. This introduces a risk of deploying untested code and should be added to
maintain code quality.

Examples:

.github/workflows/docker-build.yml [21-87]

```yaml
  publish:
    runs-on: oracle
    env:
      BUILDBUDDY_ORG_API_KEY: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
      GHCR_DOCKER_AUTH: ${{ secrets.GHCR_DOCKER_AUTH }}
      GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
      GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
      GHCR_REGISTRY: ghcr.io
    steps:
      - name: Checkout

 ... (clipped 57 lines)
```

Solution Walkthrough:

Before:

```yaml
jobs:
  publish:
    steps:
      - name: Checkout
      ...
      - name: Authenticate Docker for GHCR
        run: |
          bazel run ... //:buildbuddy_setup_docker_auth

      - name: Build (no publish)
        run: |
          bazel build ... //docker/images:push_all

      - name: Publish images
        run: |
          bazel run ... //docker/images:push_all
      ...
```

After:

```yaml
jobs:
  publish:
    steps:
      - name: Checkout
      ...
      - name: Authenticate Docker for GHCR
        run: |
          bazel run ... //:buildbuddy_setup_docker_auth

      - name: Run tests
        run: |
          bazel test -c opt //... --config=remote

      - name: Publish images
        run: |
          bazel run ... //docker/images:push_all
      ...
```

Suggestion importance [1-10]: 9

Why: The suggestion correctly identifies a critical omission of the testing step before publishing images, which was specified in the ticket and is essential for preventing regressions.

Impact: High

Category: General
Suggestion: Simplify workflow input access logic

Simplify the expression for accessing the release_tag workflow input by using
the inputs context directly, i.e., inputs.release_tag.

.github/workflows/docker-build.yml [42-51]

 - name: Resolve release tag
   id: release
   env:
-    WORKFLOW_INPUT: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.release_tag || '' }}
+    WORKFLOW_INPUT: ${{ inputs.release_tag }}
   run: |
     tag="$WORKFLOW_INPUT"
     if [[ -z "$tag" && "${GITHUB_REF}" == refs/tags/* ]]; then
       tag="${GITHUB_REF#refs/tags/}"
     fi
     echo "tag=${tag}" >> "$GITHUB_OUTPUT"
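Review bot: the replacement `WORKFLOW_INPUT: ${{ inputs.release_tag }}` keeps the original behaviour, because the `inputs` context is empty on push and tag events and the expression then evaluates to an empty string, so the fallback to `GITHUB_REF` on the next lines still applies. In both versions the resolved `tag` is appended to `$GITHUB_OUTPUT` without validation; consider checking it against the expected tag format before the `echo "tag=${tag}" >> "$GITHUB_OUTPUT"` line so that an unexpected dispatch value fails this step instead of being handed to the publish step.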
Suggestion importance [1-10]: 5

Why: The suggestion correctly identifies a way to simplify the GitHub Actions expression by using the inputs context, which improves readability and maintainability.

Impact: Low
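As an added example (not the PR's workflow and not code from the serviceradar project), here is one way to address both bot findings in a single job: secrets scoped to the steps that need them instead of a job-level `env:`, the BuildBuddy key passed as a `--remote_header` flag rather than written to `.bazelrc.remote`, the resolved release tag validated before it reaches `$GITHUB_OUTPUT`, and `bazel test` run before `push_all`. The `oracle` runner, the secret names and the target labels come from the PR; the `--config=remote` name, `actions/checkout@v4`, the `docker login` step and the tag pattern are assumptions.

```yaml
name: publish-images
on:
  push:
    branches: [main]
    tags: ['v*']
  workflow_dispatch:
    inputs:
      release_tag:
        description: Optional image tag override

permissions:          # least privilege: push packages, read nothing else
  contents: read
  packages: write

jobs:
  publish:
    runs-on: oracle
    # No job-level env with secrets: checkout and other third-party steps never see them.
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Resolve release tag
        id: release
        env:
          WORKFLOW_INPUT: ${{ inputs.release_tag }}
        run: |
          tag="$WORKFLOW_INPUT"
          if [[ -z "$tag" && "${GITHUB_REF}" == refs/tags/* ]]; then
            tag="${GITHUB_REF#refs/tags/}"
          fi
          # Only a plain tag may reach $GITHUB_OUTPUT (no newlines or shell metacharacters).
          if [[ -n "$tag" && ! "$tag" =~ ^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$ ]]; then
            echo "refusing unexpected release tag" >&2; exit 1
          fi
          echo "tag=${tag}" >> "$GITHUB_OUTPUT"

      - name: Test with remote cache
        env:
          BUILDBUDDY_ORG_API_KEY: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
        run: |
          # Key passed as a Bazel flag from this step's env only; nothing is written to disk.
          bazel test -c opt --config=remote \
            --remote_header=x-buildbuddy-api-key="$BUILDBUDDY_ORG_API_KEY" //...

      - name: Publish images
        env:
          BUILDBUDDY_ORG_API_KEY: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
          GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
          GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
        run: |
          echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USERNAME" --password-stdin
          bazel run -c opt --config=remote \
            --remote_header=x-buildbuddy-api-key="$BUILDBUDDY_ORG_API_KEY" //docker/images:push_all
```

GitHub masks registered secret values in step logs, so the header value does not appear even if Bazel echoes its command line, while the tag check makes a malformed `workflow_dispatch` input fail before anything is published.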