ci: update workflow to build and push to GHCR instead of AWS ECR#1
Conversation
📝 WalkthroughWalkthroughThe CI workflow is migrated from AWS ECR to GitHub Container Registry (GHCR). The workflow name is updated, job-level permissions for ChangesECR to GHCR Migration
Estimated code review effort🎯 2 (Simple) | ⏱️ ~5 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/bygg_push.yml:
- Line 1: The workflow file is committed with CRLF line endings, which is
causing yamllint to fail. Normalize the GitHub Actions workflow content to
LF-only line endings in the workflow file itself so it matches the repository’s
expected Unix newline format.
- Around line 15-16: The checkout step is persisting the repo token into the
workspace, which can leak into the Docker build context because the build uses a
broad copy of the repo. Update the actions/checkout step in the workflow to
disable credential persistence, and keep using the explicit push token later for
the config repo push. Reference the checkout step near the actions/checkout
usage so it’s easy to locate.
- Around line 15-23: The workflow step definitions for actions/checkout and
docker/login-action are pinned to outdated major versions. Update the uses
entries in the GitHub Actions job to the latest major releases for Checkout and
Docker Login so the workflow runs on supported runtimes and avoids Node 16
deprecation issues.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: e350547f-d364-4790-9137-51c5bac87961
📒 Files selected for processing (1)
.github/workflows/bygg_push.yml
| @@ -1,4 +1,4 @@ | |||
| name: Build and Push to AWS ECR | |||
| name: Build and Push to GitHub Container Registry | |||
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Normalize this workflow file to LF line endings.
Yamllint is already failing on this file because it is committed with CRLF instead of \n.
🧰 Tools
🪛 YAMLlint (1.37.1)
[error] 1-1: wrong new line character: expected \n
(new-lines)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/bygg_push.yml at line 1, The workflow file is committed
with CRLF line endings, which is causing yamllint to fail. Normalize the GitHub
Actions workflow content to LF-only line endings in the workflow file itself so
it matches the repository’s expected Unix newline format.
Source: Linters/SAST tools
| - name: Checkout code | ||
| uses: actions/checkout@v3 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Disable checkout credential persistence before the Docker build.
actions/checkout persists the repo token by default, and this repo’s Dockerfile:1-25 does COPY . .. That creates a real path for the checkout token to end up in the Docker build context/image whenever .git is not excluded. This workflow does not need the checkout token after clone anyway because the later config-repo push uses secrets.GITOPSTOKEN.
🔒 Suggested change
- name: Checkout code
uses: actions/checkout@v3
+ with:
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 actionlint (1.7.12)
[error] 16-16: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
🪛 zizmor (1.26.1)
[warning] 15-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/bygg_push.yml around lines 15 - 16, The checkout step is
persisting the repo token into the workspace, which can leak into the Docker
build context because the build uses a broad copy of the repo. Update the
actions/checkout step in the workflow to disable credential persistence, and
keep using the explicit push token later for the config repo push. Reference the
checkout step near the actions/checkout usage so it’s easy to locate.
Source: Linters/SAST tools
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v2 | ||
| - name: Log in to GitHub Container Registry | ||
| uses: docker/login-action@v2 | ||
| with: | ||
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| aws-region: eu-north-1 # Din region | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the workflow file and surrounding context
git ls-files .github/workflows
wc -l .github/workflows/bygg_push.yml
cat -n .github/workflows/bygg_push.yml | sed -n '1,120p'
# Look for any version pins or related workflow usage elsewhere
rg -n "actions/checkout@v3|docker/login-action@v2|actions/checkout@v4|docker/login-action@v3" .github/workflows . || trueRepository: TeeHit101/inventory-tracker-app
Length of output: 2970
🌐 Web query:
GitHub Actions actions/checkout v3 support deprecation runner current GitHub-hosted runner docker/login-action v2 deprecation
💡 Result:
As of June 29, 2026, both actions/checkout@v3 and docker/login-action@v2 are outdated and should be upgraded to their latest versions to ensure compatibility with modern GitHub Actions runners, which have transitioned to newer Node.js runtimes [1][2][3][4][5]. actions/checkout: You should upgrade from v3 to the latest version (v7 as of June 2026) [6][7]. Older versions like v3 relied on Node.js 16, which is no longer supported by GitHub-hosted runners [1][2]. Using an outdated version may lead to runtime failures as GitHub-hosted runner images continue to remove legacy support for older Node.js versions [1]. docker/login-action: You should upgrade from v2 to the latest version (v4.2.0 as of May 2026) [3][8]. Version v2 is deprecated; GitHub community and maintainers advise updating to at least v3 or the current v4 series [4], which supports modern runtimes including Node.js 24 [3][5]. Current GitHub-hosted Runners: As of June 2026, GitHub-hosted runners have evolved to support newer operating systems and runtimes [9][10]. Notable current runner images include: - Linux: ubuntu-24.04 (current default) and ubuntu-26.04 (in public preview) [9][10][11]. Note that Ubuntu 22.04 images have entered a deprecation phase [10]. - Windows: Windows Server 2025 with Visual Studio 2026 [12][10][11]. - macOS: macOS 15 (latest) and preview versions of macOS 26 [12][11]. It is recommended to always use the most recent stable release of any GitHub Action to ensure security, compatibility with the latest runner environments, and access to new features [6][3].
Citations:
- 1: checkout@v3 using node20 instead of node16 actions/checkout#1809
- 2: [Github Actions] actions/checkout@v3 should be upgraded to v4 freshframework/fresh#2285
- 3: https://github.com/docker/login-action/releases
- 4: Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: docker/login-action@v1. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/. docker/login-action#668
- 5: https://github.com/docker/login-action/releases/tag/v4.0.0
- 6: https://github.com/actions/checkout
- 7: https://github.com/actions/checkout/?tab=readme-ov-file
- 8: https://github.com/docker/login-action/
- 9: https://docs.github.com/en/actions/reference/runners/github-hosted-runners
- 10: https://github.com/actions/runner-images/releases
- 11: https://github.com/actions/runner-images?tab=readme-ov-file
- 12: https://github.com/actions/runner-images/blob/main/README.md
🌐 Web query:
site:github.com/actions/checkout v3 Node 16 deprecation GitHub Actions
💡 Result:
Node.js 16 reached its end-of-life on September 11, 2023 [1][2], and GitHub Actions has subsequently transitioned to using Node.js 20 as the default runtime [2]. Because actions/checkout@v3 was built specifically to run on Node.js 16 [3], it is now considered deprecated and will trigger warning annotations in your GitHub Actions workflows [4][5]. To resolve these warnings and ensure compatibility with current infrastructure, you should update your workflows to use actions/checkout@v4 (or the latest major version) [4][5]. While some users may have experienced workarounds or inconsistencies where v3 might appear to run on Node.js 20 due to runner-level changes [6], relying on older action versions is not recommended. Updating to v4 is the standard and supported path to ensure your workflows remain secure and fully functional [5].
Citations:
- 1: The nodejs 16 version you are using will be deprecated soon. actions/checkout#1438
- 2: Update default runtime to node20 actions/checkout#1436
- 3: https://github.com/actions/checkout/releases/tag/v3.0.0
- 4: Node.js 16 actions are deprecated actions/checkout#1596
- 5: Please upgrade to node20, thank you. actions/checkout#1674
- 6: checkout@v3 using node20 instead of node16 actions/checkout#1809
Upgrade the pinned action majors. actions/checkout@v3 and docker/login-action@v2 are outdated; actions/checkout@v3 still targets Node 16, which GitHub Actions has deprecated. Move both to the latest major versions to avoid runner/runtime compatibility issues.
🧰 Tools
🪛 actionlint (1.7.12)
[error] 16-16: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
[error] 19-19: the runner of "docker/login-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
🪛 zizmor (1.26.1)
[warning] 15-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/bygg_push.yml around lines 15 - 23, The workflow step
definitions for actions/checkout and docker/login-action are pinned to outdated
major versions. Update the uses entries in the GitHub Actions job to the latest
major releases for Checkout and Docker Login so the workflow runs on supported
runtimes and avoids Node 16 deprecation issues.
Source: Linters/SAST tools
Summary by CodeRabbit
latest.